[Samba] Issues post AD migration

Rowland Penny rpenny at samba.org
Sun Apr 15 07:46:43 UTC 2018

On Sat, 14 Apr 2018 21:48:57 -0400
Nico Kadel-Garcia <nkadel at gmail.com> wrote:

> On Fri, Apr 13, 2018 at 8:26 AM, Rowland Penny via samba
> <samba at lists.samba.org> wrote:
> > On Fri, 13 Apr 2018 11:50:55 +0000
> > Praveen Ghimire <PGhimire at sundata.com.au> wrote:
> >
> >> Hi Rowland,
> >>
> >> The group was in /etc/group and LDAP. Post the AD migration, the
> >> group didn’t show up in AD. We then added the group in AD, will
> >> check if it has a gid number. If AD doesn’t have gid, can I remove
> >> the group /etc/group and assign it the same gid in AD?
> >>
> >> The group in question was one of many which had the same issue,
> >> hence the question about importing missed groups in AD
> >>
> >
> > First things first, you cannot have users or groups in /etc/passwd
> > or /etc/group and in AD. To be an AD user or group, they must exist
> > only in AD.
> Well, you *can* have local groups and users that are also in AD.
> They're resolved on Linux systems and in CygWin in the order
> specified in /etc/nsswitch.conf. It's precisely how you can list a
> local user, with a different local password, to provide shell access
> and especially sudo access if the Samba or AD server goes toes up.
> They can also be the source of endless confusion if they don't match
> uid, gid, group members, home directory, etc., etc., etc. But they can
> cause endless confusion, especially if they are inconsistent. It's
> generally safest to list them strictly in AD.

If you do have users or groups in /etc/passwd or /etc/group that are
also in AD, then these will be used instead of the AD users & groups
unless you swap 'files winbind' to 'winbind files' in /etc/nsswitch.conf.
However, there doesn't seem to be much point in doing this, mainly
because it isn't required.

You would also have to create them on another machine, because, once
the Unix machine is set up correctly as a domain member/DC that uses
libnss_winbind, you will not be able to create them on that machine,
because they will already exist.

The correct way of doing this is to only have users & groups in AD
and extend them to be Unix users & groups. If you worry about losing
connection to the DC, then add 'winbind offline logon = yes' to
smb.conf on Unix domain members.

To be blunt, if you do have the same users & groups in /etc/passwd
& /etc/group and in AD, you are doing it wrong.
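The precedence rule described above (the first source listed in /etc/nsswitch.conf that knows a name wins) and the duplicate-definition problem it causes can be checked with a small script. This is an added example, not code from the thread or from Samba; it uses constructed /etc/group and winbind data embedded in the script rather than querying a real domain member.

```shell
#!/bin/sh
# Constructed sample data (not from the thread): local /etc/group entries and
# the group entries winbind would return from AD. 'sales' exists in both.
LOCAL_GROUP='sales:x:1001:alice,bob
developers:x:1002:carol'
AD_GROUP='sales:x:10001:alice,bob,dave
finance:x:10002:erin'
NSSWITCH='passwd: files winbind
group: files winbind
hosts: files dns'

# Lookup order for database $1 (e.g. group) taken from nsswitch.conf text $2.
nss_order() {
    printf '%s\n' "$2" | awk -v db="$1" \
        '$1 == (db ":") { $1 = ""; sub(/^ /, ""); print; exit }'
}

# Group names defined in both sources, with the local and AD GIDs side by side.
dup_groups() {
    {
        printf '%s\n' "$1" | sed 's/^/files:/'
        printf '%s\n' "$2" | sed 's/^/winbind:/'
    } | awk -F: '
        $1 == "files"                    { lgid[$2] = $4; next }
        $1 == "winbind" && ($2 in lgid) { print $2, lgid[$2], $4 }'
}

# GID that a lookup of group $1 returns under nsswitch order $2: the first
# source in the order that knows the name wins, so "files winbind" yields
# the local GID and "winbind files" the AD one.
effective_gid() {
    _name=$1
    for _src in $2; do
        case $_src in
            files)   _data=$LOCAL_GROUP ;;
            winbind) _data=$AD_GROUP ;;
            *)       continue ;;
        esac
        _gid=$(printf '%s\n' "$_data" | awk -F: -v n="$_name" '$1 == n { print $3; exit }')
        if [ -n "$_gid" ]; then
            printf '%s\n' "$_gid"
            return 0
        fi
    done
    return 1
}

echo "group lookup order: $(nss_order group "$NSSWITCH")"
dup_groups "$LOCAL_GROUP" "$AD_GROUP" | while read -r n lg ag; do
    echo "duplicate group $n: files gid=$lg winbind gid=$ag"
done
```

On a real domain member the same comparison can be made by feeding the script the output of `getent group` taken with each nsswitch order, since a name that resolves to two different GIDs is exactly the inconsistency the thread warns about.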
