[Samba] same username in /etc/passwd and in AD

Andreas Habel andreas.habel at uis.no
Thu Jun 6 14:20:34 UTC 2019 

>On 04/06/2019 12:24, Andreas Habel via samba wrote:
>> Hi,
>>
>> we are currently in the process of testing a Samba AD setup and have identified some "challenges" regarding user accounts in >/etc/passwd and in AD.
>>
>> Let me explain today's situation. Today we use a Linux file server that serves for both Linux and Windows clients and that >acts as a NT4 PDC. The client computers are dual boot Linux/Win 7. Under Linux, /etc/passwd, /etc/group and /etc/shadow are >rsynced from a central server to all other Linux servers and clients in our network.
>
>If you use AD, you will not have to do this, you just make the AD users
>into Unix users as well.
>
>> The home folders for Linux users are mapped nfs shares that physically reside on the Linux file server (that also is our >PDC). Windows users map their smb shares from the same server. Under Linux we have an application that relies on that users of >this application exist in /etc/passwd. We use the same username/password for both the Windows domain and under Linux.
>
>See above
>
>What does the application do ?
>
>>
>> Now, with the move to Samba AD, I read several places in the wiki and on this list that we can't have the same username in >local /etc/passwd and in AD, but I haven't seen an explanation why this might not be a good idea. In our world, we have the >same /etc/passwd on all Linux clients and servers, and we have control over user and group IDs so that they would be identical >in /etc/passwd and in AD for a given user.
>You cannot have the same username in AD and /etc/passwd for several
>reasons, a couple of which are, the first to be found will be used and
>there is absolutely no reason to do this.
>>
>> I would therefore like to have
>> -       an AD DC,
>> -       a Linux file server as domain member, but with /etc/passwd that has the same usernames as in AD,
> Â  The above is not going to work
>> -       Windows clients (domain members),
>> -       Linux clients (not domain members, but with identical /etc/passwd like on file server and in AD).
>That isn't a good idea, because they will not be Unix domain members, so
>you will have to maintain two databases (AD and /etc/passwd) with the
>same usernames & passwords, how do you plan to do this ? If you make
>them all domain members, then you only have one database, AD
>>
>> So let me know what I'm missing or what I have not understood.
>>
>I don't think you really understand the concept behind AD ;-)

Yes, maybe - for us, AD is a bit overkill because what we need is nothing more than NT4 domain functionality; since Win10 needs AD we're forced to use it.

But thanks for your help (so far...), Christian and Rowland.

Andreas


--
Andreas Habel
Petroleum engineering lab
Geosciences | Unix network
Faculty of Science and Technology
University of Stavanger
Norway

Phone: +47-51 83 22 93

More information about the samba mailing list