[Samba] same username in /etc/passwd and in AD

Rowland penny rpenny at samba.org
Thu Jun 6 15:03:51 UTC 2019

On 06/06/2019 15:20, Andreas Habel via samba wrote:
>> On 04/06/2019 12:24, Andreas Habel via samba wrote:
>>> Hi,
>>> we are currently in the process of testing a Samba AD setup and have identified some "challenges" regarding user accounts in /etc/passwd and in AD.
>>> Let me explain today's situation. Today we use a Linux file server that serves for both Linux and Windows clients and that acts as a NT4 PDC. The client computers are dual boot Linux/Win 7. Under Linux, /etc/passwd, /etc/group and /etc/shadow are rsynced from a central server to all other Linux servers and clients in our network.
>> If you use AD, you will not have to do this, you just make the AD users
>> into Unix users as well.
>>> The home folders for Linux users are mapped nfs shares that physically reside on the Linux file server (that also is our PDC). Windows users map their smb shares from the same server. Under Linux we have an application that relies on that users of this application exist in /etc/passwd. We use the same username/password for both the Windows domain and under Linux.
>> See above
>> What does the application do ?
>>> Now, with the move to Samba AD, I read several places in the wiki and on this list that we can't have the same username in local /etc/passwd and in AD, but I haven't seen an explanation why this might not be a good idea. In our world, we have the same /etc/passwd on all Linux clients and servers, and we have control over user and group IDs so that they would be identical in /etc/passwd and in AD for a given user.
>> You cannot have the same username in AD and /etc/passwd for several
>> reasons, a couple of which are, the first to be found will be used and
>> there is absolutely no reason to do this.
>>> I would therefore like to have
>>> - an AD DC,
>>> - a Linux file server as domain member, but with /etc/passwd that has the same usernames as in AD,
>> The above is not going to work
>>> - Windows clients (domain members),
>>> - Linux clients (not domain members, but with identical /etc/passwd like on file server and in AD).
>> That isn't a good idea, because they will not be Unix domain members, so
>> you will have to maintain two databases (AD and /etc/passwd) with the
>> same usernames & passwords, how do you plan to do this ? If you make
>> them all domain members, then you only have one database, AD
>>> So let me know what I'm missing or what I have not understood.
>> I don't think you really understand the concept behind AD ;-)
> Yes, maybe - for us, AD is a bit overkill because what we need is nothing more than NT4 domain functionality; since Win10 needs AD we're forced to use it.

Believe it or not, AD is easier to set up and maintain than an NT4-style 
domain, it also has a future, which an NT4-style domain doesn't :)
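An added example, not from the thread, of the check implied by the "first to be found will be used" point above: a POSIX sh script that compares a local passwd source against the AD (winbind) source, reports colliding usernames and UID mismatches, and shows which entry NSS would hand out for a given `passwd:` order in nsswitch.conf. The passwd lines are constructed sample data; on a real domain member you would feed it the output of `getent -s files passwd` and `getent -s winbind passwd`.

```shell
#!/bin/sh
# Added example (not from the thread): report usernames present in both the
# local passwd source and the AD (winbind) source, flag UID mismatches, and
# show which entry NSS returns for a given "passwd:" order in nsswitch.conf.
# Inputs are constructed samples; on a real domain member feed it
#   getent -s files passwd   and   getent -s winbind passwd

# Constructed: local /etc/passwd content
LOCAL_PASSWD='root:x:0:0:root:/root:/bin/bash
alice:x:10001:10001:Alice:/home/alice:/bin/bash
bob:x:10002:10002:Bob:/home/bob:/bin/bash
svc-backup:x:900:900:Backup:/var/backup:/usr/sbin/nologin'

# Constructed: what the winbind NSS module would return for AD users
AD_PASSWD='alice:*:10001:10000:Alice:/home/alice:/bin/bash
bob:*:20002:10000:Bob:/home/bob:/bin/bash
carol:*:10003:10000:Carol:/home/carol:/bin/bash'

# Print "name local_uid ad_uid status" for each username present in both
# sources; status is SAME_UID or UID_MISMATCH.  $1 = local, $2 = AD text.
find_collisions() {
    { printf '%s\n' "$1" | sed 's/^/L:/'; printf '%s\n' "$2" | sed 's/^/A:/'; } |
    awk -F: '
        $1 == "L" { luid[$2] = $4 }
        $1 == "A" { auid[$2] = $4 }
        END {
            for (u in luid) if (u in auid)
                printf "%s %s %s %s\n", u, luid[u], auid[u],
                       (luid[u] == auid[u]) ? "SAME_UID" : "UID_MISMATCH"
        }' | sort
}

# Mirror NSS lookup order: $1 = source order (e.g. "files winbind"),
# $2 = username.  Prints "<source> <entry>" for the first source that has
# the name and returns 1 if none does: the first match wins, so a name
# that exists in both sources resolves differently depending on order.
nss_winner() {
    for src in $1; do
        case $src in
            files)   entry=$(printf '%s\n' "$LOCAL_PASSWD" | grep "^$2:" || true) ;;
            winbind) entry=$(printf '%s\n' "$AD_PASSWD" | grep "^$2:" || true) ;;
            *)       entry= ;;
        esac
        [ -n "$entry" ] && { printf '%s %s\n' "$src" "$entry"; return 0; }
    done
    return 1
}

find_collisions "$LOCAL_PASSWD" "$AD_PASSWD"
nss_winner "files winbind" bob
```

With the sample data, bob resolves to UID 10002 under `files winbind` and to 20002 under `winbind files`, which is exactly the ambiguity that owning files over NFS and SMB with one name cannot tolerate.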

