[Samba] Fwd: Re: Fwd: Re: Kerberos and NTLMv2 authentication
rpenny at samba.org
Wed Jun 19 12:19:29 UTC 2019
On 19/06/2019 13:08, Goetz, Patrick G via samba wrote:
> On 6/19/19 2:16 AM, L.P.H. van Belle via samba wrote:
>> So your admins don't know how to use RSAT, is that what you're saying?
>> Or are they just lazy..
>> It's just a pain to register the used UID/GID numbers.
> It's a bit more complicated than that. There are about 50,000 students
> at any time at the university, with ~25% changing every year. So in
> this case there are hundreds of thousands of user accounts that have to
> be managed indefinitely (because you can't just delete the account after
> students leave). To manage this, the university has a central identity
> authority, and this is the source of the problem, in this case: the
> users in the AD domain are episodically (daily) sourced from the
> identity authority, and the way they do this is to just flush the
> records and repopulate.
Oh my deity of choice, someone doesn't really understand AD.
> Even if we did add the POSIX stuff to the AD
> DB, it would get flushed on next reload.
Even the winbind 'rid' backend wouldn't help here, your users (by the
sound of it) will have a different RID every day.
> But yeah, there's probably a way to work around this. Wouldn't call it
> the greatest IT department, and getting steadily worse as they continue
> to lowball salaries and attempt to outsource everything to the cloud.
> In any case, it's not something I control or can do anything about.
There is one thing you could do, find another job, I can see 'disaster'
written all over this and when something does go wrong, I wouldn't want
to be anywhere near it ;-)