[Samba] Fwd: Re: Fwd: Re: Kerberos and NTLMv2 authentication

Rowland Penny rpenny at samba.org
Wed Jun 19 12:19:29 UTC 2019


On 19/06/2019 13:08, Goetz, Patrick G via samba wrote:
> On 6/19/19 2:16 AM, L.P.H. van Belle via samba wrote:
>> So your admins don't know how to use RSAT, is that what you're saying?
>> Or are they just lazy..
>>
>> https://www.server-world.info/en/note?os=Windows_Server_2019&p=active_directory&f=12
>> It's just a pain to register the used UID/GID numbers.
>>
> It's a bit more complicated than that.  There are about 50,000 students
> at any time at the university, with ~25% changing every year.  So in
> this case there are hundreds of thousands of user accounts that have to
> be managed indefinitely (because you can't just delete the account after
> students leave).  To manage this, the university has a central identity
> authority, and this is the source of the problem, in this case:  the
> users in the AD domain are episodically (daily) sourced from the
> identity authority, and the way they do this is to just flush the
> records and repopulate.
Oh my deity of choice, someone doesn't really understand AD.
>   Even if we did add the POSIX stuff to the AD
> DB, it would get flushed on next reload.
Even the winbind 'rid' backend wouldn't help here; your users (by the 
sound of it) will have a different RID every day.
> But yeah, there's probably a way to work around this.  Wouldn't call it
> the greatest IT department, and getting steadily worse as they continue
> to lowball salaries and attempt to outsource everything to the cloud.
> In any case, it's not something I control or can do anything about.

There is one thing you could do: find another job. I can see 'disaster' 
written all over this, and when something does go wrong, I wouldn't want 
to be anywhere near it ;-)

Rowland
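
Added example, not part of the original message: a sketch of why the 'rid' backend cannot give stable Unix IDs when accounts are flushed and recreated, using the mapping formula from the idmap_rid manual page (ID = RID - BASE_RID + LOW_RANGE_ID). The idmap range, the domain SID, the RIDs and the helper names are constructed assumptions; the 50,000 accounts per reload is the figure from the thread.

```python
# Added illustration: idmap_rid-style mapping over two constructed daily snapshots.
# Formula from the idmap_rid(8) manual page: ID = RID - BASE_RID + LOW_RANGE_ID

LOW, HIGH, BASE_RID = 10000, 999999, 0   # assumed idmap range 10000-999999, base_rid 0

def rid_of(sid):
    """Return the RID, i.e. the last sub-authority of a SID string."""
    return int(sid.rsplit("-", 1)[1])

def rid_to_uid(sid):
    """Map a SID to a Unix ID as the rid backend does; None if outside the range."""
    uid = rid_of(sid) - BASE_RID + LOW
    return uid if LOW <= uid <= HIGH else None

def uid_drift(before, after):
    """Compare two {username: SID} snapshots; return {user: (old_uid, new_uid)}."""
    drift = {}
    for user in before.keys() & after.keys():
        old, new = rid_to_uid(before[user]), rid_to_uid(after[user])
        if old != new:
            drift[user] = (old, new)
    return drift

def reloads_until_exhaustion(next_rid, accounts_per_reload):
    """Full reloads that still fit before newly issued RIDs map above HIGH."""
    highest_rid = HIGH - LOW + BASE_RID
    return max(0, (highest_rid - next_rid + 1) // accounts_per_reload)

DOM = "S-1-5-21-1111111111-2222222222-3333333333"  # constructed domain SID
day1 = {"alice": f"{DOM}-1104", "bob": f"{DOM}-1105"}
# After a flush and repopulate, the same names come back with newly issued RIDs
# (a domain does not reuse RIDs), so the constructed values below are higher.
day2 = {"alice": f"{DOM}-51104", "bob": f"{DOM}-51105"}

if __name__ == "__main__":
    for user, (old, new) in sorted(uid_drift(day1, day2).items()):
        print(f"{user}: uid {old} -> {new} (files still owned by {old})")
    print("reloads before the range is exhausted:",
          reloads_until_exhaustion(51106, 50000))
```

Files written under the old UID keep that numeric owner, so after each reload the recreated account no longer owns its own data, and the configured range fills up after a small number of reloads.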




