[Samba] accessing foreign AD users to NT domain

Rowland Penny rpenny at samba.org
Tue Aug 25 08:07:49 UTC 2020


On 25/08/2020 08:31, L.P.H. van Belle via samba wrote:
>> You can also get rid of some of the old ways of doing things
>> (using the  RID as a Unix ID for one).
> Why use RID. I can't use RID.. And RID is bad in my opinion.

Er, no, I think you misunderstood me ;-)

With the old NT4-style domains it used to be thought that using the RID for 
a Unix ID was a good idea, e.g. if the RID was '1000' the Unix ID was 
'1000'. Now this wasn't really a problem when you had to have a Unix 
user and a Windows one, but later versions didn't, the users could be in 
LDAP. The problem is now coming to the fore with the classic upgrade and 
if your Samba Unix IDs start at '1000', you cannot have any local Unix 
users, which is undoubtedly a problem on distros such as Ubuntu.

> I'm still waiting for Rowland's its patch to go in samba.
> It's just crazy that even when we can use and add UnixAttributes, it's not stored in the AD.
> This would help so much if it's in, maintaining UID/GIDs manually is not an option, that's craziness
> And forces you into RID, but this is my personal opinion.
>
I have given up on that, there is always going to be a better way of 
doing this, but it never turns up :-(
>> If you use 'acl_xattr', then the permissions might not be set locally.
> ? Uhm, acl_xattr and the permissions might not be set locally?
>
> What did I miss here?
> The permissions might not be set locally? But then where are they stored?

'set' and 'stored' are different, you can 'set' them from windows but 
they are stored locally ;-)

On a Samba Unix domain member, the permissions are stored in three 
places, in the normal Unix acl (ugo) shown by 'ls', in extended ACLs 
shown by 'getfacl' and in an EA shown by 'getfattr' or 'samba-tool'.

> 15 years for me now, I'm replacing the server, I wrote a manual for it 15y ago.
>
> Here the Windows XP, Windows 7 and Windows 10 do work, do login without problems.
> Only the drivermappings are shown disabled so now and then.
>
> And this shift users, so what happened, I really don't know, but the simple net use command
> fixes my problem, the problem is only with 1 server, and that runs a samba 3.6.6
> I'm replacing it this week. Finally.

Have you thought about contacting the Guinness Book of Records for the 
slowest update ever? LOL.

Rowland
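
The RID-as-Unix-ID collision described above, as an added example that is not part of the original message and is not Samba code: it compares the old "Unix ID == RID" habit with an offset range using the arithmetic the idmap_rid man page documents (ID = RID - BASE_RID + LOW_RANGE_ID). The passwd entries, the EXAMPLE domain SIDs and the 10000-19999 range are constructed assumptions.

```python
# Added example: all data below is constructed, not taken from the thread.
LOCAL_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
alice:x:1000:1000:Alice:/home/alice:/bin/bash
bob:x:1001:1001:Bob:/home/bob:/bin/bash
"""
DOMAIN_SIDS = {
    "EXAMPLE\\carol": "S-1-5-21-1111111111-2222222222-3333333333-1000",
    "EXAMPLE\\dave": "S-1-5-21-1111111111-2222222222-3333333333-1001",
    "EXAMPLE\\erin": "S-1-5-21-1111111111-2222222222-3333333333-1105",
}


def local_uids(passwd_text):
    """Return {uid: name} from passwd(5)-format text."""
    rows = (l.split(":") for l in passwd_text.splitlines() if l.strip())
    return {int(f[2]): f[0] for f in rows}


def rid_of(sid):
    """The RID is the last sub-authority of a SID."""
    return int(sid.rsplit("-", 1)[1])


def direct(rid):
    """Old NT4-style habit: the Unix ID is simply the RID."""
    return rid


def ranged(rid, low=10000, high=19999, base_rid=0):
    """ID = RID - BASE_RID + LOW_RANGE_ID; None when outside the range."""
    uid = rid - base_rid + low
    return uid if low <= uid <= high else None


def collisions(mapper, sids=DOMAIN_SIDS, passwd_text=LOCAL_PASSWD):
    """List (domain user, uid, local user) where the mapped ID is taken locally."""
    taken = local_uids(passwd_text)
    hits = []
    for account, sid in sorted(sids.items()):
        uid = mapper(rid_of(sid))
        if uid in taken:
            hits.append((account, uid, taken[uid]))
    return hits


if __name__ == "__main__":
    print("RID as Unix ID:", collisions(direct))
    print("offset range  :", collisions(ranged))
```

A collision here means the domain account and the local account share one numeric owner on disk, so file ownership and permission checks cannot tell them apart.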




