[Samba] net ads status stripped output
Rowland penny
rpenny at samba.org
Wed Jun 3 15:13:00 UTC 2020
On 03/06/2020 15:38, Markus Lindberg wrote:
> Nope, we are using good old local accounts added to passwd and shadow.
Users added to /etc/passwd on an AD joined machine are just local users
and you cannot have the same username in /etc/passwd and AD.
> Does this apply _even_ if I'm using Samba to authenticate any users? I
> do not fully comprehed how Samba works, which I need to read up on. Is
> it perhaps used if a user mounts a network share via cifs?
If you use the winbind 'ad' backend, you must add a unique uidNumber to
your users in AD (which, as I said, must not exist in /etc/passwd), you
must also add a gidNumber attribute to Domain Users. All of these
numbers must be inside the DOMAIN range you set in smb.conf, for
instance, if your line is:
idmap config SAMDOM : range = 10000-999999
All the numbers must be inside '10000-999999' and you can have a user
with the same uidNumber as a groups gidNumber. i.e. a users uidNumber
could be '10000' and the group Domain Users could have the gidNumber
'10000'.
If you do not want to add anything to AD, you could use the rid backend,
but you would need to use exactly the same smb.conf on all Unix
machines. The part about not having users & groups in /etc/passwd &
/etc/group and in AD would still apply though.
Rowland
More information about the samba
mailing list