[Samba] net ads status stripped output

Rowland Penny rpenny at samba.org
Thu Jun 4 07:08:54 UTC 2020

On 04/06/2020 07:57, Markus Lindberg wrote:
>> Nope, we are using good old local accounts added to passwd and shadow.
>>> Users added to /etc/passwd on an AD joined machine are just local users
>>> and you cannot have the same username in /etc/passwd and AD.
> That is fair.
>> Does this apply _even_ if I'm using Samba to authenticate any users? I
>> do not fully comprehend how Samba works, which I need to read up on. Is
>> it perhaps used if a user mounts a network share via cifs?
>>> If you use the winbind 'ad' backend, you must add a unique uidNumber to
>>> your users in AD (which, as I said, must not exist in /etc/passwd), you
>>> must also add a gidNumber attribute to Domain Users. All of these
>>> numbers must be inside the DOMAIN range you set in smb.conf, for
>>> instance, if your line is:
> I mistyped. What I meant to type is, does this apply _even_ if I'm *not*
> using Samba to authenticate any users? We only use Samba to join the
> computers to the domain. The user accounts are locally created and are
> not used from an identity management system.
> As mentioned I'm not particularly interested in authenticating any user
> accounts via Samba/Winbind, I'm only interested in joining the
> computers to our Active Directory domain.

If you do not want to authenticate users and groups, why are you joining
the computers to AD?

The whole idea behind AD is the centralisation of users and groups. If 
you are using users and groups created locally on the computer (i.e. 
they are not in AD), then you are not using AD even if the computer is 
joined to AD.

I think you need to explain just what you are doing.
