[Samba] Samba as a domain member:

Rowland penny rpenny at samba.org
Mon Jun 15 19:26:13 UTC 2020

On 15/06/2020 20:02, Christopher Cox via samba wrote:
> On 6/15/20 12:35 PM, Rowland penny via samba wrote:
>> On 15/06/2020 18:02, Christopher Cox via samba wrote:
>>> Actually, as far as a base statement, you can have both,
>> You cannot have the same user in /etc/passwd and AD, though if you 
>> persevere enough you probably could create them in both databases.
>> Lets take a user called 'fred':
>> rowland at devstation:~/tests$ cat /etc/passwd | grep 'fred'
>> Which on 'devstation' produces no output, so the user isn't in 
>> /etc/passwd, but:
>> rowland at devstation:~/tests$ getent passwd fred
>> Produces this:
>> fred:*:10005:10000::/home/fred:/bin/bash
>> So, even though 'fred' isn't in /etc/passwd, the Linux OS knows who 
>> 'fred' is, so lets try and create 'fred' as a Linux user:
>> rowland at devstation:~/tests$ sudo adduser fred
>> [sudo] password for rowland:
>> adduser: The user `fred' already exists.
>> So, the OS will not let me create 'fred' in /etc/passwd
> The command prohibited it.  So, look at this differently. Assume you 
> have a host where local users already exist and then you join that 
> host as a domain member.
> Surprise!  You can now have the same user in /etc/passwd as well as 
> via winbind.
>> I could probably create 'fred' in /etc/passwd by removing 'winbind' 
>> from the 'passwd' line in /etc/nsswitch.conf, but this would mean 
>> that the Linux user 'fred' would be used instead of the AD user 
>> 'fred', even when I put winbind back in /etc/nsswitch.conf.
>> Please don't try to 'bend' AD, that way will only lead to trouble and 
>> there is absolutely no reason to do it.
> I kinda like you, but you DO NOT take criticism well at all.  Just 
> because "you think" you understand how things work doesn't mean that 
> you actually do.  Better response:  Hmmm, you're right, but I don't 
> advise doing it.

I am ignoring that, because you are wrong and also because I do take 
criticism, but only when it is deserved.

Yes, if you have users in /etc/passwd and then join the computer to the 
domain (where the same usernames exist), then the 'usernames' will exist 
in the both databases, but they are not the same users and the 'local' 
users will be used before the domain users. This is because the 'passwd' 
line in /etc/nsswitch.conf will be similar to this:  passwd:         
compat winbind

That line means, check /etc/passwd first and if the user isn't found, 
then check winbind. So, if the username exists in /etc/passwd, winbind 
will never be checked.

As far as Samba is concerned, the local user will be 
COMPUTER_HOSTNAME\username, domain users will be DOMAIN\username, to 
prove this:

rowland at devstation:~/tests$ sudo net getdomainsid
SID for local machine DEVSTATION is: 
SID for domain SAMDOM is: S-1-5-21-1768301897-3342589593-1064908849

As I hope you can see, there are two SID's there.

I wrote this because I didn't want the thread to end on something that 
sounded like Samba supported having the same users in /etc/passwd and 
AD, we do not support this at all.


More information about the samba mailing list