[Samba] Samba as a domain member:
chriscox at endlessnow.com
Mon Jun 15 19:50:26 UTC 2020
On 6/15/20 2:26 PM, Rowland penny via samba wrote:
> On 15/06/2020 20:02, Christopher Cox via samba wrote:
>> On 6/15/20 12:35 PM, Rowland penny via samba wrote:
>>> On 15/06/2020 18:02, Christopher Cox via samba wrote:
>>>> Actually, as far as a base statement, you can have both,
>>> You cannot have the same user in /etc/passwd and AD, though if you persevere
>>> enough you probably could create them in both databases.
>>> Let's take a user called 'fred':
>>> rowland@devstation:~/tests$ cat /etc/passwd | grep 'fred'
>>> Which on 'devstation' produces no output, so the user isn't in /etc/passwd, but:
>>> rowland@devstation:~/tests$ getent passwd fred
>>> Produces this:
>>> So, even though 'fred' isn't in /etc/passwd, the Linux OS knows who 'fred'
>>> is, so let's try and create 'fred' as a Linux user:
>>> rowland@devstation:~/tests$ sudo adduser fred
>>> [sudo] password for rowland:
>>> adduser: The user `fred' already exists.
>>> So, the OS will not let me create 'fred' in /etc/passwd
>> The command prohibited it. So, look at this differently. Assume you have a
>> host where local users already exist and then you join that host as a domain
>> Surprise! You can now have the same user in /etc/passwd as well as via winbind.
>>> I could probably create 'fred' in /etc/passwd by removing 'winbind' from the
>>> 'passwd' line in /etc/nsswitch.conf, but this would mean that the Linux user
>>> 'fred' would be used instead of the AD user 'fred', even when I put winbind
>>> back in /etc/nsswitch.conf.
>>> Please don't try to 'bend' AD, that way will only lead to trouble and there
>>> is absolutely no reason to do it.
>> I kinda like you, but you DO NOT take criticism well at all. Just because
>> "you think" you understand how things work doesn't mean that you actually do.
>> Better response: Hmmm, you're right, but I don't advise doing it.
>> I'll save you the time: PLEASE DO NOT MAKE ANY MORE REPLIES ON THIS.
> I am ignoring that, because you are wrong and also because I do take criticism,
> but only when it is deserved.
> Yes, if you have users in /etc/passwd and then join the computer to the domain
> (where the same usernames exist), then the 'usernames' will exist in both
> databases, but they are not the same users and the 'local' users will be used
> before the domain users. This is because the 'passwd' line in /etc/nsswitch.conf
> will be similar to this: passwd: compat winbind
Two namespaces, which I CLEARLY stated.
> That line means, check /etc/passwd first and if the user isn't found, then check
> winbind. So, if the username exists in /etc/passwd, winbind will never be checked.
Correct, the idea that there is more than one namespace.
> As far as Samba is concerned, the local user will be COMPUTER_HOSTNAME\username,
> domain users will be DOMAIN\username, to prove this:
> rowland@devstation:~/tests$ sudo net getdomainsid
> SID for local machine DEVSTATION is: S-1-5-21-1108792384-1865707183-3144552696
> SID for domain SAMDOM is: S-1-5-21-1768301897-3342589593-1064908849
> As I hope you can see, there are two SIDs there.
And, in your one context view, yes, again, agreeing totally with everything I said.
> I wrote this because I didn't want the thread to end on something that sounded
> like Samba supported having the same users in /etc/passwd and AD, we do not
> support this at all.
My point, especially in the context of the original thread, which had a lot to
do with a host with multiple namespaces, is that you have the same username
twice on a host where the context matters. Again, taking note of my statement
with regards to ambiguity.
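
The lookup order discussed in this thread can be audited on a domain member with a short script. This is an added example, not part of the original message: the function names and the sample passwd entries are constructed for illustration, and real input would come from `getent -s files passwd` and `getent -s winbind passwd`.

```shell
#!/bin/sh
# Added example: list usernames that exist both locally and in the domain.
# Inputs are passwd-format text, e.g. the output of
#   getent -s files passwd   and   getent -s winbind passwd
# (winbind enumerates users only with "winbind enum users = yes").

# Constructed sample data, not taken from the thread.
LOCAL_SAMPLE='root:x:0:0:root:/root:/bin/bash
fred:x:1001:1001:Local Fred:/home/fred:/bin/bash
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin'

DOMAIN_SAMPLE='SAMDOM\fred:*:11105:10513::/home/fred:/bin/bash
alice:*:11106:10513::/home/alice:/bin/bash
SAMDOM\backup:*:11107:10513::/home/backup:/bin/bash'

# Which side answers for a name present in both, given the passwd line of
# nsswitch.conf: the first listed source that knows the name wins.
winning_side() {
    printf '%s\n' "$1" | awk '$1 == "passwd:" {
        for (i = 2; i <= NF; i++) {
            if ($i == "files" || $i == "compat") { print "local"; exit }
            if ($i == "winbind") { print "domain"; exit }
        }
    }'
}

# Print "name local_uid domain_uid" for every name found in both inputs.
shadowed_users() {
    { printf '%s\n' "$1"; echo '--'; printf '%s\n' "$2"; } | awk -F: '
        $0 == "--" { in_domain = 1; next }
        !in_domain { local_uid[$1] = $3; next }
        {
            name = $1
            sub(/^.*\\/, "", name)   # drop a DOMAIN\ prefix if present
            if (name in local_uid) print name, local_uid[name], $3
        }' | sort
}

echo "resolved from: $(winning_side 'passwd: compat winbind')"
shadowed_users "$LOCAL_SAMPLE" "$DOMAIN_SAMPLE"
```

Any name this prints resolves to the local account on a host whose passwd line lists compat or files before winbind, so ownership and access checks for that name use the local UID rather than the domain one.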