[Samba] Samba as a domain member:

Mon Jun 15 19:50:26 UTC 2020

On 6/15/20 2:26 PM, Rowland penny via samba wrote:
> On 15/06/2020 20:02, Christopher Cox via samba wrote:
>> On 6/15/20 12:35 PM, Rowland penny via samba wrote:
>>> On 15/06/2020 18:02, Christopher Cox via samba wrote:
>>>> Actually, as far as a base statement, you can have both,
>>>
>>> You cannot have the same user in /etc/passwd and AD, though if you persevere 
>>> enough you probably could create them in both databases.
>>>
>>> Lets take a user called 'fred':
>>>
>>> rowland at devstation:~/tests$ cat /etc/passwd | grep 'fred'
>>>
>>> Which on 'devstation' produces no output, so the user isn't in /etc/passwd, but:
>>>
>>> rowland at devstation:~/tests$ getent passwd fred
>>>
>>> Produces this:
>>>
>>> fred:*:10005:10000::/home/fred:/bin/bash
>>>
>>> So, even though 'fred' isn't in /etc/passwd, the Linux OS knows who 'fred' 
>>> is, so lets try and create 'fred' as a Linux user:
>>>
>>> rowland at devstation:~/tests$ sudo adduser fred
>>> [sudo] password for rowland:
>>> adduser: The user `fred' already exists.
>>>
>>> So, the OS will not let me create 'fred' in /etc/passwd
>>
>> The command prohibited it.  So, look at this differently. Assume you have a 
>> host where local users already exist and then you join that host as a domain 
>> member.
>>
>> Surprise!  You can now have the same user in /etc/passwd as well as via winbind.
>>
>>>
>>> I could probably create 'fred' in /etc/passwd by removing 'winbind' from the 
>>> 'passwd' line in /etc/nsswitch.conf, but this would mean that the Linux user 
>>> 'fred' would be used instead of the AD user 'fred', even when I put winbind 
>>> back in /etc/nsswitch.conf.
>>>
>>> Please don't try to 'bend' AD, that way will only lead to trouble and there 
>>> is absolutely no reason to do it.
>>
>> I kinda like you, but you DO NOT take criticism well at all.  Just because 
>> "you think" you understand how things work doesn't mean that you actually do.  
>> Better response:  Hmmm, you're right, but I don't advise doing it.
>>
>> I'll save you the time: PLEASE DO NOT MAKE ANY MORE REPLIES ON THIS.
> 
> I am ignoring that, because you are wrong and also because I do take criticism, 
> but only when it is deserved.
> 

I disagree.

> Yes, if you have users in /etc/passwd and then join the computer to the domain 
> (where the same usernames exist), then the 'usernames' will exist in the both 
> databases, but they are not the same users and the 'local' users will be used 
> before the domain users. This is because the 'passwd' line in /etc/nsswitch.conf 
> will be similar to this:  passwd: compat winbind

Two namespaces, which I CLEARLY stated.

> 
> That line means, check /etc/passwd first and if the user isn't found, then check 
> winbind. So, if the username exists in /etc/passwd, winbind will never be checked.

Correct, the idea that there is more than one namespace.

> 
> As far as Samba is concerned, the local user will be COMPUTER_HOSTNAME\username, 
> domain users will be DOMAIN\username, to prove this:
> 
> rowland at devstation:~/tests$ sudo net getdomainsid
> SID for local machine DEVSTATION is: S-1-5-21-1108792384-1865707183-3144552696
> SID for domain SAMDOM is: S-1-5-21-1768301897-3342589593-1064908849
> 
> As I hope you can see, there are two SID's there.

And, in your one context view, yes, again, agreeing totally with everything I said.

> 
> I wrote this because I didn't want the thread to end on something that sounded 
> like Samba supported having the same users in /etc/passwd and AD, we do not 
> support this at all.

My point, especially in the context of the original thread, which had a lot to 
do with a host with multiple namespaces, is that you have the same username 
twice on a host where the context matters.  Again, taking note of my statement 
with regards to ambiguity.