[Samba] ad-backend: uidNumber set too late

Viktor Trojanovic viktor at troja.ch
Fri Sep 3 07:27:49 UTC 2021


Hi,

I'm using Samba in a domain using the ad backend.

Sometimes it happens that I create a new user and forget to set the
uidNumber attribute right away. As far as Windows Server resources are
concerned, that doesn't matter, but as soon as I start giving this user
access to resources on a Samba server, specifically on files using Windows
ACL permissions, things don't work as expected until I realize that I
forgot to set the uidNumber.

Typically, in such a situation, I have to set the uidNumber attribute for
the user, remove all permissions for the user on Samba machines and set
them again from scratch.

I wonder, is there another, maybe better way to correct such a situation?

And a follow-up question to this. Back in the day, I was under the
impression that the ad backend is the "best" backend to use. After having
followed several discussions on the topic on the list over the past few
years, it seems to me that the ad backend may have its advantages in hybrid
environments where domain users need access to Linux machines. But other
than that, RID seems better suited and easier to manage in single-domain
environments where users only ever log on to Windows machines but may
access file shares on Samba servers. Feel free to correct me on this
impression.

So, say I decided to move from the ad backend to the rid backend, which
steps would be involved?

And one last point: In my opinion, the Wiki pages on the various id mapping
backends are not clear enough and at certain points maybe even outdated.

As a concrete example, in the Wiki page for the ad backend it is stated
that "If the Windows Active Directory Users and Computers (ADUC) program is
not used, you have to manual (sic!) track ID values to avoid duplicates."
With Windows 10 being the current and recommended version of Windows, this
information is no longer true. You have to track the ID values manually in
either case.

As a more experienced Samba user, I see the Wiki page in a different light
today than 5-6 years ago. But for new users, I still feel the content on
these pages could be better structured and offer more guidance. Why not
give a concise summary, describing when the user should prefer this one
backend over another? And when it comes to listing advantages and
disadvantages, I wish that it would be made clearer that some of them
really only apply if domain users are going to work on Linux domain-joined
machines.

Oh, and by the way, I'm more than happy to help with some of this myself if
I get edit access to the Wiki.

Vic
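
Added example, not part of the original post: a small audit over an LDIF export of user objects that reports accounts with no uidNumber, uidNumber values shared by more than one account, and values outside the idmap range configured for the domain, so the gap is caught before ACLs are set on a Samba server. The function names, the range 10000-999999 and the sample LDIF are assumptions constructed for illustration, and the parser is simplified (no folded lines or base64 values).

```python
import re
from collections import defaultdict
# Constructed sample LDIF (not real directory data).
SAMPLE_LDIF = """\
dn: CN=Alice Example,CN=Users,DC=samdom,DC=example,DC=com
sAMAccountName: alice
uidNumber: 10001

dn: CN=Bob Example,CN=Users,DC=samdom,DC=example,DC=com
sAMAccountName: bob

dn: CN=Carol Example,CN=Users,DC=samdom,DC=example,DC=com
sAMAccountName: carol
uidNumber: 10001

dn: CN=Dave Example,CN=Users,DC=samdom,DC=example,DC=com
sAMAccountName: dave
uidNumber: 500
"""

def parse_entries(ldif):
    """Split LDIF into entries; return a list of {attribute: value} dicts."""
    entries = []
    for block in re.split(r"\n\s*\n", ldif.strip()):
        entry = {}
        for line in block.splitlines():
            if ": " in line and not line.startswith("#"):  # skip comments
                key, value = line.split(": ", 1)
                entry[key] = value.strip()
        if "sAMAccountName" in entry:
            entries.append(entry)
    return entries

def audit_uid_numbers(ldif, low=10000, high=999999):
    """Return (missing, duplicates, out_of_range) for the assumed idmap range."""
    missing, out_of_range, by_uid = [], [], defaultdict(list)
    for e in parse_entries(ldif):
        name, raw = e["sAMAccountName"], e.get("uidNumber")
        if raw is None or not raw.isdigit():
            missing.append(name)  # the ad backend has no ID to map for this user
            continue
        uid = int(raw)
        by_uid[uid].append(name)
        if not low <= uid <= high:
            out_of_range.append(name)  # outside the configured idmap range
    duplicates = {u: n for u, n in by_uid.items() if len(n) > 1}
    return missing, duplicates, out_of_range

print(audit_uid_numbers(SAMPLE_LDIF))
```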