[Samba] ad-backend: uidNumber set too late

Jonathon Reinhart jonathon.reinhart at gmail.com
Fri Sep 3 12:04:10 UTC 2021


I wrote ADMan to automatically assign uidNumber and create home directories
on the NAS:

https://gitlab.com/JonathonReinhart/adman



On Fri, Sep 3, 2021, 03:29 Viktor Trojanovic via samba <samba at lists.samba.org> wrote:

> Hi,
>
> I'm using Samba in a domain using the ad backend.
>
> Sometimes it happens that I create a new user and forget to set the
> uidNumber attribute right away. As far as Windows Server resources are
> concerned, that doesn't matter but as soon as I start giving this user
> access to resources on a Samba server, specifically on files using Windows
> ACL permissions, things don't work as expected until I realize that I
> forgot to set the uidNumber.
>
> Typically, in such a situation, I have to set the uidNumber attribute for
> the user, remove all permissions for the user on Samba machines and set
> them again from scratch.
>
> I wonder, is there another, maybe better way to correct such a situation?
>
> And a follow-up question to this. Back in the day, I was under the
> impression that the ad backend is the "best" backend to use. After having
> followed several discussions on the topic on the list over the past few
> years, it seems to me that the ad backend may have its advantages in hybrid
> environments where domain users need access to Linux machines. But other
> than that, RID seems better suited and easier to manage in single-domain
> environments where users only ever log on to Windows machines but may
> access file shares on Samba servers. Feel free to correct me on this
> impression.
>
> So, say I decided to move from the ad backend to the rid backend, which
> steps would be involved?
>
> And one last point: In my opinion, the Wiki pages on the various id mapping
> backends are not clear enough and in certain points maybe even outdated.
>
> As a concrete example, in the Wiki page for the ad backend it is stated
> that "If the Windows Active Directory Users and Computers (ADUC) program is
> not used, you have to manual (sic!) track ID values to avoid duplicates."
> With Windows 10 being the current and recommended version of Windows, this
> information is no longer true. You have to track the ID values manually in
> either case.
>
> As a more experienced Samba user, I see the Wiki page in a different light
> today than 5-6 years ago. But for new users, I still feel the content on
> these pages could be better structured and offer more guidance. Why not
> give a concise summary, describing when the user should prefer this one
> backend over another? And when it comes to listing advantages and
> disadvantages, I wish that it would be made clearer that some of them
> really only apply if domain users are going to work on Linux domain-joined
> machines.
>
> Oh, and by the way, I'm more than happy to help with some of this myself if
> I get edit access to the Wiki.
>
> Vic
>
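Added example, not part of the original thread and not code from ADMan: a small audit that reads LDIF-style account records and reports the conditions discussed above, namely accounts with no uidNumber, uidNumber values shared by more than one account, and values outside the idmap range. The sample records, the range 10000-999999 and the function names are assumptions made for illustration; the parser expects unwrapped, non-base64 LDIF lines.

```python
from collections import defaultdict

# Constructed sample input (not from the thread); "dave" is deliberately below the range.
SAMPLE_LDIF = """\
dn: CN=alice,CN=Users,DC=example,DC=com
sAMAccountName: alice
uidNumber: 10001

dn: CN=bob,CN=Users,DC=example,DC=com
sAMAccountName: bob

dn: CN=carol,CN=Users,DC=example,DC=com
sAMAccountName: carol
uidNumber: 10001

dn: CN=dave,CN=Users,DC=example,DC=com
sAMAccountName: dave
uidNumber: 500
"""

def parse_ldif(text):
    """Yield (sAMAccountName, uidNumber or None) per blank-line-separated entry."""
    for block in text.strip().split("\n\n"):
        attrs = {}
        for line in block.splitlines():
            key, sep, value = line.partition(": ")
            if sep:
                attrs[key.lower()] = value.strip()
        if "samaccountname" in attrs:
            uid = attrs.get("uidnumber")
            yield attrs["samaccountname"], int(uid) if uid is not None else None

def audit(text, low, high):
    """Report accounts the ad backend cannot map cleanly, plus the next unused ID."""
    by_uid, missing, out_of_range = defaultdict(list), [], []
    for name, uid in parse_ldif(text):
        if uid is None:
            missing.append(name)            # no uidNumber set: nothing to map
        else:
            by_uid[uid].append(name)
            if not low <= uid <= high:
                out_of_range.append(name)   # outside the assumed idmap range
    duplicates = {u: n for u, n in by_uid.items() if len(n) > 1}
    next_free = next((u for u in range(low, high + 1) if u not in by_uid), None)
    return {"missing": missing, "duplicates": duplicates,
            "out_of_range": out_of_range, "next_free": next_free}

if __name__ == "__main__":
    print(audit(SAMPLE_LDIF, 10000, 999999))
```

A duplicate matters as much as a missing value: two accounts that share one uidNumber are the same user to the file system on the Samba server.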

