[Samba] Corruption of winbind cache after converting NT4 to AD domain

Patrick Goetz pgoetz at math.utexas.edu
Fri Feb 11 22:01:28 UTC 2022

On 2/11/22 15:34, Michael Tokarev via samba wrote:
> For a long time, we had unix users with their own regular home directories,
> shell access and lots of work in linux.  As far as I can see, in order to
> use AD domain, we should convert linux users to AD, so that a user is 
> in linux OR in AD, but not both.  I found nothing conclusive about this, it
> is just my gut feeling, - there's no direct requirement like this in the 
> docs
> I found so far.  But I see that people do it like this, not mixing uids and
> usernames.  It is just my gut feeling maybe I'm wrong..
> So there are two parts of the question:
> First, how such setup should be done? We really used to linux auth and 
> linux
> work, it's somewhat unnatural to rely on the AD when dealing with local 
> linux
> accounts.  But at the same time, these account should have access from 
> windows
> to their files.  And most important, _why_ this setup should be done?
> And second, what to do with this cache corruption, how to prevent it? Is it
> possible to perform AD auth by samba AND linux auth when logging in to 
> the linux
> machine?  Adding --no-cache to winbind command line helped, but this 
> obviously
> is not a good solution...

I just moved from NT4 to Samba AD too.  My original plan was to leave 
the linux machines standalone, but the more I worked with the system the 
more obvious it became that this was a bad idea for various reasons; 
e.g. the access permissions on filesystems shared to Windows machines 
aren't the same if you don't mind the linux workstation to the domain.

So, what I'm currently doing on the linux machines:

  1. Remove local linux accounts which match AD accounts.

  2. Bind the linux machine to the domain

  3. Reset the permissions on the /home/USER directories on the linux 
machines to match the UID assigned by Samba. If you're using security 
groups, these work, too, and you can assign permissions on linux with 
these, too.

This seems to work pretty well and avoids the complications of using, 
say, autofs. You're just using AD for authentication in this case, 
although of course you can mount shares, too.  I *don't*, and continue 
to use NFS to mount file systems between linux machines. You can also 
make this work if you have a home directory server with autofs clients. 
  Just execute the above on the home directory server and make sure your 
linux clients are using AD to authenticate.

More information about the samba mailing list