[Samba] Corruption of winbind cache after converting NT4 to AD domain

Rowland Penny rpenny at samba.org
Fri Feb 11 22:11:43 UTC 2022 

On Fri, 2022-02-11 at 16:01 -0600, Patrick Goetz via samba wrote:
> On 2/11/22 15:34, Michael Tokarev via samba wrote:
> > For a long time, we had unix users with their own regular home
> > directories,
> > shell access and lots of work in linux.  As far as I can see, in
> > order to
> > use AD domain, we should convert linux users to AD, so that a user
> > is 
> > EITHER
> > in linux OR in AD, but not both.  I found nothing conclusive about
> > this, it
> > is just my gut feeling, - there's no direct requirement like this
> > in the 
> > docs
> > I found so far.  But I see that people do it like this, not mixing
> > uids and
> > usernames.  It is just my gut feeling maybe I'm wrong..
> > 
> > So there are two parts of the question:
> > 
> > First, how such setup should be done? We really used to linux auth
> > and 
> > linux
> > work, it's somewhat unnatural to rely on the AD when dealing with
> > local 
> > linux
> > accounts.  But at the same time, these account should have access
> > from 
> > windows
> > to their files.  And most important, _why_ this setup should be
> > done?
> > 
> > And second, what to do with this cache corruption, how to prevent
> > it? Is it
> > possible to perform AD auth by samba AND linux auth when logging in
> > to 
> > the linux
> > machine?  Adding --no-cache to winbind command line helped, but
> > this 
> > obviously
> > is not a good solution...
> > 
> 
> I just moved from NT4 to Samba AD too.  My original plan was to
> leave 
> the linux machines standalone, but the more I worked with the system
> the 
> more obvious it became that this was a bad idea for various reasons; 
> e.g. the access permissions on filesystems shared to Windows
> machines 
> aren't the same if you don't mind the linux workstation to the
> domain.

If you have AD, there is no point in using Samba as a standalone
server, in fact, if you later decide to join the 'standalone server' to
the domain, that is where your troubles start.

> 
> So, what I'm currently doing on the linux machines:
> 
>   1. Remove local linux accounts which match AD accounts.
> 
>   2. Bind the linux machine to the domain
> 
>   3. Reset the permissions on the /home/USER directories on the
> linux 
> machines to match the UID assigned by Samba. If you're using
> security 
> groups, these work, too, and you can assign permissions on linux
> with 
> these, too.
> 
> This seems to work pretty well and avoids the complications of
> using, 
> say, autofs. You're just using AD for authentication in this case, 
> although of course you can mount shares, too.  I *don't*, and
> continue 
> to use NFS to mount file systems between linux machines. You can
> also 
> make this work if you have a home directory server with autofs
> clients. 
>   Just execute the above on the home directory server and make sure
> your 
> linux clients are using AD to authenticate.

It all just works, you may need slightly different 'incatations' in the
conf files, but it all just works.

One of the benefits of this is that you can use SSH with kerberos, no
keys.
 
Rowland

More information about the samba mailing list