[Samba] Corruption of winbind cache after converting NT4 to AD domain
Michael Tokarev
mjt at tls.msk.ru
Sat Feb 12 07:36:02 UTC 2022
12.02.2022 01:01, Patrick Goetz via samba wrote:
[]
> I just moved from NT4 to Samba AD too. My original plan was to leave the linux machines standalone, but the more I worked with the system the more
> obvious it became that this was a bad idea for various reasons; e.g. the access permissions on filesystems shared to Windows machines aren't the same
> if you don't bind the linux workstation to the domain.
"The more obvious it became". This is my "gut feeling" for now, - just
because otherwise it doesn't actually work due to the $subj. But I'm not
sure yet if it is just a wrong assumption in winbind, a bug due to this
wrong assumption, or whether it is actually _required_ to have no unix users
with the same name/uid as in AD. So far I tend to see it more like
a bug than an actual architectural requirement. Maybe a difficult-to-fix
bug, but still a bug.
> So, what I'm currently doing on the linux machines:
>
> 1. Remove local linux accounts which match AD accounts.
>
> 2. Bind the linux machine to the domain
>
> 3. Reset the permissions on the /home/USER directories on the linux machines to match the UID assigned by Samba. If you're using security groups,
> these work, too, and you can assign permissions on linux with these, too.
FWIW, this step isn't actually necessary if you assign uidNumber & gidNumber
for your users/groups to be the same as on your standalone server(s)
(assuming all servers shared the same uids).
/mjt
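The check behind steps 1 and 3 above, and behind the uidNumber/gidNumber remark, as an added example that is not part of this thread or of Samba: compare the standalone machine's passwd(5) entries with what the domain resolves for the same names after the join, and list the accounts that still shadow an AD account and the ones whose home directories would need re-owning. The two input files are assumed to be passwd-format text (e.g. a copy of `/etc/passwd` and the output of `getent passwd`); the data embedded here is constructed sample data.

```shell
#!/bin/sh
# uid_conflicts LOCAL DOMAIN
#   Print "name local_uid domain_uid" for every account name that exists in
#   both files with a different uid. Prints nothing when uidNumber was set
#   to match the standalone uids (the case where step 3 is unnecessary).
uid_conflicts() {
    awk -F: 'NR==FNR { local_uid[$1] = $3; next }
             ($1 in local_uid) && local_uid[$1] != $3 {
                 print $1, local_uid[$1], $3
             }' "$1" "$2"
}

# shadowed_accounts LOCAL DOMAIN
#   Print every name present in both files: the local accounts that step 1
#   says should be removed before winbind takes over name resolution.
shadowed_accounts() {
    awk -F: 'NR==FNR { seen[$1] = 1; next }
             ($1 in seen) { print $1 }' "$1" "$2"
}

# chown_plan LOCAL DOMAIN
#   Print (do not run) the chown commands that step 3 would need, one per
#   conflicting account, using the home directory from the local entry.
chown_plan() {
    awk -F: 'NR==FNR { local_uid[$1] = $3; home[$1] = $6; next }
             ($1 in local_uid) && local_uid[$1] != $3 {
                 printf "chown -R %s %s\n", $3, home[$1]
             }' "$1" "$2"
}

# make_samples: write constructed sample data to a temp dir and print its path.
# alice keeps her uid (uidNumber assigned to match), bob got a winbind idmap
# uid instead, carol exists only locally, dave only in the domain.
make_samples() {
    d=$(mktemp -d)
    cat > "$d/local.passwd" <<'EOF'
root:x:0:0:root:/root:/bin/sh
alice:x:1001:1001:Alice:/home/alice:/bin/bash
bob:x:1002:1002:Bob:/home/bob:/bin/bash
carol:x:1003:1003:Carol:/home/carol:/bin/bash
EOF
    cat > "$d/domain.passwd" <<'EOF'
alice:*:1001:10000:Alice:/home/alice:/bin/bash
bob:*:3000012:10000:Bob:/home/bob:/bin/bash
dave:*:3000013:10000:Dave:/home/dave:/bin/bash
EOF
    echo "$d"
}

# Run against real files when two paths are given on the command line.
[ "$#" -eq 2 ] && uid_conflicts "$1" "$2"
```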