[Samba] Corruption of winbind cache after converting NT4 to AD domain

Michael Tokarev mjt at tls.msk.ru
Sat Feb 12 07:36:02 UTC 2022


12.02.2022 01:01, Patrick Goetz via samba wrote:
[]
> I just moved from NT4 to Samba AD too.  My original plan was to leave the linux machines standalone, but the more I worked with the system the more 
> obvious it became that this was a bad idea for various reasons; e.g. the access permissions on filesystems shared to Windows machines aren't the same 
> if you don't mind the linux workstation to the domain.

"The more obvious it become". This is my "gut feeling" for now, - just
because else it doesn't actually work due to the $subj. But I'm not
sure yet if it is just wrong assumption in winbind a bug due to this
wrong assumption, or it is actually _required_ to have no unix users
with the same name/uid as in AD. So far I tend to see it more like
a bug than actual architectural requirement.  Maybe difficult to
fix bug but still a bug.

> So, what I'm currently doing on the linux machines:
> 
>   1. Remove local linux accounts which match AD accounts.
> 
>   2. Bind the linux machine to the domain
> 
>   3. Reset the permissions on the /home/USER directories on the linux machines to match the UID assigned by Samba. If you're using security groups, 
> these work, too, and you can assign permissions on linux with these, too.

FWIW, this step isn't actually necessary if you assign uidNumber & gidNumber
for your users/groups to be the same as on your standalone server(s)
(assuming all servers shared the same uids).

/mjt



More information about the samba mailing list