[Samba] windows service access denied

Rowland Penny rpenny at samba.org
Sat Feb 12 08:28:51 UTC 2022


On Sat, 2022-02-12 at 10:46 +0300, Michael Tokarev via samba wrote:
> 12.02.2022 01:24, Patrick Goetz via samba wrote:
> > You have local accounts which match Samba AD accounts?  That seems
> > like a terrible idea; but in particular surely the user SIDs don't
> > match and maybe this is the problem?
> 
> Um. *Why* is this a bad idea, Patrick?
> 
> It seems to be a popular topic (I faced another prob due to this),
> but it seems it all boils down to 2 questions:
> 
> 1. *Why* is it actually a bad idea to have the same users locally and
> in AD?

Because the local Samba 'user' will have a different SID to the AD
user, they ARE different users.
 
> Myself, I think about just one "user", parts of its attributes,
> roughly speaking, are stored locally in /etc/passwd & Co for local
> access and parts are in AD, for access over SMB network.

Stop thinking like that :-)

>   The two parts are in sync

I doubt this.

>  (I assume it is okay for that user to
> not work right in case they're not in sync).  Why is my view a
> "terrible idea"?
> This question is important, to me at least.

Once you get your head around having only one place (alright multiple
places if you have multiple DCs, but the same database) to
administrate your domain, no adding users to /etc/passwd and then
creating them again in another database, you just create them once and
use them anywhere in your domain.

> 
> 2. If it really is that bad an idea, why isn't this fact, really
> important and confusing for so many people, mentioned in bold on
> every AD-related page? :)

Because it would get tedious and it is accepted that this is how AD works.

> Seriously, people come to this conclusion only after facing many
> errors trying to fix all sorts of probs. I guess it'd be much less
> surprising/confusing if there was some information about this
> somewhere...

It is all over the internet, but is disguised as Microsoft
documentation :-D

Rowland
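
The point about SIDs in the message above, as an added example that is not part of the original post: a small model of a SID-based access check, showing that two accounts with the same name issued by different authorities (a local account database versus the AD domain) never match. The account name, both authority SIDs and both RIDs are constructed sample values.

```python
# Added illustration: a SID-based access check. Every SID, RID and the
# account name "alice" below are constructed sample values.
from dataclasses import dataclass

@dataclass(frozen=True)
class Account:
    name: str  # what the administrator sees
    sid: str   # what the access check compares

def split_sid(sid):
    """Split 'S-1-5-21-a-b-c-RID' into (issuing authority SID, RID)."""
    parts = sid.upper().split("-")
    if len(parts) < 4 or parts[:2] != ["S", "1"]:
        raise ValueError(f"not a revision-1 SID string: {sid!r}")
    if not all(p.isdigit() for p in parts[2:]):
        raise ValueError(f"non-numeric field in SID: {sid!r}")
    if any(int(p) > 0xFFFFFFFF for p in parts[3:]):
        raise ValueError(f"sub-authority exceeds 32 bits: {sid!r}")
    return "-".join(parts[:-1]), int(parts[-1])

def same_principal(a, b):
    """Two accounts are the same user only if authority AND RID match."""
    return split_sid(a.sid) == split_sid(b.sid)

def is_allowed(acl_sids, token_sids):
    """Grant access if any SID in the caller's token appears in the ACL."""
    acl = {split_sid(s) for s in acl_sids}
    return any(split_sid(s) in acl for s in token_sids)

# Constructed authorities: one for a host's local account database,
# one for the AD domain. They are generated independently, so they differ.
LOCAL_AUTHORITY = "S-1-5-21-1111111111-2222222222-3333333333"
DOMAIN_AUTHORITY = "S-1-5-21-1234567890-1234567891-1234567892"

local_alice = Account("alice", LOCAL_AUTHORITY + "-1001")
ad_alice = Account("alice", DOMAIN_AUTHORITY + "-1105")

# A resource whose ACL was written for the AD account.
resource_acl = [ad_alice.sid]

if __name__ == "__main__":
    print("same name:     ", local_alice.name == ad_alice.name)
    print("same principal:", same_principal(local_alice, ad_alice))
    print("AD alice:      ", is_allowed(resource_acl, [ad_alice.sid]))
    print("local alice:   ", is_allowed(resource_acl, [local_alice.sid]))
```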




