[Samba] Corruption of winbind cache after converting NT4 to AD domain

Rowland Penny rpenny at samba.org
Sat Feb 12 08:34:32 UTC 2022

On Sat, 2022-02-12 at 10:36 +0300, Michael Tokarev via samba wrote:
> 12.02.2022 01:01, Patrick Goetz via samba wrote:
> []
> > I just moved from NT4 to Samba AD too.  My original plan was to
> > leave the linux machines standalone, but the more I worked with the
> > system the more 
> > obvious it became that this was a bad idea for various reasons;
> > e.g. the access permissions on filesystems shared to Windows
> > machines aren't the same 
> > if you don't mind the linux workstation to the domain.
> "The more obvious it become". This is my "gut feeling" for now, -
> just
> because else it doesn't actually work due to the $subj. But I'm not
> sure yet if it is just wrong assumption in winbind a bug due to this
> wrong assumption, or it is actually _required_ to have no unix users
> with the same name/uid as in AD. So far I tend to see it more like
> a bug than actual architectural requirement.  Maybe difficult to
> fix bug but still a bug.

It is not a bug, you just do not have users in /etc/passwd and AD, you
just have them in AD.

> > So, what I'm currently doing on the linux machines:
> > 
> >   1. Remove local linux accounts which match AD accounts.

I would go further, any users with an ID > 1000 that are not in AD
should be moved to AD.


More information about the samba mailing list