[Samba] windows service access denied

Lukasz Brodowski lukasz at teamup.pl
Sat Feb 12 08:56:35 UTC 2022


Back to main topic - as I said - I don’t have AD. Only local users. What about it?


> Message written by Rowland Penny via samba <samba at lists.samba.org> on 12.02.2022, at 09:30:
> 
> On Sat, 2022-02-12 at 10:46 +0300, Michael Tokarev via samba wrote:
>> 12.02.2022 01:24, Patrick Goetz via samba wrote:
>>> You have local accounts which match Samba AD accounts?  That seems
>>> like a terrible idea; but in particular surely the user SID's don't
>>> match and maybe 
>>> this is the problem?
>> 
>> Um. *why* this is a bad idea, Patrick?
>> 
>> It seems to be a popular topic (I faced another prob due to this),
>> but it seems it all
>> boils down to 2 questions:
>> 
>> 1. *why* it is actually a bad idea to have the same users locally and
>> in AD?
> 
> Because the local Samba 'user' will have a different SID to the AD
> user, they ARE different users.
> 
>> Myself, I think about just one "user", parts of its attributes,
>> roughly speaking, are
>> stored locally in /etc/passwd &Co for local access and parts are in
>> AD, for access
>> over SMB network.
> 
> Stop thinking like that :-)
> 
>>  The two parts are in sync
> 
> I doubt this.
> 
>> (I assume it is okay for that user to
>> not work right in case they're not in sync).  Why my view is a
>> "terrible idea"?
>> This question is important, to me at least.
> 
> Once you get your head around having only one place (alright multiple
> places if you have multiple DC's, but the same database) to
> administrate your domain, no adding users to /etc/passwd and then
> creating them again in another database, you just create them once and
> use them anywhere in your domain.
> 
>> 
>> 2. If it really is this that bad an idea, why this really important
>> and confusing
>> for so many people fact isn't mentioned in bold on every ad-related
>> page? :)
> 
> Because it would get tedious and it is accepted that this is how AD works.
> 
>> Seriously, people come to this conclusion only after facing many
>> errors trying
>> to fix all sorts of probs. I guess it'd be much less
>> surprising/confusing if
>> there was some information about this somewhere...
> 
> It is all over the internet, but is disguised as Microsoft
> documentation :-D
> 
> Rowland
> 
> 
> 



