[Samba] Corruption of winbind cache after converting NT4 to AD domain
Patrick Goetz
pgoetz at math.utexas.edu
Sat Feb 12 12:45:20 UTC 2022
On 2/12/22 01:36, Michael Tokarev wrote:
>> So, what I'm currently doing on the linux machines:
>>
>> 1. Remove local linux accounts which match AD accounts.
>>
>> 2. Bind the linux machine to the domain
>>
>> 3. Reset the permissions on the /home/USER directories on the linux
>> machines to match the UID assigned by Samba. If you're using security
>> groups, these work, too, and you can assign permissions on linux with
>> these, too.
>
> FWIW, this step isn't actually necessary if you assign uidNumber &
> gidNumber
> for your users/groups to be the same as on your standalone server(s)
> (assuming all servers shared the same uids).
>
Yes, this was my original plan, and that will work with *linux*
workstations (see following response to your next message).
But then every time you add a new user you have to also add this user to
/etc/passwd with the right UID, and also remember to delete them when
they're deleted from the domain. The question to ask yourself is "what
is gained by doing it this way?" I couldn't think of anything; that's
when I realized that it's simpler to just let the domain manage user
accounts affiliated with the domain.
It's also worth noting what complications might arise when using local
accounts. I haven't tested this (because I abandoned the idea of using
local uid-synchronized accounts), but in some contexts I make heavy use
of AD security groups to fine tune file system access. So, for example,
I might have security groups that look like this:
-- structural-biology
-- rolands-group
-- jeremeys-group
-- rolands-group
- roland
- mjt
- ...
-- jeremys-group
- jeremy
- pgoetz
- ...
Being able to nest security groups is one of the most useful features of
AD authentication.
So suppose you have local linux users mjt and pgoetz and a share with
permissions like this:
drwxr-x--- 5 jeremy structural-biology 4096 Jan 5 08:32 data
Are *local* users mtj and pgoetz going to be able to access this
directory? I *think* nsswitch will do the right thing here and look for
the group in AD when it can't find it locally, but this is the sort of
complication that might come up.
More information about the samba
mailing list