[Samba] Corruption of winbind cache after converting NT4 to AD domain

Patrick Goetz pgoetz at math.utexas.edu
Sat Feb 12 12:45:20 UTC 2022


On 2/12/22 01:36, Michael Tokarev wrote:
>> So, what I'm currently doing on the linux machines:
>>
>>   1. Remove local linux accounts which match AD accounts.
>>
>>   2. Bind the linux machine to the domain
>>
>>   3. Reset the permissions on the /home/USER directories on the linux 
>> machines to match the UID assigned by Samba. If you're using security 
>> groups, these work, too, and you can assign permissions on linux with 
>> these, too.
> 
> FWIW, this step isn't actually necessary if you assign uidNumber & 
> gidNumber
> for your users/groups to be the same as on your standalone server(s)
> (assuming all servers shared the same uids).
> 


Yes, this was my original plan, and that will work with *linux* 
workstations (see following response to your next message).

But then every time you add a new user you have to also add this user to 
/etc/passwd with the right UID, and also remember to delete them when 
they're deleted from the domain.  The question to ask yourself is "what 
is gained by doing it this way?"  I couldn't think of anything; that's 
when I realized that it's simpler to just let the domain manage user 
accounts affiliated with the domain.

It's also worth noting what complications might arise when using local 
accounts.  I haven't tested this (because I abandoned the idea of using 
local uid-synchronized accounts), but in some contexts I make heavy use 
of AD security groups to fine tune file system access.  So, for example, 
I might have security groups that look like this:

    -- structural-biology
       -- rolands-group
       -- jeremys-group

    -- rolands-group
       - roland
       - mjt
       - ...

    -- jeremys-group
       - jeremy
       - pgoetz
       - ...

Being able to nest security groups is one of the most useful features of 
AD authentication.

So suppose you have local linux users mjt and pgoetz and a share with 
permissions like this:

   drwxr-x---   5 jeremy structural-biology       4096 Jan  5 08:32 data
Are *local* users mjt and pgoetz going to be able to access this 
directory?  I *think* nsswitch will do the right thing here and look for 
the group in AD when it can't find it locally, but this is the sort of 
complication that might come up.
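The question above is easy to answer empirically on a given host. The following shell snippet is an added illustration, not code from this thread or from Samba: it asks the resolver the same thing the kernel effectively asks at open() time, namely whether the group that owns a directory shows up in the user's resolved supplementary group list. The helper names (`group_in_list`, `group_resolves`, `check_dir_access`) and the sample path are my own; it assumes Linux with GNU coreutils (`stat -c %G`) and an nsswitch configuration where `id -Gn` and `getent group` consult the domain (winbind, sssd, etc.).

```sh
#!/bin/sh
# Added example, not from the mailing-list thread: check whether a user can
# get into a directory whose group bits grant access (drwxr-x--- jeremy
# structural-biology) when that group is an AD security group, possibly
# containing nested member groups.
# Assumptions: Linux with GNU coreutils (`stat -c %G`), and nsswitch set up
# so that `id -Gn USER` and `getent group GROUP` consult the domain.

# group_in_list OWNER_GROUP [group ...]
# Returns 0 if OWNER_GROUP appears among the groups that follow it.
group_in_list() {
    owner="$1"
    shift
    for g in "$@"; do
        [ "$g" = "$owner" ] && return 0
    done
    return 1
}

# group_resolves GROUP: 0 if some nsswitch source (files, winbind, sss, ...)
# knows the group name at all.
group_resolves() {
    getent group "$1" >/dev/null 2>&1
}

# check_dir_access USER DIR
# Reports whether USER's resolved supplementary groups (which, with winbind,
# include flattened nested AD groups) contain the group that owns DIR.
# Exit codes: 0 access via group bits, 1 denied, 2 could not resolve.
check_dir_access() {
    user="$1"
    dir="$2"
    owner_group=$(stat -c %G "$dir" 2>/dev/null) || {
        echo "cannot stat $dir"
        return 2
    }
    if ! group_resolves "$owner_group"; then
        echo "group '$owner_group' is not resolvable through nsswitch"
        return 2
    fi
    user_groups=$(id -Gn "$user" 2>/dev/null) || {
        echo "cannot resolve user $user"
        return 2
    }
    # Word-splitting of the space-separated group list is intended here.
    if group_in_list "$owner_group" $user_groups; then
        echo "$user: '$owner_group' is in the resolved group list -> group bits apply"
        return 0
    fi
    echo "$user: '$owner_group' missing from resolved groups ($user_groups) -> denied by group bits"
    return 1
}

# Usage on a domain-joined host (hypothetical path):
# check_dir_access mjt /srv/share/data
```

If the check returns 2 for the group, nsswitch never sees the AD group and the share's group bits cannot help any user, local or domain; if it returns 1 for a domain user who is a member of a nested group, the resolver is not flattening nested membership, which is a winbind/idmap question rather than a permissions one.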
