[Samba] Corruption of winbind cache after converting NT4 to AD domain

Patrick Goetz pgoetz at math.utexas.edu
Sat Feb 12 13:16:32 UTC 2022

On 2/12/22 02:56, Michael Tokarev via samba wrote:
> The "one place" has its own good and bad sides. When something can be done
> locally I prefer it to be done locally. It's okay for me to have uid->name
> mapping over the network, but I tend to configure auth for users locally
> (we don't have many servers) and don't understand why just giving some of
> my users access to their files from windows machine forces me to REMOVE
> these users from the system and move everything to network. Very confusing.

Yes, I prefer doing things locally, too.  So much easier; 
self-contained; not dependent on any other machine.  That's why I was 
initially resistant to binding my linux machines to the domain, 
particularly since they NFS mount the shares.

But you should really pay attention to what Roland keeps telling you: 
while you *can* do things this way, it's not optimal and is cumbersome to 
maintain. It's an administration/design question, not a technical one.

A good compromise is to have some local accounts which are not in the 
domain so that you can still log in to the machine if, say, your DC is 
down and you don't have redundant DC's.

That said, we're talking about linux here, and there is no 
one-size-fits-all or universal solution to every problem. You have to 
decide, based on the topology of your network and your 
authentication/authorization needs, what the best architecture is. It's 
not about "can I do this?"; it's more "should I do this?".  That's the 
beauty of linux; you get to decide how things are done, not Microsoft. 
That's why linux runs on several billion more devices than Windows does.
