[Samba] Corruption of winbind cache after converting NT4 to AD domain

Patrick Goetz pgoetz at math.utexas.edu
Sat Feb 12 13:40:06 UTC 2022

On 2/12/22 07:10, Michael Tokarev wrote:
>> But then every time you add a new user you have to also add this user 
>> to /etc/passwd with the right UID, and also remember to delete them 
>> when they're deleted from the domain.  The question to ask yourself is 
>> "what is gained by doing it this way?"  I couldn't think of anything; 
>> that's when I realized that it's simpler to just let the domain manage 
>> user accounts affiliated with the domain.
> No, Patrick, you got me wrong.  I'm not saying here to continue listing AD
> users in /etc/passwd - this is your step 1 above.  I'm not talking about local
> accounts, not about keeping local accounts. I was commenting about just
> the last step - chown/chgrp (and fixing ACLs the same way).
> When you use idmap_backend = ad, you can have the uid/gid for the user
> listed in the AD as uidNumber and gidNumber attributes (and set them to
> any value you choose).

Yes, that's right; that's what --use-rfc2307 does for you when you 
set up the domain. This was another plan I was originally going to 
implement, but realized that in my use case (almost everyone working on 
Windows, just a few linux machines) it was an unnecessary 
complication that would require that I maintain these attributes 
manually, i.e., when creating new users you then have to remember to add 
the rfc2307 attributes by hand and make sure they match what you have 
configured in /etc/passwd. As mentioned, your use case might be 
different, in which case it might make sense to do it this way.

The difference between an experienced programmer and a new programmer is 
an experienced programmer is thinking mostly about code maintenance in 
the future while the new programmer is just thinking about how to solve 
the problem at hand. Once you write a program that's useful, you become 
a slave for life, because you're constantly being asked to update your 
code. New programmers don't realize this; you learn this from experience.

The same thing applies to systems administration.  Yes, you can set it 
up any old way and make it work, but what configuration will be most 
easy to maintain as time goes on?  Only you can figure this out, 
depending on your system.

> This way, you assign these numbers manually (it is not samba who's doing
> this), and all your linux machines that are configured with the same
> idmap_backend will have the same uid/gid for them automatically, to the
> values you set. If you choose to keep files belonging to your former
> linux users, you can assign your AD users the same uid/gid they had on
> linux, and you don't need to change ownership as in the step 3 above.
> It is just a small comment. And ofc. you can prefer other idmap backends
> which map RIDs to uids differently.
> Thanks!
> /mjt
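As an added illustration (not code from Patrick, Michael, or the Samba project): a constructed smb.conf idmap fragment for the `idmap config ... : backend = ad` setup Michael describes, where winbind takes each user's uid/gid from the uidNumber/gidNumber attributes in AD, plus a small POSIX shell check that a chosen uidNumber falls inside the domain's configured idmap range. The check matters because idmap_ad ignores attribute values outside that range, so a user whose uidNumber is set to, say, 1000 against a 10000-999999 range gets no uid at all and every chown/ACL plan built on it silently fails. The domain name EXAMPLE, the realm and the ranges are assumptions.

```shell
#!/bin/sh
# Constructed smb.conf fragment for a domain member that maps ids from the AD
# uidNumber/gidNumber attributes (workgroup, realm and ranges are assumptions).
# The "*" backend covers well-known SIDs such as BUILTIN; its range must not
# overlap the domain's range.
SMB_CONF_FRAGMENT='
[global]
   security = ads
   workgroup = EXAMPLE
   realm = EXAMPLE.COM
   idmap config * : backend = tdb
   idmap config * : range = 3000-7999
   idmap config EXAMPLE : backend = ad
   idmap config EXAMPLE : schema_mode = rfc2307
   idmap config EXAMPLE : range = 10000-999999
   idmap config EXAMPLE : unix_nss_info = yes
'

# Extract the "lo-hi" range configured for a domain from an smb.conf fragment.
# $1 = config text, $2 = domain name as written in the idmap config lines
idmap_range() {
    printf '%s\n' "$1" \
      | sed -n "s/^[[:space:]]*idmap config $2[[:space:]]*:[[:space:]]*range[[:space:]]*=[[:space:]]*//p" \
      | tr -d ' '
}

# Return 0 if a numeric id lies inside "lo-hi". idmap_ad ignores uidNumber and
# gidNumber values outside the domain's range, so such an account resolves to
# no unix id at all on every member server.
# $1 = uid or gid to test, $2 = range in the form lo-hi
in_idmap_range() {
    lo=${2%-*}
    hi=${2#*-}
    [ "$1" -ge "$lo" ] && [ "$1" -le "$hi" ]
}

# Verdict for one uidNumber against the EXAMPLE domain's range in the fragment.
# Prints a message and returns 0 (usable) or 1 (winbind will not map it).
check_uid() {
    range=$(idmap_range "$SMB_CONF_FRAGMENT" EXAMPLE)
    if in_idmap_range "$1" "$range"; then
        echo "uid $1 is inside idmap range $range"
        return 0
    else
        echo "uid $1 is OUTSIDE idmap range $range: winbind will not map this user"
        return 1
    fi
}

# Stand-alone run: check a uid carried over from an old /etc/passwd (1000)
# and one chosen to fit the AD range (20000).
check_uid 1000
check_uid 20000
```

On a real system the same range question is answered after `net ads join` and a winbind restart by `getent passwd 'EXAMPLE\alice'` or `wbinfo -i 'EXAMPLE\alice'`: if the uidNumber stored in AD lies outside the range, the lookup returns nothing. The attributes themselves can be set when the account is created on the DC with `samba-tool user create alice --uid-number=20000 --gid-number=20000` (values constructed here), which is the manual step Patrick is weighing against letting winbind allocate ids.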
