[Samba] Corruption of winbind cache after converting NT4 to AD domain
rpenny at samba.org
Sat Feb 12 13:44:19 UTC 2022
On Sat, 2022-02-12 at 16:10 +0300, Michael Tokarev via samba wrote:
> 12.02.2022 15:45, Patrick Goetz wrote:
> > On 2/12/22 01:36, Michael Tokarev wrote:
> > > > So, what I'm currently doing on the linux machines:
> > > >
> > > > 1. Remove local linux accounts which match AD accounts.
> > > >
> > > > 2. Bind the linux machine to the domain
> > > >
> > > > 3. Reset the permissions on the /home/USER directories on the
> > > > linux machines to match the UID assigned by Samba. If you're
> > > > using security groups, these work, too, and you can assign
> > > > permissions on linux with these, too.
> > >
> > > FWIW, this step isn't actually necessary if you assign uidNumber
> > > & gidNumber for your users/groups to be the same as on your
> > > standalone server(s) (assuming all servers shared the same uids).
> > Yes, this was my original plan, and that will work with *linux*
> > workstations (see following response to your next message).
> > But then every time you add a new user you have to also add this
> > user to /etc/passwd with the right UID, and also remember to delete
> > them when they're deleted from the domain. The question to ask
> > yourself is "what is gained by doing it this way?" I couldn't think
> > of anything; that's when I realized that it's simpler to just let
> > the domain manage user accounts affiliated with the domain.
> No, Patrick, you got me wrong. I'm not saying here to continue list
> users in /etc/passwd - this is your step 1 above. I'm not about
> accounts, not about keeping local account. I was commenting about
> the last step - chown/chgrp (and fixing ACLs the same way).
> When you use idmap_backend = ad, you can have the uid/gid for the
> listed in the AD as uidNumber and gidNumber attributes (and set them
> any value you choose).
> This way, you assign these numbers manually (it is not samba who's
> this), and all your linux machines who're configured with the same
> idmap_backend will have the same uid/gid for them automatically, to
> values you set. If you choose to keep files belonging to your former
> linux users, you can assign your AD users the same uid/gid they had
> linux, and you don't need to change ownership as in the step 3 above.
> It is just a small comment. And ofc. you can prefer other idmap
> which maps RIDs to uids differently.
If you use the same smb.conf on all Unix domain members, then you will
get the same Unix IDs everywhere. What the 'ad' idmap backend gets you
is the ability to give your users different login shells and Unix home
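As an added illustration (not from the thread), the smb.conf fragment a Unix domain member needs for the 'ad' idmap backend that Michael and Rowland are discussing; the domain name SAMDOM, the realm and the ID ranges are assumptions. Because winbind takes uidNumber/gidNumber straight from AD, every user and group must carry those attributes with values inside the configured range, and the same file must be deployed on every member for the IDs to agree.

```ini
[global]
   # assumed short domain name and realm
   workgroup = SAMDOM
   security = ADS
   realm = SAMDOM.EXAMPLE.COM

   # Default backend for BUILTIN and any other domain. These IDs are
   # allocated locally per host, so the range must not overlap the
   # AD range below or the two can collide.
   idmap config * : backend = tdb
   idmap config * : range = 3000-7999

   # 'ad' backend: winbind uses the uidNumber/gidNumber stored in AD
   # as-is, which is why the same numbers appear on every member and
   # why they can be set equal to the old standalone-server uids.
   # Users or groups without these attributes, or with values outside
   # the range, get no Unix ID at all and cannot log in.
   idmap config SAMDOM : backend = ad
   idmap config SAMDOM : schema_mode = rfc2307
   idmap config SAMDOM : range = 10000-999999

   # Also read loginShell/unixHomeDirectory per user from AD; this is
   # the per-user shell and home directory the reply refers to.
   idmap config SAMDOM : unix_nss_info = yes

   # Fallback used when unix_nss_info is off or an attribute is unset
   template shell = /bin/bash
   template homedir = /home/%U
```

Check the result on each member with `id SAMDOM\\username` and `getent passwd SAMDOM\\username`; if the idmap settings are changed after winbind has already run, clear stale mappings with `net cache flush` and restart winbind before comparing again.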