[Samba] Usernames in /etc/passwd vs domain (Domain Member Setup)

Rowland Penny rpenny at samba.org
Thu Sep 22 09:39:06 UTC 2022



On 22/09/2022 10:25, Andrew Bartlett via samba wrote:
> On Wed, 2022-09-21 at 23:00 +0000, Eddie Rowe via samba wrote:
>> I am new to Samba and working to understand things since I have an
>> existing Samba server joined to Active Directory as a domain
>> member.  I have been reading the O'Reilly Samba book to get oriented
>> to things and now setting up a test server.  So as to not muddy the
>> water with distribution specific instructions I have been working off
>> the Samba wiki
>> <https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member>
>> to set up a test system.  Under the section "Configuring the Name
>> Service Switch" the wiki states "Do not use the same user names in
>> the local /etc/passwd file as in the domain.".  I am afraid this is
>> how things are set up today on the existing server.  Any suggestions
>> for what I can review in the Wiki or Samba site to understand how I
>> can bring our setup into one that would be a standard setup?  Today
>> the process for giving someone access to a Samba share involves
>> killing winbind, adding the local account, adding the group that
>> corresponds to the share, restarting winbind.
> 
> Samba's preference is, because it avoids double-management and ensures
> we can honour AD groups etc, to use nss_winbind to provide the users to
> nsswitch, e.g. to make them Linux users.
> 
> As you then don't want two user ids for a user, the guidance is not to
> create a duplicate locally.

It isn't 'want', it is 'need'

> 
> However many installations have done so, and do not use nss_winbind,
> but want Samba to honour the local user authorization, just as NFS, SSH
> or local login would.

Historically, what you are saying is correct, but there is no need for a 
local user. If you use AD, NFS, SSH and local logins will all work 
without a local user, so why continue to do it?

> 
> See
> https://attachments.samba.org/attachment.cgi?id=16970 for guidance on
> how to keep your setup working with a modern (patched) Samba version.
> 
> We really should have a wiki page for nsswitch based authorization, to
> help the many sites that use Samba the way you do.  It isn't our
> preference, but we know it is a practice that is in use and we try to
> keep it working.  (As this is historically how Samba behaved).

Perhaps we should have such a wiki page (are you offering to write it?),
but it should have something like this at the top:

YOU DO NOT NEED TO DO THIS.

In very big letters.

It should be noted that the user 'fred' in /etc/passwd is not the same 
user as a user 'fred' in AD.

Rowland
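
An added example, not part of the original message: a check for the situation the wiki warns about, listing local `/etc/passwd` names that also exist in the domain (the 'fred' case above). The `SAMDOM` domain name, the sample accounts and the two input files are constructed; on a member server the domain list would come from `wbinfo -u`.

```shell
#!/bin/sh
# Added example (not from the thread): list local accounts whose names also
# exist in the domain. On a member server the domain list would come from
# `wbinfo -u`; read /etc/passwd directly, because `getent passwd` goes
# through NSS and can merge local and winbind entries.

# find_collisions PASSWD_FILE DOMAIN_USERS_FILE
# Prints "name uid" for each local entry that matches a domain user.
# Assumptions: the winbind separator is the default backslash, so both
# "fred" and "SAMDOM\fred" are accepted; names are compared lower-cased
# because AD account names are case-insensitive.
find_collisions() {
    awk -F: '
        NR == FNR {                      # first file: domain users
            name = tolower($0)
            sub(/\r$/, "", name)
            sub(/^.*\\/, "", name)       # strip the domain prefix
            if (name != "") domain[name] = 1
            next
        }
        /^[#+-]/ || NF < 3 { next }      # comments, NIS compat lines, junk
        (tolower($1) in domain) { print $1, $3 }
    ' "$2" "$1"
}

# Constructed sample data, standing in for /etc/passwd and `wbinfo -u`.
write_sample() {
    cat > "$1/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
fred:x:1001:1001:Fred (local):/home/fred:/bin/bash
Alice:x:1002:1002::/home/alice:/bin/bash
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
EOF
    cat > "$1/domain_users" <<'EOF'
SAMDOM\administrator
SAMDOM\fred
SAMDOM\alice
SAMDOM\bob
EOF
}

tmp=$(mktemp -d)
write_sample "$tmp"
find_collisions "$tmp/passwd" "$tmp/domain_users"
rm -rf "$tmp"
```

Each name it prints is a local account that shadows, or is shadowed by, a domain account of the same name, depending on the order of sources in `/etc/nsswitch.conf`.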


