[Samba] samba users at boot, the same local and samba user bug has gone

Kees van Vloten keesvanvloten at gmail.com
Sun May 14 19:32:52 UTC 2023


On 14-05-2023 21:21, Rowland Penny via samba wrote:
>
>
> On 14/05/2023 17:29, Michael Tokarev via samba wrote:
>> Hi!
>>
>> We faced another issue with not having samba (ad-dc) users in local 
>> /etc/password:
>> this way, we can't easily have services run as users this way, since 
>> winbindd is
>> started later than most services are (and it requires working 
>> network). Also,
>> user-defined cron @reboot jobs aren't being run, for the same reason: 
>> cron is
>> stared before winbindd on most systems. This is quite difficult to 
>> change too,
>> since ordering is historic and other dependencies exists in-between.
>>
>> Thankfully, the bug which existed in samba 4.16 where, in presence of 
>> the same
>> username in ad and in /etc/passwd, winbindd/smbd sometimes treated it 
>> as one and
>> sometimes as two different users with different SIDs, apparently has 
>> been fixed
>> in 4.17. So far, samba always treats this user as one single entity 
>> here, with
>> 4.17 and 4.18, - unlike sporadic/unstable behavior we've seen in 4.16.
>>
>> FWIW. And thank you for the bugfixing.
>>
>> /mjt
>>
>
> Michael, you cannot have AD users in /etc/passwd because if a user is 
> in /etc/passwd it isn't the same user as the user by the same name in 
> AD. Local users do not have a SID, only AD or Samba users have a SID.
> Okay, that's not entirely true, Samba will create SIDs 'S-1-2-*' for 
> local users, but they are not true Windows SIDs.
>
> If you create a local user on a domain joined machine and then create 
> a domain user (on a DC) with the same name and then use getent on the 
> joined machine, you will get this output:
> adminuser at lmde5:~$ getent passwd unixuser
> unixuser:x:1001:1001:,,,:/home/unixuser:/bin/bash
> adminuser at lmde5:~$ getent passwd SAMDOM\\unixuser
> SAMDOM\unixuser:*:13105:10513::/home/unixuser:/bin/bash
>
> You have to use the username in the form 'DOMAIN\\username' to get the 
> domain users output, otherwise you will always get the output for the 
> local user.
>
> As you can see, though they have the same username, they have 
> different Unix IDs and are different users. You could use the 'ad' 
> idmap backend and set the Unix ID as the user's uidNumber, but they 
> would still be different users.

The uid + gid are the unique identifier of a user in Linux, the name is 
only relevant for the translation of number (uid) to name.

I.e. a local-user == domain-user when uid + gid are identical.

My nsswitch.conf prefers local-users over domain-users:

passwd:         files systemd winbind
group:          files systemd winbind
shadow:         files
gshadow:        files

But when I do "id <user>" on a user that exists locally and in the 
domain I get the list of groups of both local + domain concatenated as 
one long list.

Were it viewed as two separate users, that would not happen.

- Kees.

>
> If you are running local services on the computer, you should be using 
> local users, not users stored in AD.
>
> Not sure what has changed for yourself, but I wouldn't rely on it, if 
> it changed once, it could, just as easily, change again.
>
> Rowland
>
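As an added example (not code from this thread or from Samba), a small audit script that applies the getent comparison quoted above: it parses passwd-format entries from the local `files` source and the `winbind` source, strips the `DOMAIN\` prefix winbind adds, and flags names that exist in both but resolve to a different uid/gid, i.e. the two-different-users case. The sample entries are constructed from the output in the thread; `getent -s SERVICE` is glibc's per-service lookup, and the lookup helper is assumed to run on a joined host with winbind.

```python
"""Audit a domain-joined host for NSS name collisions between local
(/etc/passwd) and winbind users: same name, different uid/gid."""
import subprocess


def parse_passwd(lines):
    """Parse passwd(5)-formatted lines into {name: (uid, gid)}."""
    users = {}
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 4:
            continue  # malformed entry, ignore it
        users[fields[0]] = (int(fields[2]), int(fields[3]))
    return users


def find_collisions(local_lines, domain_lines):
    """Return names present in both sources whose uid/gid differ.

    winbind entries may carry a 'DOMAIN\\' prefix (when
    'winbind use default domain' is not set); it is stripped before
    comparing, because that is the name a bare 'id user' would resolve.
    """
    local = parse_passwd(local_lines)
    domain = {}
    for name, ids in parse_passwd(domain_lines).items():
        domain[name.split("\\", 1)[-1]] = ids
    collisions = []
    for name, local_ids in local.items():
        if name in domain and domain[name] != local_ids:
            collisions.append({"name": name, "local": local_ids, "domain": domain[name]})
    return collisions


def getent_lookup(service, names):
    """Resolve each name via one NSS service only (glibc: getent -s SERVICE).
    Per-name lookups avoid needing 'winbind enum users = yes'."""
    lines = []
    for name in names:
        out = subprocess.run(["getent", "-s", service, "passwd", name],
                             capture_output=True, text=True, check=False)
        lines.extend(out.stdout.splitlines())
    return lines


# Constructed sample data mirroring the getent output quoted in the thread.
LOCAL_SAMPLE = ["root:x:0:0:root:/root:/bin/bash",
                "unixuser:x:1001:1001:,,,:/home/unixuser:/bin/bash"]
DOMAIN_SAMPLE = ["SAMDOM\\unixuser:*:13105:10513::/home/unixuser:/bin/bash",
                 "SAMDOM\\other:*:13106:10513::/home/other:/bin/bash"]

if __name__ == "__main__":
    for c in find_collisions(LOCAL_SAMPLE, DOMAIN_SAMPLE):
        print(f"{c['name']}: local uid/gid {c['local']} vs domain {c['domain']}"
              " -> two different users; 'files' wins in nsswitch.conf")
```

On a real host, feed `getent_lookup("files", names)` and `getent_lookup("winbind", ["SAMDOM\\" + n for n in names])` into `find_collisions` instead of the samples.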
