[Samba] samba users at boot, the same local and samba user bug has gone

Rowland Penny rpenny at samba.org
Sun May 14 19:58:34 UTC 2023



On 14/05/2023 20:47, Kees van Vloten via samba wrote:
> 
> On 14-05-2023 21:39, Rowland Penny via samba wrote:
>>
>>
>> On 14/05/2023 20:32, Kees van Vloten via samba wrote:
>>
>>> The uid + gid are the unique identifier of a user in Linux, the name 
>>> is only relevant for the translation of number (uid) to name.
>>>
>>> I.e. a local-user == domain-user when uid + gid are identical.
>>>
>>> My nsswitch.conf prefers local-users over domain-users:
>>>
>>> passwd:         files systemd winbind
>>> group:          files systemd winbind
>>> shadow:         files
>>> gshadow:        files
>>>
>>> But when I do "id <user>" on a user that exists locally and in the 
>>> domain I get the list of groups of both local + domain concatenated 
>>> as one long list.
>>>
>>> Would it be viewed as two separate users that would not happen.
>>>
>>> - Kees.
>>
>>>
>>
>> OK, I should have posted that as well:
>>
>> adminuser at lmde5:~$ id unixuser
>> uid=1001(unixuser) gid=1001(unixuser) 
>> groups=1001(unixuser),13105(unixuser),10513(domain 
>> users),3001(BUILTIN\users)
>>
>> adminuser at lmde5:~$ id SAMDOM\\unixuser
>> uid=13105(unixuser) gid=10513(domain users) groups=10513(domain 
>> users),13105(unixuser),3001(BUILTIN\users)
>>
>> Still think they are the same user ?
>>
>> Rowland
>>
> I do !
> 
> But only when uid + gid are identical (which is not the case for your 
> user):
> 
> id samdom\\user1
> uid=1114(user1) gid=1114(user1) 
> groups=1114(user1),100(users),978(ssh-users),10000(domain 
> users),10123(acl-app_group-access),1000001(BUILTIN\users)
> 
> id user1
> uid=1114(user1) gid=1114(user1) 
> groups=1114(user1),100(users),978(ssh-users),10000(domain 
> users),10123(acl-app_group-access),1000001(BUILTIN\users)
> 
> I get exactly the same list of groups for both.
> 
> - Kees.
> 
> 
> 

I think that you are using the 'ad' idmap backend, but I am not sure 
what on, a DC ?

What I am trying to get across is, there is no reason to have two users 
with the same name, one in /etc/passwd and one in AD. The one in 
/etc/passwd is unknown to AD, but the one in AD can very easily become a 
Unix user.

Rowland
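
The two cases shown in the thread (unixuser, whose local and AD entries carry different uid/gid, and user1, whose entries are identical) can be told apart mechanically. The following is an added example, not part of the original message or of Samba: it compares passwd-format output from the 'files' and 'winbind' NSS sources and labels each name found in both. The sample data is constructed from the ids quoted above; the function names and the 'same-ids'/'shadowed' labels are assumptions made for this sketch.

```python
import subprocess

# Constructed passwd(5)-format samples using the uid/gid values quoted in the
# thread; home directories, shells and the extra accounts are placeholders.
SAMPLE_FILES = """\
root:x:0:0:root:/root:/bin/bash
unixuser:x:1001:1001::/home/unixuser:/bin/bash
user1:x:1114:1114::/home/user1:/bin/bash
"""
SAMPLE_WINBIND = """\
unixuser:*:13105:10513::/home/unixuser:/bin/bash
user1:*:1114:1114::/home/user1:/bin/bash
aduser:*:13200:10513::/home/aduser:/bin/bash
"""


def parse_passwd(text):
    """Return {name: (uid, gid)} from passwd-format text, skipping malformed lines."""
    entries = {}
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) < 4 or not (fields[2].isdigit() and fields[3].isdigit()):
            continue
        # winbind may return DOMAIN\name; compare on the bare, lower-cased name.
        name = fields[0].rsplit("\\", 1)[-1].lower()
        entries.setdefault(name, (int(fields[2]), int(fields[3])))
    return entries


def classify_overlaps(files_text, winbind_text):
    """Label each name present in both sources as 'same-ids' or 'shadowed'."""
    local, domain = parse_passwd(files_text), parse_passwd(winbind_text)
    return {
        name: "same-ids" if local[name] == domain[name] else "shadowed"
        for name in sorted(local.keys() & domain.keys())
    }


def getent_passwd(source):
    """Live input: passwd entries from one NSS source ('files' or 'winbind')."""
    cmd = ["getent", "-s", source, "passwd"]
    return subprocess.run(cmd, capture_output=True, text=True, check=False).stdout


if __name__ == "__main__":
    # Swap the samples for getent_passwd("files") / getent_passwd("winbind") on a
    # real host (winbind only enumerates when 'winbind enum users = yes' is set).
    for name, verdict in classify_overlaps(SAMPLE_FILES, SAMPLE_WINBIND).items():
        print(f"{name}: {verdict}")
```

A 'shadowed' name is one where, with 'files' listed before 'winbind' in nsswitch.conf, the bare name resolves to the local account while the AD account keeps a different uid and gid.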


