[Samba] samba users at boot, the same local and samba user bug has gone
Andrew Bartlett
abartlet at samba.org
Mon May 22 21:13:51 UTC 2023
On Sun, 2023-05-14 at 19:29 +0300, Michael Tokarev via samba wrote:
> Hi!
>
> We faced another issue with not having samba (ad-dc) users in local /etc/passwd:
> this way, we can't easily have services run as users this way, since winbindd is
> started later than most services are (and it requires working network). Also,
> user-defined cron @reboot jobs aren't being run, for the same reason: cron is
> started before winbindd on most systems. This is quite difficult to change too,
> since ordering is historic and other dependencies exist in-between.

I think some effort should be put into understanding that ordering. If
@reboot is to be expected to work, then the users should be supplied
before cron starts.

This isn't something Samba controls, this is a packaging choice.

I realise it won't be easy, but that would be the correct way forward
on this issue.

> Thankfully, the bug which existed in samba 4.16 where, in presence of the same
> username in ad and in /etc/passwd, winbindd/smbd sometimes treated it as one and
> sometimes as two different users with different SIDs, apparently has been fixed
> in 4.17. So far, samba always treats this user as one single entity here, with
> 4.17 and 4.18, - unlike sporadic/unstable behavior we've seen in 4.16.

This might be related to the Nov 2021 security fixes.

However I would warn that multiple definition of users is not something
we test, so I would be very cautious, and generally suggest moving to a
'single source of truth', as any manual /etc/passwd entries would need
to be maintained manually.

Andrew Bartlett
--
Andrew Bartlett (he/him) https://samba.org/~abartlet/
Samba Team Member (since 2001) https://samba.org
Samba Developer, Catalyst IT https://catalyst.net.nz/services/samba