[Samba] samba users at boot, the same local and samba user bug has gone

Andrew Bartlett abartlet at samba.org
Mon May 22 21:13:51 UTC 2023


On Sun, 2023-05-14 at 19:29 +0300, Michael Tokarev via samba wrote:
> Hi!
> 
> We faced another issue with not having samba (ad-dc) users in local /etc/password:
> this way, we can't easily have services run as users this way, since winbindd is
> started later than most services are (and it requires working network). Also,
> user-defined cron @reboot jobs aren't being run, for the same reason: cron is
> started before winbindd on most systems. This is quite difficult to change too,
> since ordering is historic and other dependencies exist in-between.

I think some effort should be put into understanding that ordering.  If
@reboot is to be expected to work, then the users should be supplied
before cron starts.  

This isn't something Samba controls, this is a packaging choice. 

I realise it won't be easy, but that would be the correct way forward
on this issue.

> Thankfully, the bug which existed in samba 4.16 where, in presence of the same
> username in ad and in /etc/passwd, winbindd/smbd sometimes treated it as one and
> sometimes as two different users with different SIDs, apparently has been fixed
> in 4.17. So far, samba always treats this user as one single entity here, with
> 4.17 and 4.18, - unlike sporadic/unstable behavior we've seen in 4.16.

This might be related to the Nov 2021 security fixes.  

However I would warn that multiple definitions of users is not something
we test, so I would be very cautious, and generally suggest moving to a
'single source of truth', as any manual /etc/passwd entries would need
to be maintained manually. 

Andrew Bartlett

-- 
Andrew Bartlett (he/him)        https://samba.org/~abartlet/
Samba Team Member (since 2001)  https://samba.org
Samba Developer, Catalyst IT    https://catalyst.net.nz/services/samba



