On Tue, Aug 9, 2016 at 1:58 PM, Rowland Penny via samba <samba at lists.samba.org> wrote:

> On Tue, 9 Aug 2016 13:37:18 -0300
> francis picabia <fpicabia at gmail.com> wrote:
>
> >
> > > getent passwd username
> >
> > (or "theusername") is not the literal command. I substitute
> > 'username' here to protect the user id.
> > getent passwd on the user does work and it returns uid and gid of
> > 1000, exactly what we see in the /etc/passwd file. It is the same
> > output as grep 'username' on /etc/passwd
> >
> > Remember, when winbind is off, it works. This is certainly bug 10604
> > by all measures.
>
> And I think you have just posted your problem!
>
> Let's use 'fred' as one of your users, replace 'fred' with a real user's
> name
>
> Do you have a user called 'fred' in /etc/passwd *and* in AD ?
>
> If so, choose one and then delete the other, you cannot have them in
> both.

I don't think you've done this before. Have you used security = ads?

I have dozens of servers and hundreds of users running just fine with this. Having the same user defined in both Linux and AD, and mapping it for authentication is the whole point.
On 2016-08-09 at 14:49 -0300, francis picabia via samba wrote:

> On Tue, Aug 9, 2016 at 1:58 PM, Rowland Penny via samba <samba at lists.samba.org> wrote:
>
> > On Tue, 9 Aug 2016 13:37:18 -0300
> > francis picabia <fpicabia at gmail.com> wrote:
> >
> > >
> > > > getent passwd username
> > >
> > > (or "theusername") is not the literal command. I substitute
> > > 'username' here to protect the user id.
> > > getent passwd on the user does work and it returns uid and gid of
> > > 1000, exactly what we see in the /etc/passwd file. It is the same
> > > output as grep 'username' on /etc/passwd
> > >
> > > Remember, when winbind is off, it works. This is certainly bug 10604
> > > by all measures.
> >
> > And I think you have just posted your problem!
> >
> > Let's use 'fred' as one of your users, replace 'fred' with a real user's
> > name
> >
> > Do you have a user called 'fred' in /etc/passwd *and* in AD ?
> >
> > If so, choose one and then delete the other, you cannot have them in
> > both.
>
> I don't think you've done this before. Have you used security = ads?
>
> I have dozens of servers and hundreds of users running just fine
> with this. Having the same user defined in both Linux and AD,
> and mapping it for authentication is the whole point.

No, this completely misses the point of winbind and security = ads: Winbind removes the need to maintain local users on each server. Instead you plug winbind into nsswitch and tell it to use the same id mapping scheme on all servers, and hence you have perfectly valid, same-looking unix users on all the servers without ever touching the passwd and group files...

Cheers - Michael
On Tue, 9 Aug 2016 14:49:37 -0300 francis picabia <fpicabia at gmail.com> wrote:

> On Tue, Aug 9, 2016 at 1:58 PM, Rowland Penny via samba <samba at lists.samba.org> wrote:
>
> > On Tue, 9 Aug 2016 13:37:18 -0300
> > francis picabia <fpicabia at gmail.com> wrote:
> >
> > >
> > > > getent passwd username
> > >
> > > (or "theusername") is not the literal command. I substitute
> > > 'username' here to protect the user id.
> > > getent passwd on the user does work and it returns uid and gid of
> > > 1000, exactly what we see in the /etc/passwd file. It is the same
> > > output as grep 'username' on /etc/passwd
> > >
> > > Remember, when winbind is off, it works. This is certainly bug
> > > 10604 by all measures.
> >
> > And I think you have just posted your problem!
> >
> > Let's use 'fred' as one of your users, replace 'fred' with a real
> > user's name
> >
> > Do you have a user called 'fred' in /etc/passwd *and* in AD ?
> >
> > If so, choose one and then delete the other, you cannot have them in
> > both.
>
> I don't think you've done this before. Have you used security = ads?

ROFL ROFL ROFL

Can I direct you to my email address.

> I have dozens of servers and hundreds of users running just fine
> with this. Having the same user defined in both Linux and AD,
> and mapping it for authentication is the whole point.

That was the old way; if you are using AD, you do not need Unix users in /etc/passwd and in fact, you should not have users in both /etc/passwd and AD.

To make an AD user a Unix user, either add RFC2307 attributes to the user's object in AD and then use the winbind 'ad' backend, or use the 'rid' backend, in which case you do not have to add anything to AD.

Can you also stop sending email directly to me and CCing the list, just send to the list.

Rowland
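The condition Rowland describes above, a user defined both in /etc/passwd and in AD, is easy to check for before joining a box or switching winbind on in nsswitch.conf. The script below is an added example written for this page, not code from the thread or from the Samba project. It compares local passwd entries against the passwd entries winbind returns for domain users and reports every name present in both, with the two conflicting uids. The two inputs here are constructed samples; on a real host you would feed it /etc/passwd and the winbind entries (for example the output of `getent passwd` for the domain users, which winbind only enumerates when `winbind enum users = yes` is set). The uid values in the sample imitate the rid backend (uid = idmap range base + RID) but are made up.

```shell
#!/bin/sh
# Added example (not from the thread): report accounts that exist both in the
# local passwd file and in the passwd entries winbind returns for AD users.

# Constructed sample of /etc/passwd lines (not a real host's file).
LOCAL_PASSWD='root:x:0:0:root:/root:/bin/bash
fred:x:1000:1000:Fred Local:/home/fred:/bin/bash
alice:x:1001:1001:Alice Local:/home/alice:/bin/bash'

# Constructed sample of what `getent passwd` returns for AD users through
# winbind with the rid backend (uid = idmap range base + RID; sample values).
# Whether a "DOMAIN\" prefix appears depends on `winbind use default domain`
# and `winbind separator`; the check strips such a prefix before comparing.
WINBIND_PASSWD='EXAMPLE\fred:*:10001105:10000513:Fred Domain:/home/EXAMPLE/fred:/bin/bash
EXAMPLE\bob:*:10001106:10000513:Bob Domain:/home/EXAMPLE/bob:/bin/bash'

# find_collisions LOCAL WINBIND
# Prints one line per account name present in both inputs (case-insensitive,
# because AD names are case-insensitive) with both uids, so the admin can see
# which of the two entries to remove. Prints nothing when there is no overlap.
find_collisions() {
  {
    printf '%s\n' "$1" | sed 's/^/L:/'
    printf '%s\n' "$2" | sed 's/^/W:/'
  } | awk -F: '
    {
      src = $1
      name = $2
      sub(/^.*\\/, "", name)      # drop a "DOMAIN\" prefix, if any
      name = tolower(name)
      uid = $4                    # fields are shifted by one by the L:/W: tag
      if (src == "L") {
        local_uid[name] = uid
      } else if (name in local_uid) {
        print name " local_uid=" local_uid[name] " winbind_uid=" uid
      }
    }'
}

# has_collisions LOCAL WINBIND
# Exit status 0 when at least one account is defined on both sides, 1 otherwise;
# usable as a gate in a provisioning script.
has_collisions() {
  [ -n "$(find_collisions "$1" "$2")" ]
}

# Usage with the constructed samples: prints the one clashing account, "fred".
find_collisions "$LOCAL_PASSWD" "$WINBIND_PASSWD"
```

The output names the local entry and the winbind entry side by side; which one to delete is the choice Rowland leaves to the admin, but the winbind uid is the one that stays consistent across every server that uses the same idmap configuration, so file ownership created under the local uid would need to be chowned if the local account is the one removed.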
On Tue, Aug 9, 2016 at 2:59 PM, Michael Adam <obnox at samba.org> wrote:

> On 2016-08-09 at 14:49 -0300, francis picabia via samba wrote:
> > On Tue, Aug 9, 2016 at 1:58 PM, Rowland Penny via samba <samba at lists.samba.org> wrote:
> >
> > > On Tue, 9 Aug 2016 13:37:18 -0300
> > > francis picabia <fpicabia at gmail.com> wrote:
> > >
> > > >
> > > > > getent passwd username
> > > >
> > > > (or "theusername") is not the literal command. I substitute
> > > > 'username' here to protect the user id.
> > > > getent passwd on the user does work and it returns uid and gid of
> > > > 1000, exactly what we see in the /etc/passwd file. It is the same
> > > > output as grep 'username' on /etc/passwd
> > > >
> > > > Remember, when winbind is off, it works. This is certainly bug 10604
> > > > by all measures.
> > >
> > > And I think you have just posted your problem!
> > >
> > > Let's use 'fred' as one of your users, replace 'fred' with a real user's
> > > name
> > >
> > > Do you have a user called 'fred' in /etc/passwd *and* in AD ?
> > >
> > > If so, choose one and then delete the other, you cannot have them in
> > > both.
> >
> > I don't think you've done this before. Have you used security = ads?
> >
> > I have dozens of servers and hundreds of users running just fine
> > with this. Having the same user defined in both Linux and AD,
> > and mapping it for authentication is the whole point.
>
> No, this completely misses the point of winbind and security
> ads: Winbind removes the need to maintain local users on each
> server. Instead you plug winbind into nsswitch and tell it to
> use the same id mapping scheme on all servers, and hence you
> have perfectly valid, same-looking unix users on all the servers
> without ever touching the passwd and group files...
>
> Cheers - Michael

In my systems [homes] is something they use on the Linux system where they have access via ssh or mapping the network drive. It isn't a new thing. I've used it for over a decade without major problems. When winbind is left out of nsswitch.conf, we can control that only users with an account on the specific box can access it.
On Tue, Aug 9, 2016 at 3:00 PM, Rowland Penny via samba <samba at lists.samba.org> wrote:

> On Tue, 9 Aug 2016 14:49:37 -0300
> francis picabia <fpicabia at gmail.com> wrote:
>
> > On Tue, Aug 9, 2016 at 1:58 PM, Rowland Penny via samba <samba at lists.samba.org> wrote:
> >
> > > On Tue, 9 Aug 2016 13:37:18 -0300
> > > francis picabia <fpicabia at gmail.com> wrote:
> > >
> > > >
> > > > > getent passwd username
> > > >
> > > > (or "theusername") is not the literal command. I substitute
> > > > 'username' here to protect the user id.
> > > > getent passwd on the user does work and it returns uid and gid of
> > > > 1000, exactly what we see in the /etc/passwd file. It is the same
> > > > output as grep 'username' on /etc/passwd
> > > >
> > > > Remember, when winbind is off, it works. This is certainly bug
> > > > 10604 by all measures.
> > >
> > > And I think you have just posted your problem!
> > >
> > > Let's use 'fred' as one of your users, replace 'fred' with a real
> > > user's name
> > >
> > > Do you have a user called 'fred' in /etc/passwd *and* in AD ?
> > >
> > > If so, choose one and then delete the other, you cannot have them in
> > > both.

Here you wrote that a user *cannot* be in both /etc/passwd and AD.

> >
> > I don't think you've done this before. Have you used security = ads?
>
> ROFL ROFL ROFL
>
> Can I direct you to my email address.
>
> > I have dozens of servers and hundreds of users running just fine
> > with this. Having the same user defined in both Linux and AD,
> > and mapping it for authentication is the whole point.
>
> That was the old way, if you are using AD, you do not need Unix users
> in /etc/passwd and in fact, you should not have users in
> both /etc/passwd and AD.

*Should* not? What does that mean? Sounds different than cannot.

> To make an AD user a Unix user, either add RFC2307 attributes to the
> user's object in AD and then use the winbind 'ad' backend, or use the
> 'rid' backend, in which case you do not have to add anything to AD.

Now we *can* have a Unix user in AD? I'm not sure which of the three statements has any meaning. I don't know if English is your native language, but there are differences in truth logic in the three ways the statement on user mapping support has been made. I've been working with the third statement being true and exercising the rid option.