12.02.2022 01:24, Patrick Goetz via samba wrote:
> You have local accounts which match Samba AD accounts?? That seems
> like a terrible idea; but in particular surely the user SIDs don't
> match and maybe this is the problem?

Um. *why* is this a bad idea, Patrick?

It seems to be a popular topic (I faced another prob due to this), but it
seems it all boils down to 2 questions:

1. *why* is it actually a bad idea to have the same users locally and in AD?

Myself, I think about just one "user": parts of its attributes, roughly
speaking, are stored locally in /etc/passwd & Co for local access and parts
are in AD, for access over the SMB network. The two parts are in sync (I
assume it is okay for that user to not work right in case they're not in
sync). Why is my view a "terrible idea"? This question is important, to me
at least.

2. If it really is this that bad an idea, why is this really important and
confusing (for so many people) fact not mentioned in bold on every
AD-related page? :)

Seriously, people come to this conclusion only after facing many errors
trying to fix all sorts of probs. I guess it'd be much less
surprising/confusing if there was some information about this somewhere...

Thank you!

/mjt
On Sat, 2022-02-12 at 10:46 +0300, Michael Tokarev via samba wrote:
> 12.02.2022 01:24, Patrick Goetz via samba wrote:
> > You have local accounts which match Samba AD accounts? That seems
> > like a terrible idea; but in particular surely the user SIDs don't
> > match and maybe this is the problem?
>
> Um. *why* is this a bad idea, Patrick?
>
> It seems to be a popular topic (I faced another prob due to this),
> but it seems it all boils down to 2 questions:
>
> 1. *why* is it actually a bad idea to have the same users locally and
> in AD?

Because the local Samba 'user' will have a different SID to the AD user,
they ARE different users.

> Myself, I think about just one "user": parts of its attributes,
> roughly speaking, are stored locally in /etc/passwd & Co for local
> access and parts are in AD, for access over the SMB network.

Stop thinking like that :-)

> The two parts are in sync

I doubt this.

> (I assume it is okay for that user to not work right in case they're
> not in sync). Why is my view a "terrible idea"?
> This question is important, to me at least.

Once you get your head around having only one place (alright, multiple
places if you have multiple DCs, but the same database) to administrate
your domain, no adding users to /etc/passwd and then creating them again
in another database, you just create them once and use them anywhere in
your domain.

> 2. If it really is this that bad an idea, why is this really important
> and confusing (for so many people) fact not mentioned in bold on every
> AD-related page? :)

Because it would get tedious, and it is accepted that this is how AD works.

> Seriously, people come to this conclusion only after facing many
> errors trying to fix all sorts of probs. I guess it'd be much less
> surprising/confusing if there was some information about this
> somewhere...

It is all over the internet, but is disguised as Microsoft documentation :-D

Rowland
On 2/12/22 01:46, Michael Tokarev wrote:
> 12.02.2022 01:24, Patrick Goetz via samba wrote:
>> You have local accounts which match Samba AD accounts?? That seems
>> like a terrible idea; but in particular surely the user SIDs don't
>> match and maybe this is the problem?
>
> Um. *why* is this a bad idea, Patrick?
>

This is different from the case of local accounts on a Linux host. I was
laboring under the assumption that Lukasz is talking about Windows
clients. I'm not a Windows guy, but I think RIDs are assigned
automatically by Windows when you create an account? If that's true, then
having a local Windows user with the same username as a user on AD will
result in having the same username with 2 different RIDs. Someone correct
me if I'm wrong here.
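An added illustration of the point Rowland and Patrick make above (editor's example, not code from any poster or from Samba): when two stores each issue their own SID for the same account name, a name match says nothing about identity, and the comparison has to be by SID. The account tables and all SIDs are constructed sample values.

```python
# Added example for the thread above, not Samba code: identity is decided
# by SID, not by account name. All SIDs and both account tables below are
# constructed sample values (invented domain/machine parts).
from dataclasses import dataclass


@dataclass(frozen=True)
class Sid:
    revision: int
    authority: int
    subauthorities: tuple

    @classmethod
    def parse(cls, text):
        # Textual form S-<rev>-<authority>-<sub1>-...-<subN>: the last
        # sub-authority is the RID, the preceding ones identify the issuer.
        parts = text.split("-")
        if len(parts) < 4 or parts[0] != "S":
            raise ValueError(f"not a SID: {text!r}")
        rev, auth = int(parts[1]), int(parts[2])
        subs = tuple(int(p) for p in parts[3:])
        if rev != 1 or any(s < 0 for s in subs):
            raise ValueError(f"malformed SID: {text!r}")
        return cls(rev, auth, subs)

    @property
    def rid(self):
        return self.subauthorities[-1]

    @property
    def issuer(self):
        return self.subauthorities[:-1]


# Same username in both stores, but each store issued its own SID (and RID).
AD_ACCOUNTS = {"mjt": "S-1-5-21-111111111-222222222-333333333-1105"}
LOCAL_ACCOUNTS = {"mjt": "S-1-5-21-444444444-555555555-666666666-1001"}


def classify(name):
    """'same' (one SID), 'different' (two SIDs, two principals) or 'missing'."""
    ad, local = AD_ACCOUNTS.get(name), LOCAL_ACCOUNTS.get(name)
    if ad is None or local is None:
        return "missing"
    return "same" if Sid.parse(ad) == Sid.parse(local) else "different"


def diagnose(name):
    """Which parts of a 'different' pair disagree: issuer, RID or both."""
    a, b = Sid.parse(AD_ACCOUNTS[name]), Sid.parse(LOCAL_ACCOUNTS[name])
    return {"issuer_differs": a.issuer != b.issuer, "rid_differs": a.rid != b.rid}
```

`classify("mjt")` returns "different" even though the name exists in both tables, which is exactly the situation Rowland describes.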