Patrick Goetz
2022-Feb-11 22:01 UTC
[Samba] Corruption of winbind cache after converting NT4 to AD domain
On 2/11/22 15:34, Michael Tokarev via samba wrote:
> For a long time, we had unix users with their own regular home directories,
> shell access and lots of work in linux. As far as I can see, in order to
> use AD domain, we should convert linux users to AD, so that a user is EITHER
> in linux OR in AD, but not both. I found nothing conclusive about this, it
> is just my gut feeling, - there's no direct requirement like this in the docs
> I found so far. But I see that people do it like this, not mixing uids and
> usernames. It is just my gut feeling, maybe I'm wrong..
>
> So there are two parts of the question:
>
> First, how such setup should be done? We really used to linux auth and linux
> work, it's somewhat unnatural to rely on the AD when dealing with local linux
> accounts. But at the same time, these accounts should have access from windows
> to their files. And most important, _why_ this setup should be done?
>
> And second, what to do with this cache corruption, how to prevent it? Is it
> possible to perform AD auth by samba AND linux auth when logging in to the linux
> machine? Adding --no-cache to winbind command line helped, but this obviously
> is not a good solution...

I just moved from NT4 to Samba AD too. My original plan was to leave the linux
machines standalone, but the more I worked with the system the more obvious it
became that this was a bad idea for various reasons; e.g. the access permissions
on filesystems shared to Windows machines aren't the same if you don't bind the
linux workstation to the domain.

So, what I'm currently doing on the linux machines:

1. Remove local linux accounts which match AD accounts.
2. Bind the linux machine to the domain
3. Reset the permissions on the /home/USER directories on the linux machines to
   match the UID assigned by Samba. If you're using security groups, these work,
   too, and you can assign permissions on linux with these, too.

This seems to work pretty well and avoids the complications of using, say,
autofs. You're just using AD for authentication in this case, although of course
you can mount shares, too. I *don't*, and continue to use NFS to mount file
systems between linux machines. You can also make this work if you have a home
directory server with autofs clients. Just execute the above on the home
directory server and make sure your linux clients are using AD to authenticate.
Rowland Penny
2022-Feb-11 22:11 UTC
[Samba] Corruption of winbind cache after converting NT4 to AD domain
On Fri, 2022-02-11 at 16:01 -0600, Patrick Goetz via samba wrote:
> On 2/11/22 15:34, Michael Tokarev via samba wrote:
> > For a long time, we had unix users with their own regular home directories,
> > shell access and lots of work in linux. As far as I can see, in order to
> > use AD domain, we should convert linux users to AD, so that a user is EITHER
> > in linux OR in AD, but not both. I found nothing conclusive about this, it
> > is just my gut feeling, - there's no direct requirement like this in the docs
> > I found so far. But I see that people do it like this, not mixing uids and
> > usernames. It is just my gut feeling, maybe I'm wrong..
> >
> > So there are two parts of the question:
> >
> > First, how such setup should be done? We really used to linux auth and linux
> > work, it's somewhat unnatural to rely on the AD when dealing with local linux
> > accounts. But at the same time, these accounts should have access from windows
> > to their files. And most important, _why_ this setup should be done?
> >
> > And second, what to do with this cache corruption, how to prevent it? Is it
> > possible to perform AD auth by samba AND linux auth when logging in to the linux
> > machine? Adding --no-cache to winbind command line helped, but this obviously
> > is not a good solution...
>
> I just moved from NT4 to Samba AD too. My original plan was to leave the linux
> machines standalone, but the more I worked with the system the more obvious it
> became that this was a bad idea for various reasons; e.g. the access permissions
> on filesystems shared to Windows machines aren't the same if you don't bind the
> linux workstation to the domain.

If you have AD, there is no point in using Samba as a standalone server, in
fact, if you later decide to join the 'standalone server' to the domain, that
is where your troubles start.

> So, what I'm currently doing on the linux machines:
>
> 1. Remove local linux accounts which match AD accounts.
> 2. Bind the linux machine to the domain
> 3. Reset the permissions on the /home/USER directories on the linux machines to
>    match the UID assigned by Samba. If you're using security groups, these work,
>    too, and you can assign permissions on linux with these, too.
>
> This seems to work pretty well and avoids the complications of using, say,
> autofs. You're just using AD for authentication in this case, although of course
> you can mount shares, too. I *don't*, and continue to use NFS to mount file
> systems between linux machines. You can also make this work if you have a home
> directory server with autofs clients. Just execute the above on the home
> directory server and make sure your linux clients are using AD to authenticate.

It all just works, you may need slightly different 'incantations' in the conf
files, but it all just works. One of the benefits of this is that you can use
SSH with kerberos, no keys.

Rowland
Michael Tokarev
2022-Feb-12 07:36 UTC
[Samba] Corruption of winbind cache after converting NT4 to AD domain
12.02.2022 01:01, Patrick Goetz via samba wrote:
[]
> I just moved from NT4 to Samba AD too. My original plan was to leave the linux
> machines standalone, but the more I worked with the system the more obvious it
> became that this was a bad idea for various reasons; e.g. the access permissions
> on filesystems shared to Windows machines aren't the same if you don't bind the
> linux workstation to the domain.

"The more obvious it became". This is my "gut feeling" for now, - just because
else it doesn't actually work due to the $subj. But I'm not sure yet if it is
just a wrong assumption in winbind, a bug due to this wrong assumption, or it is
actually _required_ to have no unix users with the same name/uid as in AD. So
far I tend to see it more like a bug than an actual architectural requirement.
Maybe a difficult to fix bug, but still a bug.

> So, what I'm currently doing on the linux machines:
>
>  1. Remove local linux accounts which match AD accounts.
>  2. Bind the linux machine to the domain
>  3. Reset the permissions on the /home/USER directories on the linux machines
>     to match the UID assigned by Samba. If you're using security groups, these
>     work, too, and you can assign permissions on linux with these, too.

FWIW, this step isn't actually necessary if you assign uidNumber & gidNumber
for your users/groups to be the same as on your standalone server(s)
(assuming all servers shared the same uids).

/mjt
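Added example (not from any poster in this thread) covering Patrick's step 3 and Michael's note: a POSIX sh script that re-owns each local home directory from the old local uid:gid to the uid:gid winbind now returns, and leaves it untouched when AD's uidNumber/gidNumber already match. It assumes GNU chown, winbind configured in NSS so that getent resolves domain users, and a "user olduid:oldgid" list saved from /etc/passwd before the local accounts were removed; the function names are the example's own.

```shell
#!/bin/sh
# Added example, not from the thread: after the AD join, re-own each home
# directory from the old local uid:gid to the uid:gid winbind now returns
# for that user (Patrick's step 3). When uidNumber/gidNumber in AD equal
# the old local values (Michael's note) the ids match and nothing changes.
# Assumes GNU chown (--from), winbind in NSS so getent resolves domain
# users, and "user olduid:oldgid" lines saved before the local accounts
# were removed (the old ids are not resolvable by name afterwards).

HOME_ROOT="${HOME_ROOT:-/home}"   # parent of the per-user home directories
DRY_RUN="${DRY_RUN:-1}"           # 1 = only print the chown commands

# ad_ids USER -> "uid:gid" via NSS/winbind; returns 1 for an unknown user
# so the caller skips it rather than chowning to a missing or bogus id.
ad_ids() {
    entry=$(getent passwd "$1") || return 1
    printf '%s\n' "$entry" | awk -F: '{ print $3 ":" $4 }'
}

# remap_home USER OLDUID:OLDGID NEWUID:NEWGID
# chown --from limits the change to files still owned by the old pair, so
# root-owned or shared files inside the home keep their ownership.
remap_home() {
    user=$1 old=$2 new=$3
    dir="$HOME_ROOT/$user"
    [ -d "$dir" ] || { echo "skip $user: no $dir" >&2; return 1; }
    if [ "$old" = "$new" ]; then
        echo "ok   $user: ids unchanged ($new)"
    elif [ "$DRY_RUN" = 1 ]; then
        echo "plan $user: chown -R --from=$old $new $dir"
    else
        chown -R --from="$old" "$new" "$dir"
    fi
}

# remap_from_list < mapfile: one "user olduid:oldgid" per line. Returns the
# number of users that could not be processed (0 = everything done).
remap_from_list() {
    failed=0
    while read -r user old; do
        [ -n "$user" ] || continue
        if new=$(ad_ids "$user"); then
            remap_home "$user" "$old" "$new" || failed=$((failed + 1))
        else
            echo "skip $user: not found in AD" >&2
            failed=$((failed + 1))
        fi
    done
    return "$failed"
}
```

Run it once with DRY_RUN=1 to review the planned chown commands, then with DRY_RUN=0 as root; users that winbind cannot resolve are reported and skipped rather than re-owned.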