Rowland Penny
2022-Feb-12 13:36 UTC
[Samba] Corruption of winbind cache after converting NT4 to AD domain
On Sat, 2022-02-12 at 15:04 +0300, Michael Tokarev wrote:
> 12.02.2022 12:30, Rowland Penny via samba wrote:
> > On Sat, 2022-02-12 at 11:56 +0300, Michael Tokarev wrote:
> > > Please note: I'm not arguing here, my intention is the
> > > understanding.
> +++
>
> Rowland, I really appreciate your explanations. And my only
> intention is to understand. But I still can not... :(
>
> I see what you suggest, what you recommend to do/use. But why is it
> incorrect to have a local user AND the AD user (maybe after fixing the
> bug in winbind from $subj which you say is not a bug)?

There is no bug, it is the way it is supposed to work. If you have a local user 'fred' (in /etc/passwd), this will not be the same user as a user called 'fred' in AD. Samba can obtain the user's data from AD, but it may not be saved as the AD user and this can lead to all sorts of problems. Now if you only have 'fred' in AD none of these problems will occur because 'fred' will be the same user everywhere.

>
> You're saying "stop thinking the old way". But it raises the same
> question: why, what's wrong with the "old way" (besides the $subj)?
> Why can't I have everything locally without relying on any external
> networking services unless I actually come over the network (from a Windows
> machine)?

Because that isn't the way AD works.

Okay, a bit of history :-)

First there was DOS, which was a single user system, then Windows came along, but wasn't really useful until Windows for Workgroups. Now workgroups were interesting because these allowed users to read/write data to other computers and use printers etc. on other computers (I am simplifying things here), but workgroups didn't scale well: you had to create the same users & groups on all workgroup machines, and this soon got tedious. So Microsoft came up with NT4 domains, followed by Samba.

On Windows the SID identifies the users & groups, but means nothing to Unix; this is where Samba comes in. Initially, in an NT4-style domain, Samba required a local user to map domain users to; later versions using ldap did away with this requirement. However NT4-style domains had their problems, security being one of them, so Microsoft came up with AD, which used DNS, ldap and kerberos. Samba had to keep up with Microsoft, so it gained code to allow it to join an AD domain and work began to make Samba operate as an AD DC. Right from the start, an AD joined computer did not require local users; winbind maps AD users to local Unix users. For instance, the 'rid' idmap backend will take an AD user's RID and calculate the user's Unix ID from that.

>
> The corruption definitely can be fixed, this is not a question here
> anymore. The argument that local user and AD user have different SIDs
> is not valid either, we can make them the same.

Yes it can be fixed, by setting things up correctly. You are not the first person to try and bend AD and it has always ended in tears.

>
> But the main - conceptual - question is why we can't have local user
> with "AD extensions", so to say, or "AD user" with "local
> extensions",
> declaring them the SAME user? What's wrong with this *conceptually*?

Because you do not need to do it. Yes, you can use an unjoined 'standalone server' in an AD domain, but this would mean creating exactly the same users & groups on the standalone server that exist in AD; also the passwords would have to be the same and kept in sync. Once you join a computer to an AD domain, you must use the users & groups from AD.

>
> Again, I'm not asking about personal preferences, but about the
> concept.
>
> Maybe if this conceptual question is answered, everything else will
> become much simpler...

It is simple: join all machines to the domain and use the users and groups from AD.

Rowland
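The two mechanics in Rowland's reply (a local 'fred' in /etc/passwd shadowing an AD 'fred', and the 'rid' idmap backend deriving a Unix ID from the RID) can be made concrete with a small script. This is an added example, not code from the thread or from Samba itself; the idmap range, base_rid, SIDs and passwd lines are constructed, and the formula is the one documented for idmap_rid (ID = RID - BASE_RID + LOW_RANGE_ID).

```python
# Added example, not Samba's own code. It models how winbind's 'rid' idmap
# backend computes a Unix ID from an AD SID and flags the local/AD name
# collision that leaves files owned by the wrong UID after a domain join.

IDMAP_RANGE = (10000, 999999)  # assumed 'idmap config SAMDOM : range = 10000-999999'
BASE_RID = 0                   # assumed 'idmap config SAMDOM : base_rid' (default 0)


def rid_from_sid(sid: str) -> int:
    """Return the RID, i.e. the last sub-authority of a textual SID such as S-1-5-21-a-b-c-1105."""
    parts = sid.split("-")
    if len(parts) < 4 or parts[0] != "S":
        raise ValueError(f"not a SID: {sid!r}")
    return int(parts[-1])


def rid_to_unix_id(sid: str, low: int = IDMAP_RANGE[0], high: int = IDMAP_RANGE[1],
                   base_rid: int = BASE_RID):
    """Apply the idmap_rid formula ID = RID - BASE_RID + LOW_RANGE_ID.

    An ID that falls outside the configured range is not mapped (winbind
    would report the SID as unmapped), so None is returned for it.
    """
    unix_id = rid_from_sid(sid) - base_rid + low
    if not low <= unix_id <= high:
        return None
    return unix_id


def parse_passwd(text: str) -> dict:
    """Parse /etc/passwd-style lines into {name: uid}; blank and comment lines are skipped."""
    users = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 3:
            continue
        users[fields[0]] = int(fields[2])
    return users


def find_collisions(local_users: dict, ad_users: dict) -> list:
    """Return (name, local_uid, ad_uid) for every name present both locally and in AD.

    With 'passwd: files winbind' in nsswitch.conf the local entry is returned
    first, so the AD account is shadowed and its files end up owned by the
    local UID rather than the rid-mapped one.
    """
    collisions = []
    for name, sid in ad_users.items():
        if name in local_users:
            collisions.append((name, local_users[name], rid_to_unix_id(sid)))
    return sorted(collisions)


# Constructed sample data: two lines from a hypothetical /etc/passwd and a
# hypothetical AD domain (domain SID S-1-5-21-1-2-3 is made up).
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
fred:x:1001:1001:Fred Local:/home/fred:/bin/bash
"""
SAMPLE_AD_USERS = {
    "fred": "S-1-5-21-1-2-3-1105",
    "alice": "S-1-5-21-1-2-3-1106",
}


def report() -> list:
    """Run the collision check over the constructed sample and return the findings."""
    return find_collisions(parse_passwd(SAMPLE_PASSWD), SAMPLE_AD_USERS)


if __name__ == "__main__":
    for name, local_uid, ad_uid in report():
        print(f"{name}: local uid {local_uid} shadows AD uid {ad_uid}")
```

Running it reports that 'fred' exists locally as UID 1001 while winbind would map the AD account to 11105; 'alice', who exists only in AD, produces no finding. Removing the local entry (or renaming it) is the fix the thread recommends, after which the rid-mapped ID is the only one the system ever sees for that name.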
Michael Tokarev
2022-Feb-12 14:01 UTC
[Samba] Corruption of winbind cache after converting NT4 to AD domain
12.02.2022 16:36, Rowland Penny via samba ?????:
...
> Okay, a bit of history :-)

Heh. I come from the before-MS-DOS era. And I managed WfW workgroups too, and instead of switching to winNT I switched to samba, and one domain I've set up was still up-n-running until a few days ago (which started this thread). I still remember WfW. And I still remember some GUI on MS-DOS 2.x (iirc) which - I think - started windows in the first place; it was some sort of file manager.

...
>> The corruption definitely can be fixed, this is not a question here
>> anymore. The argument that local user and AD user have different SIDs
>> is not valid either, we can make them the same.
>
> Yes it can be fixed, by setting things up correctly. You are not the
> first person to try and bend AD and it has always ended in tears.

I'm not trying to bend AD. Not at all. I'm not trying to bend anything. And I'm not trying to bend local users, either. In my understanding it is all working together just fine, if not for some bug which you keep saying is not a bug. And I *still* have yet to see the reason for your thinking that something needs to be bent - either AD or local users. You keep saying "do this" instead of answering my only question: WHY, what is wrong with keeping it all peacefully without needing to bend anything?

I'll stop this. We're going in circles... :(

Thank you!

/mjt