Eddie Rowe
2022-Sep-21 23:00 UTC
[Samba] Usernames in /etc/passwd vs domain (Domain Member Setup)
I am new to Samba and working to understand things since I have an existing Samba server joined to Active Directory as a domain member. I have been reading the O'Reilly Samba book to get oriented to things and am now setting up a test server. So as to not muddy the water with distribution-specific instructions I have been working off the Samba wiki <https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member> to set up a test system. Under the section "Configuring the Name Service Switch" the wiki states "Do not use the same user names in the local /etc/passwd file as in the domain." I am afraid this is how things are set up today on the existing server. Any suggestions for what I can review in the Wiki or Samba site to understand how I can bring our setup into one that would be a standard setup? Today the process for giving someone access to a Samba share involves killing winbind, adding the local account, adding the group that corresponds to the share, and restarting winbind.
Rowland Penny
2022-Sep-22 07:35 UTC
[Samba] Usernames in /etc/passwd vs domain (Domain Member Setup)
On 22/09/2022 00:00, Eddie Rowe via samba wrote:
> I am new to Samba and working to understand things since I have an
> existing Samba server joined to Active Directory as a domain member. I
> have been reading the O'Reilly Samba book to get oriented to things and
> now setting up a test server. So as to not muddy the water with
> distribution specific instructions I have been working off the Samba
> wiki <https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member>
> to setup a test system. Under the section "Configuring the Name Service
> Switch" the wiki states "Do not use the same user names in the local
> /etc/passwd file as in the domain.". I am afraid this is how things are
> setup today on the existing server. Any suggestions for what I can
> review in the Wiki or Samba site to understand how I can bring our setup
> into one that would be a standard setup? Today the process for giving
> someone access to a Samba share involves killing winbind, adding the
> local account, adding the group that corresponds to the share,
> restarting winbind.

The username on Linux is found by going through /etc/nsswitch.conf, which usually is in a form like this:

passwd: files winbind

The above line means that when you run something like 'getent passwd username', /etc/passwd is checked first (the 'files' bit) and if not found, then winbind is asked. This means that if the username is in /etc/passwd and AD, the local user will be used first.

There is absolutely no reason to have the same username in /etc/passwd and in AD.

If I run:

getent passwd rowland

on a Unix domain member, I get this:

rowland:*:11104:10513::/home/rowland:/bin/bash

but running:

grep 'rowland' /etc/passwd

produces no output.

Rowland
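Rowland's point, that the 'files' source in nsswitch.conf wins over winbind for any name present in both, can be turned into a quick audit. The script below is an added example, not code from this thread or from Samba: it reads the passwd lookup order from a constructed nsswitch.conf and reports which names in a constructed local passwd file also appear in a constructed AD user list (all file contents here are made up).

```shell
#!/bin/sh
# Added example (not from the thread): given a passwd-style file and a list of
# AD usernames, report the accounts that exist in both. With "passwd: files winbind"
# in nsswitch.conf these are the users whose local entry shadows the AD one.

# Constructed sample of /etc/passwd; not taken from any real system.
SAMPLE_PASSWD=$(mktemp)
cat > "$SAMPLE_PASSWD" <<'EOF'
root:x:0:0:root:/root:/bin/bash
eddie:x:1001:1001::/home/eddie:/bin/bash
alice:x:1002:1002::/home/alice:/bin/bash
EOF

# Constructed sample domain user list, one name per line (on a real member
# this would come from 'wbinfo -u', with any DOMAIN prefix stripped first).
SAMPLE_AD_USERS=$(mktemp)
cat > "$SAMPLE_AD_USERS" <<'EOF'
rowland
eddie
bob
EOF

# Constructed sample nsswitch.conf with the order Rowland describes.
SAMPLE_NSSWITCH=$(mktemp)
cat > "$SAMPLE_NSSWITCH" <<'EOF'
passwd:     files winbind
group:      files winbind
shadow:     files
EOF

# passwd_sources NSSWITCH_FILE: print the lookup order for the passwd database.
passwd_sources() {
    awk '$1 == "passwd:" { $1 = ""; sub(/^[ \t]+/, ""); print; exit }' "$1"
}

# shadowed_users PASSWD_FILE AD_USER_LIST: print, sorted, the usernames that
# appear in both files (field 1 of each line, so a getent-style list works too).
shadowed_users() {
    awk -F: 'NR == FNR { local[$1] = 1; next } ($1 in local) { print $1 }' \
        "$1" "$2" | sort -u
}

# Stand-alone run: show the order and the clashes for the constructed input.
echo "passwd lookup order: $(passwd_sources "$SAMPLE_NSSWITCH")"
echo "users shadowed by the local passwd file:"
shadowed_users "$SAMPLE_PASSWD" "$SAMPLE_AD_USERS"
```

On a real domain member you would point shadowed_users at /etc/passwd and a file written from 'wbinfo -u'; every name it prints is one 'getent passwd' will resolve from the local file, not from AD.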
Andrew Bartlett
2022-Sep-22 09:25 UTC
[Samba] Usernames in /etc/passwd vs domain (Domain Member Setup)
On Wed, 2022-09-21 at 23:00 +0000, Eddie Rowe via samba wrote:
> I am new to Samba and working to understand things since I have an
> existing Samba server joined to Active Directory as a domain
> member. I have been reading the O'Reilly Samba book to get oriented
> to things and now setting up a test server. So as to not muddy the
> water with distribution specific instructions I have been working off
> the Samba wiki<
> https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member
> > to setup a test system. Under the section "Configuring the Name
> Service Switch" the wiki states "Do not use the same user names in
> the local /etc/passwd file as in the domain.". I am afraid this is
> how things are setup today on the existing server. Any suggestions
> for what I can review in the Wiki or Samba site to understand how I
> can bring our setup into one that would be a standard setup? Today
> the process for giving someone access to a Samba share involves
> killing winbind, adding the local account, adding the group that
> corresponds to the share, restarting winbind.

Samba's preference is, because it avoids double-management and ensures we can honour AD groups etc., to use nss_winbind to provide the users to nsswitch, e.g. to make them Linux users. As you then don't want two user ids for a user, the guidance is not to create a duplicate locally.

However many installations have done so, and do not use nss_winbind, but want Samba to honour the local user authorization, just as NFS, SSH or local login would.

See https://attachments.samba.org/attachment.cgi?id=16970 for guidance on how to keep your setup working with a modern (patched) Samba version.

We really should have a wiki page for nsswitch based authorization, to help the many sites that use Samba the way you do. It isn't our preference, but we know it is a practice that is in use and we try to keep it working. (As this is historically how Samba behaved).
Andrew Bartlett
--
Andrew Bartlett (he/him) https://samba.org/~abartlet/
Samba Team Member (since 2001) https://samba.org
Samba Team Lead, Catalyst IT https://catalyst.net.nz/services/samba
Samba Development and Support, Catalyst IT - Expert Open Source Solutions