On 13/02/2023 22:53, Vaughan, Robert J via samba wrote:
>>> Were you running 'getent passwd' rather than 'getent passwd AUSERNAME' ?
>
> Yes, I am used to getting that output with getent on my UNIX LDAP system.
> As long as I can get it from wbinfo I suppose that works too.
>>Never understood why anyone requires all the users or groups on a
>>regular basis, just as long as the OS knows a user or group should be
>>enough.
>>As for wbinfo, that reads directly from AD and as such, using the 'ad'
>>idmap backend, doesn't mean all the users or groups are available on
>>Unix, only the ones with a uidNumber or gidNumber will be.
>
>>> To get all the users shown, you need 'winbind enum users = yes', but it
>>> isn't required and, as you have found out, it just slows things down.
>
> So, I don't think giving a gidNumber to 'domain users' did anything useful
> for me. All the AD users using UNIX or SAMBA have uidNumber and gidNumber
> set (along with homedir and shell) and the UNIX groups are all in AD too
> now. I don't plan to use the standard AD groups (or ones created by Windows
> admins) for UNIX or SAMBA purposes. Perhaps if I wasn't planning on
> assigning UID/GID using POSIX attributes or creating my own groups the
> 'domain users' becomes useful?
>>Then something appears to have changed, at one time, when using the 'ad'
>>idmap backend, you had to give Domain Users a gidNumber, even when using
>>'unix_primary_group = yes'. I also have never really understood why you
>>would use that setting, what is wrong with using Domain Users ? It isn't
>>as if you can have a user group with the same name as the user.
I am the UNIX admin and don't have a use for all domain users group since
all domain users won't be UNIX (or SAMBA) users.
What do you mean by "It isn't as if you can have a user group with the
same name as the user"? We currently do have group names in UNIX (local
and in LDAP) that are the same as a user (not a real person, but a shared/admin
type account for an application) - is there some problem for AD with that? I
thought all it cared about was the SID?
Thanks,
Robert Vaughan