Gary Dale
2023-Apr-28 04:13 UTC
[Samba] DNS problems (still) with Linux domain members - using Samba's internal DNS backend
On 2023-04-27 10:39, Rowland Penny via samba wrote:
>
> On 27/04/2023 14:37, Gary Dale via samba wrote:
>
>> If you don't have Unix users then the UIDs and GIDs can't interfere.
>> The idea of interference requires the existence of both sets.
>
> What happens if something goes wrong, AD doesn't work and you cannot
> log on because you do not have any local Unix users because YOU chose
> to start the AD id's at 1000 ???

I could always log in as root - the one uid that does get mapped. Besides, there is nothing magic about 1000. It's where Debian starts numbering users but I've seen other distros use 500.

More to the point, the current Samba variant seems to be incompatible with local Unix users anyway. Previously Samba used the Unix accounts. Now they seem to be redundant. I can't even give my Unix account and my Windows account the same name.

Under previous versions, my Windows account mapped to my Unix account. Without user mapping, I can only access Samba shares that Windows-only users access through my Windows account. Unix accounts can't be members of Windows groups and Windows groups can't map to Unix groups either.

In any mixed environment, it seems that the two systems can no longer co-exist. Instead you have two solitudes. If you want to access things available to Windows users, you need a Windows account. If you want a local Unix account, you can't access Windows shares with it. User and group mapping used to bridge that gap.

> Gary this is getting us nowhere, you say something, I try to help you,
> alter the wiki in some cases, but you keep coming up with more and
> more problems, objections etc, so welcome to my banned list.

I'm just trying to understand the reasoning behind what appears to be a bizarre set of decisions made by the Samba developers in the last year that go against a quarter century of Samba practices. Did Microsoft suddenly inject a lot of money into the project on the condition that they make it incompatible with a normal Linux infrastructure?

I'm not arguing against what you are telling me. I'm accepting that is an accurate reflection of the state of Samba. I'm just saying this is a really bad direction for Samba to take.

Anyway, I now have a working Samba share again, using the ad idmap backend. However I'm thinking seriously about just using AD for my Windows VMs to handle their accounts while doing my file sharing to them with a USB stick kept plugged into the File & Print server. It seems preferable to ditching all my Unix accounts and moving my Linux machines to AD.
Christian Naumer
2023-Apr-28 06:03 UTC
[Samba] DNS problems (still) with Linux domain members - using Samba's internal DNS backend
On 28.04.23 at 06:13, Gary Dale via samba wrote:
> Under previous versions, my Windows account mapped to my Unix account.
> Without user mapping, I can only access Samba shares that Windows-only
> users access through my Windows account. Unix accounts can't be members
> of Windows groups and Windows groups can't map to Unix groups either.

Rowland will not like to hear this but you can still do this. Although I agree with Rowland that you should not. If you use the "normal" Linux tools you can add users from AD to Linux groups. That only works on the machine you are doing this on, but it does work. You can even (Rowland do not read further) add local Samba users with smbpasswd when your server is running with AD (I accidentally did this once) and use that to access your server. But it makes everything even more complex and the behaviour harder to understand, in my opinion.

> In any mixed environment, it seems that the two systems can no longer
> co-exist. Instead you have two solitudes. If you want to access things
> available to Windows users, you need a Windows account. If you want a
> local Unix account, you can't access Windows shares with it. User and
> group mapping used to bridge that gap.

I think you are looking at this too strictly. I have been using Samba for some time and going to AD simplified things for me. And I have absolutely no issues with a Linux/Windows environment. OK, I use sssd on workstations but the member/file servers use Samba. I log onto my Linux computer with my AD account and can ssh, rsync or do smb file access without having to use a password.

Regards
Christian