Rowland Penny
2015-Apr-05 14:41 UTC
[Samba] Member server - winbind unable to resolve users/groups
On 05/04/15 15:09, Luca Olivetti wrote:
> On 05/04/15 at 15:31, Rowland Penny wrote:
>
>> OK, so you have users that start at '500', these will undoubtedly be
>> local Unix users not AD users, unless you have migrated these users to
>> AD, in which case you would have had to remove the local Unix users.
> Uh? They're users, currently in ldap and after that in AD, and they will
> maintain the same uids/gids. I would be pretty angry if they didn't,
> since it would screw up file ownership

You shouldn't really have used such low numbers in the first place, but that was your decision.

>
>> If you will never need any local Unix users (and what happens if the
>> domain connection goes down ?)
> Isn't winbind supposed to cache that?
> ;-)

What if the problem is winbind ?

>> then you could start the AD users at
>> where the local Unix users are supposed to start (debian 1000, older
>> red-hat 500, newer red-hat 1000), but this is if you *only* have Unix
>> system users on the computer.
> Nonsense. I can simply use uids/gids outside the range for local users.

Right and what happens if your number of AD users grows ? they could collide with your local Unix users.

>> I cannot recommend this type of setup, there is no reason to have such a
>> setup and if you do have such a setup, then my recommendation is to
>> retire and let somebody else sort out your mess.
> This is not a "mess". This was best-practice in its day (some of us have
> been using Linux when it was still not fashionable to do so) and it
> still works fine. There is no reason to change what's working fine only
> to follow your recommendation. Otherwise there would be no reason to
> make the range configurable: it is in order to adapt to one's environment.

Yes, it may have been best practice in its day (cannot think when, but hey) but it is not best practice now and hasn't been for quite some time.

As for using Linux when it was still not fashionable, well I
A) Remember reading Linus's message shortly after he sent it out (didn't really understand what he was trying to get at)
B) Remember booting my first Linux machine from a couple of 3-1/2 inch floppies called 'boot' and 'root'

So, don't try and pull the 'I am older than Methuselah' routine :-D

Rowland

>
> Bye
buhorojo
2015-Apr-05 14:55 UTC
[Samba] Member server - winbind unable to resolve users/groups
On 05/04/15 16:41, Rowland Penny wrote:
> On 05/04/15 15:09, Luca Olivetti wrote:
>> On 05/04/15 at 15:31, Rowland Penny wrote:
>>
>>> OK, so you have users that start at '500', these will undoubtedly be
>>> local Unix users not AD users, unless you have migrated these users to
>>> AD, in which case you would have had to remove the local Unix users.
>> Uh? They're users, currently in ldap and after that in AD, and they will
>> maintain the same uids/gids. I would be pretty angry if they didn't,
>> since it would screw up file ownership
>
> You shouldn't really have used such low numbers in the first place,
> but that was your decision.
>
>>
>>> If you will never need any local Unix users (and what happens if the
>>> domain connection goes down ?)
>> Isn't winbind supposed to cache that?
>> ;-)
>
> What if the problem is winbind ?
>
>>> then you could start the AD users at
>>> where the local Unix users are supposed to start (debian 1000, older
>>> red-hat 500, newer red-hat 1000), but this is if you *only* have Unix
>>> system users on the computer.
>> Nonsense. I can simply use uids/gids outside the range for local users.
>
> Right and what happens if your number of AD users grows ? they could
> collide with your local Unix users.
>
>
>>> I cannot recommend this type of setup, there is no reason to have
>>> such a
>>> setup and if you do have such a setup, then my recommendation is to
>>> retire and let somebody else sort out your mess.
>> This is not a "mess". This was best-practice in its day (some of us have
>> been using Linux when it was still not fashionable to do so) and it
>> still works fine. There is no reason to change what's working fine only
>> to follow your recommendation. Otherwise there would be no reason to
>> make the range configurable: it is in order to adapt to one's
>> environment.
>
> Yes, it may have been best practice in its day (cannot think when, but
> hey) but it is not best practice now and hasn't been for quite some time.
>

We don't want best anything. We want what we have to work. And anyway didn't you hear? Butter is good for you again this year. Linux: we configure it as we wish. Not as someone else dictates. You're worse than my IT teacher. Your idealism helps no one.

> As for using Linux when it was still not fashionable, well I
> A) Remember reading Linus's message shortly after he sent it out
> (didn't really understand what he was trying to get at)
> B) Remember booting my first Linux machine from a couple of 3-1/2 inch
> floppies called 'boot' and 'root'
>
> So, don't try and pull the 'I am older than Methuselah' routine :-D
>
> Rowland
>>
>> Bye
>
Reindl Harald
2015-Apr-05 15:03 UTC
[Samba] Member server - winbind unable to resolve users/groups
On 05.04.2015 at 16:55, buhorojo wrote:
> We don't want best anything

sad enough

> We want what we have to work

so do what you want - who cares

> Linux: we configure it as we wish

why don't you do then?

> Not as someone else dictates

well, do what you want but why do you discuss on public mailing lists if you only want to hear the same as you say?

> You're worse than my IT teacher
> Your idealism helps no one

without such idealism you couldn't even write here
Luca Olivetti
2015-Apr-05 15:17 UTC
[Samba] Member server - winbind unable to resolve users/groups
On 05/04/15 at 16:41, Rowland Penny wrote:
> You shouldn't really have used such low numbers in the first place, but
> that was your decision.

No, it wasn't my decision, it was the default in the distribution I used at the time. In fact, the *only* distribution starting from 1000 was debian, every other distribution used 500. It's only recently that they decided to change to 1000, but without breaking compatibility with existing users

>
>>
>>> If you will never need any local Unix users (and what happens if the
>>> domain connection goes down ?)
>> Isn't winbind supposed to cache that?
>> ;-)
>
> What if the problem is winbind ?

I keep local users for such (and similar) cases.

>
>>> then you could start the AD users at
>>> where the local Unix users are supposed to start (debian 1000, older
>>> red-hat 500, newer red-hat 1000), but this is if you *only* have Unix
>>> system users on the computer.
>> Nonsense. I can simply use uids/gids outside the range for local users.
>
> Right and what happens if your number of AD users grows ? they could
> collide with your local Unix users.

I doubt I will reach uid 50000 anytime soon. I hope I'll have retired by then ;-)

>
> Yes, it may have been best practice in its day (cannot think when, but
> hey) but it is not best practice now and hasn't been for quite some time.

Fedora changed from 500 to 1000 in 2011. Even though I wasn't using fedora, at the time I had a couple million files or more, so even if the default changed it still wasn't practical to change ownership of all those files. Besides, it could have unintended side effects far worse than using uids < 10000.

BTW, when I migrated my users to LDAP I used a recommended (best-practice) script which populated the database with the windows groups, and it assigned the gid 513 to "Domain Users". It's not a random coincidence that both me and Andrey have the same gid for "Domain Users": it was the *standard* practice.

> As for using Linux when it was still not fashionable, well I
> A) Remember reading Linus's message shortly after he sent it out (didn't
> really understand what he was trying to get at)
> B) Remember booting my first Linux machine from a couple of 3-1/2 inch
> floppies called 'boot' and 'root'
>
> So, don't try and pull the 'I am older than Methuselah' routine :-D

And yet you don't know that most distributions used uid 500 as the first non system user?

Bye
--
Luca Olivetti
Wetron Automation Technology http://www.wetron.es
Tel. +34 935883004 Fax +34 935883007