Andrew Bartlett
2015-Dec-16 07:44 UTC
[Samba] How can I change the localSID for a SAMBA Server?
On Wed, 2015-12-16 at 01:35 +0100, Tetra wrote:
> We don't need a domain for this system. The PCs used are currently not
> in a domain at all, the Linux PCs will not, the Macs likely not, and there
> are even some Windows Home PCs that cannot join a domain. The Samba
> servers are just for providing file shares in a way Windows recognizes.
> We don't want it to be possible to make users or change passwords locally
> on the samba servers, all that should be done in the LDAP Account
> Manager (It can update linux and samba passwords at the same time.)
>
> I haven't concluded yet, if this is how to do it, but it seems it is a
> possible way of doing it.

Even if you don't think of the various Samba servers offering file shares as being in a domain, if they share a password database, the only supported way of doing so is if they are domain controllers.

If you have nothing joined to the domain, it is harmless for the servers to also be a PDC or BDC of an NT4-like domain, and by doing so you step back inside the supported envelope, rather than hacking a currently mostly-working solution outside it.

Andrew Bartlett

-- 
Andrew Bartlett
http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Samba Developer, Catalyst IT http://catalyst.net.nz/services/samba
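The "supported envelope" Andrew refers to, spelled out as a configuration. This is an added illustration, not a config from the original thread or from the Samba project's documentation: a classic NT4-style PDC whose account database lives in LDAP, and a BDC on every other file server pointing at the same directory. The workgroup name, NetBIOS names, LDAP URL and DN suffixes are placeholders chosen for this example.

```ini
# ---- smb.conf on the first file server (PDC) ----
# The single authoritative domain: answers domain logons, is the domain
# master, and reads/writes accounts in LDAP. Names and DNs are placeholders.
[global]
    workgroup = EXAMPLE
    netbios name = FILESRV1
    security = user
    domain logons = yes
    domain master = yes
    preferred master = yes

    # Account database is the directory, not a local tdb or smbpasswd file.
    passdb backend = ldapsam:ldap://ldap.example.internal
    ldap suffix = dc=example,dc=internal
    ldap user suffix = ou=People
    ldap group suffix = ou=Groups
    ldap machine suffix = ou=Computers
    ldap admin dn = cn=admin,dc=example,dc=internal
    # Protect credentials on the wire to the directory server.
    ldap ssl = start tls

    # Deliberately no "add user script" / "add machine script": Samba then
    # has no way to create accounts, so all account management stays in
    # the LDAP tool, as the thread's poster wants.

[data]
    path = /srv/samba/data
    read only = no

# ---- smb.conf on every other file server (BDC) ----
# Same workgroup, same LDAP backend, but not the domain master. All of the
# servers therefore share one account database and one domain SID instead
# of each carrying its own local SID.
[global]
    workgroup = EXAMPLE
    netbios name = FILESRV2
    security = user
    domain logons = yes
    domain master = no

    passdb backend = ldapsam:ldap://ldap.example.internal
    ldap suffix = dc=example,dc=internal
    ldap user suffix = ou=People
    ldap group suffix = ou=Groups
    ldap machine suffix = ou=Computers
    ldap admin dn = cn=admin,dc=example,dc=internal
    ldap ssl = start tls

[data]
    path = /srv/samba/data
    read only = no
```

The password for the `ldap admin dn` is not in smb.conf; it is stored in secrets.tdb with `smbpasswd -w` on each server. With the ldapsam backend the domain's SID is kept in the sambaDomain entry in the directory, so the PDC and every BDC see the same SID without anyone editing local SIDs by hand, which is the practical difference from a set of standalone servers that merely happen to read the same LDAP tree.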
Rowland penny
2015-Dec-16 08:42 UTC
[Samba] How can I change the localSID for a SAMBA Server?
On 16/12/15 07:44, Andrew Bartlett wrote:
> On Wed, 2015-12-16 at 01:35 +0100, Tetra wrote:
>
>> We don't need a domain for this system. The PCs used are currently not
>> in a domain at all, the Linux PCs will not, the Macs likely not, and there
>> are even some Windows Home PCs that cannot join a domain. The Samba
>> servers are just for providing file shares in a way Windows recognizes.
>> We don't want it to be possible to make users or change passwords locally
>> on the samba servers, all that should be done in the LDAP Account
>> Manager (It can update linux and samba passwords at the same time.)
>>
>> I haven't concluded yet, if this is how to do it, but it seems it is a
>> possible way of doing it.
>>
> Even if you don't think of the various Samba servers offering file
> shares as being in a domain, if they share a password database, the
> only supported way of doing so is if they are domain controllers.
>
> If you have nothing joined to the domain, it is harmless for the servers
> to also be a PDC or BDC of an NT4-like domain, and by doing so you step
> back inside the supported envelope, rather than hacking a currently
> mostly-working solution outside it.
>
> Andrew Bartlett
>

Thanks for confirming what I thought: a standalone server is a server that holds its own user & group database; if it connects to something else for the users & groups, it isn't a standalone server.

Rowland
Rowland penny
2015-Dec-16 13:55 UTC
[Samba] How can I change the localSID for a SAMBA Server?
On 16/12/15 12:24, Terje Trane wrote:
> On 16.12.2015 12:51, Rowland penny wrote:
>> Once you start using just one machine to store the user & group
>> database, you have a prototype domain. Running a workgroup with a lot
>> of users is a pain, I know, I have been there, done that. Why is it a
>> pain? Because if a user wants to use a machine (even if just to use
>> the shared printer), that user has to exist on the computer that
>> holds the share. When a new user needs adding, the sysadmin has to go
>> round every PC that the new user will connect to; in my case, this
>> entailed a round trip of almost 200 miles, going to 3 depots.
>
> Yes, having to do that is a pain. But since the linux users are
> already in NIS or LDAP, that problem should have been solved, and it
> is for normal linux command line login, and NFS etc.
>
> The pain now is to have to go to each server and set up the samba
> servers in a NT4 domain instead of just letting each server use what
> already is provided. I understand that this is because Windows is
> using its own hashing scheme(?), but I would love to see a supported
> mode where a samba server could use a central password database in
> LDAP, maybe even read only. Compare to the "well-known method" of
> keeping a smbpasswd file updated on one server and just rsyncing it to
> the others. (Inspired by the way NIS works, maybe?)

There is a supported mode, it is called 'active directory'.

>
> PS:
> Isn't it an idea to keep the discussion on the list, or is it too
> off-topic?

Probably wise to keep it on list, but I just replied to an email you sent directly to me, you didn't send it to the list!

Rowland
On 16.12.2015 14:55, Rowland penny wrote:
>
> Probably wise to keep it on list, but I just replied to an email you
> sent directly to me, you didn't send it to the list!

Ah, sorry. Seems I'm reading this both as a newsgroup and a mailing list, and the client behaves differently. Must pay more attention to what buttons I click on.