Rowland Penny wrote on 16-07-2016 20:25:
> On 16/07/16 14:08, Xen wrote:
>> Rowland Penny wrote on 14-07-2016 14:50:
>>
>>> If you have any users in /etc/passwd that are also in AD i.e if you
>>> have user 'fred' in /etc/passwd and there is also a user 'ABC+fred' in
>>> AD, then sorry, but one of them will have to go, they would be treated
>>> as the same user.
>>
>> Are you entirely sure this is true? I don't yet know how ID mapping
>> works in Samba.
>
> OK, where is rowland stored, can you tell from this:
>
> rowland@devstation:~$ getent passwd rowland
> rowland:*:10000:10000:Rowland Penny:/home/rowland:/bin/bash

Of course. But there are issues. getent passwd -s ldap rowland will answer the same question from a different service. Normally there is an order in nsswitch.conf, but if you have an NSCD daemon installed, it might mess that up.

Maybe you mean that the ID mapping would work, but not accessing them at the same time for normal operation?

There is no way in nscd to disable forwarding from getUID lookups to getName lookups (so to speak). The moment you read a filesystem part that has the UID for the "imported" user, NSCD will replace its entry for "fred" with that of the LDAP / AD system.

If you turn NSCD off, these issues are not there and you can only get the /first/ named user of that name, depending on the order in nsswitch.conf.

Regardless, I would assume ID mapping would directly request information from a specific source (service, -s) instead of the first one it encounters (general lookup).

After all, the only valid users in the system are those that result /after/ or /from/ the IDmap.

So the /source/ of the ID mapping (the remote system) can never be anything that is requested through getent.

Only the result of it should make it to the getent database, right.

Therefore you may have issues with duplicate users, but not with mapping them in the first place, because that first thing has nothing to do with getent yet.

> No, as far as I can tell, IDmapping is all about mapping a user (or
> group) from somewhere else (i.e. AD) to a local Unix user (or group).
> Thinking about it, mapping is probably the wrong word, but I cannot
> think of a better word now that you cannot have a local user with the
> same name as one in AD.

Yeah, I meant that with importing. Sorry!

It's just a shame, I think, that NSCD does not honour the nsswitch order for my personal use case.

It just keeps one version of each name, and overwrites it with the latest request (if requested by ID).
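The check the message above is circling around (ask one nsswitch service directly with getent -s, then see whether a login name or a UID exists in both the local files source and the AD-backed winbind source) as an added example. This is not code from the thread or from Samba. The passwd(5)-format sample data is constructed and stands in for the output of getent passwd -s files and getent passwd -s winbind; the function names find_collisions and check_live_sources are my own, and the domain-prefix handling assumes winbind's default separator '\' or the '+' seen in the thread.

```shell
#!/bin/sh
# Added example (not from the thread): report login names and UIDs that
# appear in two NSS sources, independent of the order in nsswitch.conf.

# Constructed sample data in passwd(5) format, standing in for
#   getent passwd -s files      (local /etc/passwd)
#   getent passwd -s winbind    (AD users via Samba's nss_winbind)
FILES_DB='root:x:0:0:root:/root:/bin/bash
fred:x:1001:1001:Fred Local:/home/fred:/bin/bash
rowland:x:10000:10000:Rowland Penny:/home/rowland:/bin/bash'

WINBIND_DB='ABC+fred:*:10001:10000:Fred AD:/home/ABC/fred:/bin/bash
ABC+alice:*:1001:10000:Alice AD:/home/ABC/alice:/bin/bash'

# find_collisions FIRST_DB SECOND_DB
# Prints one line per finding:
#   NAME <name>                     same login name in both sources
#   BARENAME <name> <dom-name>      name matches after stripping "DOM+" / "DOM\"
#   UID <uid> <name1> <name2>       two different names share one UID
find_collisions() {
  {
    printf '%s\n' "$2" | sed 's/^/B:/'   # second source, read first into tables
    printf '%s\n' "$1" | sed 's/^/A:/'   # first source, compared against them
  } | awk -F: '
    # after tagging: $1 tag, $2 login name, $3 password field, $4 uid, ...
    $1 == "B" && $2 != "" {
      full = $2
      bare = full
      sub(/^[^+\\]*[+\\]/, "", bare)      # "ABC+fred" or "ABC\fred" -> "fred"
      b_full[full] = 1
      if (!(bare in b_bare)) b_bare[bare] = full
      if (!($4 in b_uid))    b_uid[$4]   = full
      next
    }
    $1 == "A" && $2 != "" {
      if ($2 in b_full)        print "NAME " $2
      else if ($2 in b_bare)   print "BARENAME " $2 " " b_bare[$2]
      if (($4 in b_uid) && b_uid[$4] != $2)
                               print "UID " $4 " " $2 " " b_uid[$4]
    }'
}

# Live use: query each service directly with getent -s so the nsswitch.conf
# order cannot hide the second copy. Assumes nss_winbind is configured and
# "winbind enum users = yes" in smb.conf; without enumeration the winbind
# side comes back empty and nothing is reported.
check_live_sources() {
  find_collisions "$(getent passwd -s files)" "$(getent passwd -s winbind)"
}

# Run against the constructed sample; prints two findings.
find_collisions "$FILES_DB" "$WINBIND_DB"
```

If nscd is running, invalidate its passwd cache first (nscd -i passwd) so stale cached answers do not mask what the direct lookups return; the BARENAME line is the "fred" versus "ABC+fred" case from the thread, and the UID line is the quieter problem, where two different names resolve to one numeric id and file ownership becomes ambiguous.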
On 16.07.2016 at 21:59, Xen wrote:
> Rowland Penny wrote on 16-07-2016 20:25:
>> On 16/07/16 14:08, Xen wrote:
>>> Rowland Penny wrote on 14-07-2016 14:50:
>>>
>>>> If you have any users in /etc/passwd that are also in AD i.e if you
>>>> have user 'fred' in /etc/passwd and there is also a user 'ABC+fred' in
>>>> AD, then sorry, but one of them will have to go, they would be treated
>>>> as the same user.
>>>
>>> Are you entirely sure this is true? I don't yet know how ID mapping
>>> works in Samba.
>>
>> OK, where is rowland stored, can you tell from this:
>>
>> rowland@devstation:~$ getent passwd rowland
>> rowland:*:10000:10000:Rowland Penny:/home/rowland:/bin/bash
>
> Of course. But there are issues. getent passwd -s ldap rowland will
> answer the same question from a different service. Normally there is an
> order in nsswitch.conf, but if you have an NSCD daemon installed, it
> might mess that up.
>
> Maybe you mean that the ID mapping would work, but not accessing them
> at the same time for normal operation?
>
> There is no way in nscd to disable forwarding from getUID lookups to
> getName lookups (so to speak). The moment you read a filesystem part
> that has the UID for the "imported" user, NSCD will replace its entry
> for "fred" with that of the LDAP / AD system.
>
> If you turn NSCD off, these issues are not there and you can only get
> the /first/ named user of that name, depending on the order in
> nsswitch.conf.
>
> Regardless, I would assume ID mapping would directly request information
> from a specific source (service, -s) instead of the first one it
> encounters (general lookup).
>
> After all, the only valid users in the system are those that result
> /after/ or /from/ the IDmap.
>
> So the /source/ of the ID mapping (the remote system) can never be
> anything that is requested through getent.
>
> Only the result of it should make it to the getent database, right.
>
> Therefore you may have issues with duplicate users, but not with mapping
> them in the first place, because that first thing has nothing to do
> with getent yet.
>
>> No, as far as I can tell, IDmapping is all about mapping a user (or
>> group) from somewhere else (i.e. AD) to a local Unix user (or group).
>> Thinking about it, mapping is probably the wrong word, but I cannot
>> think of a better word now that you cannot have a local user with the
>> same name as one in AD.
>
> Yeah, I meant that with importing. Sorry!
>
> It's just a shame, I think, that NSCD does not honour the nsswitch order
> for my personal use case.
>
> It just keeps one version of each name, and overwrites it with the
> latest request (if requested by ID).

Try unscd instead of nscd; it works better in conjunction with samba.
Achim Gottinger wrote on 16-07-2016 22:38:
> Try unscd instead of nscd; it works better in conjunction with samba.

The (man) page on unscd I read mentioned that it had exactly the same options and interface. That means it will probably do the same thing as well? Haven't tried it yet myself.