On Tue, Aug 9, 2016 at 3:07 PM, Jeremy Allison via samba <samba at lists.samba.org> wrote:

> On Tue, Aug 09, 2016 at 07:50:12PM +0200, Michael Adam via samba wrote:
> > On 2016-08-09 at 17:58 +0100, Rowland Penny via samba wrote:
> > > On Tue, 9 Aug 2016 13:37:18 -0300
> > > francis picabia <fpicabia at gmail.com> wrote:
> > > >
> > > > getent passwd username
> > > >
> > > > (or "theusername") is not the literal command. I substitute
> > > > 'username' here to protect the user id.
> > > > getent passwd on the user does work and it returns uid and gid of
> > > > 1000, exactly what we see in the /etc/passwd file. It is the same
> > > > output as grep 'username' on /etc/passwd
> > > >
> > > > Remember, when winbind is off, it works. This is certainly bug 10604
> > > > by all measures.
> > >
> > > And I think you have just posted your problem!
> > >
> > > Let's use 'fred' as one of your users, replace 'fred' with a real user's
> > > name.
> > >
> > > Do you have a user called 'fred' in /etc/passwd *and* in AD?
> > >
> > > If so, choose one and then delete the other, you cannot have them in
> > > both.
> >
> > *Not* setting 'winbind use default domain = yes' will allow you
> > to have them both. And they will be what they should be: two different
> > users. With different unix IDs.
>
> But to clarify, they will then be user 'fred' and user 'DOMAIN\fred'.
> Not the same name at all..

That's like saying a beer poured from a bottle into the glass is not the same beer. If that is what all this disagreement has been about, it is very sad.

We've modified our smb.conf shares about 10 years ago to have valid users with MYDOM\user and it has worked very well. It is still working well for the most part.
On 2016-08-09 at 16:29 -0300, francis picabia via samba wrote:

> On Tue, Aug 9, 2016 at 3:07 PM, Jeremy Allison via samba <samba at lists.samba.org> wrote:
>
> > On Tue, Aug 09, 2016 at 07:50:12PM +0200, Michael Adam via samba wrote:
> > > On 2016-08-09 at 17:58 +0100, Rowland Penny via samba wrote:
> > > > On Tue, 9 Aug 2016 13:37:18 -0300
> > > > francis picabia <fpicabia at gmail.com> wrote:
> > > > >
> > > > > getent passwd username
> > > > >
> > > > > (or "theusername") is not the literal command. I substitute
> > > > > 'username' here to protect the user id.
> > > > > getent passwd on the user does work and it returns uid and gid of
> > > > > 1000, exactly what we see in the /etc/passwd file. It is the same
> > > > > output as grep 'username' on /etc/passwd
> > > > >
> > > > > Remember, when winbind is off, it works. This is certainly bug 10604
> > > > > by all measures.
> > > >
> > > > And I think you have just posted your problem!
> > > >
> > > > Let's use 'fred' as one of your users, replace 'fred' with a real user's
> > > > name.
> > > >
> > > > Do you have a user called 'fred' in /etc/passwd *and* in AD?
> > > >
> > > > If so, choose one and then delete the other, you cannot have them in
> > > > both.
> > >
> > > *Not* setting 'winbind use default domain = yes' will allow you
> > > to have them both. And they will be what they should be: two different
> > > users. With different unix IDs.
> >
> > But to clarify, they will then be user 'fred' and user 'DOMAIN\fred'.
> > Not the same name at all..
>
> That's like saying a beer poured from a bottle into the glass is not the
> same beer.

No, these two are two different objects ('winbind use default domain' just obfuscates that fact). They are different users the same way as users from two different AD domains with the same username are different users.

In that case you would not claim that they are the same (DOM1\user and DOM2\user), because they also have different SIDs. Unix does not have worldwide unique user ids (alas!), but still a user brought in from an AD is different from the local user. So it's not cosmetic. It's fundamental.

Michael
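The check Rowland asks for (is 'fred' in /etc/passwd *and* in AD?) and Michael's point that the two entries carry different Unix IDs, as an added shell example that is not from anyone in this thread: it scans constructed `getent passwd` output from a host where `winbind use default domain` is left unset, so domain accounts keep their prefix, and reports every bare name present both locally and in the domain with both UIDs. The `MYDOM` realm and the UIDs are made up for the sample.

```shell
#!/bin/sh
# Added example (not from the thread): report user names that exist both in
# /etc/passwd and in the domain, and show that the two accounts have
# different UIDs, which is what makes them different users.

# Constructed sample of `getent passwd` on a winbind host where
# 'winbind use default domain' is unset, so domain accounts keep 'MYDOM\'.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
fred:x:1000:1000:Fred Local:/home/fred:/bin/bash
MYDOM\fred:x:10001:10000:Fred Domain:/home/MYDOM/fred:/bin/bash
MYDOM\wilma:x:10002:10000:Wilma:/home/MYDOM/wilma:/bin/bash'

# find_name_collisions PASSWD_TEXT [SEPARATOR]
# Prints one line per bare name that is present both without and with a
# domain prefix, together with both UIDs.  SEPARATOR defaults to the
# backslash winbind uses unless 'winbind separator' is changed in smb.conf.
find_name_collisions() {
    bs='\'
    printf '%s\n' "$1" | SEP="${2:-$bs}" awk -F: '
        {
            name = $1; uid = $3
            pos = index(name, ENVIRON["SEP"])
            if (pos > 0) {
                # strip "DOMAIN<sep>" and remember the domain account UID
                name = substr(name, pos + length(ENVIRON["SEP"]))
                dom_uid[name] = uid
            } else {
                local_uid[name] = uid
            }
        }
        END {
            for (n in local_uid)
                if (n in dom_uid)
                    printf "%s local_uid=%s domain_uid=%s\n", n, local_uid[n], dom_uid[n]
        }'
}

# On a live winbind host: find_name_collisions "$(getent passwd)"
find_name_collisions "$SAMPLE_PASSWD"
```

With the sample above it prints `fred local_uid=1000 domain_uid=10001`; a name that appears in only one of the two namespaces produces no output.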
On Tue, 9 Aug 2016 16:29:12 -0300
francis picabia via samba <samba at lists.samba.org> wrote:

> On Tue, Aug 9, 2016 at 3:07 PM, Jeremy Allison via samba <samba at lists.samba.org> wrote:
>
> > On Tue, Aug 09, 2016 at 07:50:12PM +0200, Michael Adam via samba
> > wrote:
> > > On 2016-08-09 at 17:58 +0100, Rowland Penny via samba wrote:
> > > > On Tue, 9 Aug 2016 13:37:18 -0300
> > > > francis picabia <fpicabia at gmail.com> wrote:
> > > > >
> > > > > getent passwd username
> > > > >
> > > > > (or "theusername") is not the literal command. I substitute
> > > > > 'username' here to protect the user id.
> > > > > getent passwd on the user does work and it returns uid and
> > > > > gid of 1000, exactly what we see in the /etc/passwd file. It
> > > > > is the same output as grep 'username' on /etc/passwd
> > > > >
> > > > > Remember, when winbind is off, it works. This is certainly
> > > > > bug 10604 by all measures.
> > > >
> > > > And I think you have just posted your problem!
> > > >
> > > > Let's use 'fred' as one of your users, replace 'fred' with a
> > > > real user's name.
> > > >
> > > > Do you have a user called 'fred' in /etc/passwd *and* in AD?
> > > >
> > > > If so, choose one and then delete the other, you cannot have
> > > > them in both.
> > >
> > > *Not* setting 'winbind use default domain = yes' will allow you
> > > to have them both. And they will be what they should be: two
> > > different users. With different unix IDs.
> >
> > But to clarify, they will then be user 'fred' and user
> > 'DOMAIN\fred'. Not the same name at all..
>
> That's like saying a beer poured from a bottle into the glass is not
> the same beer.
> If that is what all this disagreement has been about, it is very sad.

If you cannot understand that 'fred' and 'DOMAIN\fred' are different users, then try and understand it this way: user 'fred' is not the same user as 'barney', do you agree with this? Now replace 'barney' with 'DOMAIN\fred'; the 'DOMAIN\' bit makes him a different user.

> We've modified our smb.conf shares about 10 years ago to have
> valid users with MYDOM\user and it has worked very well. It is
> still working well for the most part.

Yes, and in ten years a lot of Samba has changed.

Rowland
On 08/09/2016 03:29 PM, francis picabia via samba wrote:

> We've modified our smb.conf shares about 10 years ago to have
> valid users with MYDOM\user and it has worked very well. It is
> still working well for the most part.

10 years ago Samba was configured as a traditional NT Domain, not as Active Directory.

It's not "pouring beer from a bottle (NT Domain) into a glass (AD)" but "opening a 'new' bottle of beer".

In other words, it's two different sets of users (one described by smb.conf and the other in the AD LDAP DB).
On Tue, Aug 9, 2016 at 4:56 PM, Steve Ankeny via samba <samba at lists.samba.org> wrote:

> On 08/09/2016 03:29 PM, francis picabia via samba wrote:
>
>> We've modified our smb.conf shares about 10 years ago to have
>> valid users with MYDOM\user and it has worked very well. It is
>> still working well for the most part.
>
> 10 years ago Samba was configured as a traditional NT Domain, not as
> Active Directory.
>
> It's not "pouring beer from a bottle (NT Domain) into a glass (AD)" but
> "opening a 'new' bottle of beer".
>
> In other words, it's two different sets of users (one described by
> smb.conf and the other in the AD LDAP DB).

Ha ha. I wondered last night if the beer analogy would work best, and it seems so.

Here is why it is not a new bottle of beer. The right hand is pouring the bottle, and the left hand is holding the glass, tilted slightly to avoid frothing, so the user is most pleased. In between the hands there is an administrative unit known as the brain which has established a trust between the left and the right hand being under a common administration. There are indeed organizations where the left hand doesn't know what the right hand is doing, but in general that is not the case, and we have checks to keep things aligned.

There may be a reason why a developer would want to assume this is a new bottle of beer in light of recent security issues. On a few dozen systems running Linux and Solaris and in production, MYDOM\username = username as far as we are concerned. It isn't unique to Samba. Many applications have a local user which maps to the AD user and make the assumption they are the same, which we can do because we administer both ends. We're not talking about self-sign-up portals and mailing lists, but things which are under one administration.

Other than the case of bug report 10604 and Samba 4.2.10 on Debian, this solution has been working well for us.