On Tue, Aug 9, 2016 at 4:56 PM, Steve Ankeny via samba <samba at lists.samba.org> wrote:

> On 08/09/2016 03:29 PM, francis picabia via samba wrote:
>
>> We modified our smb.conf shares about 10 years ago to have
>> valid users with MYDOM\user and it has worked very well. It is
>> still working well for the most part.
>
> 10 years ago Samba was configured as a traditional NT Domain, not so
> Active Directory.
>
> It's not "pouring beer from a bottle (NT Domain) into a glass (AD)" but
> "opening a 'new' bottle of beer".
>
> In other words, it's two different sets of users (one described by
> smb.conf and the other in the AD LDAP DB).

Ha ha. I wondered last night if the beer analogy would work best, and it
seems so. Here is why it is not a new bottle of beer.

The right hand is pouring the bottle, and the left hand is holding the
glass, tilted slightly to avoid frothing, so the user is most pleased. In
between the hands there is an administrative unit known as the brain which
has established a trust between the left and the right hand being under a
common administration. There are indeed organizations where the left hand
doesn't know what the right hand is doing, but in general that is not the
case, and we have checks to keep things aligned.

There may be a reason why a developer would want to assume this is a new
bottle of beer in light of recent security issues.

On a few dozen systems running Linux and Solaris and in production,
MYDOM\username = username as far as we are concerned. It isn't unique to
Samba. Many applications have a local user which maps to the AD user and
make the assumption they are the same, which we can do because we
administer both ends. We're not talking about self-sign-up portals and
mailing lists, but things which are under one administration.

Other than the case of bug report 10604 and Samba 4.2.10 on Debian, this
solution has been working well for us.
On Wed, 10 Aug 2016 10:42:11 -0300
francis picabia via samba <samba at lists.samba.org> wrote:

> On a few dozen systems running Linux and Solaris and in production,
> MYDOM\username = username as far as we are concerned. It isn't
> unique to Samba. Many applications have a local user which
> maps to the AD user and make the assumption they are the same,
> which we can do because we administer both ends. We're not
> talking about self-sign-up portals and mailing lists, but things
> which are under one administration.
>
> Other than the case of bug report 10604 and Samba 4.2.10 on Debian,
> this solution has been working well for us.

Sorry, but you still don't seem to have got the message: you map local
Unix users to AD users only if you are using Samba as a standalone
server or in an NT4-style domain.

You do not map users in an AD domain; you make the AD users become
local Unix users by adding RFC2307 attributes or by using the winbind
'rid' backend. This way, you do not need the users in /etc/passwd and,
in fact, they must not be in /etc/passwd:

rowland@devstation:~$ getent passwd rowland
rowland:*:10000:10000:Rowland Penny:/home/rowland:/bin/bash
rowland@devstation:~$ cat /etc/passwd | grep rowland
rowland@devstation:~$
rowland@devstation:~$

As you can see, I exist as a local Unix user, but I am not
in /etc/passwd.

Rowland
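The identity model Rowland describes above, as an added example that is not part of the original thread or of the Samba project: a small POSIX shell script with two checks a member-server admin can run. `rid_to_uid` applies the mapping documented in idmap_rid(8) (ID = RID - BASE_RID + LOW_RANGE_ID, BASE_RID defaulting to 0), which is why the same AD account gets the same uid on every server that shares the idmap range. `classify_user` flags the case Rowland says must not happen: a name defined both in /etc/passwd and in the domain, where the local entry shadows the winbind one. The domain name MYDOM, the idmap range, the RID values, the sample user lists and the smb.conf fragment in the comments are all constructed for the example; `classify_live` additionally assumes a running winbind so that `wbinfo -u` works.

```shell
#!/bin/sh
# Added example; not code from the mailing-list thread or from Samba itself.
#
# rid_to_uid    - uid the winbind 'rid' backend derives for a RID, per
#                 idmap_rid(8): ID = RID - BASE_RID + LOW_RANGE_ID
#                 (BASE_RID defaults to 0). Same RID + same range = same uid
#                 on every member server, with nothing in /etc/passwd.
# classify_user - flags a name present BOTH in /etc/passwd and in the domain.
#                 With 'passwd: files winbind' in nsswitch.conf the local
#                 entry shadows the AD one, so ownership and ACLs diverge.
#
# Assumed smb.conf fragment these checks correspond to (illustrative only):
#   [global]
#   security = ads
#   workgroup = MYDOM
#   idmap config * : backend = tdb
#   idmap config * : range = 3000-7999
#   idmap config MYDOM : backend = rid
#   idmap config MYDOM : range = 10000-999999
IDMAP_LOW=10000          # constructed range, matches the fragment above
IDMAP_HIGH=999999

# rid_to_uid RID [LOW] [HIGH]
# Prints the uid for RID under the rid backend, or "out-of-range" (rc 1)
# when the result falls outside the configured range.
rid_to_uid() {
    rid=$1; low=${2:-$IDMAP_LOW}; high=${3:-$IDMAP_HIGH}
    uid=$((rid + low))                      # BASE_RID = 0
    if [ "$uid" -lt "$low" ] || [ "$uid" -gt "$high" ]; then
        echo out-of-range
        return 1
    fi
    echo "$uid"
}

# classify_user NAME PASSWD_FILE DOMAIN_USERS_FILE
#   PASSWD_FILE       - an /etc/passwd-style file (local accounts only)
#   DOMAIN_USERS_FILE - one domain user per line, as `wbinfo -u` prints them:
#                       MYDOM\name, or bare names when
#                       'winbind use default domain = yes' is set
# Prints one of: local | domain | conflict | unknown
classify_user() {
    name=$1; passwd_file=$2; domain_file=$3
    in_local=0; in_domain=0
    grep -q "^${name}:" "$passwd_file" && in_local=1
    # AD names are case-insensitive; match "name" or "MYDOM\name"
    grep -qi -e "^${name}\$" -e "\\\\${name}\$" "$domain_file" && in_domain=1
    case "${in_local}${in_domain}" in
        10) echo local ;;
        01) echo domain ;;
        11) echo conflict ;;   # must not happen on an AD member server
        *)  echo unknown ;;
    esac
}

# classify_live NAME: the same check against the running system (assumes
# winbind is up so that `wbinfo -u` can enumerate the domain).
classify_live() {
    tmp=$(mktemp) || return 1
    if ! wbinfo -u > "$tmp" 2>/dev/null; then
        rm -f "$tmp"; echo "wbinfo -u failed: is winbind running?" >&2; return 1
    fi
    classify_user "$1" /etc/passwd "$tmp"
    rm -f "$tmp"
}

# make_samples DIR: write constructed sample files into DIR.
# "francis" is deliberately present in both, as the conflict case.
make_samples() {
    dir=$1
    cat > "$dir/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
francis:x:1001:1001:Francis (local duplicate):/home/francis:/bin/tcsh
EOF
    cat > "$dir/domain_users" <<'EOF'
MYDOM\rowland
MYDOM\francis
MYDOM\alice
EOF
}

# Demo on the constructed data
demo_dir=$(mktemp -d)
make_samples "$demo_dir"
for u in root rowland francis ghost; do
    printf '%-8s %s\n' "$u" "$(classify_user "$u" "$demo_dir/passwd" "$demo_dir/domain_users")"
done
printf 'RID 1105 -> uid %s\n' "$(rid_to_uid 1105)"
rm -rf "$demo_dir"
```

On a real member server, run `classify_live francis`; a result of `conflict` means the account Rowland's `getent passwd` check would show once is actually defined twice, and the local copy is the one every process on that box will use.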
On Wed, Aug 10, 2016 at 11:04 AM, Rowland Penny via samba <samba at lists.samba.org> wrote:

> On Wed, 10 Aug 2016 10:42:11 -0300
> francis picabia via samba <samba at lists.samba.org> wrote:
>
>> On a few dozen systems running Linux and Solaris and in production,
>> MYDOM\username = username as far as we are concerned. It isn't
>> unique to Samba. Many applications have a local user which
>> maps to the AD user and make the assumption they are the same,
>> which we can do because we administer both ends. We're not
>> talking about self-sign-up portals and mailing lists, but things
>> which are under one administration.
>>
>> Other than the case of bug report 10604 and Samba 4.2.10 on Debian,
>> this solution has been working well for us.
>
> Sorry, but you still don't seem to have got the message: you map local
> Unix users to AD users only if you are using Samba as a standalone
> server or in an NT4-style domain.
>
> You do not map users in an AD domain; you make the AD users become
> local Unix users by adding RFC2307 attributes or by using the winbind
> 'rid' backend. This way, you do not need the users in /etc/passwd and,
> in fact, they must not be in /etc/passwd:
>
> rowland@devstation:~$ getent passwd rowland
> rowland:*:10000:10000:Rowland Penny:/home/rowland:/bin/bash
> rowland@devstation:~$ cat /etc/passwd | grep rowland
> rowland@devstation:~$
> rowland@devstation:~$
>
> As you can see, I exist as a local Unix user, but I am not
> in /etc/passwd.

We're not interested in that solution. On one system I may have the tcsh
shell, or bash on another. We have different home paths on different
systems as well. These systems have local storage, not a SAN providing
/home/MYDOM/username to a user on any system. I can't imagine how ssh keys
would be handled with one big unified home directory scheme.

I believe we are using it like an NT4-style domain with rid user mapping.
AD is running on Windows servers.