On Wed, Aug 10, 2016 at 11:04 AM, Rowland Penny via samba <samba at lists.samba.org> wrote:

> On Wed, 10 Aug 2016 10:42:11 -0300
> francis picabia via samba <samba at lists.samba.org> wrote:
>
> > On a few dozen systems running Linux and Solaris and in production,
> > MYDOM\username = username as far as we are concerned. It isn't
> > unique to Samba. Many applications have a local user which
> > maps to the AD user and make the assumption they are the same,
> > which we can do because we administer both ends. We're not
> > talking about self-sign-up portals and mailing lists, but things
> > which are under one administration.
> >
> > Other than the case of bug report 10604 and Samba 4.2.10 on Debian,
> > this solution has been working well for us.
>
> Sorry, but you still don't seem to have got the message: you map local
> Unix users to AD users only if you are using Samba as a standalone
> server or in an NT4-style domain.
>
> You do not map users in an AD domain; you make the AD users become
> local Unix users by adding RFC2307 attributes or by using the winbind
> 'rid' backend. This way, you do not need the users in /etc/passwd and,
> in fact, they must not be in /etc/passwd.
>
> rowland at devstation:~$ getent passwd rowland
> rowland:*:10000:10000:Rowland Penny:/home/rowland:/bin/bash
> rowland at devstation:~$ cat /etc/passwd | grep rowland
> rowland at devstation:~$
> rowland at devstation:~$
>
> As you can see, I exist as a local Unix user, but I am not
> in /etc/passwd

We're not interested in that solution. On one system I may have the tcsh shell, or bash on another. We have different home paths on different systems as well. These systems have local storage, not a SAN providing /home/MYDOM/username to a user on any system. I can't imagine how ssh keys would be handled with one big unified home directory scheme. I believe we are using it like an NT4-style domain with rid user mapping. AD is running on Windows servers.
On Wed, 10 Aug 2016 11:36:45 -0300 francis picabia via samba <samba at lists.samba.org> wrote:

> We're not interested in that solution. On one system I may have the tcsh
> shell, or bash on another. We have different home paths on different
> systems as well.

Can I introduce you to a couple of smb.conf settings:

template shell = /bin/bash
template homedir = /home/%U

These, along with the winbind 'rid' backend, will extend your AD users and do what you require, with the extra benefit of only having one place to store your users' authentication info.

> These systems have local storage, not a SAN
> providing /home/MYDOM/username to a user on any system. I can't
> imagine how ssh keys would be handled with one big unified home
> directory scheme.

Can I also introduce you to the concept of using Kerberos with ssh?

> I believe we are using it like an NT4-style domain with rid user
> mapping. AD is running on Windows servers.

NT4-style domain != AD domain

Rowland
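An added example, not from the thread: a small POSIX shell audit for the overlap Rowland warns against, user names that exist both in /etc/passwd and via winbind. The passwd file and the winbind listing below are constructed sample data, not output from a real host.

```shell
#!/bin/sh
# Audit a host for user names present both in /etc/passwd and in winbind.
# With two NSS sources answering for the same name, the UID a login gets
# depends on nsswitch.conf order, so file ownership and access checks
# become inconsistent between hosts and between lookup paths.

# Usage: find_shadowed_users PASSWD_FILE WINBIND_PASSWD_FILE
# Prints "name local_uid winbind_uid" for each collision, in /etc/passwd
# order. WINBIND_PASSWD_FILE holds passwd-format lines as winbind returns
# them, with or without a DOMAIN\ (or DOMAIN+) prefix on the name.
find_shadowed_users() {
    awk -F: '
        FILENAME == ARGV[1] {            # first file: winbind entries
            name = tolower($1)
            sub(/^.*[\\+]/, "", name)    # strip DOMAIN\ or DOMAIN+ prefix
            wb[name] = $3
            next
        }
        (tolower($1) in wb) {            # second file: /etc/passwd
            print $1, $3, wb[tolower($1)]
        }
    ' "$2" "$1"
}

# Constructed sample data: a local passwd file and the winbind view.
tmpdir=$(mktemp -d)
trap 'rm -rf "$tmpdir"' EXIT
cat > "$tmpdir/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
francis:x:1001:1001:Francis:/home/francis:/bin/tcsh
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
rowland:x:1002:1002:Rowland Penny:/home/rowland:/bin/bash
EOF
cat > "$tmpdir/winbind" <<'EOF'
rowland:*:10000:10000:Rowland Penny:/home/rowland:/bin/bash
MYDOM\francis:*:11001:10000:Francis Picabia:/home/francis:/bin/bash
MYDOM\alice:*:11002:10000:Alice Example:/home/alice:/bin/bash
EOF

# Each printed line is an account whose UID differs by lookup source.
find_shadowed_users "$tmpdir/passwd" "$tmpdir/winbind"

# On a live host with glibc getent, query the winbind NSS module alone:
#   getent -s winbind passwd > /tmp/wb && find_shadowed_users /etc/passwd /tmp/wb
```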
On Wed, Aug 10, 2016 at 12:17 PM, Rowland Penny via samba <samba at lists.samba.org> wrote:

> > We're not interested in that solution. On one system I may have the tcsh
> > shell, or bash on another. We have different home paths on different
> > systems as well.
>
> Can I introduce you to a couple of smb.conf settings:
>
> template shell = /bin/bash
> template homedir = /home/%U
>
> These, along with the winbind 'rid' backend, will extend your
> AD users and do what you require, with the extra benefit of only having
> one place to store your users' authentication info.

In my world, one user wants zsh, another wants bash. In my world home directories can involve departments in the homedir path on only certain servers. There are likely a dozen flaming hoops I could set up to make every legacy thing work, but it would be too much effort and admin overhead for what it does. /etc/passwd did everything we needed and it still does.

> > These systems have local storage, not a SAN
> > providing /home/MYDOM/username to a user on any system. I can't
> > imagine how ssh keys would be handled with one big unified home
> > directory scheme.
>
> Can I also introduce you to the concept of using Kerberos with ssh?

That might be interesting, as we could turn off winbind, allowing file shares and AD authentication to work reliably.

> > I believe we are using it like an NT4-style domain with rid user
> > mapping. AD is running on Windows servers.
>
> NT4-style domain != AD domain