samba - Jan 2018 - Local user could not access share directory

2018-01-20 17:40 GMT+08:00 Rowland Penny via samba <samba at
lists.samba.org>:
> On Sat, 20 Jan 2018 17:22:32 +0800
> Younger Liu <younger.liucn at gmail.com> wrote:
>
> > 2018-01-19 18:11 GMT+08:00 Rowland Penny via samba
> > > You are using the winbind 'ad' backend, have you added
anything to
> > > the users AD object (a uidNumber attribute for instance)
> > >
> > > You also seem to saying that you have users with the same name
> > > in /etc/passwd and AD, this is NOT allowed, the user should only
be
> > > in AD.
> >
> > Yes,  the local users in /etc/passwd has the same name as in the
> > domain.
> >
> > I do not add anything to users AD object.
> > If local users are not same to AD users, they could access the share
> > directory.
> >
> > Only local users which in /etc/passwd have same names in AD, local
> > users (such as:
> ​​
> testuser) could not access share directory, But AD
> > users (such as: ENAS\testuser) could access share directory. Why?
> >
> > As you say, the same name in
> ​​
> /etc/passwd and AD is not allowed. Why?
>
> Because the local user will always be found first and the AD user
> ignored. You do not need users in
> ​​
> /etc/passwd on a Unix domain member,
> you just make the AD user into Unix users by using the winbind 'ad'
> backend and ADDING a unique uidNumber attribute to the user and a
> gidNumber attribute to Domain Users, OR you can use the winbind
'rid'
> backend and you do not need to add anything to AD.
>
> It is all explained here:
> https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member​

​I understand what yo​u mean. and also know the explainations of wiki.
But, the question I met is as follow:
   Local users which in /etc/passwd have same names in AD (this scenario is
possible).
for example, name is "testuser".
   While access share directory, I must use"ENAS\testuser" to access
share
directory,
unable to access directory using "testuser".
  Although nss config is as follow:
...
passwd: files winbind
group: files winbind
...

   I expect "testuser" in
​
 /etc/passwd  could access shared directory rather than
"ENAS\testuser" in
AD,
when a name are both in /etc/passwd and AD.

  Can you give me some advice?


> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba
>

On Mon, 22 Jan 2018 09:32:46 +0800
Younger Liu <younger.liucn at gmail.com> wrote:

> 
> ​I understand what yo​u mean. and also know the explainations of wiki.
> But, the question I met is as follow:
>    Local users which in /etc/passwd have same names in AD (this
> scenario is possible).
> for example, name is "testuser".
>    While access share directory, I must use"ENAS\testuser" to
access
> share directory,
> unable to access directory using "testuser".
>   Although nss config is as follow:
> ...
> passwd: files winbind
> group: files winbind
> ...
> 
>    I expect "testuser" in
> ​
>  /etc/passwd  could access shared directory rather than
> "ENAS\testuser" in AD,
> when a name are both in /etc/passwd and AD.
> 
>   Can you give me some advice?
> 
I thought I already had, remove the duplicate users from /etc/passwd,
change to the winbind 'rid' backend and your AD users will become Unix
users as well.
If you don't want the DOMAIN at the start of the username and you only
have one AD domain, add this to smb.conf:

winbind use default domain = yes

Rowland

2018-01-22 17:16 GMT+08:00
Rowland Penny via samba <samba at
lists.samba.org>:
>
>
>
> I thought I already had, remove the duplicate users from /etc/passwd,
> change to the
> winbind 'rid' backend and your AD users will become Unix
> users as well.
> If you don't want the DOMAIN at the start of the username and you only
> have one AD domain, add this to smb.conf:
>
> winbind use default domain = yes
  tks Rowland.
  I have esolved this problem. add configurations:
    winbind use default domain = no
    using winbind 'rid' backend
  It would distinguishes two kinds of users. Domain users look likes
"DOMAIN\username", and local users look likes "username".
Although
they have same username, their IDs are not different.