samba - Mar 2019 - Samba 4.4.8 AD member ads / nss fails to find group id

Rowland,

On 3/29/2019 9:59 AM, Rowland Penny via samba wrote:
> Why are you using a winbind backend that maps Unix users to domain
> users in an AD domain, when you should be making your AD users into
> Unix users with a backend like the 'rid' or 'ad' ones.
>
> As for your problem, is winbind running ?
Yes, winbind is running.

Thanks for getting me to reconsider that 'rid' or 'ad' backends,
but I
don't think they work in my situation

I have been using the nss backend because:

- On the server that I am setting up Samba, I have existing Unix users 
with existing uids and associated data on the file server
- There is no usable uid information on the AD.
- I have no permissions to modify the AD to set up user information.

I understood that the nss backend was intended for this situation.

It worked on another server set up the same way but running Samba 4.4.4.


Thanks,
David.

On Fri, 29 Mar 2019 12:19:27 -0400
"Thomas, David via samba" <samba at lists.samba.org> wrote:
> Rowland,
> 
> On 3/29/2019 9:59 AM, Rowland Penny via samba wrote:
> > Why are you using a winbind backend that maps Unix users to domain
> > users in an AD domain, when you should be making your AD users into
> > Unix users with a backend like the 'rid' or 'ad' ones.
> >
> > As for your problem, is winbind running ?  
> 
> Yes, winbind is running.
> 
> Thanks for getting me to reconsider that 'rid' or 'ad'
backends, but
> I don't think they work in my situation
> 
> I have been using the nss backend because:
> 
> - On the server that I am setting up Samba, I have existing Unix
> users with existing uids and associated data on the file server
> - There is no usable uid information on the AD.
> - I have no permissions to modify the AD to set up user information.
> 
> I understood that the nss backend was intended for this situation.
> 
> It worked on another server set up the same way but running Samba
> 4.4.4.
> 
> 
> Thanks,
> David.
You are trying to do your user mapping in the wrong direction.

The nss backend was meant for the old way of doing things, when you
could have users in /etc/passwd and Samba. Nowadays you have all your
users in AD and make these into Unix users. The easiest way is to use
the 'rid' backend, but this will undoubtedly mean your Unix ID's
will
change.
If you read 'man idmap_nss', you will find this line:

The idmap_nss plugin provides a means to map Unix users and groups to
Windows accounts.

This means that Unix users in /etc/passwd are mapped to the same
username in AD, the only problem with this is, you should not have
users in /etc/passwd and AD, the users in /etc/passwd will be used
first.

If, as is very likely, you have users in /etc/passwd and AD, I would
strongly urge you to delete the users in /etc/passwd and use the 'rid'
backend instead.

Rowland

On 3/29/2019 12:51 PM, Rowland Penny via samba wrote:
> You are trying to do your user mapping in the wrong direction.
>
> The nss backend was meant for the old way of doing things, when you
> could have users in /etc/passwd and Samba. Nowadays you have all your
> users in AD and make these into Unix users. The easiest way is to use
> the 'rid' backend, but this will undoubtedly mean your Unix
ID's will
> change.
So, is the nss backend no longer supported?

I am dealing with an environment where most of the time users are using 
there existing Unix accounts across multiple Unix clients via NFS with 
several TB of data and associated backups all using their existing UIDs. 
I was hoping to do a quick switch-over to the new system with minimal 
disruption. Changing everyone's UID would involve a major disruption.

Thanks,
David.