Thomas, David
2019-Mar-29 18:37 UTC
[Samba] Samba 4.4.8 AD member ads / nss fails to find group id
On 3/29/2019 12:51 PM, Rowland Penny via samba wrote:

> You are trying to do your user mapping in the wrong direction.
>
> The nss backend was meant for the old way of doing things, when you
> could have users in /etc/passwd and Samba. Nowadays you have all your
> users in AD and make these into Unix users. The easiest way is to use
> the 'rid' backend, but this will undoubtedly mean your Unix ID's will
> change.

So, is the nss backend no longer supported?

I am dealing with an environment where most of the time users are using their existing Unix accounts across multiple Unix clients via NFS with several TB of data and associated backups all using their existing UIDs. I was hoping to do a quick switch-over to the new system with minimal disruption. Changing everyone's UID would involve a major disruption.

Thanks,
David.
Rowland Penny
2019-Mar-29 18:54 UTC
[Samba] Samba 4.4.8 AD member ads / nss fails to find group id
On Fri, 29 Mar 2019 14:37:07 -0400 "Thomas, David via samba" <samba at lists.samba.org> wrote:

> On 3/29/2019 12:51 PM, Rowland Penny via samba wrote:
> > You are trying to do your user mapping in the wrong direction.
> >
> > The nss backend was meant for the old way of doing things, when you
> > could have users in /etc/passwd and Samba. Nowadays you have all
> > your users in AD and make these into Unix users. The easiest way is
> > to use the 'rid' backend, but this will undoubtedly mean your Unix
> > ID's will change.
> So, is the nss backend no longer supported?
>
> I am dealing with an environment where most of the time users are
> using their existing Unix accounts across multiple Unix clients via
> NFS with several TB of data and associated backups all using their
> existing UIDs. I was hoping to do a quick switch-over to the new
> system with minimal disruption. Changing everyone's UID would involve
> a major disruption.
>
> Thanks,
> David.
>

It is still supported in the area it was designed for, workgroups and computers NOT joined to a domain, it ensures that the SID for a Unix user becomes the same as an AD user. There is no need for this in a domain, all SID's are the same.

The whole reason behind a domain is centralisation of authentication i.e. your users are stored in the same place 'AD'. This means that your users & groups will have the same SID-RID on all domain computers, but depending on the winbind backend used, they may have different Unix ids.

I get the feeling that your users have different Unix ids on each Unix computer, this just leads to trouble.

Rowland
Thomas, David
2019-Apr-22 19:18 UTC
[Samba] Samba 4.4.8 AD member ads / nss fails to find group id
Rowland,

On 3/29/2019 2:54 PM, Rowland Penny via samba wrote:

> get the feeling that your users have different Unix ids on each Unix
> computer, this just leads to trouble.

We use nss so all the Unix computers at our site share the same database of users, uids and gids.

The problem that I'm having seems to be that smbd is trying to find a gid from the SID for the Domain Users group and is failing. This stops users from authenticating. Using wbinfo I can resolve the "Domain Users" name from the S....-513 SID but wbinfo fails to resolve a gid for that SID. The domain controller is a Windows machine that's part of the corporate IT network and I have no control over it.

Is there a workaround for this? Can I create an entry in a tdb file?

Thanks,
David.