Hi,

we are currently in the process of testing a Samba AD setup and have identified some "challenges" regarding user accounts in /etc/passwd and in AD.

Let me explain today's situation. Today we use a Linux file server that serves both Linux and Windows clients and that acts as an NT4 PDC. The client computers are dual boot Linux/Win 7. Under Linux, /etc/passwd, /etc/group and /etc/shadow are rsynced from a central server to all other Linux servers and clients in our network. The home folders for Linux users are mapped NFS shares that physically reside on the Linux file server (that also is our PDC). Windows users map their SMB shares from the same server. Under Linux we have an application that relies on its users existing in /etc/passwd. We use the same username/password for both the Windows domain and under Linux.

Now, with the move to Samba AD, I read in several places in the wiki and on this list that we can't have the same username in local /etc/passwd and in AD, but I haven't seen an explanation of why this might not be a good idea. In our world, we have the same /etc/passwd on all Linux clients and servers, and we have control over user and group IDs so that they would be identical in /etc/passwd and in AD for a given user.

I would therefore like to have
- an AD DC,
- a Linux file server as domain member, but with /etc/passwd that has the same usernames as in AD,
- Windows clients (domain members),
- Linux clients (not domain members, but with identical /etc/passwd like on file server and in AD).

So let me know what I'm missing or what I have not understood.

Best regards,
Andreas

--
Andreas Habel
Petroleum engineering lab Geosciences | Unix network
Faculty of Science and Technology
University of Stavanger
Norway
Phone: +47-51 83 22 93
On 04.06.19 at 13:24, Andreas Habel via samba wrote:
> Let me explain today's situation. Today we use a Linux file server that serves for both Linux and Windows clients and that acts as a NT4 PDC. The client computers are dual boot Linux/Win 7. Under Linux, /etc/passwd, /etc/group and /etc/shadow are rsynced from a central server to all other Linux servers and clients in our network. The home folders for Linux users are mapped nfs shares that physically reside on the Linux file server (that also is our PDC). Windows users map their smb shares from the same server. Under Linux we have an application that relies on that users of this application exist in /etc/passwd. We use the same username/password for both the Windows domain and under Linux.

Well, you can have the same functionality by just using the AD as user database. We do it the same way. The only problem I see is if your application really needs the data from /etc/passwd and cannot use PAM, for example. If your application really needs /etc/passwd you could do this:

> - an AD DC,

yes

> - a Linux file server as domain member, but with /etc/passwd that has the same usernames as in AD,

Here I would use a domain member with the AD backend, as your application does not run on the file server (?)

> - Windows clients (domain members),

yes

> - Linux clients (not domain members, but with identical /etc/passwd like on file server and in AD).

yes (if you really need that application)

As said, if your application can use PAM it can all work without /etc/passwd.

As to the problems: in the setup you proposed I only see a problem with the domain member, as this one would see both types of users.

Regards
Christian

--
Dr. Christian Naumer
Research Scientist
Platform Coordinator Bioprocess Engineering
B.R.A.I.N Aktiengesellschaft
Darmstaedter Str. 34-36, D-64673 Zwingenberg
e-mail cn at brain-biotech.de, homepage www.brain-biotech.de
phone +49-6251-9331-30 / fax +49-6251-9331-11
Registered office: Zwingenberg/Bergstrasse
Register court: AG Darmstadt, HRB 24758
Management board: Dr. Juergen Eck (Chairman), Manfred Bender, Ludger Roedder
Chairman of the supervisory board: Dr. Georg Kellinghusen
On 04/06/2019 12:24, Andreas Habel via samba wrote:
> Hi,
>
> we are currently in the process of testing a Samba AD setup and have identified some "challenges" regarding user accounts in /etc/passwd and in AD.
>
> Let me explain today's situation. Today we use a Linux file server that serves for both Linux and Windows clients and that acts as a NT4 PDC. The client computers are dual boot Linux/Win 7. Under Linux, /etc/passwd, /etc/group and /etc/shadow are rsynced from a central server to all other Linux servers and clients in our network.

If you use AD, you will not have to do this, you just make the AD users into Unix users as well.

> The home folders for Linux users are mapped nfs shares that physically reside on the Linux file server (that also is our PDC). Windows users map their smb shares from the same server. Under Linux we have an application that relies on that users of this application exist in /etc/passwd. We use the same username/password for both the Windows domain and under Linux.

See above

What does the application do ?

> Now, with the move to Samba AD, I read several places in the wiki and on this list that we can't have the same username in local /etc/passwd and in AD, but I haven't seen an explanation why this might not be a good idea.
> In our world, we have the same /etc/passwd on all Linux clients and servers, and we have control over user and group IDs so that they would be identical in /etc/passwd and in AD for a given user.

You cannot have the same username in AD and /etc/passwd for several reasons, a couple of which are: the first to be found will be used, and there is absolutely no reason to do this.

> I would therefore like to have
> - an AD DC,
> - a Linux file server as domain member, but with /etc/passwd that has the same usernames as in AD,

The above is not going to work

> - Windows clients (domain members),
> - Linux clients (not domain members, but with identical /etc/passwd like on file server and in AD).

That isn't a good idea, because they will not be Unix domain members, so you will have to maintain two databases (AD and /etc/passwd) with the same usernames & passwords. How do you plan to do this ? If you make them all domain members, then you only have one database, AD.

> So let me know what I'm missing or what I have not understood.

I don't think you really understand the concept behind AD ;-)

Rowland
On 04/06/2019 15:08, Christian Naumer via samba wrote:
> > - Linux clients (not domain members, but with identical /etc/passwd like on file server and in AD).
> yes (if you really need that application)
>
> As said, if your application can use PAM it can all work without /etc/passwd.

Yes, I suppose you could get this to work, but it would mean ongoing unnecessary work, maintaining two databases.

> As to the problems. In the setup you proposed I only see a problem with
> the domain member as this one would see both types of users.

No, you would only see one set of users, whichever comes first in the 'passwd' line in /etc/nsswitch.conf

Rowland
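Rowland's point, that on a domain member with duplicate names the account NSS returns is simply whichever source comes first on the 'passwd' line of /etc/nsswitch.conf, is easy to check before a cutover. The script below is an added example written for this page; it is not from anyone in the thread and not part of Samba. It parses a local /etc/passwd and a second set of entries in the shape winbind hands to `getent passwd`, finds usernames present in both, replays the first-match lookup for two nsswitch orderings, and flags names whose UIDs differ between the sources (the case where file ownership on the NFS home directories silently changes with lookup order). All users, UIDs, the EXAMPLE domain and the nsswitch lines are constructed sample data.

```python
"""Check a local /etc/passwd against AD-backed (winbind) accounts for
username collisions, and show which entry NSS would hand back given the
'passwd:' line of /etc/nsswitch.conf (first listed source that knows the
name wins). All input below is constructed sample data, not from any host."""

from collections import namedtuple

PasswdEntry = namedtuple("PasswdEntry", "name uid gid gecos home shell source")

# Constructed local /etc/passwd (hypothetical users).
LOCAL_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
andreas:x:10001:10001:Andreas:/home/andreas:/bin/bash
labapp:x:10500:10500:Lab application:/srv/labapp:/usr/sbin/nologin
"""

# Constructed entries in the shape winbind returns via `getent passwd`,
# assuming a hypothetical AD domain called EXAMPLE.
WINBIND_PASSWD = """\
andreas:*:10001:10001:Andreas:/home/EXAMPLE/andreas:/bin/bash
bob:*:10002:10001:Bob:/home/EXAMPLE/bob:/bin/bash
labapp:*:10777:10001:Lab application:/home/EXAMPLE/labapp:/bin/bash
"""

NSSWITCH_FILES_FIRST = "passwd:   files winbind\ngroup:    files winbind\n"
NSSWITCH_WINBIND_FIRST = "passwd:   winbind files\ngroup:    winbind files\n"


def parse_passwd(text, source):
    """Parse passwd(5) formatted lines; `source` records where they came from."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            raise ValueError(f"malformed passwd line from {source}: {line!r}")
        name, _pw, uid, gid, gecos, home, shell = fields
        entries.append(PasswdEntry(name, int(uid), int(gid), gecos, home, shell, source))
    return entries


def passwd_sources(nsswitch_text):
    """Return the ordered source list from the 'passwd:' line of nsswitch.conf."""
    for raw in nsswitch_text.splitlines():
        key, _, rest = raw.partition(":")
        if key.strip() == "passwd":
            return rest.split()
    return ["files"]  # assumed fallback for this example when no passwd line exists


def resolve(name, sources, databases):
    """Mimic the NSS lookup: the first source in order that knows `name` answers."""
    for src in sources:
        for entry in databases.get(src, []):
            if entry.name == name:
                return entry
    return None


def find_collisions(databases):
    """Map each username present in more than one source to all of its entries."""
    by_name = {}
    for entries in databases.values():
        for entry in entries:
            by_name.setdefault(entry.name, []).append(entry)
    return {n: es for n, es in by_name.items() if len(es) > 1}


def report(local_text, winbind_text, nsswitch_text):
    """Return {username: {winner, uids, uid_mismatch}} for every collision."""
    databases = {
        "files": parse_passwd(local_text, "files"),
        "winbind": parse_passwd(winbind_text, "winbind"),
    }
    sources = passwd_sources(nsswitch_text)
    findings = {}
    for name, entries in find_collisions(databases).items():
        winner = resolve(name, sources, databases)
        uids = sorted({e.uid for e in entries})
        findings[name] = {
            "winner": winner.source,
            "uids": uids,
            # Differing UIDs mean file ownership depends on the lookup order.
            "uid_mismatch": len(uids) > 1,
        }
    return findings


if __name__ == "__main__":
    for label, conf in (("files first", NSSWITCH_FILES_FIRST),
                        ("winbind first", NSSWITCH_WINBIND_FIRST)):
        print(f"== nsswitch.conf passwd line: {label} ==")
        for name, f in sorted(report(LOCAL_PASSWD, WINBIND_PASSWD, conf).items()):
            flag = "  UID MISMATCH" if f["uid_mismatch"] else ""
            print(f"{name}: answered by {f['winner']}, uids={f['uids']}{flag}")
```

On a real domain member the two inputs would be the host's /etc/passwd and the winbind portion of `getent passwd`; the check is worth running on every machine that will carry both sources, since a name that resolves identically on one host can resolve to a different UID on another.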