On 6/15/20 11:29 AM, Rowland penny via samba wrote:
... snippity
> You also have 'unix password sync = Yes', you should remove this, you cannot
> have users in /etc/passwd and AD.

Actually, as far as a base statement, you can have both, that is, the idea of a username in Windows AD and the same username in /etc/passwd. The namespaces are not conjoined. However, that doesn't mean "unix password sync" is ok. I don't know enough about the assumptions being made inside of samba with regards to that.

Note, having the same username in the two namespaces can cause some ambiguity, as simply reporting a username doesn't identify the namespace from which it came. You'd have to look (for example) at the underlying uid. Especially true where default domain is used.

While this might appear to be "incorrect", it could also be looked at as a feature, and something that has been *ix for a long time really. In other words, things can be based on context. It might be a mistake to limit/control either namespace by trying to force there to just be one.
On 15/06/2020 18:02, Christopher Cox via samba wrote:
> Actually, as far as a base statement, you can have both,

You cannot have the same user in /etc/passwd and AD, though if you persevere enough you probably could create them in both databases.

Let's take a user called 'fred':

rowland at devstation:~/tests$ cat /etc/passwd | grep 'fred'

Which on 'devstation' produces no output, so the user isn't in /etc/passwd, but:

rowland at devstation:~/tests$ getent passwd fred

Produces this:

fred:*:10005:10000::/home/fred:/bin/bash

So, even though 'fred' isn't in /etc/passwd, the Linux OS knows who 'fred' is, so let's try and create 'fred' as a Linux user:

rowland at devstation:~/tests$ sudo adduser fred
[sudo] password for rowland:
adduser: The user `fred' already exists.

So, the OS will not let me create 'fred' in /etc/passwd.

I could probably create 'fred' in /etc/passwd by removing 'winbind' from the 'passwd' line in /etc/nsswitch.conf, but this would mean that the Linux user 'fred' would be used instead of the AD user 'fred', even when I put winbind back in /etc/nsswitch.conf.

Please don't try to 'bend' AD, that way will only lead to trouble and there is absolutely no reason to do it.

Rowland
On 6/15/20 12:35 PM, Rowland penny via samba wrote:
> On 15/06/2020 18:02, Christopher Cox via samba wrote:
>> Actually, as far as a base statement, you can have both,
>
> You cannot have the same user in /etc/passwd and AD, though if you persevere
> enough you probably could create them in both databases.
>
> Let's take a user called 'fred':
>
> rowland at devstation:~/tests$ cat /etc/passwd | grep 'fred'
>
> Which on 'devstation' produces no output, so the user isn't in /etc/passwd, but:
>
> rowland at devstation:~/tests$ getent passwd fred
>
> Produces this:
>
> fred:*:10005:10000::/home/fred:/bin/bash
>
> So, even though 'fred' isn't in /etc/passwd, the Linux OS knows who 'fred' is,
> so let's try and create 'fred' as a Linux user:
>
> rowland at devstation:~/tests$ sudo adduser fred
> [sudo] password for rowland:
> adduser: The user `fred' already exists.
>
> So, the OS will not let me create 'fred' in /etc/passwd

The command prohibited it. So, look at this differently. Assume you have a host where local users already exist and then you join that host as a domain member. Surprise! You can now have the same user in /etc/passwd as well as via winbind.

> I could probably create 'fred' in /etc/passwd by removing 'winbind' from the
> 'passwd' line in /etc/nsswitch.conf, but this would mean that the Linux user
> 'fred' would be used instead of the AD user 'fred', even when I put winbind back
> in /etc/nsswitch.conf.
>
> Please don't try to 'bend' AD, that way will only lead to trouble and there is
> absolutely no reason to do it.

I kinda like you, but you DO NOT take criticism well at all. Just because "you think" you understand how things work doesn't mean that you actually do.

Better response: Hmmm, you're right, but I don't advise doing it.

I'll save you the time: PLEASE DO NOT MAKE ANY MORE REPLIES ON THIS.
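The two messages above disagree about whether the same username can end up in both /etc/passwd and AD, but agree that when it does, a bare username is ambiguous and only the uid tells the two identities apart. The script below is an added example written for this thread, not code posted by any participant or shipped by Samba: it compares a local passwd file against a winbind-only view of the AD users (both in passwd(5) format) and reports every name present in both, with the uid each source assigns. On a real domain member the two inputs would be `/etc/passwd` and, for instance, the output of `getent -s winbind passwd` (glibc's getent can restrict a lookup to one NSS service with `-s`); here both are constructed sample data so the check runs offline, and the function and file names are my own.

```shell
#!/bin/sh
# Added example for this thread (not from any poster): list usernames that
# resolve in BOTH a local passwd file and a winbind-only view of AD users,
# since 'getent passwd fred' alone returns only whichever NSS source is
# listed first in /etc/nsswitch.conf and hides the shadowed identity.

# find_name_collisions LOCAL_PASSWD_FILE AD_PASSWD_FILE
# Prints one line per colliding name: "<name> local_uid=<n> ad_uid=<m>".
find_name_collisions() {
    local_file=$1
    ad_file=$2
    # awk reads the local file first (NR == FNR) and remembers each name's
    # uid, then walks the AD view and reports every name seen in both.
    awk -F: '
        NR == FNR { local_uid[$1] = $3; next }
        ($1 in local_uid) {
            printf "%s local_uid=%s ad_uid=%s\n", $1, local_uid[$1], $3
        }
    ' "$local_file" "$ad_file"
}

# demo_collisions: builds constructed sample inputs and runs the check.
# 'fred' exists locally (uid 1001) and in AD (uid 10005, as in the thread),
# so on this host the name "fred" alone does not identify the account.
demo_collisions() {
    tmpdir=$(mktemp -d)
    cat > "$tmpdir/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
fred:x:1001:1001:Fred Local:/home/fred:/bin/bash
alice:x:1002:1002:Alice:/home/alice:/bin/bash
EOF
    cat > "$tmpdir/winbind" <<'EOF'
fred:*:10005:10000::/home/fred:/bin/bash
bob:*:10006:10000::/home/bob:/bin/bash
EOF
    find_name_collisions "$tmpdir/passwd" "$tmpdir/winbind"
    rm -rf "$tmpdir"
}

demo_collisions
```

Running it prints `fred local_uid=1001 ad_uid=10005` and nothing for `alice` or `bob`, which only exist on one side. A host that was joined after local accounts were created (the scenario Christopher describes) is exactly where this list is worth reviewing, because file ownership, sudo rules and log lines that name "fred" may refer to either uid depending on the order of `files` and `winbind` on the `passwd` line of nsswitch.conf.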
On Mon, 2020-06-15 at 12:02 -0500, Christopher Cox via samba wrote:
> On 6/15/20 11:29 AM, Rowland penny via samba wrote:
> ... snippity
>> You also have 'unix password sync = Yes', you should remove this,
>> you cannot
>> have users in /etc/passwd and AD.
>
> Actually, as far as a base statement, you can have both, that is, the
> idea of a
> username in Windows AD and the same username in /etc/passwd. The
> namespaces are
> not conjoined. However, that doesn't mean "unix password sync" is
> ok. I don't
> know enough about the assumptions being made inside of samba with
> regards to that.

It is all a bit moot anyway, unless there is a local passdb entry for the local user, the SAMR server won't operate for that user and so there will be no way to change the password. AD passwords are changed on a domain controller, not on or via the domain member.

Andrew Bartlett

--
Andrew Bartlett https://samba.org/~abartlet/
Authentication Developer, Samba Team https://samba.org
Samba Developer, Catalyst IT https://catalyst.net.nz/services/samba