On 6/15/20 12:35 PM, Rowland penny via samba wrote:
> On 15/06/2020 18:02, Christopher Cox via samba wrote:
>> Actually, as far as a base statement, you can have both,
>
> You cannot have the same user in /etc/passwd and AD, though if you persevere
> enough you probably could create them in both databases.
>
> Let's take a user called 'fred':
>
> rowland@devstation:~/tests$ cat /etc/passwd | grep 'fred'
>
> Which on 'devstation' produces no output, so the user isn't in /etc/passwd, but:
>
> rowland@devstation:~/tests$ getent passwd fred
>
> Produces this:
>
> fred:*:10005:10000::/home/fred:/bin/bash
>
> So, even though 'fred' isn't in /etc/passwd, the Linux OS knows who 'fred' is,
> so let's try and create 'fred' as a Linux user:
>
> rowland@devstation:~/tests$ sudo adduser fred
> [sudo] password for rowland:
> adduser: The user `fred' already exists.
>
> So, the OS will not let me create 'fred' in /etc/passwd

The command prohibited it. So, look at this differently. Assume you have a host
where local users already exist and then you join that host as a domain member.

Surprise! You can now have the same user in /etc/passwd as well as via winbind.

> I could probably create 'fred' in /etc/passwd by removing 'winbind' from the
> 'passwd' line in /etc/nsswitch.conf, but this would mean that the Linux user
> 'fred' would be used instead of the AD user 'fred', even when I put winbind back
> in /etc/nsswitch.conf.
>
> Please don't try to 'bend' AD, that way will only lead to trouble and there is
> absolutely no reason to do it.

I kinda like you, but you DO NOT take criticism well at all. Just because "you
think" you understand how things work doesn't mean that you actually do. Better
response: Hmmm, you're right, but I don't advise doing it.

I'll save you the time: PLEASE DO NOT MAKE ANY MORE REPLIES ON THIS.
On 15/06/2020 20:02, Christopher Cox via samba wrote:
> On 6/15/20 12:35 PM, Rowland penny via samba wrote:
>> On 15/06/2020 18:02, Christopher Cox via samba wrote:
>>> Actually, as far as a base statement, you can have both,
>>
>> You cannot have the same user in /etc/passwd and AD, though if you
>> persevere enough you probably could create them in both databases.
>>
>> Let's take a user called 'fred':
>>
>> rowland@devstation:~/tests$ cat /etc/passwd | grep 'fred'
>>
>> Which on 'devstation' produces no output, so the user isn't in
>> /etc/passwd, but:
>>
>> rowland@devstation:~/tests$ getent passwd fred
>>
>> Produces this:
>>
>> fred:*:10005:10000::/home/fred:/bin/bash
>>
>> So, even though 'fred' isn't in /etc/passwd, the Linux OS knows who
>> 'fred' is, so let's try and create 'fred' as a Linux user:
>>
>> rowland@devstation:~/tests$ sudo adduser fred
>> [sudo] password for rowland:
>> adduser: The user `fred' already exists.
>>
>> So, the OS will not let me create 'fred' in /etc/passwd
>
> The command prohibited it. So, look at this differently. Assume you
> have a host where local users already exist and then you join that
> host as a domain member.
>
> Surprise! You can now have the same user in /etc/passwd as well as
> via winbind.
>
>> I could probably create 'fred' in /etc/passwd by removing 'winbind'
>> from the 'passwd' line in /etc/nsswitch.conf, but this would mean
>> that the Linux user 'fred' would be used instead of the AD user
>> 'fred', even when I put winbind back in /etc/nsswitch.conf.
>>
>> Please don't try to 'bend' AD, that way will only lead to trouble and
>> there is absolutely no reason to do it.
>
> I kinda like you, but you DO NOT take criticism well at all. Just
> because "you think" you understand how things work doesn't mean that
> you actually do. Better response: Hmmm, you're right, but I don't
> advise doing it.
>
> I'll save you the time: PLEASE DO NOT MAKE ANY MORE REPLIES ON THIS.

I am ignoring that, because you are wrong and also because I do take
criticism, but only when it is deserved.

Yes, if you have users in /etc/passwd and then join the computer to the
domain (where the same usernames exist), then the 'usernames' will exist
in both databases, but they are not the same users and the 'local' users
will be used before the domain users. This is because the 'passwd' line
in /etc/nsswitch.conf will be similar to this:

passwd:         compat winbind

That line means, check /etc/passwd first and if the user isn't found,
then check winbind. So, if the username exists in /etc/passwd, winbind
will never be checked.

As far as Samba is concerned, the local user will be
COMPUTER_HOSTNAME\username, domain users will be DOMAIN\username, to
prove this:

rowland@devstation:~/tests$ sudo net getdomainsid
SID for local machine DEVSTATION is: S-1-5-21-1108792384-1865707183-3144552696
SID for domain SAMDOM is: S-1-5-21-1768301897-3342589593-1064908849

As I hope you can see, there are two SIDs there.

I wrote this because I didn't want the thread to end on something that
sounded like Samba supported having the same users in /etc/passwd and AD,
we do not support this at all.

Rowland
On 6/15/20 2:26 PM, Rowland penny via samba wrote:
> On 15/06/2020 20:02, Christopher Cox via samba wrote:
>> On 6/15/20 12:35 PM, Rowland penny via samba wrote:
>>> On 15/06/2020 18:02, Christopher Cox via samba wrote:
>>>> Actually, as far as a base statement, you can have both,
>>>
>>> You cannot have the same user in /etc/passwd and AD, though if you persevere
>>> enough you probably could create them in both databases.
>>>
>>> Let's take a user called 'fred':
>>>
>>> rowland@devstation:~/tests$ cat /etc/passwd | grep 'fred'
>>>
>>> Which on 'devstation' produces no output, so the user isn't in /etc/passwd, but:
>>>
>>> rowland@devstation:~/tests$ getent passwd fred
>>>
>>> Produces this:
>>>
>>> fred:*:10005:10000::/home/fred:/bin/bash
>>>
>>> So, even though 'fred' isn't in /etc/passwd, the Linux OS knows who 'fred'
>>> is, so let's try and create 'fred' as a Linux user:
>>>
>>> rowland@devstation:~/tests$ sudo adduser fred
>>> [sudo] password for rowland:
>>> adduser: The user `fred' already exists.
>>>
>>> So, the OS will not let me create 'fred' in /etc/passwd
>>
>> The command prohibited it. So, look at this differently. Assume you have a
>> host where local users already exist and then you join that host as a domain
>> member.
>>
>> Surprise! You can now have the same user in /etc/passwd as well as via winbind.
>>
>>> I could probably create 'fred' in /etc/passwd by removing 'winbind' from the
>>> 'passwd' line in /etc/nsswitch.conf, but this would mean that the Linux user
>>> 'fred' would be used instead of the AD user 'fred', even when I put winbind
>>> back in /etc/nsswitch.conf.
>>>
>>> Please don't try to 'bend' AD, that way will only lead to trouble and there
>>> is absolutely no reason to do it.
>>
>> I kinda like you, but you DO NOT take criticism well at all. Just because
>> "you think" you understand how things work doesn't mean that you actually do.
>> Better response: Hmmm, you're right, but I don't advise doing it.
>>
>> I'll save you the time: PLEASE DO NOT MAKE ANY MORE REPLIES ON THIS.
>
> I am ignoring that, because you are wrong and also because I do take criticism,
> but only when it is deserved.

I disagree.

> Yes, if you have users in /etc/passwd and then join the computer to the domain
> (where the same usernames exist), then the 'usernames' will exist in both
> databases, but they are not the same users and the 'local' users will be used
> before the domain users. This is because the 'passwd' line in /etc/nsswitch.conf
> will be similar to this:
>
> passwd: compat winbind

Two namespaces, which I CLEARLY stated.

> That line means, check /etc/passwd first and if the user isn't found, then check
> winbind. So, if the username exists in /etc/passwd, winbind will never be checked.

Correct, the idea that there is more than one namespace.

> As far as Samba is concerned, the local user will be COMPUTER_HOSTNAME\username,
> domain users will be DOMAIN\username, to prove this:
>
> rowland@devstation:~/tests$ sudo net getdomainsid
> SID for local machine DEVSTATION is: S-1-5-21-1108792384-1865707183-3144552696
> SID for domain SAMDOM is: S-1-5-21-1768301897-3342589593-1064908849
>
> As I hope you can see, there are two SIDs there.

And, in your one context view, yes, again, agreeing totally with everything I
said.

> I wrote this because I didn't want the thread to end on something that sounded
> like Samba supported having the same users in /etc/passwd and AD, we do not
> support this at all.

My point, especially in the context of the original thread, which had a lot to do
with a host with multiple namespaces, is that you have the same username twice on
a host where the context matters. Again, taking note of my statement with regards
to ambiguity.
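The situation both posters describe above, a username that exists in /etc/passwd and in AD, where the 'passwd:' order in /etc/nsswitch.conf decides which account is used, as an added example that is not part of the thread: a POSIX shell check that compares /etc/passwd with the user list 'wbinfo -u' prints and reports which account NSS will pick. The sample passwd and wbinfo data are constructed; SAMDOM is the domain name from Rowland's output.

```shell
# Added example, not from the thread: find usernames present both in /etc/passwd
# and in the winbind (AD) user list, and say which one NSS resolves first.

# Which source wins for a nsswitch 'passwd:' line such as "passwd: compat winbind"?
# files/compat mean the local account, winbind the AD one; other tokens are skipped.
nss_winner() {
    for src in $(printf '%s\n' "$1" | sed 's/^passwd:[[:space:]]*//'); do
        case "$src" in
            files|compat) echo local;   return 0 ;;
            winbind)      echo winbind; return 0 ;;
        esac
    done
    echo unknown
}

# Usernames present in both databases, one per line.
# $1 = contents of /etc/passwd; $2 = domain users as 'wbinfo -u' prints them.
# A DOMAIN\ prefix is stripped so bare names are compared. ENVIRON is used
# instead of awk -v, which would treat the backslash in SAMDOM\fred as an escape.
collisions() {
    LOCAL_PASSWD="$1" DOMAIN_USERS="$2" awk 'BEGIN {
        n = split(ENVIRON["DOMAIN_USERS"], d, "\n")
        for (i = 1; i <= n; i++) {
            sub(/^.*\\/, "", d[i])
            if (d[i] != "") seen[d[i]] = 1
        }
        m = split(ENVIRON["LOCAL_PASSWD"], p, "\n")
        for (i = 1; i <= m; i++) {
            split(p[i], f, ":")
            if (f[1] in seen) print f[1]
        }
    }' | sort -u
}

# $1 passwd contents, $2 'wbinfo -u' output, $3 the nsswitch 'passwd:' line.
report() {
    winner=$(nss_winner "$3")
    collisions "$1" "$2" | while read -r u; do
        printf 'collision: %s is both a local and an AD user; NSS picks the %s one\n' "$u" "$winner"
    done
}
# Constructed sample data standing in for /etc/passwd and 'wbinfo -u'; on a domain
# member pass "$(cat /etc/passwd)", "$(wbinfo -u)" and "$(grep '^passwd:' /etc/nsswitch.conf)".
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
fred:x:1001:1001::/home/fred:/bin/bash
alice:x:1002:1002::/home/alice:/bin/bash'
SAMPLE_WBINFO='SAMDOM\fred
SAMDOM\bob'
report "$SAMPLE_PASSWD" "$SAMPLE_WBINFO" "passwd: compat winbind"
```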