Right, the wiki describes how to have Samba assign unix IDs for use within __just samba__. There are segregated pages that describe each different storage backend. The AD backend is the only way to ensure you have the same exact Unix UIDs and GIDs in use on all domain. The other two methods are both ways of having samba automatically assign those IDs and store them locally. However, that's not the current topic. What is the _correct_ way of exposing the users defined in the AD to unix systems? I'm confused on that, and others are too. Someone I expect knows much more about samba than I do has stated that winbind enum is incorrect for exposing that user and group list to NSS services (so that they're shown with getent passwd and getent group; as well as any programs that want to validate usernames / etc): So what should I and others do instead?
> Right, the wiki describes how to have Samba assign unix IDs for use within __just samba__.
> There are segregated pages that describe each different storage backend.

Wrong. RID and AD both provide IDs inside a *nix domain member.

> The AD backend is the only way to ensure you have the same exact Unix UIDs and GIDs in use on all domain.
> The other two methods are both ways of having samba automatically assign those IDs and store them locally.
> However, that's not the current topic.
> What is the _correct_ way of exposing the users defined in the AD to unix systems?
> I'm confused on that, and others are too.
> Someone I expect knows much more about samba than I do has stated that winbind enum is incorrect for exposing that user and group list to NSS services (so that they're shown with getent passwd and getent group; as well as any programs that want to validate usernames / etc): So what should I and others do instead?

I'm not going to get into the weeds here.

RID and AD *BOTH* *expose* all the users to *nix. RID does so automagically, and as long as in the samba config, the ID ranges are defined identically, then the IDs will be the same across all unix member servers. [quoting: User and group IDs are only the same on other domain members using the rid back end, if the same ID ranges are configured for the domain.]

(Again, there's detail in the Wiki that's important, and I'm afraid I'll forget some detail and get excoriated as "wrong.")

AD does this *IF* you manually assign unique IDs to all users and groups. (And if I understand it correctly, by suppressing/not-providing an ID for a particular user/group, you can suppress it from appearing as a user/group on Unix domain members. This is something you can not do with RID.)

---
All I care about is a mainly Windows environment, so would be unsurprised if there's some detail about *nix I've got wrong.
But RID absolutely DOES enumerate the AD IDs inside, for example, Ubuntu, just fine - without needing to manually assign IDs using the AD back end. And those are consistent across multiple members, as the wiki notes "if the same ID ranges are configured for the domain."

But the gist here is that your warning that I had to assign IDs when I'm using the RID back-end to get the users/groups to show up using getent is simply incorrect. If I'd been using AD, then I _would_ have to assign them in the AD records.

I'm not going to go further - as I'm getting outside of what I'm fairly confident I know. If you want to debate this more, it will have to be with someone else.
On 27 February 2022 23:48 Michael Evans wrote:
> Someone I expect knows much more about samba than I do has stated that winbind enum is incorrect
> for exposing that user and group list to NSS services (so that they're shown with getent passwd and
> getent group; as well as any programs that want to validate usernames / etc): So what should I and
> others do instead?

The winbind enum line in smb.conf is purely to "enumerate" the list of users so that you can use "getent passwd" or "getent group" to get a list of users and groups, including AD users and groups. Remove that line from smb.conf and all you will get are local users and groups when you use the getent commands. However, as Gregory says, the AD users are still *known* to the operating system, as will be demonstrated by appending an AD user's name or group to the getent command. For example on my system getent passwd roy produces:

roy@pi4b:~$ getent passwd roy
roy:*:11601:10513:roy:/home/MICROLYNX/roy:/bin/bash

HTH,
Roy
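The two claims above, that rid-backend members hand out identical IDs only when their configured ranges match, and that `winbind enum` governs only bare `getent` enumeration, can be checked against smb.conf text. The script below is an added example, not Roy's or Gregory's configuration or any Samba code: both smb.conf fragments are constructed, the MICROLYNX low range of 10000 is an assumption chosen so that the idmap_rid(8) mapping (ID = RID + LOW_RANGE_ID) reproduces Roy's `getent` output, and roy's RID of 1601 follows from that assumption.

```shell
#!/bin/sh
# Added example, not from the thread: compare two RID-backend members' smb.conf
# fragments and compute the IDs the rid backend hands out. idmap_rid(8) documents
# the mapping as ID = RID + LOW_RANGE_ID. Both fragments are constructed; the
# 10000 low end is an assumption chosen to reproduce Roy's getent output.
MEMBER_A='[global]
   workgroup = MICROLYNX
   security = ADS
   idmap config * : backend = tdb
   idmap config * : range = 3000-7999
   idmap config MICROLYNX : backend = rid
   idmap config MICROLYNX : range = 10000-999999
   winbind enum users = yes
   winbind enum groups = yes'
# Same domain and backend, but a different range: its IDs will not match member A.
MEMBER_B='[global]
   workgroup = MICROLYNX
   security = ADS
   idmap config * : backend = tdb
   idmap config * : range = 3000-7999
   idmap config MICROLYNX : backend = rid
   idmap config MICROLYNX : range = 20000-999999'

# idmap_value CONF DOMAIN KEY -> value of the "idmap config DOMAIN : KEY" line
idmap_value() {
    printf '%s\n' "$1" | sed -n \
        "s/^[[:space:]]*idmap config $2[[:space:]]*:[[:space:]]*$3[[:space:]]*=[[:space:]]*//p"
}
# rid_to_id LOW_RANGE_ID RID -> unix ID the rid backend assigns to that RID
rid_to_id() {
    echo $(( $1 + $2 ))
}
# same_ids CONF_A CONF_B DOMAIN -> yes if both members map DOMAIN to identical IDs
same_ids() {
    [ "$(idmap_value "$1" "$3" backend)" = rid ] && [ "$(idmap_value "$2" "$3" backend)" = rid ] \
        && [ "$(idmap_value "$1" "$3" range)" = "$(idmap_value "$2" "$3" range)" ] \
        && echo yes || echo no
}
# winbind_enum CONF -> yes if a bare "getent passwd" will list AD users on that member
winbind_enum() {
    printf '%s\n' "$1" | grep -qi '^[[:space:]]*winbind enum users[[:space:]]*=[[:space:]]*yes' \
        && echo yes || echo no
}

low=$(idmap_value "$MEMBER_A" MICROLYNX range | cut -d- -f1)
echo "roy (assumed RID 1601) -> uid $(rid_to_id "$low" 1601)"      # 11601, as in Roy's output
echo "Domain Users (RID 513) -> gid $(rid_to_id "$low" 513)"       # 10513
echo "A and B hand out the same IDs: $(same_ids "$MEMBER_A" "$MEMBER_B" MICROLYNX)"  # no
echo "member B lists AD users via bare getent: $(winbind_enum "$MEMBER_B")"           # no
```

On member B a bare `getent passwd` shows only local accounts, while `getent passwd roy` still resolves through winbind; fixing member B's range to match A is what makes the two hosts agree on 11601.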
On Sun, 2022-02-27 at 15:47 -0800, Michael Evans via samba wrote:
> Right, the wiki describes how to have Samba assign unix IDs for use
> within __just samba__. There are segregated pages that describe each
> different storage backend.
>
> The AD backend is the only way to ensure you have the same exact Unix
> UIDs and GIDs in use on all domain.
> The other two methods are both ways of having samba automatically
> assign those IDs and store them locally.
>
> However, that's not the current topic.
>
> What is the _correct_ way of exposing the users defined in the AD to
> unix systems? I'm confused on that, and others are too.
>
> Someone I expect knows much more about samba than I do has stated
> that winbind enum is incorrect for exposing that user and group list
> to NSS services (so that they're shown with getent passwd and getent
> group; as well as any programs that want to validate usernames /
> etc): So what should I and others do instead?

All that the 'enum' lines do is to allow nsswitch to display all users and groups, but this requires Samba to search the entire ldap and this could be cpu intensive. Samba and the OS will work without the 'enum' lines.

Rowland