Gary Dale
2023-Apr-28 14:17 UTC
[Samba] DNS problems (still) with Linux domain members - using Samba's internal DNS backend
On 2023-04-28 04:07, Rowland Penny via samba wrote:
> On 28/04/2023 07:03, Christian Naumer via samba wrote:
>> On 28.04.23 at 06:13, Gary Dale via samba wrote:
>>> Under previous versions, my Windows account mapped to my Unix account. Without user mapping, I can only access Samba shares that Windows-only users access through my Windows account. Unix accounts can't be members of Windows groups and Windows groups can't map to Unix groups either.
>>
>> Rowland will not like to hear this but you can still do this. Although I agree with Rowland that you should not. If you use the "normal" Linux tools you can add users from AD to Linux groups. That only works on the machine you are doing this on, but it does work.
>> You can even (Rowland do not read further) add local Samba users with smbpasswd when your server is running with AD (I accidentally did this once) and use that to access your server. But it makes everything even more complex and harder to understand the behaviour, in my opinion.
>>
>>> In any mixed environment, it seems that the two systems can no longer co-exist. Instead you have two solitudes. If you want to access things available to Windows users, you need a Windows account. If you want a local Unix account, you can't access Windows shares with it. User and group mapping used to bridge that gap.
>>
>> I think you are looking at this too strictly. I have been using Samba for some time and going to AD simplified things for me. And I have absolutely no issues with a Linux/Windows environment. OK, I use sssd on workstations, but the member/file servers use Samba. I log onto my Linux computer with my AD account and can ssh, rsync or do smb file access without having to use a password.
>>
>> Regards
>>
>> Christian
>
> Never said you couldn't do it, I am just saying you shouldn't do it because there is no point to it. The whole idea of AD is to have a single point of maintenance and having local users & groups (except in exceptional cases) totally defeats that idea.

Not exactly correct. You can achieve a "single point of maintenance" through having only a single instance of everything or by propagating changes between authorities. AD actually uses the latter strategy when it recommends maintaining more than one DC.

What you are arguing for (and what Samba is now doing) is the former - a single instance of everything - instead of extending the AD strategy to propagate changes between domain controllers and Unix authentication. Given that the AD propagation strategy provides redundancy and better performance, this seems like a strange choice.

When you combine this with the harm it does to existing Unix infrastructure, the idea appears indefensible.
Rowland Penny
2023-Apr-28 15:51 UTC
[Samba] DNS problems (still) with Linux domain members - using Samba's internal DNS backend
On 28/04/2023 15:17, Gary Dale via samba wrote:
> What you are arguing for (and what Samba is now doing) is the former - a single instance of everything - instead of extending the AD strategy to propagate changes between domain controllers and Unix authentication. Given that the AD propagation strategy provides redundancy and better performance, this seems like a strange choice.
>
> When you combine this with the harm it does to existing Unix infrastructure, the idea appears indefensible.
>

Whilst looking through my deleted bin for an email that got deleted by mistake, I found this post.

Gary,

These are just my personal thoughts and have nothing to do with any other person or entity.

Samba was from the very start an attempt to emulate the SMB protocol; it is in its very name: SaMBa. It was an attempt to connect Windows and Unix. Now some of what was done in the past was probably not a good idea, but you cannot change the past. Samba (at the moment) can operate as an NT4-style PDC, but they rely on SMBv1, and Microsoft stopped supporting NT4 over 20 years ago; they replaced it with AD and they are doing all they can to remove SMBv1. Samba, after a lot of hard work, released their version of AD about 10 years ago and it was and is a success. It is a success because it closely follows Microsoft AD; it has to, or it wouldn't be AD. This means that a lot of what used to work is either not required any more (local users on Linux) or just doesn't work or make sense. Running a Samba AD domain is a lot easier than running an NT4-style domain, where you could have just one PDC and multiple BDCs, which may or may not take over (after you make them do it) if the PDC failed. You can have multiple AD DCs where the only difference is the FSMO roles, and they can be easily moved to any DC.

You want Samba changing to do what you want, but I am sorry, this isn't likely to happen. You need to change the way you do things and if you do, I think you will find things are easier than you think. Want to change a password? Just do it in one place, AD, rather than multiple places. Want to create users or groups on multiple machines? Do it in AD. I could go on and on, but I think you get the point: AD beats anything else, hands down.

Now, unless you are prepared to accept that Samba AD is never going to work like an NT4-style domain, I suggest you go and find another way of doing things.

Rowland

PS you are still on my banned list