samba - May 2023 - samba users at boot, the same local and samba user bug has gone

On 14-05-2023 21:58, Rowland Penny via samba wrote:
>
>
> On 14/05/2023 20:47, Kees van Vloten via samba wrote:
>>
>> On 14-05-2023 21:39, Rowland Penny via samba wrote:
>>>
>>>
>>> On 14/05/2023 20:32, Kees van Vloten via samba wrote:
>>>
>>>> The uid + gid are the unique identifier of a user in Linux, the
>>>> name is only relevant for the translation of number (uid) to
name.
>>>>
>>>> I.e. a local-user == domain-user when uid + gid are identical.
>>>>
>>>> My nsswitch.conf prefers local-users over domain-users:
>>>>
>>>> passwd:???????? files systemd winbind
>>>> group:????????? files systemd winbind
>>>> shadow:???????? files
>>>> gshadow:??????? files
>>>>
>>>> But when I do "id <user>" on a user that exists
locally and in the
>>>> domain I get the list of groups of both local + domain
concatenated
>>>> as one long list.
>>>>
>>>> Would it be viewed as two separate users that would not happen.
>>>>
>>>> - Kees.
>>>
>>>>
>>>
>>> OK, I should have posted that as well:
>>>
>>> adminuser at lmde5:~$ id unixuser
>>> uid=1001(unixuser) gid=1001(unixuser) 
>>> groups=1001(unixuser),13105(unixuser),10513(domain 
>>> users),3001(BUILTIN\users)
>>>
>>> adminuser at lmde5:~$ id SAMDOM\\unixuser
>>> uid=13105(unixuser) gid=10513(domain users) groups=10513(domain 
>>> users),13105(unixuser),3001(BUILTIN\users)
>>>
>>> Still think they are the same user ?
>>>
>>> Rowland
>>>
>> I do !
>>
>> But only when uid + gid are identical (which is not the case for your 
>> user):
>>
>> id samdom\\user1
>> uid=1114(user1) gid=1114(user1) 
>> groups=1114(user1),100(users),978(ssh-users),10000(domain 
>> users),10123(acl-app_group-access),1000001(BUILTIN\users)
>>
>> id user1
>> uid=1114(user1) gid=1114(user1) 
>> groups=1114(user1),100(users),978(ssh-users),10000(domain 
>> users),10123(acl-app_group-access),1000001(BUILTIN\users)
>>
>> I get exactly the same list of groups for both.
>>
>> - Kees.
>>
>>
>>
>
> I think that you are using the 'ad' idmap backend, but I am not
sure
> what on, a DC ?
>
> What I am trying to get across is, there is no reason to have two 
> users with the same name, one in /etc/passwd and one in AD. the one in 
> /etc/passwd is unknown to AD, but the one in AD can very easily become 
> a Unix user.
>
> Rowland
>
In his initial message Michael described a solution I have been looking 
for, namely how to run a daemon as domain-user which is usually started 
before winbind is up. By creating a local-user that also exists in AD 
with the same uid/gid that seems to be possible.

- Kees.

On 14/05/2023 21:05, Kees van Vloten via samba wrote:
> 
> On 14-05-2023 21:58, Rowland Penny via samba wrote:
>>
>>
>> On 14/05/2023 20:47, Kees van Vloten via samba wrote:
>>>
>>> On 14-05-2023 21:39, Rowland Penny via samba wrote:
>>>>
>>>>
>>>> On 14/05/2023 20:32, Kees van Vloten via samba wrote:
>>>>
>>>>> The uid + gid are the unique identifier of a user in Linux,
the
>>>>> name is only relevant for the translation of number (uid)
to name.
>>>>>
>>>>> I.e. a local-user == domain-user when uid + gid are
identical.
>>>>>
>>>>> My nsswitch.conf prefers local-users over domain-users:
>>>>>
>>>>> passwd:???????? files systemd winbind
>>>>> group:????????? files systemd winbind
>>>>> shadow:???????? files
>>>>> gshadow:??????? files
>>>>>
>>>>> But when I do "id <user>" on a user that
exists locally and in the
>>>>> domain I get the list of groups of both local + domain
concatenated
>>>>> as one long list.
>>>>>
>>>>> Would it be viewed as two separate users that would not
happen.
>>>>>
>>>>> - Kees.
>>>>
>>>>>
>>>>
>>>> OK, I should have posted that as well:
>>>>
>>>> adminuser at lmde5:~$ id unixuser
>>>> uid=1001(unixuser) gid=1001(unixuser) 
>>>> groups=1001(unixuser),13105(unixuser),10513(domain 
>>>> users),3001(BUILTIN\users)
>>>>
>>>> adminuser at lmde5:~$ id SAMDOM\\unixuser
>>>> uid=13105(unixuser) gid=10513(domain users) groups=10513(domain
>>>> users),13105(unixuser),3001(BUILTIN\users)
>>>>
>>>> Still think they are the same user ?
>>>>
>>>> Rowland
>>>>
>>> I do !
>>>
>>> But only when uid + gid are identical (which is not the case for
your
>>> user):
>>>
>>> id samdom\\user1
>>> uid=1114(user1) gid=1114(user1) 
>>> groups=1114(user1),100(users),978(ssh-users),10000(domain 
>>> users),10123(acl-app_group-access),1000001(BUILTIN\users)
>>>
>>> id user1
>>> uid=1114(user1) gid=1114(user1) 
>>> groups=1114(user1),100(users),978(ssh-users),10000(domain 
>>> users),10123(acl-app_group-access),1000001(BUILTIN\users)
>>>
>>> I get exactly the same list of groups for both.
>>>
>>> - Kees.
>>>
>>>
>>>
>>
>> I think that you are using the 'ad' idmap backend, but I am not
sure
>> what on, a DC ?
>>
>> What I am trying to get across is, there is no reason to have two 
>> users with the same name, one in /etc/passwd and one in AD. the one in 
>> /etc/passwd is unknown to AD, but the one in AD can very easily become 
>> a Unix user.
>>
>> Rowland
>>
> In his initial message Michael described a solution I have been looking 
> for, namely how to run a daemon as domain-user which is usually started 
> before winbind is up. By creating a local-user that also exists in AD 
> with the same uid/gid that seems to be possible.
> 
> - Kees.
> 
> 
I understand what you are trying to do, but do not understand why. Why 
do you want to start a local service as an AD user (which you aren't if 
winbind isn't running when it starts) ? What is wrong with starting the 
service as a local user ? Or why does it have to be started as an AD user ?

I am just trying to understand the reasoning here.

Rowland