Kees van Vloten
2023-May-14 20:05 UTC
[Samba] samba users at boot, the same local and samba user bug has gone
On 14-05-2023 21:58, Rowland Penny via samba wrote:
>
> On 14/05/2023 20:47, Kees van Vloten via samba wrote:
>>
>> On 14-05-2023 21:39, Rowland Penny via samba wrote:
>>>
>>> On 14/05/2023 20:32, Kees van Vloten via samba wrote:
>>>
>>>> The uid + gid are the unique identifier of a user in Linux, the
>>>> name is only relevant for the translation of number (uid) to name.
>>>>
>>>> I.e. a local-user == domain-user when uid + gid are identical.
>>>>
>>>> My nsswitch.conf prefers local-users over domain-users:
>>>>
>>>> passwd:         files systemd winbind
>>>> group:          files systemd winbind
>>>> shadow:         files
>>>> gshadow:        files
>>>>
>>>> But when I do "id <user>" on a user that exists locally and in the
>>>> domain I get the list of groups of both local + domain concatenated
>>>> as one long list.
>>>>
>>>> Would it be viewed as two separate users, that would not happen.
>>>>
>>>> - Kees.
>>>
>>> OK, I should have posted that as well:
>>>
>>> adminuser@lmde5:~$ id unixuser
>>> uid=1001(unixuser) gid=1001(unixuser) groups=1001(unixuser),13105(unixuser),10513(domain users),3001(BUILTIN\users)
>>>
>>> adminuser@lmde5:~$ id SAMDOM\\unixuser
>>> uid=13105(unixuser) gid=10513(domain users) groups=10513(domain users),13105(unixuser),3001(BUILTIN\users)
>>>
>>> Still think they are the same user ?
>>>
>>> Rowland
>>>
>> I do !
>>
>> But only when uid + gid are identical (which is not the case for your
>> user):
>>
>> id samdom\\user1
>> uid=1114(user1) gid=1114(user1) groups=1114(user1),100(users),978(ssh-users),10000(domain users),10123(acl-app_group-access),1000001(BUILTIN\users)
>>
>> id user1
>> uid=1114(user1) gid=1114(user1) groups=1114(user1),100(users),978(ssh-users),10000(domain users),10123(acl-app_group-access),1000001(BUILTIN\users)
>>
>> I get exactly the same list of groups for both.
>>
>> - Kees.
>>
>
> I think that you are using the 'ad' idmap backend, but I am not sure
> what on, a DC ?
>
> What I am trying to get across is, there is no reason to have two
> users with the same name, one in /etc/passwd and one in AD. The one in
> /etc/passwd is unknown to AD, but the one in AD can very easily become
> a Unix user.
>
> Rowland
>
In his initial message Michael described a solution I have been looking
for, namely how to run a daemon as a domain user which is usually started
before winbind is up. By creating a local user that also exists in AD
with the same uid/gid that seems to be possible.

- Kees.
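The disagreement above is about whether a name that exists in both /etc/passwd and AD is one identity or two. The rule the kernel actually applies is the numeric one: with `files` listed before `winbind` on the `passwd:` line, `id unixuser` resolves to the local uid, while glibc's initgroups walks every service on the `group:` line and merges the results, which is why Rowland's first `id` shows the local uid 1001 together with winbind's 13105 and 10513 groups. The script below is an added example, not code posted by either participant or shipped by Samba: it parses the `id` output quoted in the thread (embedded here as constructed samples), reports whether the local and domain entries are the same uid/gid or a collision, and offers a `check_user` helper that queries the two NSS sources separately with glibc's `getent -s` (a live check that needs winbind running, so it is not exercised offline). Function names are mine.

```shell
#!/bin/sh
# Added example for this thread, not code from Kees, Rowland or Samba.
# Decides whether a name present in both the 'files' and 'winbind' NSS
# sources is one Unix identity (same uid and gid) or a name collision.

# Constructed samples: the id(1) output quoted in the thread.
ROWLAND_LOCAL='uid=1001(unixuser) gid=1001(unixuser) groups=1001(unixuser),13105(unixuser),10513(domain users),3001(BUILTIN\users)'
ROWLAND_DOMAIN='uid=13105(unixuser) gid=10513(domain users) groups=10513(domain users),13105(unixuser),3001(BUILTIN\users)'
KEES_LOCAL='uid=1114(user1) gid=1114(user1) groups=1114(user1),100(users),978(ssh-users),10000(domain users),10123(acl-app_group-access),1000001(BUILTIN\users)'
KEES_DOMAIN="$KEES_LOCAL"

# id_uid_gid ID_OUTPUT -> prints "UID GID" taken from one line of id(1) output.
# Group names may contain spaces ("domain users"), so only the numbers are used.
id_uid_gid() {
    printf '%s\n' "$1" | sed -n 's/^uid=\([0-9]*\)([^)]*) gid=\([0-9]*\)(.*/\1 \2/p'
}

# compare_ids LOCAL_ID DOMAIN_ID -> prints "same", "conflict" or "unparsable".
compare_ids() {
    a=$(id_uid_gid "$1")
    b=$(id_uid_gid "$2")
    if [ -z "$a" ] || [ -z "$b" ]; then
        echo unparsable
        return 2
    fi
    if [ "$a" = "$b" ]; then echo same; else echo conflict; fi
}

# passwd_uid_gid PASSWD_LINE -> prints "UID GID" from a passwd(5) line
# (name:x:uid:gid:gecos:home:shell), the format getent passwd emits.
passwd_uid_gid() {
    printf '%s\n' "$1" | awk -F: 'NF >= 4 { print $3, $4 }'
}

# first_source NSSWITCH_LINE -> the service that wins a name lookup for that
# database, i.e. the first one listed ("files" in Kees's configuration).
first_source() {
    printf '%s\n' "$1" | awk '{ print $2 }'
}

# check_user NAME -> live check on a domain member: ask the 'files' and
# 'winbind' sources separately (glibc getent's -s/--service option) and
# compare the numeric identity each returns. Exit 1 on a collision.
check_user() {
    name=$1
    local_entry=$(getent -s files passwd "$name") || { echo "no local entry for $name"; return 2; }
    domain_entry=$(getent -s winbind passwd "$name") || { echo "no winbind entry for $name"; return 2; }
    if [ "$(passwd_uid_gid "$local_entry")" = "$(passwd_uid_gid "$domain_entry")" ]; then
        echo "same: $local_entry"
    else
        printf 'conflict (first source on the passwd: line wins name lookups):\n  files:   %s\n  winbind: %s\n' \
            "$local_entry" "$domain_entry"
        return 1
    fi
}

# Offline demonstration on the quoted samples, then the live check if a
# user name was given on the command line.
echo "Rowland's unixuser: $(compare_ids "$ROWLAND_LOCAL" "$ROWLAND_DOMAIN")"
echo "Kees's user1:       $(compare_ids "$KEES_LOCAL" "$KEES_DOMAIN")"
if [ $# -gt 0 ]; then
    check_user "$1"
fi
```

Run it as `sh check_identity.sh unixuser` on the member; a `conflict` result means the service started before winbind is up will run with the /etc/passwd uid, and any file or share ACL granting access to the AD-mapped uid will not apply to it.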
Rowland Penny
2023-May-14 20:15 UTC
[Samba] samba users at boot, the same local and samba user bug has gone
On 14/05/2023 21:05, Kees van Vloten via samba wrote:
>
> On 14-05-2023 21:58, Rowland Penny via samba wrote:
>>
>> On 14/05/2023 20:47, Kees van Vloten via samba wrote:
>>>
>>> On 14-05-2023 21:39, Rowland Penny via samba wrote:
>>>>
>>>> On 14/05/2023 20:32, Kees van Vloten via samba wrote:
>>>>
>>>>> The uid + gid are the unique identifier of a user in Linux, the
>>>>> name is only relevant for the translation of number (uid) to name.
>>>>>
>>>>> I.e. a local-user == domain-user when uid + gid are identical.
>>>>>
>>>>> My nsswitch.conf prefers local-users over domain-users:
>>>>>
>>>>> passwd:         files systemd winbind
>>>>> group:          files systemd winbind
>>>>> shadow:         files
>>>>> gshadow:        files
>>>>>
>>>>> But when I do "id <user>" on a user that exists locally and in the
>>>>> domain I get the list of groups of both local + domain concatenated
>>>>> as one long list.
>>>>>
>>>>> Would it be viewed as two separate users, that would not happen.
>>>>>
>>>>> - Kees.
>>>>
>>>> OK, I should have posted that as well:
>>>>
>>>> adminuser@lmde5:~$ id unixuser
>>>> uid=1001(unixuser) gid=1001(unixuser) groups=1001(unixuser),13105(unixuser),10513(domain users),3001(BUILTIN\users)
>>>>
>>>> adminuser@lmde5:~$ id SAMDOM\\unixuser
>>>> uid=13105(unixuser) gid=10513(domain users) groups=10513(domain users),13105(unixuser),3001(BUILTIN\users)
>>>>
>>>> Still think they are the same user ?
>>>>
>>>> Rowland
>>>>
>>> I do !
>>>
>>> But only when uid + gid are identical (which is not the case for your
>>> user):
>>>
>>> id samdom\\user1
>>> uid=1114(user1) gid=1114(user1) groups=1114(user1),100(users),978(ssh-users),10000(domain users),10123(acl-app_group-access),1000001(BUILTIN\users)
>>>
>>> id user1
>>> uid=1114(user1) gid=1114(user1) groups=1114(user1),100(users),978(ssh-users),10000(domain users),10123(acl-app_group-access),1000001(BUILTIN\users)
>>>
>>> I get exactly the same list of groups for both.
>>>
>>> - Kees.
>>>
>>
>> I think that you are using the 'ad' idmap backend, but I am not sure
>> what on, a DC ?
>>
>> What I am trying to get across is, there is no reason to have two
>> users with the same name, one in /etc/passwd and one in AD. The one in
>> /etc/passwd is unknown to AD, but the one in AD can very easily become
>> a Unix user.
>>
>> Rowland
>>
> In his initial message Michael described a solution I have been looking
> for, namely how to run a daemon as a domain user which is usually started
> before winbind is up. By creating a local user that also exists in AD
> with the same uid/gid that seems to be possible.
>
> - Kees.
>
I understand what you are trying to do, but do not understand why.

Why do you want to start a local service as an AD user (which you aren't
if winbind isn't running when it starts) ? What is wrong with starting
the service as a local user ? Or why does it have to be started as an AD
user ?

I am just trying to understand the reasoning here.

Rowland