Rowland Penny
2023-May-14 20:15 UTC
[Samba] samba users at boot, the same local and samba user bug has gone
On 14/05/2023 21:05, Kees van Vloten via samba wrote:
>
> On 14-05-2023 21:58, Rowland Penny via samba wrote:
>>
>>
>> On 14/05/2023 20:47, Kees van Vloten via samba wrote:
>>>
>>> On 14-05-2023 21:39, Rowland Penny via samba wrote:
>>>>
>>>>
>>>> On 14/05/2023 20:32, Kees van Vloten via samba wrote:
>>>>
>>>>> The uid + gid are the unique identifier of a user in Linux, the
>>>>> name is only relevant for the translation of number (uid) to name.
>>>>>
>>>>> I.e. a local-user == domain-user when uid + gid are identical.
>>>>>
>>>>> My nsswitch.conf prefers local-users over domain-users:
>>>>>
>>>>> passwd:         files systemd winbind
>>>>> group:          files systemd winbind
>>>>> shadow:         files
>>>>> gshadow:        files
>>>>>
>>>>> But when I do "id <user>" on a user that exists locally and in the
>>>>> domain I get the list of groups of both local + domain concatenated
>>>>> as one long list.
>>>>>
>>>>> Were it viewed as two separate users, that would not happen.
>>>>>
>>>>> - Kees.
>>>>
>>>> OK, I should have posted that as well:
>>>>
>>>> adminuser at lmde5:~$ id unixuser
>>>> uid=1001(unixuser) gid=1001(unixuser)
>>>> groups=1001(unixuser),13105(unixuser),10513(domain
>>>> users),3001(BUILTIN\users)
>>>>
>>>> adminuser at lmde5:~$ id SAMDOM\\unixuser
>>>> uid=13105(unixuser) gid=10513(domain users) groups=10513(domain
>>>> users),13105(unixuser),3001(BUILTIN\users)
>>>>
>>>> Still think they are the same user ?
>>>>
>>>> Rowland
>>>>
>>> I do !
>>>
>>> But only when uid + gid are identical (which is not the case for your
>>> user):
>>>
>>> id samdom\\user1
>>> uid=1114(user1) gid=1114(user1)
>>> groups=1114(user1),100(users),978(ssh-users),10000(domain
>>> users),10123(acl-app_group-access),1000001(BUILTIN\users)
>>>
>>> id user1
>>> uid=1114(user1) gid=1114(user1)
>>> groups=1114(user1),100(users),978(ssh-users),10000(domain
>>> users),10123(acl-app_group-access),1000001(BUILTIN\users)
>>>
>>> I get exactly the same list of groups for both.
>>>
>>> - Kees.
>>>
>>
>> I think that you are using the 'ad' idmap backend, but I am not sure
>> what on, a DC ?
>>
>> What I am trying to get across is, there is no reason to have two
>> users with the same name, one in /etc/passwd and one in AD. The one in
>> /etc/passwd is unknown to AD, but the one in AD can very easily become
>> a Unix user.
>>
>> Rowland
>>
> In his initial message Michael described a solution I have been looking
> for, namely how to run a daemon as domain-user which is usually started
> before winbind is up. By creating a local-user that also exists in AD
> with the same uid/gid that seems to be possible.
>
> - Kees.
>

I understand what you are trying to do, but do not understand why. Why do
you want to start a local service as an AD user (which you aren't if
winbind isn't running when it starts) ? What is wrong with starting the
service as a local user ? Or why does it have to be started as an AD user ?

I am just trying to understand the reasoning here.

Rowland
Rowland Penny
2023-May-15 07:22 UTC
[Samba] samba users at boot, the same local and samba user bug has gone
On 14/05/2023 21:15, Rowland Penny via samba wrote:
>
>
> On 14/05/2023 21:05, Kees van Vloten via samba wrote:
>>
>> On 14-05-2023 21:58, Rowland Penny via samba wrote:
>>>
>>>
>>> On 14/05/2023 20:47, Kees van Vloten via samba wrote:
>>>>
>>>> On 14-05-2023 21:39, Rowland Penny via samba wrote:
>>>>>
>>>>>
>>>>> On 14/05/2023 20:32, Kees van Vloten via samba wrote:
>>>>>
>>>>>> The uid + gid are the unique identifier of a user in Linux, the
>>>>>> name is only relevant for the translation of number (uid) to name.
>>>>>>
>>>>>> I.e. a local-user == domain-user when uid + gid are identical.
>>>>>>
>>>>>> My nsswitch.conf prefers local-users over domain-users:
>>>>>>
>>>>>> passwd:         files systemd winbind
>>>>>> group:          files systemd winbind
>>>>>> shadow:         files
>>>>>> gshadow:        files
>>>>>>
>>>>>> But when I do "id <user>" on a user that exists locally and in the
>>>>>> domain I get the list of groups of both local + domain
>>>>>> concatenated as one long list.
>>>>>>
>>>>>> Were it viewed as two separate users, that would not happen.
>>>>>>
>>>>>> - Kees.
>>>>>
>>>>> OK, I should have posted that as well:
>>>>>
>>>>> adminuser at lmde5:~$ id unixuser
>>>>> uid=1001(unixuser) gid=1001(unixuser)
>>>>> groups=1001(unixuser),13105(unixuser),10513(domain
>>>>> users),3001(BUILTIN\users)
>>>>>
>>>>> adminuser at lmde5:~$ id SAMDOM\\unixuser
>>>>> uid=13105(unixuser) gid=10513(domain users) groups=10513(domain
>>>>> users),13105(unixuser),3001(BUILTIN\users)
>>>>>
>>>>> Still think they are the same user ?
>>>>>
>>>>> Rowland
>>>>>
>>>> I do !
>>>>
>>>> But only when uid + gid are identical (which is not the case for
>>>> your user):
>>>>
>>>> id samdom\\user1
>>>> uid=1114(user1) gid=1114(user1)
>>>> groups=1114(user1),100(users),978(ssh-users),10000(domain
>>>> users),10123(acl-app_group-access),1000001(BUILTIN\users)
>>>>
>>>> id user1
>>>> uid=1114(user1) gid=1114(user1)
>>>> groups=1114(user1),100(users),978(ssh-users),10000(domain
>>>> users),10123(acl-app_group-access),1000001(BUILTIN\users)
>>>>
>>>> I get exactly the same list of groups for both.
>>>>
>>>> - Kees.
>>>>
>>>
>>> I think that you are using the 'ad' idmap backend, but I am not sure
>>> what on, a DC ?
>>>
>>> What I am trying to get across is, there is no reason to have two
>>> users with the same name, one in /etc/passwd and one in AD. The one
>>> in /etc/passwd is unknown to AD, but the one in AD can very easily
>>> become a Unix user.
>>>
>>> Rowland
>>>
>> In his initial message Michael described a solution I have been
>> looking for, namely how to run a daemon as domain-user which is
>> usually started before winbind is up. By creating a local-user that
>> also exists in AD with the same uid/gid that seems to be possible.
>>
>> - Kees.
>>
>
> I understand what you are trying to do, but do not understand why. Why
> do you want to start a local service as an AD user (which you aren't if
> winbind isn't running when it starts) ? What is wrong with starting the
> service as a local user ? Or why does it have to be started as an AD user ?
>
> I am just trying to understand the reasoning here.
>
> Rowland
>

Trying to think my way around this, it sounds like it is required for a
domain user to run a local service, but this is hard because the service
starts before winbind. The 'fix' is to have a user in /etc/passwd and
another user (with the same name) in AD with the same Unix ID as the
local user.

Several problems with that: if the service is started before winbind,
then it must be starting as the local user, because at that point the AD
user will be unknown. Also, as far as the OS is concerned, the local user
will be used over the AD user because it will be found first.

It could be that what is really required is for an AD user to operate on
Linux as if they were a local user ? If so, doesn't this sound familiar ?

Administrator --> root

Two different names, ID etc, but if set up correctly, Administrator
becomes root on a Unix domain member.

Now I do not know which user is required to be duplicated, but let's say
it is www-data, then all that would be required is a user in AD called
something like WebAdmin and this line added to the user.map:

!www-data = SAMDOM\WebAdmin

I haven't tested this, but it works for Administrator and there is
nothing in 'man smb.conf' that says it will not work.

Rowland
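The thread turns on whether the bare name and the DOMAIN\name form resolve to one account or to two accounts that merely share a name (nsswitch order then decides which one a service actually runs as). The script below is an added example, not code from the thread or from Samba: it parses id(1) output, compares uid and gid for both lookups, and with two arguments (domain, user) runs the check live on a domain member; the sample strings are constructed from the outputs posted above.

```shell
#!/bin/sh
# Added example (not from the thread): is NAME one account or two?
# Constructed samples, copied from the id(1) outputs posted in the thread.
ROWLAND_LOCAL='uid=1001(unixuser) gid=1001(unixuser) groups=1001(unixuser),13105(unixuser),10513(domain users),3001(BUILTIN\users)'
ROWLAND_DOMAIN='uid=13105(unixuser) gid=10513(domain users) groups=10513(domain users),13105(unixuser),3001(BUILTIN\users)'
KEES_LOCAL='uid=1114(user1) gid=1114(user1) groups=1114(user1),100(users),978(ssh-users),10000(domain users),10123(acl-app_group-access),1000001(BUILTIN\users)'
KEES_DOMAIN='uid=1114(user1) gid=1114(user1) groups=1114(user1),100(users),978(ssh-users),10000(domain users),10123(acl-app_group-access),1000001(BUILTIN\users)'

# Numeric uid / gid from one id(1) output line.
id_uid() { printf '%s\n' "$1" | sed -n 's/^uid=\([0-9][0-9]*\)(.*/\1/p'; }
id_gid() { printf '%s\n' "$1" | sed -n 's/^.* gid=\([0-9][0-9]*\)(.*/\1/p'; }

# Numeric group ids from the groups= list, one per line, sorted: shows that
# the local lookup already carries the winbind groups (10513, 3001 above).
id_gids() {
    printf '%s\n' "$1" | sed -n 's/^.*groups=//p' | tr ',' '\n' |
        sed 's/(.*//' | sort -n
}

# 0 when both outputs describe the same uid and gid, 1 when two different
# accounts share a name (then the first nsswitch source, "files", wins).
same_identity() {
    [ "$(id_uid "$1")" = "$(id_uid "$2")" ] &&
    [ "$(id_gid "$1")" = "$(id_gid "$2")" ]
}

# Live check on a domain member: compare "id NAME" with "id DOMAIN\NAME".
check_name() {
    local_out=$(id "$2" 2>/dev/null) || { echo "$2: not found locally"; return 2; }
    dom_out=$(id "$1\\$2" 2>/dev/null) || { echo "$1\\$2: winbind lookup failed"; return 2; }
    if same_identity "$local_out" "$dom_out"; then
        echo "$2: one account (uid $(id_uid "$local_out"))"
    else
        echo "$2: two accounts share the name: local uid $(id_uid "$local_out"), AD uid $(id_uid "$dom_out")"
        return 1
    fi
}

# ./check.sh SAMDOM unixuser runs live; with no arguments, report on the samples.
if [ $# -eq 2 ]; then
    check_name "$1" "$2"
else
    same_identity "$ROWLAND_LOCAL" "$ROWLAND_DOMAIN" && echo "unixuser: same account" || echo "unixuser: two accounts"
    same_identity "$KEES_LOCAL" "$KEES_DOMAIN" && echo "user1: same account" || echo "user1: two accounts"
fi
```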