Rowland Penny
2023-May-14 20:15 UTC
[Samba] samba users at boot, the same local and samba user bug has gone
On 14/05/2023 21:05, Kees van Vloten via samba wrote:> > On 14-05-2023 21:58, Rowland Penny via samba wrote: >> >> >> On 14/05/2023 20:47, Kees van Vloten via samba wrote: >>> >>> On 14-05-2023 21:39, Rowland Penny via samba wrote: >>>> >>>> >>>> On 14/05/2023 20:32, Kees van Vloten via samba wrote: >>>> >>>>> The uid + gid are the unique identifier of a user in Linux, the >>>>> name is only relevant for the translation of number (uid) to name. >>>>> >>>>> I.e. a local-user == domain-user when uid + gid are identical. >>>>> >>>>> My nsswitch.conf prefers local-users over domain-users: >>>>> >>>>> passwd:???????? files systemd winbind >>>>> group:????????? files systemd winbind >>>>> shadow:???????? files >>>>> gshadow:??????? files >>>>> >>>>> But when I do "id <user>" on a user that exists locally and in the >>>>> domain I get the list of groups of both local + domain concatenated >>>>> as one long list. >>>>> >>>>> Would it be viewed as two separate users that would not happen. >>>>> >>>>> - Kees. >>>> >>>>> >>>> >>>> OK, I should have posted that as well: >>>> >>>> adminuser at lmde5:~$ id unixuser >>>> uid=1001(unixuser) gid=1001(unixuser) >>>> groups=1001(unixuser),13105(unixuser),10513(domain >>>> users),3001(BUILTIN\users) >>>> >>>> adminuser at lmde5:~$ id SAMDOM\\unixuser >>>> uid=13105(unixuser) gid=10513(domain users) groups=10513(domain >>>> users),13105(unixuser),3001(BUILTIN\users) >>>> >>>> Still think they are the same user ? >>>> >>>> Rowland >>>> >>> I do ! >>> >>> But only when uid + gid are identical (which is not the case for your >>> user): >>> >>> id samdom\\user1 >>> uid=1114(user1) gid=1114(user1) >>> groups=1114(user1),100(users),978(ssh-users),10000(domain >>> users),10123(acl-app_group-access),1000001(BUILTIN\users) >>> >>> id user1 >>> uid=1114(user1) gid=1114(user1) >>> groups=1114(user1),100(users),978(ssh-users),10000(domain >>> users),10123(acl-app_group-access),1000001(BUILTIN\users) >>> >>> I get exactly the same list of groups for both. >>> >>> - Kees. >>> >>> >>> >> >> I think that you are using the 'ad' idmap backend, but I am not sure >> what on, a DC ? >> >> What I am trying to get across is, there is no reason to have two >> users with the same name, one in /etc/passwd and one in AD. the one in >> /etc/passwd is unknown to AD, but the one in AD can very easily become >> a Unix user. >> >> Rowland >> > In his initial message Michael described a solution I have been looking > for, namely how to run a daemon as domain-user which is usually started > before winbind is up. By creating a local-user that also exists in AD > with the same uid/gid that seems to be possible. > > - Kees. > >I understand what you are trying to do, but do not understand why. Why do you want to start a local service as an AD user (which you aren't if winbind isn't running when it starts) ? What is wrong with starting the service as a local user ? Or why does it have to be started as an AD user ? I am just trying to understand the reasoning here. Rowland
Rowland Penny
2023-May-15 07:22 UTC
[Samba] samba users at boot, the same local and samba user bug has gone
On 14/05/2023 21:15, Rowland Penny via samba wrote:> > > On 14/05/2023 21:05, Kees van Vloten via samba wrote: >> >> On 14-05-2023 21:58, Rowland Penny via samba wrote: >>> >>> >>> On 14/05/2023 20:47, Kees van Vloten via samba wrote: >>>> >>>> On 14-05-2023 21:39, Rowland Penny via samba wrote: >>>>> >>>>> >>>>> On 14/05/2023 20:32, Kees van Vloten via samba wrote: >>>>> >>>>>> The uid + gid are the unique identifier of a user in Linux, the >>>>>> name is only relevant for the translation of number (uid) to name. >>>>>> >>>>>> I.e. a local-user == domain-user when uid + gid are identical. >>>>>> >>>>>> My nsswitch.conf prefers local-users over domain-users: >>>>>> >>>>>> passwd:???????? files systemd winbind >>>>>> group:????????? files systemd winbind >>>>>> shadow:???????? files >>>>>> gshadow:??????? files >>>>>> >>>>>> But when I do "id <user>" on a user that exists locally and in the >>>>>> domain I get the list of groups of both local + domain >>>>>> concatenated as one long list. >>>>>> >>>>>> Would it be viewed as two separate users that would not happen. >>>>>> >>>>>> - Kees. >>>>> >>>>>> >>>>> >>>>> OK, I should have posted that as well: >>>>> >>>>> adminuser at lmde5:~$ id unixuser >>>>> uid=1001(unixuser) gid=1001(unixuser) >>>>> groups=1001(unixuser),13105(unixuser),10513(domain >>>>> users),3001(BUILTIN\users) >>>>> >>>>> adminuser at lmde5:~$ id SAMDOM\\unixuser >>>>> uid=13105(unixuser) gid=10513(domain users) groups=10513(domain >>>>> users),13105(unixuser),3001(BUILTIN\users) >>>>> >>>>> Still think they are the same user ? >>>>> >>>>> Rowland >>>>> >>>> I do ! >>>> >>>> But only when uid + gid are identical (which is not the case for >>>> your user): >>>> >>>> id samdom\\user1 >>>> uid=1114(user1) gid=1114(user1) >>>> groups=1114(user1),100(users),978(ssh-users),10000(domain >>>> users),10123(acl-app_group-access),1000001(BUILTIN\users) >>>> >>>> id user1 >>>> uid=1114(user1) gid=1114(user1) >>>> groups=1114(user1),100(users),978(ssh-users),10000(domain >>>> users),10123(acl-app_group-access),1000001(BUILTIN\users) >>>> >>>> I get exactly the same list of groups for both. >>>> >>>> - Kees. >>>> >>>> >>>> >>> >>> I think that you are using the 'ad' idmap backend, but I am not sure >>> what on, a DC ? >>> >>> What I am trying to get across is, there is no reason to have two >>> users with the same name, one in /etc/passwd and one in AD. the one >>> in /etc/passwd is unknown to AD, but the one in AD can very easily >>> become a Unix user. >>> >>> Rowland >>> >> In his initial message Michael described a solution I have been >> looking for, namely how to run a daemon as domain-user which is >> usually started before winbind is up. By creating a local-user that >> also exists in AD with the same uid/gid that seems to be possible. >> >> - Kees. >> >> > > I understand what you are trying to do, but do not understand why. Why > do you want to start a local service as an AD user (which you aren't if > winbind isn't running when it starts) ? What is wrong with starting the > service as a local user ? Or why does it have to be started as an AD user ? > > I am just trying to understand the reasoning here. > > Rowland > >Trying to think my way around this, it sounds like it is required for a domain user to run a local service, but this is hard because the service starts before winbind. The 'fix' is to have a user in /etc/passwd and another user (with the same name) in AD with the same Unix ID as the local user. Several problems with that, if the service is started before winbind, then it must be starting as the local user, because at that point the AD user will be unknown. Also, as far as the OS is concerned, the local user will be used over the AD user because it will be found first. It could be that what is really required is for an AD user to operate on Linux as if they were a local user ? If so, doesn't this sound familiar ? Administrator --> root Two different names, ID etc, but if set up correctly, Administrator becomes root on a Unix domain member. Now I do not know which user is required to be duplicated, but lets say it is www-data, then all that would be required is a user in AD called something like WebAdmin and this line added to the user.map: !www-data = SAMDOM\WebAdmin I haven't tested this, but it works for Administrator and there is nothing in 'man smb.conf' that says it will not work. Rowland
Maybe Matching Threads
- samba users at boot, the same local and samba user bug has gone
- samba users at boot, the same local and samba user bug has gone
- samba users at boot, the same local and samba user bug has gone
- samba users at boot, the same local and samba user bug has gone
- samba users at boot, the same local and samba user bug has gone