
Re: [Samba] wbinfo -i returns the same id for all users, authentication doesn't seem to go through winbind at all




On Mon, 20 Feb 2017 09:32:23 -0800
L A Walsh via samba <samba@xxxxxxxxxxxxxxx> wrote:

> Emmanuel Florac wrote:
> > id TESTAD\\testuser
> > returns "no such user" and 
> >
> > getent passwd TESTAD\\testuser
> >
> > returns a "2" code.
> >   
> ----
> On linux, to get 'domain\user' to resolve, I had to have
> those entries in my /etc/passwd (and /etc/group for groups).

If you upgrade to AD, you will not need the users and groups
in /etc/passwd & /etc/group; in fact, you would have to remove them.

> 
> I.e. *w/o krb*, (in samba 3.x), I had entries like:
> 
> linda:x:1001:201:xxx:/home/linda:/bin/bash
>     and
> Domain\linda:x:1001:201:xxx:/home/linda:/bin/bash
> 
> So if something ever looked up w/'Domain\linda' on my
> PDC, it would resolve to the same UID+GID as the
> entry w/o the domain (since, theoretically, on the PDC,
> users == 'Domain\\users').

I take it 'PDC' means an NT4-style PDC and using such low ID numbers is
going to come back and bite, if and when you upgrade to AD.

> 
> I also had idmap config for the '*' range set the same as for
> the 'Domain\' range (where the PDC is in 'Domain') as well as
> for the BUILTIN range (the UID's I allocate for the 3 'domains'
> are designed not to clash). 

That is just wrong, or will be if you upgrade to AD.

> 
> It's my intent that name 'x' & 'domain\x' would map to the same UID
> (and windows RID) -- which is what happens on samba3.x.  Haven't
> upgraded yet, since, with it working for me, I have other issues that
> are more pressing.

I would suggest that you do not use the RID for the user's uidNumber
if you upgrade to AD. It was only because it was easiest to use the
RID that it was used; with hindsight, it was a very bad idea.

Rowland
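
A check for the two conditions discussed in this thread (identical or overlapping idmap ranges, and domain-style or range-colliding entries in /etc/passwd), as an added example that is not part of the original messages. The smb.conf and passwd contents are constructed samples, and the function names are hypothetical.

```python
import re

# Constructed sample inputs (not taken from any poster's system).
SMB_CONF = """\
[global]
    workgroup = DOMAIN
    idmap config * : backend = tdb
    idmap config * : range = 1000-1999
    idmap config DOMAIN : backend = rid
    idmap config DOMAIN : range = 1000-1999
"""
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
linda:x:1001:201:xxx:/home/linda:/bin/bash
Domain\\linda:x:1001:201:xxx:/home/linda:/bin/bash
"""
RANGE_RE = re.compile(
    r"^\s*idmap config\s+(\S+)\s*:\s*range\s*=\s*(\d+)\s*-\s*(\d+)", re.I)

def idmap_ranges(conf):
    """Return {domain: (low, high)} from 'idmap config X : range = a-b' lines."""
    out = {}
    for line in conf.splitlines():
        m = RANGE_RE.match(line)
        if m:
            out[m.group(1).upper()] = (int(m.group(2)), int(m.group(3)))
    return out

def audit(conf, passwd):
    """Flag overlapping idmap ranges and local accounts that collide with them."""
    ranges = idmap_ranges(conf)
    findings = []
    doms = sorted(ranges)
    for i, a in enumerate(doms):
        for b in doms[i + 1:]:
            # Overlap lets two different identities receive the same Unix ID.
            if ranges[a][0] <= ranges[b][1] and ranges[b][0] <= ranges[a][1]:
                findings.append(("overlap", a, b))
    for line in passwd.splitlines():
        fields = line.split(":")
        if len(fields) < 4 or not fields[2].isdigit():
            continue
        name, uid = fields[0], int(fields[2])
        if "\\" in name:  # 'Domain\user' kept as a local account
            findings.append(("domain-name-in-passwd", name, uid))
        for dom, (lo, hi) in ranges.items():
            if lo <= uid <= hi:  # local UID sits inside a winbind range
                findings.append(("local-uid-in-idmap-range", name, dom))
    return findings
```

On a real host, pass the contents of smb.conf and /etc/passwd to audit(); an empty result means none of these three conditions was found.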

