Re: [Samba] Samba 4.4.8 AD member ads / nss fails to find group id

On Fri, 29 Mar 2019 14:37:07 -0400
"Thomas, David via samba" <samba@xxxxxxxxxxxxxxx> wrote:

> On 3/29/2019 12:51 PM, Rowland Penny via samba wrote:
> > You are trying to do your user mapping in the wrong direction.
> >
> > The nss backend was meant for the old way of doing things, when you
> > could have users in /etc/passwd and Samba. Nowadays you have all
> > your users in AD and make these into Unix users. The easiest way is
> > to use the 'rid' backend, but this will undoubtedly mean your Unix
> > IDs will change.
> So, is the nss backend no longer supported?
> I am dealing with an environment where most of the time users are
> using their existing Unix accounts across multiple Unix clients via
> NFS with several TB of data and associated backups all using their
> existing UIDs. I was hoping to do a quick switch-over to the new
> system with minimal disruption. Changing everyone's UID would involve
> a major disruption.
> Thanks,
> David.

It is still supported in the area it was designed for, workgroups and
computers NOT joined to a domain; it ensures that the SID for a Unix
user becomes the same as an AD user. There is no need for this in a
domain, all SIDs are the same.

The whole reason behind a domain is centralisation of authentication
i.e. your users are stored in the same place 'AD'. This means that your
users & groups will have the same SID-RID on all domain computers, but
depending on the winbind backend used, they may have different Unix ids.

I get the feeling that your users have different Unix ids on each Unix
computer; this just leads to trouble.


