Re: [Samba] Samba 4.4.8 AD member ads / nss fails to find group id
- Date: Fri, 29 Mar 2019 18:54:26 +0000
- From: Rowland Penny via samba <samba@xxxxxxxxxxxxxxx>
- Subject: Re: [Samba] Samba 4.4.8 AD member ads / nss fails to find group id
On Fri, 29 Mar 2019 14:37:07 -0400
"Thomas, David via samba" <samba@xxxxxxxxxxxxxxx> wrote:
> On 3/29/2019 12:51 PM, Rowland Penny via samba wrote:
> > You are trying to do your user mapping in the wrong direction.
> > The nss backend was meant for the old way of doing things, when you
> > could have users in /etc/passwd and Samba. Nowadays you have all
> > your users in AD and make these into Unix users. The easiest way is
> > to use the 'rid' backend, but this will undoubtedly mean your Unix
> > IDs will change.
> So, is the nss backend no longer supported?
> I am dealing with an environment where most of the time users are
> using their existing Unix accounts across multiple Unix clients via
> NFS with several TB of data and associated backups all using their
> existing UIDs. I was hoping to do a quick switch-over to the new
> system with minimal disruption. Changing everyone's UID would involve
> a major disruption.
It is still supported in the area it was designed for: workgroups and
computers NOT joined to a domain. It ensures that the SID for a Unix
user becomes the same as an AD user. There is no need for this in a
domain; all SIDs are the same.
The whole reason behind a domain is centralisation of authentication
i.e. your users are stored in the same place 'AD'. This means that your
users & groups will have the same SID-RID on all domain computers, but
depending on the winbind backend used, they may have different Unix ids.
I get the feeling that your users have different Unix ids on each Unix
computer; this just leads to trouble.
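
The 'rid' backend mentioned above, as an added example that is not part of the original message: idmap_rid(8) computes a Unix ID as the RID plus the low end of the configured idmap range, so comparing that result with the UIDs already on the NFS data shows which accounts would change. The domain SID, the range and the accounts are constructed sample values.

```python
# Added example: idmap_rid arithmetic (Unix ID = RID + low end of range).
# Domain SID, idmap range and account list are constructed sample values.

DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"  # constructed
RANGE_LOW, RANGE_HIGH = 10000, 999999                      # assumed idmap range

# (name, SID in AD, UID currently used on the Unix/NFS clients) - constructed
ACCOUNTS = [
    ("alice", DOMAIN_SID + "-1104", 501),
    ("bob",   DOMAIN_SID + "-1105", 11105),
    ("carol", DOMAIN_SID + "-2000000", 502),   # RID too large for the range
    ("dave",  "S-1-5-21-9-9-9-1106", 503),     # SID from a different domain
]

def split_sid(sid):
    """Return (domain_sid, rid) for a SID string such as S-1-5-21-a-b-c-1104."""
    parts = sid.split("-")
    if len(parts) < 4 or parts[0] != "S" or not parts[-1].isdigit():
        raise ValueError("not a SID: %r" % sid)
    return "-".join(parts[:-1]), int(parts[-1])

def rid_backend_id(sid, domain_sid=DOMAIN_SID, low=RANGE_LOW, high=RANGE_HIGH):
    """Unix ID the rid backend would assign, or None if it cannot map the SID."""
    dom, rid = split_sid(sid)
    if dom != domain_sid:
        return None                 # covered by another domain's idmap config
    unix_id = low + rid
    return unix_id if unix_id <= high else None

def migration_report(accounts):
    """Classify each account as 'same', 'changes' or 'unmapped'."""
    report = {}
    for name, sid, current_uid in accounts:
        new_id = rid_backend_id(sid)
        if new_id is None:
            status = "unmapped"
        elif new_id == current_uid:
            status = "same"
        else:
            status = "changes"      # files owned by current_uid need a chown
        report[name] = (status, current_uid, new_id)
    return report

if __name__ == "__main__":
    for name, (status, old, new) in migration_report(ACCOUNTS).items():
        print("%-6s %-9s current=%s rid-backend=%s" % (name, status, old, new))
```

Accounts reported as 'changes' are the ones whose existing file ownership on NFS exports and backups would no longer match after a switch to the rid backend.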