[Samba] Samba winbind getgroups lookup

[Rowland penny]

On 03/10/2019 15:05, Satay Epic via samba wrote:
> We have winbind client running on CentOS 7.3.1611 host connected to MS
> active directory. It is working normal for local and AD users. However
> in the logs, I see that NSS is throwing call to winbind to retrieve
> the groups for "root" user. I wonder why it does and what can be done
> to make it stop doing that. I believe it should do the lookup only for
> the domain/AD users.
>
> [2019/10/02 17:00:01.952225, 3]
> ../source3/winbindd/winbindd_getgroups.c:60(winbindd_getgroups_send)
> getgroups root
>
>
> samba-winbind-4.4.4-14.el7_3.x86_64
>
>
> # cat /etc/nsswitch.conf | grep winbind
> passwd: files winbind
> shadow: files winbind
> group: files winbind
>
>
>
>
> cat /etc/samba/smb.conf
> [global]
>
> workgroup = DOMAIN
> realm = DOMAIN.COM
> preferred master = no
> server string = Samba Server Version %v
> security = ADS
> encrypt passwords = yes
> log level = 3
> log file = /var/log/samba/%m
> max log size = 50
> printcap name = cups
> printing = cups
> winbind enum users = Yes
> winbind enum groups = Yes
> winbind use default domain = Yes
> winbind nested groups = Yes
> winbind separator = +
> winbind max clients = 1000
> template shell = /bin/bash
>
> idmap domains = DOMAIN
> idmap config DOMAIN:range = 10000 - 49999
> idmap config DOMAIN:base_rid = 0
> idmap config DOMAIN:backend = rid
>
> ################################################
> # Required for Samba/Winbind 3.4+
> # Note that local tdb idmap backend
> # required now for Samba/Winbind 3.4+
> idmap backend = tdb
> idmap uid = 10000 - 49999
> idmap gid = 10000 - 49999
> #################################################
>
>
> Thanks in advance.
>
You could start by setting up smb.conf correctly ;-)

Replace:

idmap backend = tdb
idmap uid = 10000 - 49999
idmap gid = 10000 - 49999

With:

idmap backend = tdb
idmap config * : range = 3000 - 7999

Also, remove 'winbind' from the 'shadow' line in /etc/nsswitch.conf

Rowland