Samba package 4.9.x samba smbd not playing with winbind.

Alexander Bokovoy ab at samba.org
Sun Dec 2 08:06:31 UTC 2018


On Fri, 30 Nov 2018, Andreas Hasenack via samba-technical wrote:
> On Tue, Sep 25, 2018 at 11:20 AM Alexander Bokovoy via samba-technical
> <samba-technical at lists.samba.org> wrote:
> >
> > On Tue, 25 Sep 2018, L.P.H. van Belle via samba-technical wrote:
> > > @Rowland
> > > Now reboot your server.
> > > And smbd isn't started anymore at boot.
> > > Don't get fooled that it started before..
> > >
> > >
> > > @Alexander
> > > Now small comment on :
> > > > With 4.9.0 we expanded guest handling to differentiate between anonymous and guest sessions.
> > > > This required a proper handling of BUILTIN\Guests and thus is now forced to be able
> > > > to have either writable backend or aliases configured properly.
> > > >
> > > Yes, that is known.
> > >
> > > And sorry, but in my opinion this is not handled properly.
> > >
> > > A "stand alone" setup does not require BUILTIN\Guests maybe COMPUTERNAME\Guests
> > > S-1-5-32-546 != SID: S-1-5-21domain-514
> > > Guests                        Domain Guests
> > All that is needed is BUILTIN\Guests, not Domain Guests.
> >
> > See e8dc55d2b969 and https://bugzilla.samba.org/show_bug.cgi?id=13328
> >
> > > > Question is mostly what defaults we should have for BUILTIN\Guests.
> > > > Perhaps, we should always do the groupmap rule I added...
> > > >
> > >
> > > Well, I just follow you Samba Devs.
> > This was a question 'into the air' to trigger Metze's answer. ;)
> >
> > > I'm just an IT guy and I can't program what you guys do..  Respect for that!
> > >
> > > For now, I keep it simple and in sight for me in my smb.conf and I set the 2 : idmap *  lines.
> > > I can add that simply in the smb.conf of my Debian install, but it's not nice. :-/
> > An issue I see is that, unlike 'net groupmap add ..' variant, we cannot
> > really default to a working default idmap configuration without knowing
> > in advance what ID range to use there.
> 
> Why does it matter to smbd if winbind is running or not in a
> standalone-server config?  In both scenarios it is started with the
> same standalone-server config. How does it solve the problem of not
> having a group mapping from BUILTIN\Guests to some local group when
> winbind isn't running?
The above is for a domain case, not standalone server. The default for
both 'server role' and 'security' settings is AUTO.

In AUTO if 'domain logons' option is set, we consider this to be a
domain case (PDC or BDC). If not, we are standalone server.

For standalone server config smbd uses passdb modules. If your passdb
module doesn't handle BUILTIN, how is it going to work? We default to
tdbsam and tdbsam by default is responsible for mapping BUILTIN, so it
should work.

So fully default configuration without 'domain logons = yes' should work
as it is.

-- 
/ Alexander Bokovoy
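
The AUTO rule described in the message above, as an added example that is not part of the original post or of Samba's code: a small Python check that reads the [global] section of an smb.conf and reports which case applies. The function names and sample configurations are constructed for illustration, and any 'server role' or 'security' value other than AUTO is reported without being interpreted.

```python
# Added example: classify an smb.conf using only the rule stated in the message
# (AUTO + 'domain logons' set => domain case, otherwise standalone with passdb).
TRUE_VALUES = {"yes", "true", "on", "1"}  # boolean spellings smb.conf accepts

# Constructed sample configurations, not taken from the thread.
SAMPLE_STANDALONE = "[global]\n   workgroup = EXAMPLE\n[share]\n   domain logons = yes\n"
SAMPLE_DOMAIN = "[global]\n   Domain Logons = Yes\n"
SAMPLE_LDAP = "[global]\n   passdb backend = ldapsam:ldap://localhost\n"
SAMPLE_EXPLICIT = "[global]\n   server role = standalone server\n"


def parse_global(text):
    """Return [global] parameters; names are lowercased with whitespace removed."""
    params, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":          # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section == "global" and "=" in line:
            name, value = line.split("=", 1)
            params["".join(name.split()).lower()] = value.strip()
    return params


def classify(text):
    """Return (case, note) for the configuration text."""
    p = parse_global(text)
    role = p.get("serverrole", "auto").lower()
    security = p.get("security", "auto").lower()
    if role != "auto" or security != "auto":
        return "explicit", "server role/security set explicitly; AUTO rule not applied"
    if p.get("domainlogons", "no").lower() in TRUE_VALUES:
        return "domain", "PDC or BDC case: BUILTIN\\Guests needs a working mapping"
    backend = p.get("passdbbackend", "tdbsam").split(":", 1)[0].strip().lower()
    if backend == "tdbsam":
        return "standalone", "tdbsam maps BUILTIN; default configuration should work"
    return "standalone", "passdb backend '%s' must handle BUILTIN itself" % backend


if __name__ == "__main__":
    for label, conf in [("standalone", SAMPLE_STANDALONE), ("domain", SAMPLE_DOMAIN),
                        ("ldap", SAMPLE_LDAP), ("explicit", SAMPLE_EXPLICIT)]:
        print(label, "->", classify(conf))
```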


