Samba package 4.9.x samba smbd not playing with winbind.

Rowland Penny rpenny at samba.org
Sun Dec 2 09:27:18 UTC 2018


On Sun, 2 Dec 2018 10:06:31 +0200
Alexander Bokovoy via samba-technical <samba-technical at lists.samba.org>
wrote:

> On Fri, 30 Nov 2018, Andreas Hasenack via samba-technical wrote:
> > On Tue, Sep 25, 2018 at 11:20 AM Alexander Bokovoy via
> > samba-technical <samba-technical at lists.samba.org> wrote:
> > >
> > > On Tue, 25 Sep 2018, L.P.H. van Belle via samba-technical wrote:
> > > > @Rowland
> > > > Now reboot your server.
> > > > And smbd isn't started anymore at boot.
> > > > Don't get fooled that it started before..
> > > >
> > > >
> > > > @Alexander
> > > > Now a small comment on:
> > > > > With 4.9.0 we expanded guest handling to differentiate
> > > > > between anonymous and guest sessions. This required a proper
> > > > > handling of BUILTIN\Guests and thus is now forced to be able
> > > > > to have either writable backend or aliases configured
> > > > > properly.
> > > > >
> > > > Yes, that is known.
> > > >
> > > > And sorry, but in my opinion this is not handled properly.
> > > >
> > > > A "stand alone" setup does not require BUILTIN\Guests maybe
> > > > COMPUTERNAME\Guests S-1-5-32-546 != SID: S-1-5-21domain-514
> > > > Guests                        Domain Guests
> > > All that is needed is BUILTIN\Guests, not Domain Guests.
> > >
> > > See e8dc55d2b969 and
> > > https://bugzilla.samba.org/show_bug.cgi?id=13328
> > >
> > > > > Question is mostly what defaults we should have for
> > > > > BUILTIN\Guests. Perhaps, we should always do the groupmap
> > > > > rule I added...
> > > > >
> > > >
> > > > Well, I just follow you Samba devs.
> > > This was a question 'into an air' to trigger Metze's answer. ;)
> > >
> > > > I'm just an IT guy and I can't program what you guys do..
> > > > Respect for that!
> > > >
> > > > For now, I keep it simple and in sight for me in my smb.conf and
> > > > I set the 2 : idmap *  lines. I can add that simply in the
> > > > smb.conf of my Debian install, but it's not nice. :-/
> > > An issue I see is that, unlike 'net groupmap add ..' variant, we
> > > cannot really default to a working default idmap configuration
> > > without knowing in advance what ID range to use there.
> > 
> > Why does it matter to smbd if winbind is running or not in a
> > standalone-server config?  In both scenarios it is started with the
> > same standalone-server config. How does it solve the problem of not
> > having a group mapping from BUILTIN\Guests to some local group when
> > winbind isn't running?
> The above is for a domain case, not standalone server. The default for
> both 'server role' and 'security' settings is AUTO.

Ah, but the default on Debian for server role is 'standalone server'

> 
> In AUTO if 'domain logons' option is set, we consider this to be a
> domain case (PDC or BDC). If not, we are standalone server.
> 
> For standalone server config smbd uses passdb modules. If your passdb
> module doesn't handle BUILTIN, how is it going to work? We default to
> tdbsam and tdbsam by default is responsible for mapping BUILTIN, so it
> should work.

It doesn't

This is the [global] section from the default Debian smb.conf (without
all the comments):

[global]
   workgroup = WORKGROUP
   log file = /var/log/samba/log.%m
   max log size = 1000
   logging = file
   panic action = /usr/share/samba/panic-action %d
   server role = standalone server
   obey pam restrictions = yes
   unix password sync = yes
   passwd program = /usr/bin/passwd %u
   passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
   pam password change = yes
   map to guest = bad user
   usershare allow guests = yes

If you install Samba without winbind, the install tries to start smbd
and it fails. This problem may have been there for some time, but was
masked because Debian used to install (and start) winbind with Samba.
This is no longer the case; you now have to install winbind separately.

> 
> So fully default configuration without 'domain logons = yes' should
> work as it is.

Again, it doesn't ;-)

Rowland
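
Added example (not part of the original message and not Samba code): a small Python helper that applies the AUTO rule for 'server role' as it is stated in the thread to the [global] section of an smb.conf, and tells the two Guests SIDs mentioned above apart. The function names, the sample configs and the domain SID are constructed for illustration; the real resolution happens inside Samba itself.

```python
import re

TRUE_VALUES = {"yes", "true", "1"}  # boolean spellings smb.conf accepts

def parse_global(conf_text):
    """Return [global] parameters; names are case- and whitespace-insensitive."""
    params, section = {}, None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "global" and "=" in line:
            key, value = line.split("=", 1)
            params["".join(key.split()).lower()] = value.strip()
    return params

def effective_server_role(params):
    """Resolve 'server role', applying the AUTO rule as stated in the thread."""
    role = " ".join(params.get("serverrole", "auto").lower().split())
    if role != "auto":
        return role
    if params.get("domainlogons", "no").lower() in TRUE_VALUES:
        return "domain controller (PDC or BDC)"
    return "standalone server"

def classify_guests_sid(sid):
    """Tell BUILTIN\\Guests (S-1-5-32-546) from Domain Guests (S-1-5-21-<domain>-514)."""
    m = re.fullmatch(r"S-1-5-(\d+(?:-\d+)*)", sid.strip(), re.IGNORECASE)
    if not m:
        return "not an NT-authority SID"
    subs = [int(x) for x in m.group(1).split("-")]
    if subs == [32, 546]:
        return "BUILTIN\\Guests"
    if len(subs) == 5 and subs[0] == 21 and subs[-1] == 514:
        return "Domain Guests"
    return "other"

# Constructed samples: the Debian default quoted above (trimmed) and an AUTO case.
DEBIAN_DEFAULT = "[global]\n   workgroup = WORKGROUP\n   server role = standalone server\n   map to guest = bad user\n"
AUTO_WITH_LOGONS = "[global]\n   Domain Logons = Yes\n[share]\n   server role = auto\n"

if __name__ == "__main__":
    for name, text in (("debian", DEBIAN_DEFAULT), ("auto+logons", AUTO_WITH_LOGONS)):
        print(name, "->", effective_server_role(parse_global(text)))
    for sid in ("S-1-5-32-546", "S-1-5-21-1111-2222-3333-514"):  # constructed domain SID
        print(sid, "->", classify_guests_sid(sid))
```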