Reintroduce netgroups support?

Samuel Cabrero scabrero at samba.org
Fri Jun 3 11:39:54 UTC 2022


On Fri, 2022-06-03 at 12:01 +0100, Rowland Penny via samba-technical
wrote:
> On Fri, 2022-06-03 at 12:40 +0200, Samuel Cabrero wrote:
> > On Fri, 2022-06-03 at 11:10 +0100, Rowland Penny via samba-technical wrote:
> > > On Fri, 2022-06-03 at 12:00 +0200, Samuel Cabrero via samba-technical wrote:
> > > > Hi,
> > > > 
> > > > I have received some complaints after we dropped netgroups support in
> > > > Samba 4.15.0. Our release notes only mention we dropped NIS but
> > > > netgroups went with it.
> > > 
> > > Well, netgroups are part of NIS
> > 
> > Nowadays you can store netgroups in LDAP.
> > 
> > https://ldapwiki.com/wiki/Netgroup
> > 
> > https://www.linux.com/news/sysadmin-sysadmin-netgroups-are-not-just-nis-anymore/
> 
> But using Samba with ldap basically requires SMBv1 and Samba is trying
> to remove this.
> 
> > 
> > > > Some people still use netgroups without NIS, stored in LDAP and made
> > > > available to the system through nss_sss, but it is also possible to
> > > > use /etc/netgroups.
> > > 
> > > Why and how are they using a part of NIS without NIS ?
> > 
> > The netgroups are stored in LDAP and used in the 'valid users' share
> > option.
> 
> But, you really shouldn't use 'valid users' with AD, you should use
> ACLs
> 
> > 
> > > > I had a look to the removed code and I think it is possible to
> > > > reintroduce netgroups support independently from NIS, using the
> > > > getdomainname() function from glibc instead of yp_get_default_domain()
> > > > from libnsl.
> > > > 
> > > > Should we bring back netgroups support?
> > > 
> > > I do not see the point, AD groups can do the same thing.
> > 
> > AD is not involved here, this is a pure file server use case.
> 
> Then it definitely shouldn't be brought back, once SMBv1 is removed,
> then standard ldap will very probably not be involved, just AD and
> netgroups will not be required.
> 
> Why not get sssd to work with Windows AD groups ?
> 
> Rowland
> 

Rowland, let's remove LDAP, AD and SSSD from the equation completely.
Consider this pure file server deployment:

1. Set NIS domain name

$> nisdomainname
foonisdom
 

2. Add couple of users

/etc/passwd:
user1:x:1001:1001::/home/user1:/bin/bash
user2:x:1002:1002::/home/user2:/bin/bash

$> pdbedit -L
user1:1001:
user2:1002:


3. Setup /etc/nsswitch.conf

passwd:         compat
group:          compat
netgroup:       files nis


4. Add a netgroup

$> cat /etc/netgroup
netgrp1 (,user1,foonisdom) (,user2,barnisdom)


5. Minimal smb.conf

[global]
        workgroup = WORKGROUP
        security = user

[share]
        path = /srv/share
        valid users = @netgrp1


6. Test, samba < 4.15.0

$> smbclient //localhost/share -Uuser1%<pwd> -c 'quit'
$> echo $?
0

$> smbclient //localhost/share -Uuser2%<pwd> -c 'quit'
tree connect failed: NT_STATUS_ACCESS_DENIED


7. Test, samba >= 4.15.0

$ smbclient //localhost/share -Uuser1%<pwd> -c 'quit'
tree connect failed: NT_STATUS_ACCESS_DENIED

$ smbclient //localhost/share -Uuser2%<pwd> -c 'quit'
tree connect failed: NT_STATUS_ACCESS_DENIED


-- 
Samuel
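As an added illustration (not code from this thread and not Samba's own implementation), the C program below evaluates the /etc/netgroup triple syntax "(host,user,domain)" the way an innetgr()-style check does, and reproduces the step 6 result: user1 is admitted and user2 is refused because the third field of user2's triple ("barnisdom") does not match the server's NIS domain ("foonisdom", the value nisdomainname prints). The NIS domain is passed in as a string standing in for getdomainname(), the netgroup line is embedded rather than read from the file, and nested group names are not handled; those are assumptions of the example, not properties of Samba.

```c
/* Added example: minimal evaluator for /etc/netgroup triples.
 * Not Samba code. The NIS domain is supplied by the caller instead of
 * calling getdomainname(); nothing is read from the filesystem or NSS. */
#include <stdio.h>
#include <string.h>

#define MAX_TRIPLES 32
#define FIELD_LEN 64

struct triple { char host[FIELD_LEN]; char user[FIELD_LEN]; char domain[FIELD_LEN]; };

struct netgroup {
    char name[FIELD_LEN];
    struct triple t[MAX_TRIPLES];
    int n;
};

/* Copy a field into a fixed buffer; an empty field is a wildcard in netgroup syntax. */
static void copy_field(char *dst, size_t dstlen, const char *src, size_t len) {
    if (len >= dstlen) len = dstlen - 1;
    memcpy(dst, src, len);
    dst[len] = '\0';
}

/* Parse one line of the form "name (h,u,d) (h,u,d) ...". Returns 0 on success.
 * Assumption: only triples follow the name (no nested netgroup references). */
int parse_netgroup_line(const char *line, struct netgroup *ng) {
    const char *p = line;
    ng->n = 0;
    while (*p == ' ' || *p == '\t') p++;
    const char *end = p;
    while (*end && *end != ' ' && *end != '\t' && *end != '\n') end++;
    if (end == p) return -1;                       /* no group name */
    copy_field(ng->name, sizeof ng->name, p, (size_t)(end - p));
    p = end;
    while (*p) {
        while (*p == ' ' || *p == '\t') p++;
        if (*p == '\0' || *p == '\n') break;
        if (*p != '(') return -1;                  /* unsupported token */
        p++;
        const char *fields[3];
        size_t lens[3];
        for (int i = 0; i < 3; i++) {
            const char *q = p;
            while (*q && *q != ',' && *q != ')') q++;
            fields[i] = p;
            lens[i] = (size_t)(q - p);
            if (i < 2 ? *q != ',' : *q != ')') return -1;  /* malformed triple */
            p = q + 1;
        }
        if (ng->n >= MAX_TRIPLES) return -1;
        struct triple *t = &ng->t[ng->n++];
        copy_field(t->host, sizeof t->host, fields[0], lens[0]);
        copy_field(t->user, sizeof t->user, fields[1], lens[1]);
        copy_field(t->domain, sizeof t->domain, fields[2], lens[2]);
    }
    return 0;
}

/* An empty field matches anything; otherwise it must be equal. */
static int field_matches(const char *field, const char *value) {
    return field[0] == '\0' || strcmp(field, value) == 0;
}

/* innetgr()-style membership test of (host,user,nis_domain) against ng. */
int in_netgroup(const struct netgroup *ng, const char *host,
                const char *user, const char *nis_domain) {
    for (int i = 0; i < ng->n; i++) {
        const struct triple *t = &ng->t[i];
        if (field_matches(t->host, host) &&
            field_matches(t->user, user) &&
            field_matches(t->domain, nis_domain))
            return 1;
    }
    return 0;
}

/* Mirrors the thread's setup: the /etc/netgroup line from step 4 and the NIS
 * domain from step 1. Returns 1 if 'user' would satisfy 'valid users = @netgrp1'. */
int demo_user_allowed(const char *user) {
    struct netgroup ng;
    if (parse_netgroup_line("netgrp1 (,user1,foonisdom) (,user2,barnisdom)", &ng) != 0)
        return -1;
    /* "foonisdom" stands in for what getdomainname() would return on the server */
    return in_netgroup(&ng, "localhost", user, "foonisdom");
}

int main(void) {
    printf("user1 allowed: %d\n", demo_user_allowed("user1"));
    printf("user2 allowed: %d\n", demo_user_allowed("user2"));
    return 0;
}
```

The point worth keeping in view when deciding on a share's access control: membership is a three-way match, so a triple whose domain field is set only admits the user while the server's NIS domain name agrees with it, and a triple with empty host and domain fields admits the user from anywhere.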


