Reintroduce netgroups support?

L. van Belle belle at samba.org
Fri Jun 3 12:53:02 UTC 2022



> -----Original message-----
> From: samba-technical <samba-technical-bounces at lists.samba.org> on behalf of
> Rowland Penny via samba-technical
> Sent: Friday 3 June 2022 14:12
> To: samba-technical <samba-technical at lists.samba.org>
> CC: Rowland Penny <rpenny at samba.org>
> Subject: Re: Reintroduce netgroups support?
> 
> On Fri, 2022-06-03 at 13:39 +0200, Samuel Cabrero wrote:
> > On Fri, 2022-06-03 at 12:01 +0100, Rowland Penny via samba-technical
> > wrote:
> > > On Fri, 2022-06-03 at 12:40 +0200, Samuel Cabrero wrote:
> > > > On Fri, 2022-06-03 at 11:10 +0100, Rowland Penny via samba-
> > > > technical
> > > > wrote:
> > > > > On Fri, 2022-06-03 at 12:00 +0200, Samuel Cabrero via samba-
> > > > > technical
> > > > > wrote:
> > > > > > Hi,
> > > > > >
> > > > > > I have received some complaints after we dropped netgroups
> > > > > > support in Samba 4.15.0. Our release notes only mention we
> > > > > > dropped NIS but netgroups went with it.
> > > > >
> > > > > Well, netgroups are part of NIS
> > > >
> > > > Nowadays you can store netgroups in LDAP.
> > > >
> > > > https://ldapwiki.com/wiki/Netgroup
> > > >
> > > > https://www.linux.com/news/sysadmin-sysadmin-netgroups-are-not-just-nis-anymore/
> > >
> > > But using Samba with ldap basically requires SMBv1 and Samba is
> > > trying to remove this.
> > >
> > > > > > Some people still use netgroups without NIS, stored in LDAP
> > > > > > and made available to the system through nss_sss, but it is
> > > > > > also possible to use /etc/netgroups.
> > > > >
> > > > > Why and how are they using a part of NIS without NIS ?
> > > >
> > > > The netgroups are stored in LDAP and used in the 'valid users'
> > > > share
> > > > option.
> > >
> > > But, you really shouldn't use 'valid users' with AD, you should use
> > > ACLs
> > >
> > > > > > I had a look at the removed code and I think it is possible to
> > > > > > reintroduce netgroups support independently from NIS, using
> > > > > > the getdomainname() function from glibc instead of
> > > > > > yp_get_default_domain() from libnsl.
> > > > > >
> > > > > > Should we bring back netgroups support?
> > > > >
> > > > > I do not see the point, AD groups can do the same thing.
> > > >
> > > > AD is not involved here, this is a pure file server use case.
> > >
> > > Then it definitely shouldn't be brought back, once SMBv1 is removed,
> > > then standard ldap will very probably not be involved, just AD and
> > > netgroups will not be required,
> > >
> > > Why not get sssd to work with Windows AD groups ?
> > >
> > > Rowland
> > >
> >
> > Rowland, let's remove LDAP, AD and SSSD from the equation completely.
> > Consider this pure file server deployment:
> >
> > 1. Set NIS domain name
> >
> > $> nisdomainname
> > foonisdom
> >
> >
> > 2. Add a couple of users
> >
> > /etc/passwd:
> > user1:x:1001:1001::/home/user1:/bin/bash
> > user2:x:1002:1002::/home/user2:/bin/bash
> >
> > $> pdbedit -L
> > user1:1001:
> > user2:1002:
> >
> >
> > 3. Set up /etc/nsswitch.conf
> >
> > passwd:         compat
> > group:          compat
> > netgroup:       files nis
> >
> >
> > 4. Add a netgroup
> >
> > $> cat /etc/netgroup
> > netgrp1 (,user1,foonisdom) (,user2,barnisdom)
> >
> >
> > 5. Minimal smb.conf
> >
> > [global]
> >         workgroup = WORKGROUP
> >         security = user
> >
> > [share]
> >         path = /srv/share
> >         valid users = @netgrp1
> >
> >
> > 6. Test, samba < 4.15.0
> >
> > $> smbclient //localhost/share -Uuser1%<pwd> -c 'quit'
> > $> echo $?
> > 0
> >
> > $> smbclient //localhost/share -Uuser2%<pwd> -c 'quit'
> > tree connect failed: NT_STATUS_ACCESS_DENIED
> >
> >
> > 7. Test, samba >= 4.15.0
> >
> > $ smbclient //localhost/share -Uuser1%<pwd> -c 'quit'
> > tree connect failed: NT_STATUS_ACCESS_DENIED
> >
> > $ smbclient //localhost/share -Uuser2%<pwd> -c 'quit'
> > tree connect failed: NT_STATUS_ACCESS_DENIED

I also would say, stop using/abusing localhost.
localhost != hostname
hostname != hostname.fq.dn
REALM != dnsdomain
REALM = YOU.REALM.TLD
And make sure hostname -s / -f / -d always give you back your first and primary
hostname/dnsdomain.
Kerberos needs a correct SPN/hostname.fq.dn.

So based on the things above, I suggest trying with:

smbclient //hostname.fq.dn/share -Uuser2@REALM.TLD%<pwd> -c 'quit'
and
smbclient //hostname.fq.dn/share -UADDOM/user2%<pwd> -c 'quit'
and
smbclient //hostname.fq.dn/share -UADDOM/user2@REALM.TLD%<pwd> -c 'quit'

Basically all 3 should work, but it depends on client, server and Samba versions
and your settings.

I hope that this at least helps a bit.

Greetz,

Louis
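The /etc/netgroup lookup that the quoted steps 4 to 7 exercise, as an added Python example that is not from this thread and not Samba's own code. It parses the netgroup file format (parenthesised host,user,domain triples, an empty field as a wildcard, bare names as nested netgroups, backslash continuations) and answers the innetgr()-style question a 'valid users = @netgrp1' check asks: is this user, in the server's NIS domain, a member? The sample file is constructed; the valid_users_check helper is a simplified model of the smb.conf option for this example only (it does not fall back from '@name' to a UNIX group) and its behaviour on user2 is an assumption that matches the quoted step 6, where the barnisdom triple does not match a server in foonisdom.

```python
"""Added example: innetgr()-style netgroup matching against /etc/netgroup.

Not Samba's code. It models the check the thread's steps exercise:
'valid users = @netgrp1' is tested as a netgroup with the connecting user
and the server's NIS domain name, so a (host,user,domain) triple whose
domain differs from the server's domain does not match.
"""
import re

# A member is either a parenthesised triple or a bare nested-group name.
TOKEN_RE = re.compile(r"\(([^)]*)\)|(\S+)")


def parse_netgroup_file(text):
    """Return {group_name: [members]}; a member is a (host, user, domain)
    tuple of stripped strings, or a plain string naming a nested netgroup.
    Backslash-newline continuations are joined and '#' comments dropped."""
    groups = {}
    for line in text.replace("\\\n", " ").splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        name, rest = parts[0], (parts[1] if len(parts) > 1 else "")
        members = []
        for m in TOKEN_RE.finditer(rest):
            if m.group(1) is not None:
                fields = [f.strip() for f in m.group(1).split(",")]
                if len(fields) != 3:
                    raise ValueError(f"malformed triple in {name}: {m.group(0)}")
                members.append(tuple(fields))
            elif m.group(2).startswith("("):
                raise ValueError(f"unterminated triple in {name}: {m.group(2)}")
            else:
                members.append(m.group(2))
        groups.setdefault(name, []).extend(members)
    return groups


def in_netgroup(groups, group, host=None, user=None, domain=None, _seen=None):
    """innetgr() semantics: a None query field is not checked, an empty
    entry field matches anything, '-' in an entry matches no real value.
    Nested groups are followed; _seen guards against reference loops."""
    if _seen is None:
        _seen = set()
    if group in _seen or group not in groups:
        return False
    _seen.add(group)
    for member in groups[group]:
        if isinstance(member, str):               # nested netgroup
            if in_netgroup(groups, member, host, user, domain, _seen):
                return True
            continue
        if all(q is None or e == "" or e == q
               for e, q in zip(member, (host, user, domain))):
            return True
    return False


# Constructed sample: the thread's two triples plus a nested group and a
# wildcard-domain entry to exercise recursion and wildcards.
SAMPLE_NETGROUP = """\
# constructed /etc/netgroup, not a real host's file
netgrp1 (,user1,foonisdom) (,user2,barnisdom)
netgrp2 (,user3,) \\
        netgrp1
"""


def valid_users_check(netgroup_text, valid_users, user, nis_domain):
    """Simplified model of smb.conf 'valid users': '@name' and '&name'
    entries are tested as netgroups with the user and the server's NIS
    domain (host unchecked); a bare entry must equal the user name.
    Assumption for this example: no fallback from '@name' to a UNIX group."""
    groups = parse_netgroup_file(netgroup_text)
    for entry in (e.strip() for e in valid_users.split(",")):
        if not entry:
            continue
        if entry[0] in "@&":
            if in_netgroup(groups, entry[1:], user=user, domain=nis_domain):
                return True
        elif entry == user:
            return True
    return False


if __name__ == "__main__":
    # Mirrors the quoted step 6 (Samba < 4.15): user1 admitted, user2 denied
    # because its triple names barnisdom while the server is in foonisdom.
    for u in ("user1", "user2"):
        ok = valid_users_check(SAMPLE_NETGROUP, "@netgrp1", u, "foonisdom")
        print(u, "allowed" if ok else "NT_STATUS_ACCESS_DENIED")
```

Running it with the server's NIS domain set to foonisdom reproduces the pre-4.15 result from step 6: user1 is admitted and user2 is denied, because the domain field of a triple is compared against the server's own NIS domain, not the client's. The same run with nis_domain="barnisdom" flips both answers, which is the check to make when a netgroup-based 'valid users' line behaves unexpectedly.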