[Samba] Samba-winbind 3.5.4 primary group is always domainusers!!!???

Oliver Weinmann oliver.weinmann at vega.de
Fri Oct 22 03:55:03 MDT 2010


Good to know that I'm not the only one facing this serious problem. I would really like to know why this is not the case under samba 3.3. Currently I have stopped upgrading from 3.3 to 3.5.x because this problem is generating a lot of trouble for us when users of different projects create files and they are read/write for all members of domain users. The only way around this is to use the SGID on the folder to inherit the project group. 

-----Original Message-----
From: Andrew Lyon [mailto:andrew.lyon at gmail.com] 
Sent: Freitag, 22. Oktober 2010 11:50
To: Oliver Weinmann
Cc: samba at lists.samba.org
Subject: Re: [Samba] Samba-winbind 3.5.4 primary group is always domainusers!!!???

On Wed, Oct 20, 2010 at 12:36 PM, Oliver Weinmann <oliver.weinmann at vega.de> wrote:
> Hi,
>
> Any news regarding this problem? I have tested samba 3.5.6 and the 
> problem still persists. I had to downgrade to 3.3 on a few machines now.
>
> Regards,
> Oliver
>
> -----Original Message-----
> From: samba-bounces at lists.samba.org
> [mailto:samba-bounces at lists.samba.org] On Behalf Of Oliver Weinmann
> Sent: Donnerstag, 9. September 2010 13:13
> To: samba at lists.samba.org
> Subject: [Samba] Samba-winbind 3.5.4 primary group is always 
> domainusers!!!???
>
> Dear All,
>
> I stepped over a strange issue today. I have one installation of samba 
> winbind 3.3.2 on a Ubuntu machine. There, a change to the primary unix 
> group of a user is picked up immediately. On a newer samba 3.5.4 installation the 
> primary group is not updated at all. It always displays "domain users".
> Is there a new setting for the smb.conf? Here is my smb.conf:
>
> [global]
>        netbios name = gedail1
>        realm = SOMEDOMAIN.NET
>        workgroup = SOMEDOMAIN
>        security = ADS
>        encrypt passwords = true
>        password server = server1.somedomain.net server2.somedomain.net
>        os level = 20
>        idmap backend = ad
>        idmap config SOMEDOMAIN : backend = ad
>        idmap config SOMEDOMAIN : schema_mode = sfu
>        idmap config SOMEDOMAIN : range = 0-99999999
>        winbind nss info = sfu
>        winbind enum users = yes
>        winbind enum groups = yes
>        preferred master = no
>        winbind nested groups = Yes
>        winbind use default domain = Yes
>        max log size = 50
>        log level = 10
>        log file = /var/log/samba/log.%m
>        dns proxy = no
>        wins server = 172.20.200.18 172.18.200.20
>        allow trusted domains = no
>        client use spnego = Yes
>        use kerberos keytab = true
>        winbind refresh tickets = yes
>        idmap cache time = 1
>        winbind cache time = 1
>
> It's a W2k3 AD Domain.
>
> Regards,
> Oliver
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba
>

I've noticed the same with samba 3.5.6, our administrator user has primary group name/gid Domain Admins but the primary group on our linux systems is domain users.

I've noticed that searching AD for users with rfc2307/sfu attributes shows the correct gid:

net ads search '(|(uidNumber=*)(gidNumber=*))' objectCategory sAMAccountName uidNumber gidNumber -P

sAMAccountName: Domain Users
objectCategory: CN=Group,CN=Schema,CN=Configuration,DC=josims,DC=local
gidNumber: 10000

sAMAccountName: test
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=josims,DC=local
uidNumber: 10009
gidNumber: 10010

The gid returned is correct, and if I change it and remove the cache file it updates, so it is definitely being read from AD, but all users have gid domain users:

wbinfo -i test
test:*:10009:10000:test:/home/test:/bin/bash

Andy
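A small check for the mismatch Andy describes, added here as an example and not taken from the thread: it parses `net ads search` output for a user's gidNumber in AD and compares it with the primary gid field of `wbinfo -i`. The sample outputs below are constructed from the values quoted above (with the domain replaced by a placeholder) so the script runs offline; on a real member server replace the two variables with the live command output.

```shell
#!/bin/sh
# Compare the gidNumber stored in AD (as printed by `net ads search`)
# with the primary gid winbind hands out (4th field of `wbinfo -i`).
# Constructed sample output of:
#   net ads search '(|(uidNumber=*)(gidNumber=*))' objectCategory sAMAccountName uidNumber gidNumber -P
AD_SEARCH_OUTPUT='sAMAccountName: Domain Users
objectCategory: CN=Group,CN=Schema,CN=Configuration,DC=example,DC=local
gidNumber: 10000

sAMAccountName: test
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=example,DC=local
uidNumber: 10009
gidNumber: 10010
'
# Constructed sample output of `wbinfo -i test` on the affected 3.5.x box
WBINFO_OUTPUT='test:*:10009:10000:test:/home/test:/bin/bash'

# ad_gid USER LDIF -> prints the gidNumber of the record whose sAMAccountName is USER
ad_gid() {
    printf '%s\n' "$2" | awk -v user="$1" '
        BEGIN { RS = ""; FS = "\n" }   # one blank-line separated record per object
        {
            name = ""; gid = ""
            for (i = 1; i <= NF; i++) {
                split($i, kv, ": ")
                if (kv[1] == "sAMAccountName") name = kv[2]
                if (kv[1] == "gidNumber") gid = kv[2]
            }
            if (name == user) { print gid; exit }
        }'
}

# winbind_gid PASSWD_LINE -> prints the primary gid field of a passwd-style line
winbind_gid() {
    printf '%s\n' "$1" | cut -d: -f4
}

# check_primary_gid USER LDIF PASSWD_LINE -> "ok" or "mismatch ad=<gid> winbind=<gid>"
check_primary_gid() {
    ad=$(ad_gid "$1" "$2")
    wb=$(winbind_gid "$3")
    if [ -n "$ad" ] && [ "$ad" = "$wb" ]; then
        echo ok
    else
        echo "mismatch ad=$ad winbind=$wb"
    fi
}

check_primary_gid test "$AD_SEARCH_OUTPUT" "$WBINFO_OUTPUT"
```

Run it after clearing the winbind cache as Andy did, so a "mismatch" line points at the nss info lookup rather than stale cached entries.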


