[Samba] Samba-winbind 3.5.4 primary group is always domainusers!!!???

Andrew Lyon andrew.lyon at gmail.com
Sun Oct 24 07:46:22 MDT 2010


> -----Original Message-----
> From: Andrew Lyon [mailto:andrew.lyon at gmail.com]
> Sent: Freitag, 22. Oktober 2010 11:50
> To: Oliver Weinmann
> Cc: samba at lists.samba.org
> Subject: Re: [Samba] Samba-winbind 3.5.4 primary group is always domainusers!!!???
>
> On Wed, Oct 20, 2010 at 12:36 PM, Oliver Weinmann <oliver.weinmann at vega.de> wrote:
>> Hi,
>>
>> Any news regarding this problem? I have tested samba 3.5.6 and the
>> problem still persists. I had to downgrade to 3.3 on a few machines now.
>>
>> Regards,
>> Oliver
>>
>> -----Original Message-----
>> From: samba-bounces at lists.samba.org
>> [mailto:samba-bounces at lists.samba.org] On Behalf Of Oliver Weinmann
>> Sent: Donnerstag, 9. September 2010 13:13
>> To: samba at lists.samba.org
>> Subject: [Samba] Samba-winbind 3.5.4 primary group is always
>> domainusers!!!???
>>
>> Dear All,
>>
>> I stepped over a strange issue today. I have one installation of samba
>> winbind 3.3.2 on a Ubuntu machine. Changing the primary unix group of
>> a user is updated immediately. On a newer samba 3.5.4 installation the
>> primary group is not updated at all. It always displays "domain users".
>> Is there a new setting for the smb.conf? Here is my smb.conf:
>>
>> [global]
>>        netbios name = gedail1
>>        realm = SOMEDOMAIN.NET
>>        workgroup = SOMEDOMAIN
>>        security = ADS
>>        encrypt passwords = true
>>        password server = server1.somedomain.net server2.somedomain.net
>>        os level = 20
>>        idmap backend = ad
>>        idmap config SOMEDOMAIN : backend = ad
>>        idmap config SOMEDOMAIN : schema_mode = sfu
>>        idmap config SOMEDOMAIN : range = 0-99999999
>>        winbind nss info = sfu
>>        winbind enum users = yes
>>        winbind enum groups = yes
>>        preferred master = no
>>        winbind nested groups = Yes
>>        winbind use default domain = Yes
>>        max log size = 50
>>        log level = 10
>>        log file = /var/log/samba/log.%m
>>        dns proxy = no
>>        wins server = 172.20.200.18 172.18.200.20
>>        allow trusted domains = no
>>        client use spnego = Yes
>>        use kerberos keytab = true
>>        winbind refresh tickets = yes
>>        idmap cache time = 1
>>        winbind cache time = 1
>>
>> It's a W2k3 AD Domain.
>>
>> Regards,
>> Oliver
>> --
>> To unsubscribe from this list go to the following URL and read the
>> instructions:  https://lists.samba.org/mailman/options/samba
>>
>> ______________________________________________________________________
>> This email has been scanned by the MessageLabs Email Security System.
>> For more information please visit http://www.messagelabs.com/email
>> ______________________________________________________________________
>
> I've noticed the same with samba 3.5.6, our administrator user has primary group name/gid Domain Admins but the primary group on our linux systems is domain users.
>
> I've noticed that searching AD for users with rfc2307/sfu attributes shows the correct gid:
>
> net ads search '(|(uidNumber=*)(gidNumber=*))' objectCategory sAMAccountName uidNumber gidNumber -P
>
> sAMAccountName: Domain Users
> objectCategory: CN=Group,CN=Schema,CN=Configuration,DC=josims,DC=local
> gidNumber: 10000
>
> sAMAccountName: test
> objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=josims,DC=local
> uidNumber: 10009
> gidNumber: 10010
>
> The gid returned is correct, and if I change it and remove the cache file it updates, so it is definitely being read from AD, but all users have gid domain users:
>
>  wbinfo -i test
> test:*:10009:10000:test:/home/test:/bin/bash
>
> Andy
>
On Fri, Oct 22, 2010 at 10:55 AM, Oliver Weinmann
<oliver.weinmann at vega.de> wrote:
> Good to know that I'm not the only one facing this serious problem. I
> would really like to know why this is not the case under samba 3.3.
> Currently I have stopped upgrading from 3.3 to 3.5.x because this
> problem is generating a lot of trouble for us when users of different
> projects create files and they are read/write for all members of
> domain users. The only way around this is to use the SGID on the
> folder to inherit the project group.

Hi,

I've been looking at this again and found that the primary gid is read
from the user's primary Windows group, not the one set in the UNIX
Attributes tab which is added by registering nisprop.dll.

To change the windows primary group go to the "Member Of" tab in ADUC,
highlight the group and click "Set Primary Group", for example I set
user test to have domain admins as primary group:

uid=10009(test) gid=10010(domain_admins)
groups=10010(domain_admins),10000(domain_users)

The Primary group name/GID in UNIX Attributes seems to be unused by
winbind with sfu/rfc2307.

I have noticed other strange things with the UNIX Attributes tab, for
example adding a user to a group through the unix attribs tab or
"member of" tab does not result in the user being listed as a member
of the group in the Members section of the UNIX Attributes tab when
viewing the group properties; it's as if the unix gids for a given user
and the uids which are members of a given group are stored separately.

I'm going to read up on the Microsoft documentation for SFU...

Note that after making changes like this it is necessary to remove
cache files before the change is reflected, I usually remove all files
in /var/lib/samba and /var/cache/samba and then rejoin the machine to
the domain to make sure nothing is cached. It seems strange that this
is necessary, caching is a good thing but when would changes be
reflected if the cache files were never removed?

It would be nice to know exactly how this is supposed to work as it's
not completely clear to me if this is a bug or not.

Andy
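As an added example (not code from Samba or from anyone in this thread), the following models the resolution Andy describes above: the user's primaryGroupID is a RID, winbind maps it to the group whose SID ends in that RID and takes that group's gidNumber, ignoring the gidNumber on the user's UNIX Attributes tab. The directory records are constructed; 512 and 513 are the well-known Domain Admins and Domain Users RIDs, and the gid/uid numbers follow the thread.

```python
# Added example (not Samba's code): models how winbind, as observed in the
# thread, derives a user's primary gid from the Windows primary group
# (primaryGroupID, a RID) rather than from the user's own gidNumber.
# All directory records below are constructed; 512/513 are the well-known
# Domain Admins / Domain Users RIDs, the gid numbers follow the thread.
from dataclasses import dataclass

@dataclass
class AdGroup:
    name: str
    rid: int          # last component of the group's objectSid
    gid_number: int   # rfc2307/SFU gidNumber

@dataclass
class AdUser:
    sam: str
    uid_number: int
    gid_number: int         # "Primary group" on the UNIX Attributes tab
    primary_group_id: int   # primaryGroupID: RID of the Windows primary group

GROUPS = [AdGroup("domain users", 513, 10000), AdGroup("domain admins", 512, 10010)]

def primary_gid_from_windows_group(user, groups):
    """3.5.x behaviour seen in the thread: resolve primaryGroupID to the group
    with that RID and use that group's gidNumber."""
    by_rid = {g.rid: g for g in groups}
    if user.primary_group_id not in by_rid:
        raise LookupError(f"no group with RID {user.primary_group_id}")
    return by_rid[user.primary_group_id].gid_number

def primary_gid_from_unix_attributes(user):
    """What the UNIX Attributes tab says, which 3.3 honoured per the thread."""
    return user.gid_number

def passwd_line(user, groups):
    """The line wbinfo -i prints under the primaryGroupID rule."""
    gid = primary_gid_from_windows_group(user, groups)
    return f"{user.sam}:*:{user.uid_number}:{gid}:{user.sam}:/home/{user.sam}:/bin/bash"

def check_mismatch(user, groups):
    """Return (unix_gid, windows_gid) when the two disagree, else None.
    A mismatch is the over-sharing the thread describes: files the user
    creates with group rw end up readable by all of domain users."""
    win = primary_gid_from_windows_group(user, groups)
    unix = primary_gid_from_unix_attributes(user)
    return None if win == unix else (unix, win)
```

Running check_mismatch over every user pulled from AD (for instance from the `net ads search` output quoted above) lists the accounts whose Windows primary group still needs to be set in ADUC.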

