[Samba] Winbind rid + SID History creating duplicate per-user groups

Josh Kelley joshkel at gmail.com
Mon Jul 28 08:52:39 MDT 2014


I had seen that the idmap directives were deprecated, and I tried
updating them, but it didn't help.  I tried both
    idmap config * : backend  = rid
    idmap config * : range = 10000-30000
and
    idmap config MYDOMAIN : backend = rid
    idmap config MYDOMAIN : range = 10000-30000

Users are created on the Active Directory servers (by another
department at our company).  As far as I can tell, the user groups
(like my jkelley group) are coming from winbind itself: they're not in
/etc/group or /etc/gshadow, they don't show up in Active Directory
Users and Computers, but they do show up if I run wbinfo --group-info.

Here's my complete smb.conf.

[global]
   workgroup = MYDOMAIN
   realm = MYDOMAIN.LOCAL
   server string = %h server (Samba, Ubuntu)
   dns proxy = no
   log file = /var/log/samba/log.%m
   max log size = 1000
   syslog = 0
   panic action = /usr/share/samba/panic-action %d
   security = ads
   encrypt passwords = true
   passdb backend = tdbsam
   obey pam restrictions = yes
   unix password sync = yes
   passwd program = /usr/bin/passwd %u
   passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
   pam password change = yes
   map to guest = bad user
   idmap backend = rid
   idmap uid = 10000-30000
   idmap gid = 10000-30000
   template homedir = /home/%U
   template shell = /bin/bash
   winbind enum groups = yes
   winbind enum users = yes
   winbind use default domain = yes
   winbind:ignore domains = OLDDOMAIN EXTERNALDOMAIN
   usershare allow guests = yes

[homes]
   comment = Home Directories
   browseable = no
   read only = no
   create mask = 0700
   directory mask = 0700
   valid users = %S

[printers]
   comment = All Printers
   browseable = no
   path = /var/spool/samba
   printable = yes
   guest ok = no
   read only = yes
   create mask = 0700

[print$]
   comment = Printer Drivers
   path = /var/lib/samba/printers
   browseable = yes
   read only = yes
   guest ok = no

And /etc/nsswitch.conf, just in case it helps:
passwd:         compat winbind
group:          compat winbind
shadow:         compat

#hosts:          files dns
hosts:          files dns mdns4
networks:       files

protocols:      db files
services:       db files
ethers:         db files
rpc:            db files

netgroup:       nis

-- 
Josh Kelley

On Mon, Jul 28, 2014 at 10:00 AM, Rowland Penny
<rowlandpenny at googlemail.com> wrote:
> On 28/07/14 14:29, Josh Kelley wrote:
>>
>> Since upgrading from Ubuntu 12.04 (Samba 3.6.3) to Ubuntu 14.04 (Samba
>> 4.1.6), I've noticed some strange problems with our group mappings:
>>
>> First, each of our Active Directory users now has a corresponding
>> group in Linux. I don't remember ever noticing this in Ubuntu 12.04 /
>> Samba 3.6.3.  Is this feature new?  Is it documented anywhere?  (I
>> tried searching online and couldn't find anything relevant.)
>>
>> Second, duplicate per-user groups are being created, and this is
>> causing us lots of problems.  For example, my username jkelley is
>> assigned a uid of 14504 (based on its RID in AD), and so a jkelley
>> group with gid 14504 is also created, but the jkelley user is actually
>> a member of a second jkelley group with a different gid.
>>
>> By poking around with wbinfo, I determined that the duplicate groups
>> are being created by SID history; one gid corresponds to the SID in
>> the sIDHistory attribute, while the other corresponds to the current
>> SID in the Active Directory domain.  Is there a way to fix this
>> without simply deleting the sIDHistory attributes from Active
>> Directory?
>>
>> Winbind config from smb.conf:
>>
>> idmap backend = rid
>> idmap uid = 10000-30000
>> idmap gid = 10000-30000
>> winbind enum groups = yes
>> winbind enum users = yes
>> winbind use default domain = yes
>> winbind:ignore domains = OLDDOMAIN EXTERNALDOMAIN
>>
> Hi, the type of winbind that you posted was deprecated before samba 3.6.3
> and even if it wasn't, there aren't enough lines there, any chance you could
> post your entire (sanitized) smb.conf
>
> Could you also tell us how you are creating users, something you are doing
> (and probably shouldn't be) is creating user groups, these are usually not
> used with AD.
>
> Rowland
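An added example, not from this thread or from Samba: given a constructed `getent group`-style listing and each user's current objectSid plus sIDHistory SIDs, it applies the idmap_rid formula (ID = RID - base_rid + range low, base_rid defaulting to 0) to find group names that appear under two gids and show which SID produced each one. The SIDs, gids and the range values are hypothetical, chosen to match the situation described above.

```python
from collections import defaultdict

# Constructed sample of `getent group` output: the same name under two gids.
SAMPLE_GETENT = """\
jkelley:x:14504:
jkelley:x:12345:jkelley
domain users:x:10513:jkelley
"""

# Constructed SIDs (hypothetical): the current-domain SID and a sIDHistory entry.
SAMPLE_SIDS = {
    "jkelley": {
        "objectSid": "S-1-5-21-1111-2222-3333-4504",
        "sIDHistory": "S-1-5-21-4444-5555-6666-2345",
    }
}

IDMAP_LOW, IDMAP_HIGH = 10000, 30000   # "idmap config MYDOMAIN : range"
BASE_RID = 0                           # idmap_rid default

def rid_to_id(sid, low=IDMAP_LOW, high=IDMAP_HIGH, base_rid=BASE_RID):
    """idmap_rid mapping: ID = RID - base_rid + low; None if outside the range."""
    rid = int(sid.rsplit("-", 1)[1])
    uid = rid - base_rid + low
    return uid if low <= uid <= high else None

def duplicate_groups(getent_text):
    """Return {name: sorted gids} for every group name seen with more than one gid."""
    gids = defaultdict(set)
    for line in getent_text.splitlines():
        if line.strip():
            name, _, gid, _ = line.split(":", 3)
            gids[name].add(int(gid))
    return {n: sorted(g) for n, g in gids.items() if len(g) > 1}

def attribute_gids(dups, sids_by_name):
    """For each duplicate gid, name the SID attribute (objectSid/sIDHistory) it maps from."""
    out = {}
    for name, gid_list in dups.items():
        out[name] = {gid: None for gid in gid_list}
        for label, sid in sids_by_name.get(name, {}).items():
            mapped = rid_to_id(sid)
            if mapped in out[name]:
                out[name][mapped] = label
    return out

def report():
    return attribute_gids(duplicate_groups(SAMPLE_GETENT), SAMPLE_SIDS)
```

On a real host the listing would come from `getent group` and the SIDs from the directory; a gid that maps back to a sIDHistory entry is the one the history attribute introduced.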

