[Samba] Winbind rid + SID History creating duplicate per-user groups
Rowland Penny
rowlandpenny at googlemail.com
Mon Jul 28 09:42:47 MDT 2014
On 28/07/14 15:52, Josh Kelley wrote:
> I had seen that the idmap directives were deprecated, and I tried
> updating them, but it didn't help. I tried both
> idmap config * : backend = rid
> idmap config * : range = 10000-30000
> and
> idmap config MYDOMAIN : backend = rid
> idmap config MYDOMAIN : range = 10000-30000
>
> Users are created on the Active Directory servers (by another
> department at our company). As far as I can tell, the user groups
> (like my jkelley group) are coming from winbind itself: they're not in
> /etc/group or /etc/gshadow, they don't show up in Active Directory
> Users and Computers, but they do show up if I run wbinfo --group-info.
>
> Here's my complete smb.conf.
>
> [global]
> workgroup = MYDOMAIN
> realm = MYDOMAIN.LOCAL
> server string = %h server (Samba, Ubuntu)
> dns proxy = no
> log file = /var/log/samba/log.%m
> max log size = 1000
> syslog = 0
> panic action = /usr/share/samba/panic-action %d
> security = ads
> encrypt passwords = true
> passdb backend = tdbsam
> obey pam restrictions = yes
> unix password sync = yes
> passwd program = /usr/bin/passwd %u
> passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
> pam password change = yes
> map to guest = bad user
> idmap backend = rid
> idmap uid = 10000-30000
> idmap gid = 10000-30000
> template homedir = /home/%U
> template shell = /bin/bash
> winbind enum groups = yes
> winbind enum users = yes
> winbind use default domain = yes
> winbind:ignore domains = OLDDOMAIN EXTERNALDOMAIN
> usershare allow guests = yes
>
> [homes]
> comment = Home Directories
> browseable = no
> read only = no
> create mask = 0700
> directory mask = 0700
> valid users = %S
>
> [printers]
> comment = All Printers
> browseable = no
> path = /var/spool/samba
> printable = yes
> guest ok = no
> read only = yes
> create mask = 0700
>
> [print$]
> comment = Printer Drivers
> path = /var/lib/samba/printers
> browseable = yes
> read only = yes
> guest ok = no
>
> And /etc/nsswitch.conf, just in case it helps:
> passwd: compat winbind
> group: compat winbind
> shadow: compat
>
> #hosts: files dns
> hosts: files dns mdns4
> networks: files
>
> protocols: db files
> services: db files
> ethers: db files
> rpc: db files
>
> netgroup: nis
>
There is quite a lot of your smb.conf that is not really required any
more; have a look here:
https://wiki.samba.org/index.php/Setup_a_Samba_AD_Member_Server
I know it says that it is for a member server, but the same setup can be
used for a Linux client.
I do not think that winbind itself can create users and groups.
Simplifying things a lot, it just pulls info from somewhere, in this
case the AD database, so if your users have a group with the same name
as their username, somebody or something is creating them.
Rowland
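The idmap settings discussed in this thread (the deprecated `idmap backend`/`idmap uid`/`idmap gid` keys and the `idmap config` lines that replace them) are easy to misconfigure, so here is a small checker written for this post; it is not code from the thread or from the Samba project. It parses a `[global]` section, flags the deprecated keys, warns when the `rid` backend is set on the default `*` domain (which needs an allocating backend such as `tdb`), and reports overlapping ranges; the sample smb.conf excerpt is constructed from the thread with both old and new style lines present at once.

```python
import re
from itertools import combinations

# Constructed sample: the idmap lines from the thread, old and new style mixed.
SAMPLE_SMB_CONF = """[global]
   idmap backend = rid
   idmap uid = 10000-30000
   idmap gid = 10000-30000
   idmap config * : backend = rid
   idmap config * : range = 10000-30000
   idmap config MYDOMAIN : backend = rid
   idmap config MYDOMAIN : range = 10000-30000
"""

DEPRECATED = {"idmap backend", "idmap uid", "idmap gid"}
IDMAP_CFG = re.compile(r"^idmap config\s+(\S+)\s*:\s*(\w+)\s*=\s*(.+)$", re.I)

def parse_global(text):
    """Return (deprecated directives, per-domain idmap config) from [global]."""
    deprecated, idmap, section = {}, {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("["):
            section = line.strip("[]").lower()
            continue
        if section != "global" or "=" not in line:
            continue
        m = IDMAP_CFG.match(line)
        if m:  # idmap config DOMAIN : key = value
            idmap.setdefault(m.group(1), {})[m.group(2).lower()] = m.group(3).strip()
            continue
        key, _, val = line.partition("=")
        key = " ".join(key.lower().split())
        if key in DEPRECATED:
            deprecated[key] = val.strip()
    return deprecated, idmap

def check_idmap(text):
    """List idmap problems: deprecated keys, rid on '*', overlapping ranges."""
    deprecated, idmap = parse_global(text)
    findings = [f"deprecated '{k}': use 'idmap config DOMAIN : ...'" for k in sorted(deprecated)]
    if idmap.get("*", {}).get("backend", "").lower() == "rid":
        findings.append("rid backend on default domain '*': use an allocating backend such as tdb there")
    ranges = {d: tuple(int(x) for x in c["range"].split("-")) for d, c in idmap.items() if "range" in c}
    for a, b in combinations(sorted(ranges), 2):
        if ranges[a][0] <= ranges[b][1] and ranges[b][0] <= ranges[a][1]:
            findings.append(f"ranges for '{a}' and '{b}' overlap: each idmap domain needs its own range")
    return findings
```

Run `check_idmap(open("/etc/samba/smb.conf").read())` on a real file; an empty list means none of the three checks fired.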