[Samba] samba 4.5.8 @ debian 9 - wrong groups IDs for PAM authorization
rpenny at samba.org
Thu Jul 6 20:29:48 UTC 2017
On Fri, 7 Jul 2017 00:13:16 +0500
"Stanislav N. aka pztrn via samba" <samba at lists.samba.org> wrote:
> Hello list.
> I’m using samba4 authorization with debian 8 without any problems.
> But in debian 9 very same config causes problems - unable to change
> GID. Here is my smb.conf:
> netbios name = testvm
> security = ADS
> workgroup = WRKGRP
> realm = EXAMPLE.COM
> password server = 172.24.0.253
> wins server = 172.24.0.253
> wins proxy = no
> winbind enum users = yes
> winbind enum groups = yes
> template homedir = /home/%U
> template shell = /bin/zsh
> client use spnego = yes
> winbind use default domain = yes
> encrypt passwords = yes
> winbind nss info = rfc2307
> winbind refresh tickets = Yes
> dedicated keytab file = /etc/krb5.keytab
> kerberos method = secrets and keytab
> winbind nested groups = yes
> vfs objects = acl_xattr
> map acl inherit = yes
> store dos attributes = yes
> inherit acls = Yes
> acl group control = yes
> idmap config *:backend = tdb
> idmap config *:range = 70001-80000
> idmap config <win domain>:backend = ad
> idmap config <win domain>:schema_mode = rfc2307
> idmap config <win domain>:range = 3000000-4000000
> socket options = SO_RCVBUF=262144 SO_SNDBUF=262144
> SO_KEEPALIVE IPTOS_LOWDELAY TCP_NODELAY
OK, first, I would remove these lines:
password server = 172.24.0.253
wins server = 172.24.0.253
wins proxy = no
client use spnego = yes
encrypt passwords = yes
winbind nested groups = yes
inherit acls = Yes
acl group control = yes
socket options = SO_RCVBUF=262144 SO_SNDBUF=262144 SO_KEEPALIVE IPTOS_LOWDELAY TCP_NODELAY
They are either default settings or shouldn't be set, 'password server'
for instance, you should allow Samba to find the DC (which, by the way,
you should really consider upgrading).
Why are you using the ranges '70001-80000' & '3000000-4000000' ?
Is this because the '3000000' range is used on the DC ?
Which leads us to the '<win domain>' , is this 'WRKGRP' or
It should be 'WRKGRP'
Have you given your users a uidNumber attribute containing a number
between '3000000-4000000' ?
Have you also given 'Domain Users' a gidNumber attribute containing a
number in the same range ?
More information about the samba