[Samba] samba 4.5.8 @ debian 9 - wrong groups IDs for PAM authorization

Rowland Penny rpenny at samba.org
Thu Jul 6 20:29:48 UTC 2017


On Fri, 7 Jul 2017 00:13:16 +0500
"Stanislav N. aka pztrn via samba" <samba at lists.samba.org> wrote:

> Hello list.
> 
> I’m using samba4 authorization with debian 8 without any problems.
> But in debian 9 the very same config causes problems: unable to change
> GID. Here is my smb.conf:
> 
> [global]
>         netbios name = testvm
>         security = ADS
>         workgroup = WRKGRP
>         realm = EXAMPLE.COM
>         password server = 172.24.0.253
>         wins server = 172.24.0.253
>         wins proxy = no
>         winbind enum users = yes
>         winbind enum groups = yes
>         template homedir = /home/%U
>         template shell = /bin/zsh
>         client use spnego = yes
>         winbind use default domain = yes
>         encrypt passwords = yes
>         winbind nss info = rfc2307
>         winbind refresh tickets = Yes
>         dedicated keytab file = /etc/krb5.keytab
>         kerberos method = secrets and keytab
>         winbind nested groups = yes
> 
>         vfs objects = acl_xattr
>         map acl inherit = yes
>         store dos attributes = yes
>         inherit acls = Yes
>         acl group control = yes
> 
>         idmap config *:backend = tdb
>         idmap config *:range = 70001-80000
>         idmap config <win domain>:backend = ad
>         idmap config <win domain>:schema_mode = rfc2307
>         idmap config <win domain>:range = 3000000-4000000
> 
>         socket options = SO_RCVBUF=262144 SO_SNDBUF=262144 SO_KEEPALIVE IPTOS_LOWDELAY TCP_NODELAY
> 

OK, first, I would remove these lines:

        password server = 172.24.0.253
        wins server = 172.24.0.253
        wins proxy = no
        client use spnego = yes
        encrypt passwords = yes
        winbind nested groups = yes
        inherit acls = Yes
        acl group control = yes
        socket options = SO_RCVBUF=262144 SO_SNDBUF=262144 SO_KEEPALIVE IPTOS_LOWDELAY TCP_NODELAY

They are either default settings or shouldn't be set. 'password server',
for instance: you should allow Samba to find the DC (which, by the way,
you should really consider upgrading).

Why are you using the ranges '70001-80000' & '3000000-4000000'?
Is this because the '3000000' range is used on the DC?
Which leads us to the '<win domain>': is this 'WRKGRP' or
'EXAMPLE.COM'?
It should be 'WRKGRP'.

Have you given your users a uidNumber attribute containing a number
between '3000000-4000000' ?
Have you also given 'Domain Users' a gidNumber attribute containing a
number in the same range ?

Rowland
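The checks Rowland makes by hand above (options that are defaults or should not be set, an idmap domain key that is the realm instead of the workgroup, missing backend/range, and idmap ranges that overlap) can be scripted. The following is an added example, not code from the thread or from the Samba project: a small linter over the [global] section of an smb.conf. The embedded sample config is constructed from the one posted; the '<win domain>' placeholder is assumed, for illustration, to have been the realm EXAMPLE.COM, and the list of removable options is taken from the reply above.

```python
"""Lint the idmap-related settings of an smb.conf [global] section.

Added example (not from the thread or from Samba). The sample config is
constructed from the posted one, with '<win domain>' assumed to be the
realm EXAMPLE.COM so the domain-key check has something to report.
"""
import re

# Options the reply suggests dropping: defaults, or things Samba should
# work out for itself (e.g. finding the DC instead of 'password server').
REMOVABLE = {
    "password server", "wins server", "wins proxy", "client use spnego",
    "encrypt passwords", "winbind nested groups", "inherit acls",
    "acl group control", "socket options",
}

IDMAP_RE = re.compile(r"^idmap config (\S+):(\S+)$", re.IGNORECASE)

# Constructed sample, based on the posted smb.conf.
SAMPLE_SMB_CONF = """\
[global]
        netbios name = testvm
        security = ADS
        workgroup = WRKGRP
        realm = EXAMPLE.COM
        password server = 172.24.0.253
        winbind use default domain = yes
        winbind nss info = rfc2307
        idmap config *:backend = tdb
        idmap config *:range = 70001-80000
        idmap config EXAMPLE.COM:backend = ad
        idmap config EXAMPLE.COM:schema_mode = rfc2307
        idmap config EXAMPLE.COM:range = 3000000-4000000
"""


def parse_global(text):
    """Return [(option, value)] for the [global] section.

    Option names keep their case (so the idmap domain key is reported as
    written) but have their whitespace normalised; smb.conf treats option
    names case-insensitively, so lookups below use .lower().
    """
    items = []
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "global" or "=" not in line:
            continue
        key, _, value = line.partition("=")
        items.append((" ".join(key.split()), value.strip()))
    return items


def parse_range(value):
    """'3000000-4000000' -> (3000000, 4000000); ValueError if malformed."""
    lo, hi = (int(x) for x in value.split("-"))
    if lo > hi:
        raise ValueError(value)
    return lo, hi


def lint(text):
    """Return a list of findings for the [global] section; empty means clean."""
    items = parse_global(text)
    opts = {k.lower(): v for k, v in items}
    findings = []

    workgroup = opts.get("workgroup", "").upper()
    realm = opts.get("realm", "").upper()
    if not workgroup:
        findings.append("no workgroup set")

    for key in sorted(REMOVABLE & set(opts)):
        findings.append(f"remove '{key}': default, or Samba should decide it")

    # Group 'idmap config <dom>:<key>' options by domain key.
    idmap = {}
    for key, value in items:
        m = IDMAP_RE.match(key)
        if m:
            idmap.setdefault(m.group(1), {})[m.group(2).lower()] = value

    ranges = {}
    for dom, keys in idmap.items():
        # The per-domain key must be the NetBIOS workgroup, not the realm.
        if dom != "*" and workgroup and dom.upper() != workgroup:
            hint = "the realm" if dom.upper() == realm else "not the workgroup"
            findings.append(
                f"idmap config {dom}: domain key is {hint}; use '{workgroup}'")
        if "backend" not in keys:
            findings.append(f"idmap config {dom}: no backend set")
        if "range" not in keys:
            findings.append(f"idmap config {dom}: no range set")
            continue
        try:
            ranges[dom] = parse_range(keys["range"])
        except ValueError:
            findings.append(
                f"idmap config {dom}: malformed range {keys['range']!r}")

    # Every idmap range must be disjoint from every other one.
    doms = sorted(ranges)
    for i, a in enumerate(doms):
        for b in doms[i + 1:]:
            (alo, ahi), (blo, bhi) = ranges[a], ranges[b]
            if alo <= bhi and blo <= ahi:
                findings.append(f"idmap ranges of {a} and {b} overlap")
    return findings


if __name__ == "__main__":
    for finding in lint(SAMPLE_SMB_CONF):
        print(finding)
```

Run it against the real file with `lint(open("/etc/samba/smb.conf").read())`; an empty list means none of the checks from the reply fired, which is the point at which the remaining questions (does each user have a uidNumber, does 'Domain Users' have a gidNumber inside the AD range) have to be answered in AD itself, not in smb.conf.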
