[Samba] Different primary group between 4.5.x and 4.6.x

aluno3 at poczta.onet.pl
Wed May 31 09:36:56 UTC 2017


Below I post the scenario where a user can lose access to a file with
winbindd 4.6.x (DEV2+dev2user1000 has a default group other than "domain
users"):

root at host:~# su DEV2+dev2user105

DEV2+dev2user105 at host:/$ whoami
DEV2+dev2user105

DEV2+dev2user105 at host:/$ > /testfile

DEV2+dev2user105 at host:/$ ls -al /testfile
-rw-r--r-- 1 DEV2+dev2user105 DEV2+domain users 0 May 31 11:27 /testfile

DEV2+dev2user105 at host:/$ chmod 660 /testfile

DEV2+dev2user105 at host:/$ ls -al /testfile
-rw-rw---- 1 DEV2+dev2user105 DEV2+domain users 0 May 31 11:27 /testfile

DEV2+dev2user105 at host:/$ exit

root at host:~# su DEV2+dev2user1000

DEV2+dev2user1000 at host:/$ whoami
DEV2+dev2user1000

DEV2+dev2user1000 at host:/$ echo "testpermissions" >> /testfile

DEV2+dev2user1000 at host:/$ cat /testfile
testpermissions

DEV2+dev2user1000 at host:/$ exit

root at host:~# wbinfo --pam-logon=DEV2+dev2user1000
Enter DEV2+dev2user1000's password:
plaintext password authentication succeeded

root at host:~# su DEV2+dev2user1000

DEV2+dev2user1000 at host:/$ echo "testpermissions2" >> /testfile
bash: /testfile: Permission denied


On 30.05.2017 16:02, aluno3 at poczta.onet.pl wrote:
> Additionally, if I authenticate the user using wbinfo -a, it seems to work
> correctly:
> 
> root at root:~$ id DEV2+guest
> uid=2000501(DEV2+guest) gid=2000513(DEV2+domain users)
> groups=2000513(DEV2+domain users),2000501(DEV2+guest),2000514(DEV2+domain guests)
> 
> root at root:~$ wbinfo -a DEV2+guest
> Enter DEV2+guest's password:
> plaintext password authentication succeeded
> Enter DEV2+guest's password:
> challenge/response password authentication succeeded
> 
> root at root:~$ id DEV2+guest
> uid=2000501(DEV2+guest) gid=2000514(DEV2+domain guests)
> groups=2000514(DEV2+domain guests),2000501(DEV2+guest)
> 
> So it seems that if the samlogon cache is filled, then the primary group is
> returned correctly.
> 
> But I suppose that if I use a share using NFS (without Samba
> authentication) and have some ACLs on files or directories, I will
> probably have issues with access denied.
> 
> 
> On 30.05.2017 11:54, aluno3 at poczta.onet.pl wrote:
>> I changed the default/primary group for a user other than guest and the
>> issue also occurred, so if a domain user has a default group other than
>> "domain users", 'id <username>' always shows "domain users" as the primary group.
>>
>> On 29.05.2017 12:30, aluno3 at poczta.onet.pl wrote:
>>> On 29.05.2017 12:03, Rowland Penny via samba wrote:
>>>> On Mon, 29 May 2017 11:33:21 +0200
>>>> aluno3--- via samba <samba at lists.samba.org> wrote:
>>>>
>>>>> My configuration for idmap backend is:
>>>>>
>>>>> idmap config dev2 : range = 65536-19999999
>>>>> idmap config dev2 : backend = rid
>>>>> idmap config * : range = 20000000-39999999
>>>>> idmap config * : backend = autorid
>>>>
>>>> It is recommended to use the tdb backend for the '*'  domain
>>>
>>> I will try to use the tdb backend, but with regard to the issue with the
>>> primary group it will not help.
>>>
>>>>
>>>>>
>>>>> Does it mean that functionality is not fully reverted?
>>>>>
>>>>
>>>> No, it means that a patch was added and then removed, as far as the code
>>>> is concerned, it is just as if the patch had never existed.
>>>>
>>>> Rowland
>>>>
>>>
>>> I suppose that not all commits from 2017-01-04 from Volker were reverted
>>> on 2017-03-06. Am I wrong?
>>>
>>> Additionally in commit:
>>>
>>> https://git.samba.org/?p=samba.git;a=commitdiff;h=93e804a8b0e63f90c166f063fa16a1238cd8f8f3
>>>
>>>
>>> we have updated release notes regarding 'id <username>' but on:
>>>
>>> https://wiki.samba.org/index.php/Samba_4.6_Features_added/changed#winbind_changes
>>>
>>> this information is not updated, so it can cause confusion.
>>>
>>>
>>
> 
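
An added example, not part of the original thread or of Samba's code: it parses the two `id DEV2+guest` outputs quoted above (before and after `wbinfo -a`), reports the primary-group change and the dropped membership, and applies the POSIX mode-bit write check to a file shaped like `/testfile` (group "domain users", mode 660). The thread shows `id` output only for DEV2+guest, so that identity stands in for dev2user1000, and the file owner's uid is a constructed value.

```python
import re

# Sample input: the two `id DEV2+guest` outputs quoted in the thread,
# taken before and after `wbinfo -a DEV2+guest`.
ID_BEFORE = ("uid=2000501(DEV2+guest) gid=2000513(DEV2+domain users) "
             "groups=2000513(DEV2+domain users),2000501(DEV2+guest),"
             "2000514(DEV2+domain guests)")
ID_AFTER = ("uid=2000501(DEV2+guest) gid=2000514(DEV2+domain guests) "
            "groups=2000514(DEV2+domain guests),2000501(DEV2+guest)")

# Constructed values describing a file like /testfile from the thread.
FILE_OWNER_UID = 2001105   # assumption: the uid of dev2user105 is not on the page
FILE_GROUP_GID = 2000513   # DEV2+domain users
FILE_MODE = 0o660

_ENTRY = re.compile(r"(\d+)\(([^)]*)\)")


def parse_id(line):
    """Parse one line of `id` output; group names may contain spaces."""
    m = re.match(r"uid=(\d+)\([^)]*\) gid=(\d+)\([^)]*\) groups=(.*)$",
                 line.strip())
    if not m:
        raise ValueError("unrecognised id output: %r" % line)
    groups = {int(gid): name for gid, name in _ENTRY.findall(m.group(3))}
    return {"uid": int(m.group(1)), "gid": int(m.group(2)), "groups": groups}


def can_write(ident, owner_uid, group_gid, mode):
    """Mode-bit write check: only the first matching class is consulted."""
    if ident["uid"] == owner_uid:
        return bool(mode & 0o200)
    if group_gid == ident["gid"] or group_gid in ident["groups"]:
        return bool(mode & 0o020)
    return bool(mode & 0o002)


def identity_drift(before, after):
    """Primary-group change plus gids present before but missing after."""
    lost = sorted(set(before["groups"]) - set(after["groups"]))
    return {"primary_changed": before["gid"] != after["gid"], "lost_gids": lost}


if __name__ == "__main__":
    before, after = parse_id(ID_BEFORE), parse_id(ID_AFTER)
    print(identity_drift(before, after))
    for label, ident in (("before", before), ("after", after)):
        print(label, can_write(ident, FILE_OWNER_UID, FILE_GROUP_GID, FILE_MODE))
```
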