[Samba] Different primary group between 4.5.x and 4.6.x
aluno3 at poczta.onet.pl
Wed May 31 11:12:35 UTC 2017
It is not an issue with the system or any PAM configuration but with
winbind from Samba 4.6. I repeated it on 2 different Linux distributions
with 4.6. With 4.5 the scenario works correctly.

wbinfo --pam-logon just simulates a login action to the Samba/winbind
service, which fills netsamlogon_cache.tdb.

You can repeat it with 4.6:
1. Configure a user on the domain side which has a default group other
than "domain users".
2. Disconnect the host from the ADS domain.
3. Remove your netsamlogon_cache.tdb cache file.
4. Join the host to ADS.
5. Repeat the scenario with testfile which I described in my previous post.

Before user login: the user has "domain users" as primary group.
After user login: the user has the correct primary group.

root@host:~# id DEV2+dev2user1000
uid=67638(DEV2+dev2user1000) gid=66049(DEV2+domain users) groups=66049(DEV2+domain users)
root@host:~# wbinfo --pam-logon=DEV2+dev2user1000
Enter DEV2+dev2user1000's password:
plaintext password authentication succeeded
root@host:~# id DEV2+dev2user1000
uid=67638(DEV2+dev2user1000) gid=67748(DEV2+dev2group100) groups=67748(DEV2+dev2group100)

On 31.05.2017 12:04, Rowland Penny wrote:
> On Wed, 31 May 2017 11:36:56 +0200
> aluno3--- via samba <samba at lists.samba.org> wrote:
>
>> root@host:~# su DEV2+dev2user1000
>>
>> DEV2+dev2user1000@host:/$ whoami
>> DEV2+dev2user1000
>>
>> DEV2+dev2user1000@host:/$ echo "testpermissions" >> /testfile
>>
>> DEV2+dev2user1000@host:/$ cat /testfile
>> testpermissions
>>
>> DEV2+dev2user1000@host:/$ exit
>>
>> root@host:~# wbinfo --pam-logon=DEV2+dev2user1000
>> Enter DEV2+dev2user1000's password:
>> plaintext password authentication succeeded
>>
>> root@host:~# su DEV2+dev2user1000
>>
>> DEV2+dev2user1000@host:/$ echo "testpermissions2" >> /testfile
>> bash: /testfile: Permission denied
>>
>>
>
> This is strange, it works then it doesn't ????
>
> Can you run 'pam-auth-update' and tell us the output ?
>
> Rowland
>
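
Added example, not part of the original post or of Samba: a small POSIX shell check that compares the primary group in two captured `id` outputs, such as one taken before and one after `wbinfo --pam-logon`. The function names are hypothetical, and the sample lines are the two `id` outputs shown in the post.

```sh
#!/bin/sh
# Added example: detect a primary-group change between two `id` outputs.
# Function names are hypothetical (not a Samba tool).

# Print "<gid>:<group name>" for the primary group in one line of id output.
# Group names may contain spaces ("DEV2+domain users"), so match up to the
# closing parenthesis instead of splitting the line on whitespace.
primary_group() {
    printf '%s\n' "$1" |
        sed -n 's/.*gid=\([0-9][0-9]*\)(\([^)]*\)).*/\1:\2/p'
}

# Exit status: 0 = primary group changed (report printed),
#              1 = unchanged, 2 = input could not be parsed.
primary_group_changed() {
    before=$(primary_group "$1")
    after=$(primary_group "$2")
    if [ -z "$before" ] || [ -z "$after" ]; then
        echo "could not parse id output" >&2
        return 2
    fi
    if [ "$before" != "$after" ]; then
        echo "primary group changed: $before -> $after"
        return 0
    fi
    return 1
}

# Sample input: the two id outputs from the post, each joined onto one line.
BEFORE='uid=67638(DEV2+dev2user1000) gid=66049(DEV2+domain users) groups=66049(DEV2+domain users)'
AFTER='uid=67638(DEV2+dev2user1000) gid=67748(DEV2+dev2group100) groups=67748(DEV2+dev2group100)'

primary_group_changed "$BEFORE" "$AFTER" || true
```

On a live host the two arguments would be the output of `id` for the same user, captured before and after the logon that fills netsamlogon_cache.tdb.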