[Samba] Winbind issue after upgrading from 4.7.5 to 4.8.3

miguel.sanders.external at arcelormittal.com
Tue Aug 7 10:53:23 UTC 2018


Hi

This is the global section of smb.conf.

[global]
         workgroup = DOMAIN
         realm = DOMAIN.COM
         netbios name = SAMBA
         security = ads
         clustering = yes
         idmap config * : backend = tdb2
         idmap config * : range = 30000-50000
         passdb backend = tdbsam
         ctdbd socket = /usr/samba/var/run/ctdb/ctdbd.socket
         winbind separator = +
         unix extensions = no
         follow symlinks = yes
         wide links = yes
         log level = 2
         log file = /usr/samba/var/log/log.%m
         max log size = 500

I understand your point but this has been the setup for many years now 
(this XYZ Linux user is in fact an LDAP user (not AD)) without any issue.
We also have other UNIX distributions and therefore we have a dedicated 
LDAP infrastructure for them (hosting users, groups, services, sudo 
roles, ...)
Moreover, in the past you always had to specify the domain when running 
NSS queries,

e.g.
# id DOMAIN+XYZ
uid=30001(DOMAIN+XYZ) gid=30004(DOSIM000+domain users)

This doesn't seem to be needed anymore and is therefore the root cause 
of this, I believe.
Can this be configured somehow or, if not, is there any pointer to the 
source file I could have a look at?

Many thanks.


Met vriendelijke groeten
Best regards

*Miguel Sanders*
ArcelorMittal Europe – Flat Products – Business Division North

External collaborator | Midrange UNIX
John Kennedylaan 51 B-9042 Gent
*T* +32 9 347 52 78
*E* gen-sid-ism-cbi-sig at arcelormittal.com
*E* miguel.sanders.external at arcelormittal.com
On 06-08-18 20:05, Rowland Penny via samba wrote:
> On Mon, 6 Aug 2018 14:38:33 +0200
> Miguel Sanders via samba <samba at lists.samba.org> wrote:
>
>> Hi guys
>>
>> We recently upgraded our Samba clusters from 4.7.5 to 4.8.3 and
>> noticed a difference in behavior for winbind.
>> The situation is as follows:
>> Assume we have a local Linux user XYZ (UID 519) as well as an AD user
>> object XYZ (UID 30001).
>>       idmap config * : backend = tdb2
>>       idmap config * : range = 30000-50000
>>
>> In our share definitions we regularly use the "force user" directive.
>> In 4.8.3, when using "force user = XYZ", we are forcing the UID of
>> the AD user object XYZ (UID 30001) and not the local Linux user XYZ
>> (UID 519). In 4.7.5 this worked fine.
>> Is this change intentional or a defect?
>>
>> Moreover, when running "id XYZ", the correct UID 519 is given.
>> The groups, however, are a mix of local groups and AD groups. This
>> behavior was also different in 4.7.5.
>>
>> 4.8.3
>> # id XYZ
>> uid=519(XYZ) gid=1(bin) groups=1(bin),30004(DOSIM000+domain users)
>> # id xyz
>> uid=30001(DOMAIN+XYZ) gid=30004(DOSIM000+domain users)
>>
>> 4.7.5
>> # id XYZ
>> uid=519(XYZ) gid=1(bin) groups=1(bin)
>> # id xyz
>> id: ‘xyz’: no such user
>>
>> Thanks for your help
>>
> How are you running Samba? Can you post your smb.conf?
>
> What OS is this on?
>
> The problem is, you shouldn't have a local user called 'XYZ' and an AD
> user called 'XYZ', you should just have the AD user.
>
> Rowland
>
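An added example, not part of the original thread and not Samba's own code: a small audit that flags shares whose "force user" is a bare name existing both as a local account and as a domain user, the collision discussed in this thread. The passwd text, the `wbinfo -u`-style user list and the share names are constructed sample data, and the case-insensitive comparison is an assumption chosen to mirror the `id xyz` result quoted above.

```python
import re

# Constructed sample inputs (not taken from the poster's systems).
SAMPLE_PASSWD = "root:x:0:0:root:/root:/bin/sh\nXYZ:x:519:1::/home/XYZ:/bin/sh\n"
SAMPLE_DOMAIN_USERS = ["DOMAIN+XYZ", "DOMAIN+administrator"]  # shape of `wbinfo -u` output
SAMPLE_SMB_CONF = ("[global]\n  winbind separator = +\n"
                   "[data]\n  force user = XYZ\n"
                   "[scratch]\n  force user = root\n"
                   "[explicit]\n  force user = DOMAIN+XYZ\n")

def local_accounts(passwd_text):
    """Map lower-cased local account name -> (name, uid) from passwd(5) text."""
    accounts = {}
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) >= 3 and fields[2].isdigit():
            accounts[fields[0].lower()] = (fields[0], int(fields[2]))
    return accounts

def force_users(smb_conf_text):
    """Yield (share, value) for every 'force user' setting in smb.conf text."""
    share = None
    for raw in smb_conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            share = header.group(1)
        elif "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            # smb.conf ignores case and whitespace in parameter names.
            if "".join(key.lower().split()) == "forceuser":
                yield share, value

def ambiguous_force_users(smb_conf_text, passwd_text, domain_users, separator="+"):
    """Return (share, force user, local uid) for bare names that also exist in the domain."""
    local = local_accounts(passwd_text)
    domain = {u.split(separator, 1)[-1].lower() for u in domain_users}
    findings = []
    for share, user in force_users(smb_conf_text):
        key = user.lower()  # assumption: compare names case-insensitively
        if separator not in user and key in local and key in domain:
            findings.append((share, user, local[key][1]))
    return findings
```

On a real host the three inputs would come from /etc/passwd (or `getent passwd`), `wbinfo -u` and the cluster's smb.conf; each finding is a share whose effective UID should be confirmed after an upgrade.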