[Samba] Different behaviour of winbind in 4.8.3
Rowland Penny
rpenny at samba.org
Mon Jul 2 08:20:37 UTC 2018
On Mon, 2 Jul 2018 08:53:31 +0200
Tino Müller via samba <samba at lists.samba.org> wrote:
> Hi list,
>
> the behaviour of winbind changed in Samba version 4.8.3.
>
> Having this nsswitch.conf:
> # cat /etc/nsswitch.conf
> passwd: compat winbind cache
> group: compat winbind cache
> shadow: compat
>
> hosts: files dns
> networks: files
>
> protocols: db files
> services: db files
> ethers: db files
> rpc: db files
>
> netgroup: nis
>
> and this smb.conf:
> # cat /etc/samba/smb.conf
> [global]
> kerberos method = secrets and keytab
> log file = /var/log/samba/log.%m
> max log size = 1000
> realm = SPREADSHIRT.PRIVATE
> security = ADS
> server role = member server
> server string = %h server (Samba, Ubuntu)
> winbind expand groups = 5
> winbind offline logon = Yes
> winbind separator = +
> workgroup = SPREADSHIRT
> idmap config * : range = 10000 - 19999
> idmap config spreadshirt : range = 1000000 - 19999999
> idmap config spreadshirt : backend = rid
> idmap config * : backend = tdb
>
> There is a user in the domain SPREADSHIRT with the name tmutest.
>
> With Samba 4.8.2 and lower:
> # id tmutest
> id: ‘tmutest’: no such user
>
> # id SPREADSHIRT+tmutest
> uid=1102339(SPREADSHIRT+tmutest) gid=1000513(SPREADSHIRT+domain users)
> groups=1000513(SPREADSHIRT+domain
> users),1102339(SPREADSHIRT+tmutest),10001(BUILTIN+users)
>
>
> With Samba 4.8.3:
> # id tmutest
> uid=1102339(SPREADSHIRT+tmutest) gid=1000513(SPREADSHIRT+domain users)
> groups=1000513(SPREADSHIRT+domain
> users),1102339(SPREADSHIRT+tmutest),10001(BUILTIN+users)
>
> root at toolbox01 [lej] ~ # id SPREADSHIRT+tmutest
> uid=1102339(SPREADSHIRT+tmutest) gid=1000513(SPREADSHIRT+domain users)
> groups=1000513(SPREADSHIRT+domain
> users),1102339(SPREADSHIRT+tmutest),10001(BUILTIN+users)
>
> Is this intended?
> Is it possible to change the behaviour back to pre-4.8.3 by
> configuration change?
>
> Thank you.
>
> Best,
> Tino
>
You don't have 'winbind use default domain = yes' so you should have to
use the domain name to get a result.

Can you try this with 'getent passwd tmutest'? If this returns output
on 4.8.3, then it is a Samba problem; if it doesn't, it is an 'id'
problem.

The only thing that changed between 4.8.2 & 4.8.3 and seems to be
possibly relevant is this:

https://bugzilla.samba.org/show_bug.cgi?id=13369

Unless you can see something I missed here:

https://wiki.samba.org/index.php/Samba_4.8_Features_added/changed#Changes_since_4.8.2:

Rowland