[Samba] winbind behavior question
d tbsky
tbskyd at gmail.com
Mon Jul 23 06:48:00 UTC 2018
2018-07-22 17:44 GMT+08:00 d tbsky <tbskyd at gmail.com>:
> 2018-07-19 23:59 GMT+08:00 Rowland Penny via samba <samba at lists.samba.org>:
>>
>> Please see inline comments.
>>
>> On Thu, 19 Jul 2018 23:44:48 +0800
>> d tbsky <tbskyd at gmail.com> wrote:
>>
>>> thanks a lot for the quick help. I remember in the old days it happened
>>> sometimes. but after upgrading to rhel 7.5 (from samba 4.6.x to 4.7.1) and
>>> samba DC 4.7/4.8 it now happens every time.
>>> below is the smb.conf configuration from the member server
>>>
>>> [global]
>>> workgroup = SAMDOM
>>> netbios name = backup
>>> realm = AD.SAMDOM.EXAMPLE.COM
>>> security = ads
>>>
>>> idmap backend = tdb
>>
>> Remove the above line
>>
>>> idmap config *:backend = tdb
>>> idmap config *:range = 1000000-1999999
>>>
>>> idmap config SAMDOM:backend = ad
>>> idmap config SAMDOM:default = yes
>>
>> You do not need the above line.
>>
>>> idmap config SAMDOM:range = 1000-999999
>>> idmap config SAMDOM:schema_mode = rfc2307
>>>
>>> winbind enum users = yes
>>> winbind enum groups = yes
>>> winbind nested groups = no
>>> winbind use default domain = yes
>>> winbind offline logon = no
>>
>> You do not need the above line.
>>
>> I know you said in your other email that you are using samba-tool to
>> create the users, but how, please provide an example.
>>
>
> Hi:
> sorry for the late reply. I was busy downgrading/upgrading samba
> versions of dc and member servers, trying to tune the configuration and
> watching the log. today I gave up on the RHEL samba 4.6.x and 4.7.1 rpms and
> recompiled samba for the member servers myself. both 4.7.1 and 4.7.8 are
> working fine.
>
> so there are some problems with recent RHEL samba packages,
> although they worked fine years ago. maybe mit kerberos or some other
> issue I don't know (is a samba file server without ad-dc also infected by
> kerberos type?). I will try to report to RedHat bugzilla.
>
> thanks a lot for your help!
Hi:
after more testing, my previous conclusion was wrong. it's not a RHEL
package problem, but a samba bug/feature. I have tried samba 4.7.1 and
4.7.8.
with the configuration below (which is a new config option after samba
4.6), everything is fine. without the configuration, samba
4.6/4.7 seems unable to find the primary group id, although they are already
set and show correctly if the user tries to authenticate.
idmap config SAMDOM:unix_primary_group = yes
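
A small lint for the idmap settings this thread discusses, added here as an example (not code from the thread or from the Samba project): it flags the `idmap backend` line and the `default` option that the reply says to drop, an `ad` backend domain without `unix_primary_group = yes`, and, going beyond the thread, overlapping ID ranges. The function names and the sample config are constructed, and only simple `key = value` lines in `[global]` are handled.

```python
import re

# Constructed sample: the idmap lines of the member-server smb.conf quoted in the thread.
SAMPLE = """[global]
idmap backend = tdb
idmap config *:backend = tdb
idmap config *:range = 1000000-1999999
idmap config SAMDOM:backend = ad
idmap config SAMDOM:default = yes
idmap config SAMDOM:range = 1000-999999
idmap config SAMDOM:schema_mode = rfc2307
"""
IDMAP_RE = re.compile(r"^idmap config\s+(\S+?)\s*:\s*(\S+)$")

def parse_global(text):
    """Return ([global] params, {domain: {idmap option: value}})."""
    params, idmap, section = {}, {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "global" and "=" in line and line[0] not in "#;":
            key, value = (part.strip() for part in line.split("=", 1))
            key = " ".join(key.lower().split())  # smb.conf keys ignore case and spacing
            m = IDMAP_RE.match(key)
            if m:
                idmap.setdefault(m.group(1).upper(), {})[m.group(2)] = value
            else:
                params[key] = value
    return params, idmap

def lint_idmap(text):
    """Flag the idmap settings discussed in the thread, plus overlapping ID ranges."""
    params, idmap = parse_global(text)
    findings, ranges = [], {}
    if "idmap backend" in params:
        findings.append("legacy 'idmap backend' line: remove it")
    for dom, opts in idmap.items():
        if "default" in opts:
            findings.append(f"{dom}: 'default' is not needed")
        if "range" in opts:
            ranges[dom] = tuple(int(n) for n in opts["range"].split("-"))
        if opts.get("backend") == "ad" and opts.get("unix_primary_group", "no").lower() != "yes":
            findings.append(f"{dom}: unix_primary_group is not 'yes'")
    doms = sorted(ranges)
    for i, a in enumerate(doms):
        for b in doms[i + 1:]:
            if ranges[a][0] <= ranges[b][1] and ranges[b][0] <= ranges[a][1]:
                findings.append(f"{a} and {b}: ID ranges overlap")
    return findings
```

Calling `lint_idmap(SAMPLE)` returns three findings for the config as originally posted; per idmap_ad(8), `unix_primary_group = yes` makes winbind take the primary group from the user's `gidNumber` attribute instead of `primaryGroupID`.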