[Samba] winbind behavior question

d tbsky tbskyd at gmail.com
Mon Jul 23 06:48:00 UTC 2018


2018-07-22 17:44 GMT+08:00 d tbsky <tbskyd at gmail.com>:
> 2018-07-19 23:59 GMT+08:00 Rowland Penny via samba <samba at lists.samba.org>:
>>
>> Please see inline comments.
>>
>> On Thu, 19 Jul 2018 23:44:48 +0800
>> d tbsky <tbskyd at gmail.com> wrote:
>>
>>>   Thanks a lot for the quick help. I remember in the old days it happened
>>> sometimes, but after upgrading RHEL 7.5 (from samba 4.6.x to 4.7.1) and
>>> samba DC 4.7/4.8 it now happens every time.
>>> Below is the smb.conf configuration from the member server:
>>>
>>> [global]
>>>    workgroup = SAMDOM
>>>    netbios name = backup
>>>    realm = AD.SAMDOM.EXAMPLE.COM
>>>    security = ads
>>>
>>>    idmap backend = tdb
>>
>> Remove the above line
>>
>>>    idmap config *:backend = tdb
>>>    idmap config *:range = 1000000-1999999
>>>
>>>    idmap config SAMDOM:backend = ad
>>>    idmap config SAMDOM:default = yes
>>
>> You do not need the above line.
>>
>>>    idmap config SAMDOM:range = 1000-999999
>>>    idmap config SAMDOM:schema_mode = rfc2307
>>>
>>>    winbind enum users = yes
>>>    winbind enum groups = yes
>>>    winbind nested groups = no
>>>    winbind use default domain = yes
>>>    winbind offline logon = no
>>
>> You do not need the above line.
>>
>> I know you said in your other email that you are using samba-tool to
>> create the users, but how? Please provide an example.
>>
>
> Hi:
>     Sorry for the late reply. I was busy downgrading/upgrading the samba
> versions of the DC and member servers, trying to tune the configuration and
> watch the log. Today I gave up on the RHEL samba 4.6.x and 4.7.1 rpms and
> recompiled samba for the member servers myself. Both 4.7.1 and 4.7.8 are
> working fine.
>
>    So there are some problems with recent RHEL samba packages,
> although they worked fine years ago. Maybe MIT Kerberos or some other
> issue I don't know (is a samba file server without AD DC also affected by
> the Kerberos type?). I will try to report it to the Red Hat Bugzilla.
>
>   Thanks a lot for your help!

Hi:
   After more testing, my previous conclusion is wrong. It's not a RHEL
package problem, but a samba bug/feature. I have tried samba 4.7.1 and
4.7.8.
With the configuration below (which is a new config option after samba
4.6), everything is fine. Without the configuration, samba
4.6/4.7 seems unable to find the primary group ID, although they are already
set and show correctly if the user tries to authenticate.

   idmap config SAMDOM:unix_primary_group = yes
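
The three idmap points raised in this thread can be checked mechanically on a member server's smb.conf. The following is an added example, not part of the original post and not Samba code; the function names are hypothetical, and the sample configuration is the relevant part of the one posted above.

```python
import re

# [global] section as posted in this thread (member server), idmap-relevant lines only.
POSTED = """
[global]
   workgroup = SAMDOM
   security = ads
   idmap backend = tdb
   idmap config *:backend = tdb
   idmap config *:range = 1000000-1999999
   idmap config SAMDOM:backend = ad
   idmap config SAMDOM:default = yes
   idmap config SAMDOM:range = 1000-999999
   idmap config SAMDOM:schema_mode = rfc2307
"""

def parse_global(text):
    """Return {parameter: value} for [global]; names lower-cased, spaces collapsed."""
    params, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue  # skip blank lines and comments
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            section = m.group(1).strip().lower()
        elif section == "global" and "=" in line:
            key, value = line.split("=", 1)
            params[" ".join(key.lower().split())] = value.strip()
    return params

def check_idmap(text):
    """Return a list of findings for the idmap points discussed in the thread."""
    params, findings, domains = parse_global(text), [], {}
    for key, value in params.items():
        m = re.fullmatch(r"idmap config (\S+?)\s*:\s*(\S+)", key)
        if m:  # group per-domain options: {"SAMDOM": {"backend": "ad", ...}}
            domains.setdefault(m.group(1).upper(), {})[m.group(2)] = value.lower()
    if "idmap backend" in params:  # first inline comment: "Remove the above line"
        findings.append("remove 'idmap backend'")
    for dom, opts in domains.items():
        if "default" in opts:  # second inline comment: line not needed
            findings.append(f"{dom}: 'default' not needed")
        # Poster's finding: with the ad backend, the primary group was only
        # resolved once unix_primary_group = yes was set.
        if opts.get("backend") == "ad" and \
                opts.get("unix_primary_group") not in ("yes", "true", "1"):
            findings.append(f"{dom}: ad backend without unix_primary_group = yes")
    return findings
```

After changing smb.conf, the result can be confirmed on the member server by comparing the primary group reported for a domain user by `id` or `getent passwd` with the `gidNumber` set in AD.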


