[Samba] winbind behavior question

Rowland Penny rpenny at samba.org
Mon Jul 23 08:04:19 UTC 2018


On Mon, 23 Jul 2018 14:48:00 +0800
d tbsky <tbskyd at gmail.com> wrote:

> 2018-07-22 17:44 GMT+08:00 d tbsky <tbskyd at gmail.com>:
> > 2018-07-19 23:59 GMT+08:00 Rowland Penny via samba
> > <samba at lists.samba.org>:
> >>
> >> Please see inline comments.
> >>
> >> On Thu, 19 Jul 2018 23:44:48 +0800
> >> d tbsky <tbskyd at gmail.com> wrote:
> >>
> >>>   Thanks a lot for the quick help. I remember in the old days it
> >>> happened sometimes, but after upgrading to RHEL 7.5 (from samba
> >>> 4.6.x to 4.7.1) and samba DC 4.7/4.8 it now happens every time.
> >>> Below is the smb.conf configuration from the member server.
> >>>
> >>> [global]
> >>>    workgroup = SAMDOM
> >>>    netbios name = backup
> >>>    realm = AD.SAMDOM.EXAMPLE.COM
> >>>    security = ads
> >>>
> >>>    idmap backend = tdb
> >>
> >> Remove the above line
> >>
> >>>    idmap config *:backend = tdb
> >>>    idmap config *:range = 1000000-1999999
> >>>
> >>>    idmap config SAMDOM:backend = ad
> >>>    idmap config SAMDOM:default = yes
> >>
> >> You do not need the above line.
> >>
> >>>    idmap config SAMDOM:range = 1000-999999
> >>>    idmap config SAMDOM:schema_mode = rfc2307
> >>>
> >>>    winbind enum users = yes
> >>>    winbind enum groups = yes
> >>>    winbind nested groups = no
> >>>    winbind use default domain = yes
> >>>    winbind offline logon = no
> >>
> >> You do not need the above line.
> >>
> >> I know you said in your other email that you are using samba-tool
> >> to create the users, but how, please provide an example.
> >>
> >
> > Hi:
> >     Sorry for the late reply. I was busy downgrading/upgrading samba
> > versions on the DC and member servers, trying to tune the configuration
> > and watch the log. Today I gave up on the RHEL samba 4.6.x and 4.7.1
> > rpms and recompiled samba for the member servers myself. Both 4.7.1 and
> > 4.7.8 are working fine.
> >
> >    So there are some problems with recent RHEL samba packages,
> > although they worked fine years ago. Maybe MIT Kerberos or some other
> > issue, I don't know (is a samba file server without an AD DC also
> > affected by the Kerberos type?). I will try to report it to the RedHat
> > bugzilla.
> >
> >   thanks a lot for your help!
> 
> Hi:
>    After more testing, my previous conclusion is wrong. It's not an RHEL
> package problem, but a samba bug/feature. I have tried samba 4.7.1 and
> 4.7.8.
> With the configuration below (which is a new config option after samba
> 4.6), everything is fine. Without the configuration, samba 4.6/4.7
> seems unable to find the primary group id, although it is already set
> and shows correctly if the user tries to authenticate.
> 
>    idmap config SAMDOM:unix_primary_group = yes

That isn't a bug, it is a feature ;-)
Before 4.6.0 everyone got 'Domain Users' as their primary Unix group,
but from 4.6.0, you can give users a gidNumber attribute and, with the
line above, this will be used for the user's primary Unix group.
Whatever gidNumber is used, this must point to a group i.e. the group
must have the same gidNumber.
If the line doesn't exist, it falls back to using Domain Users, so
Domain Users must have a gidNumber.

Rowland
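The member-server smb.conf that results from applying the three removals in Rowland's inline comments plus the unix_primary_group line from the follow-up, written out here as an added example (it is not the poster's actual file and not Samba project documentation). The workgroup, realm, netbios name and idmap ranges are the ones quoted in the thread; the comments restate the gidNumber requirements from the reply above.

```ini
[global]
   workgroup = SAMDOM
   netbios name = backup
   realm = AD.SAMDOM.EXAMPLE.COM
   security = ads

   # Catch-all backend for SIDs from domains that have no idmap config of
   # their own (e.g. BUILTIN). The bare 'idmap backend = tdb' line from the
   # original config was removed; the '*' domain below is the supported form.
   idmap config *:backend = tdb
   idmap config *:range = 1000000-1999999

   # SAMDOM users and groups take uidNumber/gidNumber from AD (rfc2307).
   # 'idmap config SAMDOM:default = yes' was removed as unnecessary.
   idmap config SAMDOM:backend = ad
   idmap config SAMDOM:range = 1000-999999
   idmap config SAMDOM:schema_mode = rfc2307

   # Available from 4.6.0: use the user's own gidNumber as the primary Unix
   # group. Every gidNumber referenced this way must belong to a group that
   # carries the same gidNumber. Without this line winbind falls back to
   # Domain Users, which then must have a gidNumber itself.
   idmap config SAMDOM:unix_primary_group = yes

   winbind enum users = yes
   winbind enum groups = yes
   winbind nested groups = no
   winbind use default domain = yes
   # 'winbind offline logon = no' was removed as unnecessary.
```

After restarting winbind, `wbinfo -i <user>` and `getent passwd <user>` should show the gid you set in AD, and `getent group <gid>` should resolve that number to the group carrying the same gidNumber; if the last command returns nothing, the user's gidNumber does not point to a group and the primary group cannot be resolved.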


