[Samba] winbind behavior question

d tbsky tbskyd at gmail.com
Mon Jul 23 08:46:50 UTC 2018


2018-07-23 16:04 GMT+08:00 Rowland Penny via samba <samba at lists.samba.org>:
> On Mon, 23 Jul 2018 14:48:00 +0800
> d tbsky <tbskyd at gmail.com> wrote:
>
>> 2018-07-22 17:44 GMT+08:00 d tbsky <tbskyd at gmail.com>:
>> > 2018-07-19 23:59 GMT+08:00 Rowland Penny via samba
>> > <samba at lists.samba.org>:
>> >>
>> >> Please see inline comments.
>> >>
>> >> On Thu, 19 Jul 2018 23:44:48 +0800
>> >> d tbsky <tbskyd at gmail.com> wrote:
>> >>
>> >>>   Thanks a lot for the quick help. I remember that in the old days it
>> >>> happened sometimes, but after upgrading to RHEL 7.5 (from Samba 4.6.x
>> >>> to 4.7.1) and Samba DC 4.7/4.8 it now happens every time.
>> >>> Below is the smb.conf configuration from the member server:
>> >>>
>> >>> [global]
>> >>>    workgroup = SAMDOM
>> >>>    netbios name = backup
>> >>>    realm = AD.SAMDOM.EXAMPLE.COM
>> >>>    security = ads
>> >>>
>> >>>    idmap backend = tdb
>> >>
>> >> Remove the above line
>> >>
>> >>>    idmap config *:backend = tdb
>> >>>    idmap config *:range = 1000000-1999999
>> >>>
>> >>>    idmap config SAMDOM:backend = ad
>> >>>    idmap config SAMDOM:default = yes
>> >>
>> >> You do not need the above line.
>> >>
>> >>>    idmap config SAMDOM:range = 1000-999999
>> >>>    idmap config SAMDOM:schema_mode = rfc2307
>> >>>
>> >>>    winbind enum users = yes
>> >>>    winbind enum groups = yes
>> >>>    winbind nested groups = no
>> >>>    winbind use default domain = yes
>> >>>    winbind offline logon = no
>> >>
>> >> You do not need the above line.
>> >>
>> >> I know you said in your other email that you are using samba-tool
>> >> to create the users, but how? Please provide an example.
>> >>
>> >
>> > Hi:
>> >     Sorry for the late reply. I was busy downgrading/upgrading the Samba
>> > versions of the DC and member servers, trying to tune the configuration and
>> > watching the log. Today I gave up on the RHEL Samba 4.6.x and 4.7.1 rpms and
>> > recompiled Samba for the member servers myself. Both 4.7.1 and 4.7.8 are
>> > working fine.
>> >
>> >    So there are some problems with recent RHEL Samba packages,
>> > although they worked fine years ago. Maybe it is MIT Kerberos or some other
>> > issue I don't know about (is a Samba file server without AD DC also affected
>> > by the Kerberos type?). I will try to report it to the Red Hat Bugzilla.
>> >
>> >   thanks a lot for your help!
>>
>> Hi:
>>    After more testing, my previous conclusion was wrong. It's not a RHEL
>> package problem, but a Samba bug/feature. I have tried Samba 4.7.1 and
>> 4.7.8.
>> With the configuration below (which is a new config option after Samba
>> 4.6), everything is fine. Without the configuration, Samba
>> 4.6/4.7 seems unable to find the primary group ID, although they are already
>> set and show correctly if the user tries to authenticate.
>>
>>    idmap config SAMDOM:unix_primary_group = yes
>
> That isn't a bug, it is a feature ;-)
> Before 4.6.0 everyone got 'Domain Users' as their primary Unix group,
> but from 4.6.0, you can give users a gidNumber attribute and, with the
> line above, this will be used for the user's primary Unix group.
> Whatever gidNumber is used, this must point to a group, i.e. the group
> must have the same gidNumber.
> If the line doesn't exist, it falls back to using Domain Users, so
> Domain Users must have a gidNumber.
>
> Rowland

Hi:
    Yes, I like this feature and from now on I will use this feature.
But unfortunately the fallback (default setting) is not working.
I think it is a bug because "idmap config SAMDOM:unix_primary_group = no"
is not working as expected, although I will never use that again.
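
The primary-group rules Rowland describes in the quoted reply, as an added example that is not part of the original message and is not Samba's code: a simplified Python model that reads the SAMDOM idmap options and reports which users would be left without a resolvable primary Unix group. The user and group records are constructed, the function names are hypothetical, and the range check assumes idmap_ad's documented behaviour of ignoring IDs outside the configured range.

```python
# Added example: models the rules described in the thread; not Samba's code.
CONF = """\
idmap config SAMDOM:backend = ad
idmap config SAMDOM:range = 1000-999999
idmap config SAMDOM:schema_mode = rfc2307
idmap config SAMDOM:unix_primary_group = yes
"""
# Constructed directory data (hypothetical users and groups).
USERS = {"alice": {"gidNumber": 10001}, "bob": {}, "carol": {"gidNumber": 2500000}}
GROUPS = {"Domain Users": {}, "staff": {"gidNumber": 10001}}


def parse_idmap(conf_text, domain):
    """Collect 'idmap config DOMAIN:key = value' options from smb.conf text."""
    prefix = f"idmap config {domain}:".lower()
    opts = {}
    for line in conf_text.splitlines():
        line = line.strip()
        if line.lower().startswith(prefix) and "=" in line:
            key, value = line[len(prefix):].split("=", 1)
            opts[key.strip().lower()] = value.strip()
    return opts


def primary_group_problems(opts, users, groups):
    """Return {user: reason} for users whose primary group cannot be resolved."""
    low, high = (int(x) for x in opts["range"].split("-"))
    # unix_primary_group defaults to "no": fall back to Domain Users.
    per_user = opts.get("unix_primary_group", "no").lower() in ("yes", "true", "1")
    known = {g["gidNumber"] for g in groups.values() if "gidNumber" in g}
    fallback = groups.get("Domain Users", {}).get("gidNumber")
    problems = {}
    for name, user in users.items():
        gid = user.get("gidNumber") if per_user else fallback
        source = "user gidNumber" if per_user else "Domain Users gidNumber"
        if gid is None:
            problems[name] = f"{source} is not set"
        elif not low <= gid <= high:
            problems[name] = f"{source} {gid} is outside range {low}-{high}"
        elif gid not in known:
            problems[name] = f"no group has gidNumber {gid}"
    return problems


if __name__ == "__main__":
    opts = parse_idmap(CONF, "SAMDOM")
    for user, reason in primary_group_problems(opts, USERS, GROUPS).items():
        print(f"{user}: {reason}")
```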


