[Samba] Odd default group behaviour.

[Rowland Penny]

On Tue, 13 Mar 2018 12:13:32 -0600
Jeff Sadowski via samba <samba at lists.samba.org> wrote:

> My smb.conf file looks like so
> 
> [global]
>    security = ads
>    realm = MIND.UNM.EDU
>    workgroup = MIND
>    idmap config * : backend = tdb
>    idmap config * : range = 2000-7999
>    idmap config MIND:backend = ad
>    idmap config MIND:schema_mode = rfc2307
>    idmap config MIND:range = 8000-9999999
>    # added because 4.6+ no longer understands 
>    # winbind nss info = rfc2307 
>    idmap config MIND:unix_nss_info = yes
>    # left because 4.5- don’t understand 
>    # idmap config MIND:unix_nss_info = yes 
>    winbind nss info = rfc2307

OK, what version Samba are using on the Unix domain member ?
If you are using 4.6 (or later), remove the 'winbind nss info' line.
If you are still using 4.5, then remove the 'idmap config
MIND:unix_info' line.
 
>    winbind use default domain = yes
>    # so that the users show up in getent
>    winbind enum users = yes
>    # so that the groups show up in getent
>    winbind enum groups = yes

You do not need the the two 'winbind enum' lines to gete 'getent' to
work, 'getent passwd username' & 'getent group groupname' will work
without them.

>    restrict anonymous = 2
>    #added the following 2 for the Badlock updates that change the
> defaults #to no longer work with my domain controllers
>    ldap server require strong auth = no
>    client ldap sasl wrapping = plain
>    kerberos method = secrets and keytab

If you had to add the above lines after the Badlock updates, don't you
think it is about time you fixed your DCs, it will be more secure. I
also cannot see the reason for adding them, the first line only
makes sense on a DC, the second turns off 'sign & seal' and the third
only makes Kerberos look in /etc/krb5.keytab.
 
Rowland