[Samba] Odd default group behaviour.

Jeff Sadowski jeff.sadowski at gmail.com
Tue Mar 13 21:57:35 UTC 2018 

On Tue, Mar 13, 2018 at 12:54 PM, Rowland Penny via samba
<samba at lists.samba.org> wrote:
> On Tue, 13 Mar 2018 12:13:32 -0600
> Jeff Sadowski via samba <samba at lists.samba.org> wrote:
>
>> My smb.conf file looks like so
>>
>> [global]
>>    security = ads
>>    realm = MIND.UNM.EDU
>>    workgroup = MIND
>>    idmap config * : backend = tdb
>>    idmap config * : range = 2000-7999
>>    idmap config MIND:backend = ad
>>    idmap config MIND:schema_mode = rfc2307
>>    idmap config MIND:range = 8000-9999999
>>    # added because 4.6+ no longer understands
>>    # winbind nss info = rfc2307
>>    idmap config MIND:unix_nss_info = yes
>>    # left because 4.5- don’t understand
>>    # idmap config MIND:unix_nss_info = yes
>>    winbind nss info = rfc2307
>
> OK, what version Samba are using on the Unix domain member ?
> If you are using 4.6 (or later), remove the 'winbind nss info' line.
> If you are still using 4.5, then remove the 'idmap config
> MIND:unix_info' line.
>
I use both This config file is used across ubuntu 16.04 which has  4.3.11
And I am using Fedora 27 which has 4.7.5
I thought I could leave them both uncommented for both as they should
throw out what they don't understand is that not correct?

>>    winbind use default domain = yes
>>    # so that the users show up in getent
>>    winbind enum users = yes
>>    # so that the groups show up in getent
>>    winbind enum groups = yes
>
> You do not need the the two 'winbind enum' lines to gete 'getent' to
> work, 'getent passwd username' & 'getent group groupname' will work
> without them.
>
I commented out both enums
Seems to work on my Fedora I'll try on ubuntu latter I could have
sworn this was why I added them.

>>    restrict anonymous = 2
>>    #added the following 2 for the Badlock updates that change the
>> defaults #to no longer work with my domain controllers
>>    ldap server require strong auth = no
>>    client ldap sasl wrapping = plain
>>    kerberos method = secrets and keytab
>
> If you had to add the above lines after the Badlock updates, don't you
> think it is about time you fixed your DCs, it will be more secure. I
> also cannot see the reason for adding them, the first line only
> makes sense on a DC, the second turns off 'sign & seal' and the third
> only makes Kerberos look in /etc/krb5.keytab.
>
I'm not sure how to fix my DCs It may have been fixed with updates.
Also if I do fix it I don't know if it will break my Network storage
and how to roll back if it does.

I commented out "ldap server require strong auth = no", "client ldap
sasl wrapping = plain" and "kerberos method = secrets and keytab"
and restarted the winbind service in Fedora and it still works. I can
still ssh as a domain user and type a password. I will try in ubuntu
later.

Does that mean my domain is fixed?

I still am not getting the correct group for my dstephenson user.
With "id dstephenson" or "getent passwd dstephenson"

With all those changes nothing seems to have changed.

> Rowland
>
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba

More information about the samba mailing list