[Samba] Odd default group behaviour.
jeff.sadowski at gmail.com
Tue Mar 13 21:57:35 UTC 2018
On Tue, Mar 13, 2018 at 12:54 PM, Rowland Penny via samba
<samba at lists.samba.org> wrote:
> On Tue, 13 Mar 2018 12:13:32 -0600
> Jeff Sadowski via samba <samba at lists.samba.org> wrote:
>> My smb.conf file looks like so
>> security = ads
>> realm = MIND.UNM.EDU
>> workgroup = MIND
>> idmap config * : backend = tdb
>> idmap config * : range = 2000-7999
>> idmap config MIND:backend = ad
>> idmap config MIND:schema_mode = rfc2307
>> idmap config MIND:range = 8000-9999999
>> # added because 4.6+ no longer understands
>> # winbind nss info = rfc2307
>> idmap config MIND:unix_nss_info = yes
>> # left because 4.5- don’t understand
>> # idmap config MIND:unix_nss_info = yes
>> winbind nss info = rfc2307
> OK, what version of Samba are you using on the Unix domain member?
> If you are using 4.6 (or later), remove the 'winbind nss info' line.
> If you are still using 4.5, then remove the 'idmap config
> MIND:unix_info' line.
I use both. This config file is used across Ubuntu 16.04, which has 4.3.11,
and I am using Fedora 27, which has 4.7.5.
I thought I could leave them both uncommented for both, as they should
throw out what they don't understand. Is that not correct?
>> winbind use default domain = yes
>> # so that the users show up in getent
>> winbind enum users = yes
>> # so that the groups show up in getent
>> winbind enum groups = yes
> You do not need the two 'winbind enum' lines to get 'getent' to
> work; 'getent passwd username' & 'getent group groupname' will work
> without them.
I commented out both enums.
Seems to work on my Fedora. I'll try on Ubuntu later; I could have
sworn this was why I added them.
>> restrict anonymous = 2
>> #added the following 2 for the Badlock updates that change the defaults
>> #to no longer work with my domain controllers
>> ldap server require strong auth = no
>> client ldap sasl wrapping = plain
>> kerberos method = secrets and keytab
> If you had to add the above lines after the Badlock updates, don't you
> think it is about time you fixed your DCs? It will be more secure. I
> also cannot see the reason for adding them: the first line only
> makes sense on a DC, the second turns off 'sign & seal' and the third
> only makes Kerberos look in /etc/krb5.keytab.
I'm not sure how to fix my DCs. It may have been fixed with updates.
Also, if I do fix it, I don't know if it will break my network storage
or how to roll back if it does.
I commented out "ldap server require strong auth = no", "client ldap
sasl wrapping = plain" and "kerberos method = secrets and keytab"
and restarted the winbind service in Fedora, and it still works. I can
still ssh as a domain user and type a password. I will try in Ubuntu.
Does that mean my domain is fixed?
I still am not getting the correct group for my dstephenson user
with "id dstephenson" or "getent passwd dstephenson".
With all those changes nothing seems to have changed.
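An added example, not from the thread or from Samba itself: a small POSIX shell helper that picks the rfc2307 option a given Samba version understands (as the thread describes it: 'winbind nss info' before 4.6, 'idmap config DOMAIN:unix_nss_info' from 4.6 on) and audits an smb.conf for the two Badlock-era workarounds that switch off LDAP sign/seal and strong auth. The sample config below is constructed, not the poster's real file.

```shell
#!/bin/sh
# Added example, not from the thread: choose the rfc2307 NSS option that the
# running Samba understands and audit an smb.conf for the two Badlock-era
# workarounds discussed above. Pure text processing; needs no Samba install.

# Print the option that makes winbind read rfc2307 attributes (uidNumber,
# gidNumber, ...) for the given Samba version string and idmap domain name.
# Per the thread: 'winbind nss info' before 4.6, 'unix_nss_info' from 4.6 on.
nss_info_line() {
    ver=$1
    dom=$2
    major=${ver%%.*}
    rest=${ver#*.}
    minor=${rest%%.*}
    if [ "$major" -gt 4 ] || { [ "$major" -eq 4 ] && [ "$minor" -ge 6 ]; }; then
        printf 'idmap config %s:unix_nss_info = yes\n' "$dom"
    else
        printf 'winbind nss info = rfc2307\n'
    fi
}

# Read smb.conf text on stdin; print, normalised to 'key=value', each active
# setting that disables LDAP sign/seal or strong auth. Commented lines
# ('#' or ';') are skipped, so a setting left commented out is not reported.
weak_ldap_settings() {
    sed -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' -e '/^[#;]/d' \
        -e 's/[[:space:]]\{1,\}/ /g' -e 's/ *= */=/' |
    tr 'A-Z' 'a-z' |
    grep -E '^(client ldap sasl wrapping=plain|ldap server require strong auth=no)$'
}

# Constructed sample resembling the poster's config (not their actual file).
SAMPLE_CONF='[global]
   security = ads
   realm = MIND.UNM.EDU
   idmap config MIND:backend = ad
   idmap config MIND:schema_mode = rfc2307
   # ldap server require strong auth = no
   client ldap sasl wrapping = plain
   kerberos method = secrets and keytab'

echo "Samba 4.3.11 needs: $(nss_info_line 4.3.11 MIND)"
echo "Samba 4.7.5 needs:  $(nss_info_line 4.7.5 MIND)"
echo "Settings that weaken LDAP security in the sample config:"
printf '%s\n' "$SAMPLE_CONF" | weak_ldap_settings
```

Run it against a real file with `weak_ldap_settings < /etc/samba/smb.conf`; an empty result means neither workaround is still active.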