[Samba] Odd default group behaviour.

Jeff Sadowski jeff.sadowski at gmail.com
Tue Mar 13 22:05:53 UTC 2018 

On Tue, Mar 13, 2018 at 4:03 PM, Rowland Penny via samba
<samba at lists.samba.org> wrote:
> On Tue, 13 Mar 2018 15:57:35 -0600
> Jeff Sadowski <jeff.sadowski at gmail.com> wrote:
>
>> On Tue, Mar 13, 2018 at 12:54 PM, Rowland Penny via samba
>> <samba at lists.samba.org> wrote:
>> > On Tue, 13 Mar 2018 12:13:32 -0600
>> > Jeff Sadowski via samba <samba at lists.samba.org> wrote:
>> >
>> >> My smb.conf file looks like so
>> >>
>> >> [global]
>> >>    security = ads
>> >>    realm = MIND.UNM.EDU
>> >>    workgroup = MIND
>> >>    idmap config * : backend = tdb
>> >>    idmap config * : range = 2000-7999
>> >>    idmap config MIND:backend = ad
>> >>    idmap config MIND:schema_mode = rfc2307
>> >>    idmap config MIND:range = 8000-9999999
>> >>    # added because 4.6+ no longer understands
>> >>    # winbind nss info = rfc2307
>> >>    idmap config MIND:unix_nss_info = yes
>> >>    # left because 4.5- don’t understand
>> >>    # idmap config MIND:unix_nss_info = yes
>> >>    winbind nss info = rfc2307
>> >
>> > OK, what version Samba are using on the Unix domain member ?
>> > If you are using 4.6 (or later), remove the 'winbind nss info' line.
>> > If you are still using 4.5, then remove the 'idmap config
>> > MIND:unix_info' line.
>> >
>> I use both This config file is used across ubuntu 16.04 which has
>> 4.3.11 And I am using Fedora 27 which has 4.7.5
>> I thought I could leave them both uncommented for both as they should
>> throw out what they don't understand is that not correct?
>
> No, you should use one or the other (depending on the Samba version),
> you cannot use both.
>
>> >>    restrict anonymous = 2
>> >>    #added the following 2 for the Badlock updates that change the
>> >> defaults #to no longer work with my domain controllers
>> >>    ldap server require strong auth = no
>> >>    client ldap sasl wrapping = plain
>> >>    kerberos method = secrets and keytab
>> >
>> > If you had to add the above lines after the Badlock updates, don't
>> > you think it is about time you fixed your DCs, it will be more
>> > secure. I also cannot see the reason for adding them, the first
>> > line only makes sense on a DC, the second turns off 'sign & seal'
>> > and the third only makes Kerberos look in /etc/krb5.keytab.
>> >
>> I'm not sure how to fix my DCs It may have been fixed with updates.
>> Also if I do fix it I don't know if it will break my Network storage
>> and how to roll back if it does.
>>
>> I commented out "ldap server require strong auth = no", "client ldap
>> sasl wrapping = plain" and "kerberos method = secrets and keytab"
>> and restarted the winbind service in Fedora and it still works. I can
>> still ssh as a domain user and type a password. I will try in ubuntu
>> later.
>>
>> Does that mean my domain is fixed?
>
> Probably
>
>>
>> I still am not getting the correct group for my dstephenson user.
>> With "id dstephenson" or "getent passwd dstephenson"
>>
>> With all those changes nothing seems to have changed.
>
> Have you run 'net cache flush' ?
>
Yeah that was in my script above

> Rowland
>
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba

More information about the samba mailing list