[Samba] Odd default group behaviour.
Jeff Sadowski
jeff.sadowski at gmail.com
Tue Mar 13 23:31:14 UTC 2018
On Tue, Mar 13, 2018 at 4:12 PM, Rowland Penny via samba
<samba at lists.samba.org> wrote:
> On Tue, 13 Mar 2018 16:05:53 -0600
> Jeff Sadowski <jeff.sadowski at gmail.com> wrote:
>
>> On Tue, Mar 13, 2018 at 4:03 PM, Rowland Penny via samba
>> <samba at lists.samba.org> wrote:
>> > On Tue, 13 Mar 2018 15:57:35 -0600
>> > Jeff Sadowski <jeff.sadowski at gmail.com> wrote:
>> >
>> >> On Tue, Mar 13, 2018 at 12:54 PM, Rowland Penny via samba
>> >> <samba at lists.samba.org> wrote:
>> >> > On Tue, 13 Mar 2018 12:13:32 -0600
>> >> > Jeff Sadowski via samba <samba at lists.samba.org> wrote:
>> >> >
>> >> >> My smb.conf file looks like so
>> >> >>
>> >> >> [global]
>> >> >> security = ads
>> >> >> realm = MIND.UNM.EDU
>> >> >> workgroup = MIND
>> >> >> idmap config * : backend = tdb
>> >> >> idmap config * : range = 2000-7999
>> >> >> idmap config MIND:backend = ad
>> >> >> idmap config MIND:schema_mode = rfc2307
>> >> >> idmap config MIND:range = 8000-9999999
>> >> >> # added because 4.6+ no longer understands
>> >> >> # winbind nss info = rfc2307
>> >> >> idmap config MIND:unix_nss_info = yes
>> >> >> # left because 4.5- don’t understand
>> >> >> # idmap config MIND:unix_nss_info = yes
>> >> >> winbind nss info = rfc2307
>> >> >
>> >> > OK, what version Samba are using on the Unix domain member ?
>> >> > If you are using 4.6 (or later), remove the 'winbind nss info'
>> >> > line. If you are still using 4.5, then remove the 'idmap config
>> >> > MIND:unix_info' line.
>> >> >
>> >> I use both This config file is used across ubuntu 16.04 which has
>> >> 4.3.11 And I am using Fedora 27 which has 4.7.5
>> >> I thought I could leave them both uncommented for both as they
>> >> should throw out what they don't understand is that not correct?
>> >
>> > No, you should use one or the other (depending on the Samba
>> > version), you cannot use both.
>> >
>> >> >> restrict anonymous = 2
>> >> >> #added the following 2 for the Badlock updates that change
>> >> >> the defaults #to no longer work with my domain controllers
>> >> >> ldap server require strong auth = no
>> >> >> client ldap sasl wrapping = plain
>> >> >> kerberos method = secrets and keytab
>> >> >
>> >> > If you had to add the above lines after the Badlock updates,
>> >> > don't you think it is about time you fixed your DCs, it will be
>> >> > more secure. I also cannot see the reason for adding them, the
>> >> > first line only makes sense on a DC, the second turns off 'sign
>> >> > & seal' and the third only makes Kerberos look
>> >> > in /etc/krb5.keytab.
>> >> >
>> >> I'm not sure how to fix my DCs It may have been fixed with updates.
>> >> Also if I do fix it I don't know if it will break my Network
>> >> storage and how to roll back if it does.
>> >>
>> >> I commented out "ldap server require strong auth = no", "client
>> >> ldap sasl wrapping = plain" and "kerberos method = secrets and
>> >> keytab" and restarted the winbind service in Fedora and it still
>> >> works. I can still ssh as a domain user and type a password. I
>> >> will try in ubuntu later.
>> >>
>> >> Does that mean my domain is fixed?
>> >
>> > Probably
>> >
>> >>
>> >> I still am not getting the correct group for my dstephenson user.
>> >> With "id dstephenson" or "getent passwd dstephenson"
>> >>
>> >> With all those changes nothing seems to have changed.
>> >
>> > Have you run 'net cache flush' ?
>> >
>> Yeah that was in my script above
>
> Has your user logged in ? There were winbind changes in 4.6.0 that
> meant that you get 'Domain Users as the primary group if the user
> hasn't logged in, more info here:
>
> https://wiki.samba.org/index.php/Samba_4.6_Features_added/changed#winbind_changes
>
> Rowland
>
No and likely will not on that system. I will try with a test user
that is also not reporting correctly.
>
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba
More information about the samba
mailing list