[Samba] Odd default group behaviour.

Jeff Sadowski jeff.sadowski at gmail.com
Wed Mar 14 01:30:27 UTC 2018


On Tue, Mar 13, 2018 at 5:31 PM, Jeff Sadowski <jeff.sadowski at gmail.com> wrote:
> On Tue, Mar 13, 2018 at 4:12 PM, Rowland Penny via samba
> <samba at lists.samba.org> wrote:
>> On Tue, 13 Mar 2018 16:05:53 -0600
>> Jeff Sadowski <jeff.sadowski at gmail.com> wrote:
>>
>>> On Tue, Mar 13, 2018 at 4:03 PM, Rowland Penny via samba
>>> <samba at lists.samba.org> wrote:
>>> > On Tue, 13 Mar 2018 15:57:35 -0600
>>> > Jeff Sadowski <jeff.sadowski at gmail.com> wrote:
>>> >
>>> >> On Tue, Mar 13, 2018 at 12:54 PM, Rowland Penny via samba
>>> >> <samba at lists.samba.org> wrote:
>>> >> > On Tue, 13 Mar 2018 12:13:32 -0600
>>> >> > Jeff Sadowski via samba <samba at lists.samba.org> wrote:
>>> >> >
>>> >> >> My smb.conf file looks like so
>>> >> >>
>>> >> >> [global]
>>> >> >>    security = ads
>>> >> >>    realm = MIND.UNM.EDU
>>> >> >>    workgroup = MIND
>>> >> >>    idmap config * : backend = tdb
>>> >> >>    idmap config * : range = 2000-7999
>>> >> >>    idmap config MIND:backend = ad
>>> >> >>    idmap config MIND:schema_mode = rfc2307
>>> >> >>    idmap config MIND:range = 8000-9999999
>>> >> >>    # added because 4.6+ no longer understands
>>> >> >>    # winbind nss info = rfc2307
>>> >> >>    idmap config MIND:unix_nss_info = yes
>>> >> >>    # left because 4.5- don’t understand
>>> >> >>    # idmap config MIND:unix_nss_info = yes
>>> >> >>    winbind nss info = rfc2307
>>> >> >
>>> >> > OK, what version of Samba are you using on the Unix domain member?
>>> >> > If you are using 4.6 (or later), remove the 'winbind nss info'
>>> >> > line. If you are still using 4.5, then remove the 'idmap config
>>> >> > MIND:unix_info' line.
>>> >> >
>>> >> I use both. This config file is used across Ubuntu 16.04, which has
>>> >> 4.3.11, and I am using Fedora 27, which has 4.7.5.
>>> >> I thought I could leave them both uncommented for both, as they
>>> >> should throw out what they don't understand. Is that not correct?
>>> >
>>> > No, you should use one or the other (depending on the Samba
>>> > version), you cannot use both.
>>> >
>>> >> >>    restrict anonymous = 2
>>> >> >>    #added the following 2 for the Badlock updates that change
>>> >> >> the defaults #to no longer work with my domain controllers
>>> >> >>    ldap server require strong auth = no
>>> >> >>    client ldap sasl wrapping = plain
>>> >> >>    kerberos method = secrets and keytab
>>> >> >
>>> >> > If you had to add the above lines after the Badlock updates,
>>> >> > don't you think it is about time you fixed your DCs, it will be
>>> >> > more secure. I also cannot see the reason for adding them, the
>>> >> > first line only makes sense on a DC, the second turns off 'sign
>>> >> > & seal' and the third only makes Kerberos look
>>> >> > in /etc/krb5.keytab.
>>> >> >
>>> >> I'm not sure how to fix my DCs. It may have been fixed with updates.
>>> >> Also, if I do fix it, I don't know if it will break my network
>>> >> storage, or how to roll back if it does.
>>> >>
>>> >> I commented out "ldap server require strong auth = no", "client
>>> >> ldap sasl wrapping = plain" and "kerberos method = secrets and
>>> >> keytab" and restarted the winbind service in Fedora and it still
>>> >> works. I can still ssh as a domain user and type a password. I
>>> >> will try in ubuntu later.
>>> >>
>>> >> Does that mean my domain is fixed?
>>> >
>>> > Probably
>>> >
>>> >>
>>> >> I still am not getting the correct group for my dstephenson user.
>>> >> With "id dstephenson" or "getent passwd dstephenson"
>>> >>
>>> >> With all those changes nothing seems to have changed.
>>> >
>>> > Have you run 'net cache flush' ?
>>> >
>>> Yeah, that was in my script above.
>>
>> Has your user logged in? There were winbind changes in 4.6.0 that
>> mean you get 'Domain Users' as the primary group if the user
>> hasn't logged in; more info here:
>>
>> https://wiki.samba.org/index.php/Samba_4.6_Features_added/changed#winbind_changes
>>
>> Rowland
>>
> No, and likely will not on that system. I will try with a test user
> that is also not reporting correctly.
>>

Still not working right.

ldapu is a function I wrote to use ldapsearch.

ldapu jefftest|grep -ie uidnumber -e gidnumber
uidNumber: 11507
gidNumber: 31025

Even logging in as jefftest, I get the following:

jefftest::daddles { ~ }-> id jefftest
uid=11507(jefftest) gid=8513(domain users) groups=8513(domain
users),31025(jeffs_general_group),8918648(vpn_users),8000(staff),8004(research),31036(insightiq)

P.S. The Ubuntu 16.04 machines are showing correctly. (Still need to
mod the smb.conf's for them; I want to try on non-important machines
first.)

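As an added check for the "one or the other" rule Rowland gives above (this script is not from the thread and is not Samba's own tooling): given a smb.conf and a Samba version, it reports which of the two NSS-info lines does not apply to that release. The version threshold is taken from the thread (4.6 switched to `idmap config DOMAIN:unix_nss_info`); the sample smb.conf below is constructed to mirror the one posted, and on a real member you would pass its own smb.conf path and the output of `smbd -V`.

```sh
#!/bin/sh
# Added example: detect the two mutually exclusive NSS-info settings in one smb.conf.
# Samba 4.6+ reads 'idmap config DOMAIN:unix_nss_info'; earlier releases read the
# global 'winbind nss info'. Per the thread, a member should carry only one of them.

# Return 0 if the Samba version in $1 (e.g. "4.7.5") is 4.6 or later, else 1.
samba_at_least_46() {
    major=${1%%.*}
    rest=${1#*.}
    minor=${rest%%.*}
    if [ "$major" -gt 4 ]; then return 0; fi
    [ "$major" -eq 4 ] && [ "$minor" -ge 6 ]
}

# Print (with line numbers) the active smb.conf lines in file $1 that a member
# running Samba version $2 does not understand. Commented-out lines are ignored.
# Prints nothing when the file is consistent with that version.
conflicting_nss_lines() {
    conf=$1; ver=$2
    if samba_at_least_46 "$ver"; then
        # On 4.6+ the old global option is the stray one.
        grep -inE '^[[:space:]]*winbind[[:space:]]+nss[[:space:]]+info[[:space:]]*=' "$conf" || :
    else
        # Before 4.6 the per-domain option is not understood.
        grep -inE '^[[:space:]]*idmap[[:space:]]+config[[:space:]]+[^:]+:[[:space:]]*unix_nss_info[[:space:]]*=' "$conf" || :
    fi
}

# Constructed sample modelled on the thread's smb.conf: both options are active.
SAMPLE_CONF=$(mktemp)
cat > "$SAMPLE_CONF" <<'EOF'
[global]
   security = ads
   realm = MIND.UNM.EDU
   workgroup = MIND
   idmap config * : backend = tdb
   idmap config MIND:backend = ad
   idmap config MIND:unix_nss_info = yes
   # idmap config MIND:unix_nss_info = yes
   winbind nss info = rfc2307
EOF

# Demo run: the line a 4.7.5 member should drop, then the line a 4.3.11 member should drop.
conflicting_nss_lines "$SAMPLE_CONF" 4.7.5
conflicting_nss_lines "$SAMPLE_CONF" 4.3.11
```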
