[Samba] Odd default group behaviour.

Jeff Sadowski jeff.sadowski at gmail.com
Wed Mar 14 13:56:09 UTC 2018


On Wed, Mar 14, 2018 at 7:32 AM, Jeff Sadowski <jeff.sadowski at gmail.com> wrote:
> On Tue, Mar 13, 2018 at 7:30 PM, Jeff Sadowski <jeff.sadowski at gmail.com> wrote:
>> On Tue, Mar 13, 2018 at 5:31 PM, Jeff Sadowski <jeff.sadowski at gmail.com> wrote:
>>> On Tue, Mar 13, 2018 at 4:12 PM, Rowland Penny via samba
>>> <samba at lists.samba.org> wrote:
>>>> On Tue, 13 Mar 2018 16:05:53 -0600
>>>> Jeff Sadowski <jeff.sadowski at gmail.com> wrote:
>>>>
>>>>> On Tue, Mar 13, 2018 at 4:03 PM, Rowland Penny via samba
>>>>> <samba at lists.samba.org> wrote:
>>>>> > On Tue, 13 Mar 2018 15:57:35 -0600
>>>>> > Jeff Sadowski <jeff.sadowski at gmail.com> wrote:
>>>>> >
>>>>> >> On Tue, Mar 13, 2018 at 12:54 PM, Rowland Penny via samba
>>>>> >> <samba at lists.samba.org> wrote:
>>>>> >> > On Tue, 13 Mar 2018 12:13:32 -0600
>>>>> >> > Jeff Sadowski via samba <samba at lists.samba.org> wrote:
>>>>> >> >
>>>>> >> >> My smb.conf file looks like so
>>>>> >> >>
>>>>> >> >> [global]
>>>>> >> >>    security = ads
>>>>> >> >>    realm = MIND.UNM.EDU
>>>>> >> >>    workgroup = MIND
>>>>> >> >>    idmap config * : backend = tdb
>>>>> >> >>    idmap config * : range = 2000-7999
>>>>> >> >>    idmap config MIND:backend = ad
>>>>> >> >>    idmap config MIND:schema_mode = rfc2307
>>>>> >> >>    idmap config MIND:range = 8000-9999999
>>>>> >> >>    # added because 4.6+ no longer understands
>>>>> >> >>    # winbind nss info = rfc2307
>>>>> >> >>    idmap config MIND:unix_nss_info = yes
>>>>> >> >>    # left because 4.5- don’t understand
>>>>> >> >>    # idmap config MIND:unix_nss_info = yes
>>>>> >> >>    winbind nss info = rfc2307
>>>>> >> >
>>>>> >> > OK, what version of Samba are you using on the Unix domain member?
>>>>> >> > If you are using 4.6 (or later), remove the 'winbind nss info'
>>>>> >> > line. If you are still using 4.5, then remove the 'idmap config
>>>>> >> > MIND:unix_info' line.
>>>>> >> >
>>>>> >> I use both. This config file is used across Ubuntu 16.04, which has
>>>>> >> 4.3.11, and I am using Fedora 27, which has 4.7.5.
>>>>> >> I thought I could leave them both uncommented for both, as they
>>>>> >> should throw out what they don't understand. Is that not correct?
>>>>> >
>>>>> > No, you should use one or the other (depending on the Samba
>>>>> > version), you cannot use both.
>>>>> >
>>>>> >> >>    restrict anonymous = 2
>>>>> >> >>    #added the following 2 for the Badlock updates that change
>>>>> >> >> the defaults #to no longer work with my domain controllers
>>>>> >> >>    ldap server require strong auth = no
>>>>> >> >>    client ldap sasl wrapping = plain
>>>>> >> >>    kerberos method = secrets and keytab
>>>>> >> >
>>>>> >> > If you had to add the above lines after the Badlock updates,
>>>>> >> > don't you think it is about time you fixed your DCs, it will be
>>>>> >> > more secure. I also cannot see the reason for adding them, the
>>>>> >> > first line only makes sense on a DC, the second turns off 'sign
>>>>> >> > & seal' and the third only makes Kerberos look
>>>>> >> > in /etc/krb5.keytab.
>>>>> >> >
>>>>> >> I'm not sure how to fix my DCs. It may have been fixed with updates.
>>>>> >> Also, if I do fix it, I don't know if it will break my network
>>>>> >> storage and how to roll back if it does.
>>>>> >>
>>>>> >> I commented out "ldap server require strong auth = no", "client
>>>>> >> ldap sasl wrapping = plain" and "kerberos method = secrets and
>>>>> >> keytab" and restarted the winbind service in Fedora and it still
>>>>> >> works. I can still ssh as a domain user and type a password. I
>>>>> >> will try in ubuntu later.
>>>>> >>
>>>>> >> Does that mean my domain is fixed?
>>>>> >
>>>>> > Probably
>>>>> >
>>>>> >>
>>>>> >> I still am not getting the correct group for my dstephenson user.
>>>>> >> With "id dstephenson" or "getent passwd dstephenson"
>>>>> >>
>>>>> >> With all those changes nothing seems to have changed.
>>>>> >
>>>>> > Have you run 'net cache flush' ?
>>>>> >
>>>>> Yeah, that was in my script above.
>>>>
>>>> Has your user logged in? There were winbind changes in 4.6.0 that
>>>> meant that you get 'Domain Users' as the primary group if the user
>>>> hasn't logged in, more info here:
>>>>
>>>> https://wiki.samba.org/index.php/Samba_4.6_Features_added/changed#winbind_changes
>>>>
>>>> Rowland
>>>>
>>> No, and likely will not on that system. I will try with a test user
>>> that is also not reporting correctly.
>>>>
>>
>> Still not working right
>>
>> ldapu is a function I wrote to use ldapsearch
>>
>> ldapu jefftest|grep -ie uidnumber -e gidnumber
>> uidNumber: 11507
>> gidNumber: 31025
>>
>> even logging in as jefftest I get as follows
>>
>> jefftest::daddles { ~ }-> id jefftest
>> uid=11507(jefftest) gid=8513(domain users) groups=8513(domain
>> users),31025(jeffs_general_group),8918648(vpn_users),8000(staff),8004(research),31036(insightiq)
>>
> Interesting, maybe I was running "net cache flush" the wrong way. I was
> doing it after stopping winbind then I would start winbind back up.
> Today I tried it without stopping winbind and logged in as jefftest.
> The jefftest account now correctly shows with id.
>
> jefftest::daddles { ~ }-> id jefftest
> uid=11507(jefftest) gid=31025(jeffs_general_group)
> groups=31025(jeffs_general_group),31036(insightiq),8004(research),8513(domain
> users),8000(staff),8918648(vpn_users)
>
I decided to try and change the group of jefftest and do some more experiments.

I replicated the servers via ADSS (Active Directory Sites and Services),
starting on the NTDS Settings of the one I made the change on, and
replicated the other servers.
Then I did the same on the other 2.

> ldapu jefftest | grep -ie uidnumber -e gidnumber
Still have a valid key jsadowski at MIND.UNM.EDU 03/14/2018 17:25:25
uidNumber: 11507
gidNumber: 31026
> id jefftest
uid=11507(jefftest) gid=31025(jeffs_general_group)
groups=31025(jeffs_general_group),31036(insightiq),8004(research),8513(domain
users),8000(staff),8918648(vpn_users)
root::daddles { ~ }-> net cache flush
> id jefftest
uid=11507(jefftest) gid=31025(jeffs_general_group)
groups=31025(jeffs_general_group),31036(insightiq),8004(research),8513(domain
users),8000(staff),8918648(vpn_users)
logged out and back in as jefftest
jefftest::daddles { ~ }-> id jefftest
uid=11507(jefftest) gid=31025(jeffs_general_group)
groups=31025(jeffs_general_group),31036(insightiq),8004(research),8513(domain
users),8000(staff),8918648(vpn_users)

Still has not changed. Am I replicating the servers incorrectly? Each
server, when I log in and look at the jefftest user, looks correct.

>> P.S. The Ubuntu 16.04 machines are showing correctly. (Still need to
>> mod the smb.conf's for them. I want to try on non-important machines
>> first.)
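As an added example (not code from this thread or from the Samba project), the following Python script applies the two checks the thread turns on: Rowland's rule that a domain member must carry only one of `winbind nss info = rfc2307` (pre-4.6) or `idmap config DOMAIN:unix_nss_info = yes` (4.6 and later), never both, and a comparison of the `gidNumber` stored in AD against the primary group that `id` reports after `net cache flush`, which is how the stale-cache symptom above shows up. The smb.conf parser, the 4.6 version cut-off and the embedded sample inputs are assumptions reconstructed from the messages in this thread, not anything Samba ships.

```python
import re

# Constructed sample smb.conf, built from the [global] section quoted in the thread.
SAMPLE_SMB_CONF = """
[global]
   security = ads
   realm = MIND.UNM.EDU
   workgroup = MIND
   idmap config * : backend = tdb
   idmap config * : range = 2000-7999
   idmap config MIND:backend = ad
   idmap config MIND:schema_mode = rfc2307
   idmap config MIND:range = 8000-9999999
   # both rfc2307 nss-info settings present: the mistake discussed in the thread
   idmap config MIND:unix_nss_info = yes
   winbind nss info = rfc2307
"""

# Constructed from the ldapsearch and `id` output after gidNumber was changed in AD.
SAMPLE_LDAP = "uidNumber: 11507\ngidNumber: 31026\n"
SAMPLE_ID = ("uid=11507(jefftest) gid=31025(jeffs_general_group) "
             "groups=31025(jeffs_general_group),31036(insightiq),8004(research),"
             "8513(domain users),8000(staff),8918648(vpn_users)")


def normalize_key(key):
    """Lower-case a parameter name and drop whitespace around ':' so that
    'idmap config * : backend' and 'idmap config *:backend' compare equal."""
    key = " ".join(key.lower().split())
    return re.sub(r"\s*:\s*", ":", key)


def parse_smb_conf(text):
    """Minimal smb.conf reader (assumption: enough for [section] headers,
    'key = value' lines and '#'/';' comments). Indented lines are ordinary
    parameters here; configparser would treat them as value continuations."""
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            conf.setdefault(section, {})
            continue
        if "=" in line and section is not None:
            key, value = line.split("=", 1)
            conf[section][normalize_key(key)] = value.strip()
    return conf


def nss_info_check(conf, domain, samba_version):
    """Apply the rule given in the thread: from 4.6 on, use
    'idmap config DOMAIN:unix_nss_info' and remove 'winbind nss info';
    before 4.6 it is the other way round. Returns (conflict, keep, remove):
    conflict is True when both parameters are set, remove lists the ones
    present that should not be (keys in normalized, lower-case form)."""
    glob = conf.get("global", {})
    new_key = normalize_key(f"idmap config {domain}:unix_nss_info")
    old_key = "winbind nss info"
    present = [k for k in (new_key, old_key) if k in glob]
    wanted = new_key if tuple(samba_version[:2]) >= (4, 6) else old_key
    remove = [k for k in present if k != wanted]
    return (len(present) == 2, wanted, remove)


def ldap_gid(ldap_text):
    """Pull gidNumber out of ldapsearch-style 'attr: value' output."""
    m = re.search(r"^gidNumber:\s*(\d+)", ldap_text, re.MULTILINE)
    return int(m.group(1)) if m else None


def parse_id(id_text):
    """Return (primary_gid, {gid: name}) from the output of `id <user>`."""
    gid = int(re.search(r"\bgid=(\d+)", id_text).group(1))
    group_part = id_text.split("groups=", 1)[1]
    groups = {int(n): name for n, name in re.findall(r"(\d+)\(([^)]*)\)", group_part)}
    return gid, groups


def primary_group_status(ldap_text, id_text):
    """Compare AD's gidNumber with the primary group winbind reports.
    'ok': they agree. 'domain-users': winbind fell back to Domain Users,
    the 4.6+ behaviour for a user who has not logged in. 'stale': winbind
    still answers a different group, the symptom seen in the thread."""
    want = ldap_gid(ldap_text)
    got, groups = parse_id(id_text)
    if want == got:
        return "ok"
    if groups.get(got, "").lower() == "domain users":
        return "domain-users"
    return "stale"


if __name__ == "__main__":
    conf = parse_smb_conf(SAMPLE_SMB_CONF)
    for version in ((4, 3, 11), (4, 7, 5)):
        conflict, keep, remove = nss_info_check(conf, "MIND", version)
        print(version, "conflict" if conflict else "ok", "keep:", keep, "remove:", remove)
    print("primary group:", primary_group_status(SAMPLE_LDAP, SAMPLE_ID))
```

Run against a real host, feed it the output of `ldapsearch` for the user and of `id <user>` taken after `net cache flush`; a persistent `stale` result while AD already shows the new `gidNumber` points at the member's winbind cache or idmap rather than at AD replication.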