[Samba] Persistent Winbind gid cache

Rowland Penny rpenny at samba.org
Mon Oct 8 16:38:11 UTC 2018


On Mon, 8 Oct 2018 18:11:39 +0200
Prunk Dump <prunkdump at gmail.com> wrote:

> Hi !
> 
> I use samba 4.5 (Debian stable) and to get the primary group I want,
> I change the user's primaryGroupID in AD.

Bad idea

> 
> I know this is usually a bad idea (as said in the samba documentation).
> But in my case there are some arguments in favour of this method:

There are no arguments in favour of changing the primaryGroupID
attribute; try asking the guy who couldn't add another DC because he
had done this.
  
> -> My users are still member of the "Domain Users" group but not as
> primary group.

Yes, but not in the correct way.

> -> My network is 90% Linux and 10% Windows (around 450 Linux and 40
> Windows clients).

You are still using Microsoft technology, you need to fit in with that,
not the other way around.

> -> I have never seen any problems with the "Domain Users" group on the
> Windows clients with this setup.

This doesn't mean it is the correct thing to do.

> -> As my Linux clients mount shares with NFSv4, my users absolutely
> need to have the right gid to create some shared files.

Possibly, but you do not need to change the primaryGroupID to do this.

> -> It's difficult for me to move to samba 4.6 or newer because I would
> lose Debian security updates. Security and stability are very important
> with 450 stations.

How can you lose 'security updates'?

> Here is my smb.conf (on clients):
> 
> [global]
>    workgroup = FICHLAN
>    security = ADS
>    realm = LAN.LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR
> 
>    dedicated keytab file = /etc/krb5.keytab
>    kerberos method = secrets and keytab
>    winbind refresh tickets = Yes
> 
>    winbind trusted domains only = no
>    winbind use default domain = yes
>    winbind enum users  = no
>    winbind enum groups = no
>    winbind expand groups = 1
> 
>    idmap config *:backend = tdb
>    idmap config *:range = 2000-9999
>    idmap config FICHLAN:backend = ad
>    idmap config FICHLAN:schema_mode = rfc2307
>    idmap config FICHLAN:range = 3000000-9999999
>    winbind nss info = rfc2307

Don't tell me, you got the '3000000' numbers from the DC. You didn't
have to use them; they are xidNumbers.

> 
> The strange thing is that my user seems to have the right gid once the
> login is done. 

They would still have been allowed access to the shares even if you
hadn't changed the primaryGroupID and the group membership is only
correct once the user has logged in.

> I can't find files in my user home folder with a bad
> gid. The problem seems to appear only at the pam_mount stage.

Strange, pam_mount works for me and I do not change the primaryGroupID.
 
> Thanks James for the tips! I will try to understand what the
> netsamlogon_cache.tdb file contains.
 
I doubt that it is your problem (whoever James is?).

Rowland
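Added example, not part of the thread and not Samba project code: a small audit that models the two points raised above, that the `idmap config` ranges in the posted client smb.conf must not overlap, and that users whose primaryGroupID has been moved away from "Domain Users" (well-known RID 513) should be reverted and given an rfc2307 gidNumber instead. The smb.conf fragment and the AD user records are constructed for the example; the attribute names are the standard AD/rfc2307 ones, but the exact rules by which a given Samba version turns them into a Unix primary gid (for instance the idmap_ad `unix_primary_group` option that arrived in 4.6) are not modelled here, so treat the output as a to-do list to check against `wbinfo -i` / `id` on a real client, not as what winbind will do.

```python
"""Audit a Samba client's idmap ranges and AD users' primary-group attributes.

Everything below is constructed example data, not output from a real domain.
"""
import re

DOMAIN_USERS_RID = 513  # well-known RID of the "Domain Users" group

# Constructed smb.conf fragment, modelled on the client config posted in the thread.
SMB_CONF = """
[global]
   workgroup = FICHLAN
   security = ADS
   idmap config *:backend = tdb
   idmap config *:range = 2000-9999
   idmap config FICHLAN:backend = ad
   idmap config FICHLAN:schema_mode = rfc2307
   idmap config FICHLAN:range = 3000000-9999999
   winbind nss info = rfc2307
"""

IDMAP_RANGE_RE = re.compile(
    r"^\s*idmap\s+config\s+(?P<dom>\S+?)\s*:\s*range\s*=\s*(?P<lo>\d+)\s*-\s*(?P<hi>\d+)\s*$",
    re.IGNORECASE,
)


def parse_idmap_ranges(conf):
    """Return {domain_or_star: (low, high)} for every 'idmap config X:range' line."""
    ranges = {}
    for line in conf.splitlines():
        m = IDMAP_RANGE_RE.match(line)
        if m:
            ranges[m.group("dom")] = (int(m.group("lo")), int(m.group("hi")))
    return ranges


def overlapping_ranges(ranges):
    """winbind requires idmap ranges to be disjoint; return the pairs that overlap."""
    names = sorted(ranges)
    bad = []
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            lo_a, hi_a = ranges[a]
            lo_b, hi_b = ranges[b]
            if lo_a <= hi_b and lo_b <= hi_a:
                bad.append((a, b))
    return bad


# Constructed user records, shaped like what ldbsearch/ldapsearch would return.
USERS = [
    {"sAMAccountName": "alice", "primaryGroupID": 513, "uidNumber": 3000021, "gidNumber": 3000005},
    {"sAMAccountName": "bob", "primaryGroupID": 3012, "uidNumber": 3000022, "gidNumber": 3000005},
    {"sAMAccountName": "carol", "primaryGroupID": 513, "uidNumber": 3000023},
    {"sAMAccountName": "dave", "primaryGroupID": 513, "uidNumber": 10001, "gidNumber": 10001},
]


def audit_users(users, domain_range):
    """Flag users whose primary group was changed or whose rfc2307 ids are unusable.

    Returns a list of (sAMAccountName, message) tuples, one per finding.
    """
    lo, hi = domain_range
    findings = []
    for u in users:
        name = u["sAMAccountName"]
        pgid = u.get("primaryGroupID")
        if pgid != DOMAIN_USERS_RID:
            findings.append((name, "primaryGroupID is %s, not 513 (Domain Users): "
                                   "revert it and set gidNumber instead" % pgid))
        if u.get("gidNumber") is None:
            # Without a gidNumber there is no rfc2307 attribute to carry the Unix primary group.
            findings.append((name, "no gidNumber set"))
        for attr in ("uidNumber", "gidNumber"):
            val = u.get(attr)
            if val is not None and not lo <= val <= hi:
                # idmap_ad only maps ids that fall inside the configured domain range.
                findings.append((name, "%s=%d outside idmap range %d-%d" % (attr, val, lo, hi)))
    return findings


if __name__ == "__main__":
    ranges = parse_idmap_ranges(SMB_CONF)
    print("idmap ranges:", ranges)
    print("overlapping ranges:", overlapping_ranges(ranges))
    for name, msg in audit_users(USERS, ranges["FICHLAN"]):
        print("%-8s %s" % (name, msg))
```

Run against a real domain, the `USERS` list would be replaced by an `ldbsearch`/`ldapsearch` export of `sAMAccountName primaryGroupID uidNumber gidNumber`; the range check is worth keeping in a client's configuration-management tests, since an overlapping `*` and domain range is a quiet way to get inconsistent ids across clients.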