[Samba] Persistent Winbind gid cache

Prunk Dump prunkdump at gmail.com
Mon Oct 8 17:20:51 UTC 2018


Thank you very much for your help, Rowland! And sorry for my English,
I'm French.

On Mon, 8 Oct 2018 at 18:38, Rowland Penny via samba
<samba at lists.samba.org> wrote:
>
> On Mon, 8 Oct 2018 18:11:39 +0200
> Prunk Dump <prunkdump at gmail.com> wrote:
>
> > Hi !
> >
> > I use Samba 4.5 (Debian stable) and to get the primary group I want,
> > I change the user's primaryGroupID in AD.
>
> Bad idea
>
>
> > -> It's difficult for me to move to Samba 4.6 or newer because I lose
> > Debian security updates. Security and stability are very important with
> > 450 stations.
>
> How can you lose 'security updates' ?

The Debian security team works only on Debian stable, so it does not
always publish security updates for backports or sid Samba versions.
Moreover, it is difficult for me to use third-party repositories as they
change the Samba version very often. I need to be as "stable" as
possible so as not to disturb my users.

So I prefer a workaround over switching to a Samba version other than the
"stable" version. But you're right, maybe this is not the right
workaround. But actually I can't find another. I need to assign a
correct gid to my users.

> > Here is my smb.conf (on clients):
> >
> > [global]
> >    workgroup = FICHLAN
> >    security = ADS
> >    realm = LAN.LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR
> >
> >    dedicated keytab file = /etc/krb5.keytab
> >    kerberos method = secrets and keytab
> >    winbind refresh tickets = Yes
> >
> >    winbind trusted domains only = no
> >    winbind use default domain = yes
> >    winbind enum users  = no
> >    winbind enum groups = no
> >    winbind expand groups = 1
> >
> >    idmap config *:backend = tdb
> >    idmap config *:range = 2000-9999
> >    idmap config FICHLAN:backend = ad
> >    idmap config FICHLAN:schema_mode = rfc2307
> >    idmap config FICHLAN:range = 3000000-9999999
> >    winbind nss info = rfc2307
>
> Don't tell me, you got the '3000000' numbers from the DC, you didn't
> have to use them, they are xidNumber's
>

My uids and gids are generated from my Samba DC. One year ago I
used the xidNumber assigned to a user/group as the ID number. It was
copied into AD using some scripts. Now I use "msSFU30MaxUidNumber" and
"msSFU30MaxGidNumber". But I have kept the same range.

> >
> > The strange thing is that my user seems to have the right gid once the
> > login is done.
>
> They would still have been allowed access to the shares even if you
> hadn't changed the primaryGroupID and the group membership is only
> correct once the user has logged in.
>
> > I can't find files in my user home folder with a bad
> > gid. The problem seems to appear only at the pam_mount stage.
>
> Strange, pam mount works for me and I do not change the primaryGroupID
>
> > Thanks James for the tips! I will try to understand what the
> > netsamlogon_cache.tdb file contains.
>
> I doubt that it is your problem. (whoever James is ?)
>

James gave me some advice in private. He says that he had the same
problem and deleting the netsamlogon_cache.tdb solved it. But he didn't
tell me his Samba version or whether he changes the primaryGroupID.

Thanks again.
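A small checker for the idmap section quoted above, added here as an illustration (it is not Samba's own code and not from anyone in the thread): it parses the `idmap config` lines of an smb.conf, reports domains missing a backend or range, and flags ranges that overlap, since Samba requires every idmap range (including the default `*` one) to be disjoint. The sample text is a constructed copy of the client smb.conf from the message.

```python
import re

# Constructed sample: the idmap-relevant lines of the client smb.conf from the thread.
SAMPLE_SMB_CONF = """
[global]
   workgroup = FICHLAN
   security = ADS
   idmap config *:backend = tdb
   idmap config *:range = 2000-9999
   idmap config FICHLAN:backend = ad
   idmap config FICHLAN:schema_mode = rfc2307
   idmap config FICHLAN:range = 3000000-9999999
   winbind nss info = rfc2307
"""

# Matches 'idmap config <DOMAIN>:<option> = <value>' (domain may be '*').
IDMAP_RE = re.compile(r"^\s*idmap\s+config\s+([^:]+?)\s*:\s*(\w+)\s*=\s*(.+?)\s*$", re.I)

def parse_idmap_config(text):
    """Return {domain: {option: value}} for every 'idmap config' line in text."""
    domains = {}
    for line in text.splitlines():
        m = IDMAP_RE.match(line)
        if m:
            dom, opt, val = m.group(1), m.group(2).lower(), m.group(3)
            domains.setdefault(dom, {})[opt] = val
    return domains

def check_idmap_ranges(text):
    """Return a list of human-readable problems; an empty list means the ranges look sane."""
    problems, ranges = [], {}
    for dom, opts in parse_idmap_config(text).items():
        if "backend" not in opts:
            problems.append(f"{dom}: no backend configured")
        if "range" not in opts:
            problems.append(f"{dom}: no range configured")
            continue
        m = re.fullmatch(r"\s*(\d+)\s*-\s*(\d+)\s*", opts["range"])
        if not m or int(m.group(1)) >= int(m.group(2)):
            problems.append(f"{dom}: malformed range '{opts['range']}'")
            continue
        ranges[dom] = (int(m.group(1)), int(m.group(2)))
    # Every pair of idmap ranges must be disjoint, including the default '*' range.
    doms = sorted(ranges)
    for i, a in enumerate(doms):
        for b in doms[i + 1:]:
            (alo, ahi), (blo, bhi) = ranges[a], ranges[b]
            if alo <= bhi and blo <= ahi:
                problems.append(f"{a} ({alo}-{ahi}) overlaps {b} ({blo}-{bhi})")
    return problems
```

Run it against a real file with `check_idmap_ranges(open("/etc/samba/smb.conf").read())`; the config in the thread yields no problems, and widening the `*` range into the FICHLAN range produces an overlap report.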
