[Samba] Persistent Winbind gid cache

Rowland Penny rpenny at samba.org
Mon Oct 8 19:19:34 UTC 2018


On Mon, 8 Oct 2018 19:20:51 +0200
Prunk Dump via samba <samba at lists.samba.org> wrote:

> Thank you very much for your help Rowland ! And sorry for my English,
> I'm french.

Never apologise for your English, it is a darned sight better than my
French ;-)

> 
> On Mon, 8 Oct 2018 at 18:38, Rowland Penny via samba
> <samba at lists.samba.org> wrote:
> >
> > On Mon, 8 Oct 2018 18:11:39 +0200
> > Prunk Dump <prunkdump at gmail.com> wrote:
> >
> > > Hi !
> > >
> > > I use samba 4.5 ( Debian stable ) and to get the primary group I
> > > want, I change the user's primaryGroupID in AD.
> >
> > Bad idea
> >
> >
> > > -> It's difficult for me to move to samba 4.6 or newer because I
> > > would lose Debian security updates. Security and stability are very
> > > important with 450 stations.
> >
> > How can you lose 'security updates' ?
> 
> The Debian security team works only on Debian stable. So it does not
> always publish security updates for backports or sid samba versions.

Andrew, is this correct, does Debian not backport security updates ?

> Moreover, it is difficult for me to use third-party repositories as they
> change the samba version very often. I need to be as "stable" as
> possible so as not to disturb my users.

I understand your problem, you want to keep things stable, but this
means you end up with a Samba version that is EOL as far as Samba is
concerned. Just because a new version of Samba comes out, it doesn't
mean you have to upgrade.

> 
> So I prefer a workaround over switching to a Samba version other than the
> "Stable" version. But you're right, maybe this is not the right
> workaround. But actually I can't find another. I need to assign a
> correct gid to my users.

I personally use Louis's repo, but I don't update at every new
release. If you did update to a Samba version >= 4.6.0 you could
use the new 'ad' backend lines. This would allow you to have the
correct primaryGroupID and a Unix primary group that isn't Domain
Users; this would make everybody happy.

> 
> > > Here my smb.conf (on clients) :
> > >
> > > [global]
> > >    workgroup = FICHLAN
> > >    security = ADS
> > >    realm = LAN.LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR
> > >
> > >    dedicated keytab file = /etc/krb5.keytab
> > >    kerberos method = secrets and keytab
> > >    winbind refresh tickets = Yes
> > >
> > >    winbind trusted domains only = no
> > >    winbind use default domain = yes
> > >    winbind enum users  = no
> > >    winbind enum groups = no
> > >    winbind expand groups = 1
> > >
> > >    idmap config *:backend = tdb
> > >    idmap config *:range = 2000-9999
> > >    idmap config FICHLAN:backend = ad
> > >    idmap config FICHLAN:schema_mode = rfc2307
> > >    idmap config FICHLAN:range = 3000000-9999999
> > >    winbind nss info = rfc2307

From Samba 4.6.0, you would remove the 'winbind nss info' line and add:

idmap config FICHLAN : unix_nss_info = yes
idmap config FICHLAN : unix_primary_group = yes

Rowland
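The following is an added example and is not part of the list thread or of Samba itself: a small smb.conf linter that checks the `[global]` idmap settings against the advice given above (a Samba >= 4.6.0 'ad' backend domain should use `unix_nss_info` / `unix_primary_group` instead of the `winbind nss info` line) and, going one step further than the thread, also verifies that the idmap ranges of different domains do not overlap, which winbind requires regardless of version. The sample config is the client smb.conf quoted in the thread, the version tuples passed to `lint_idmap` are constructed inputs, and the function and message names are this example's own.

```python
"""Added example: lint the idmap settings of an smb.conf against the
thread's advice for the Samba >= 4.6.0 'ad' backend.  Not Samba code."""
import re

# Constructed sample: the client smb.conf quoted in the thread (trimmed).
SAMPLE_SMB_CONF = """\
[global]
   workgroup = FICHLAN
   security = ADS
   realm = LAN.LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR
   winbind use default domain = yes
   winbind enum users  = no
   winbind enum groups = no
   idmap config *:backend = tdb
   idmap config *:range = 2000-9999
   idmap config FICHLAN:backend = ad
   idmap config FICHLAN:schema_mode = rfc2307
   idmap config FICHLAN:range = 3000000-9999999
   winbind nss info = rfc2307
"""

# The same config with the change recommended in the thread for >= 4.6.0.
FIXED_SMB_CONF = SAMPLE_SMB_CONF.replace(
    "   winbind nss info = rfc2307\n",
    "   idmap config FICHLAN : unix_nss_info = yes\n"
    "   idmap config FICHLAN : unix_primary_group = yes\n")


def parse_smb_conf(text):
    """Parse smb.conf into {section: {key: value}}.

    Samba ignores case and whitespace inside parameter names, so keys are
    stored with whitespace removed and compared case-insensitively; thus
    'idmap config FICHLAN : range' equals 'idmap config FICHLAN:range'.
    """
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = re.match(r"^\[(.+)\]$", line)
        if m:
            current = m.group(1).strip().lower()
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        key, value = line.split("=", 1)
        sections[current][re.sub(r"\s+", "", key)] = value.strip()
    return sections


def idmap_domains(global_section):
    """Group 'idmap config DOM:option' keys by domain: {DOM: {option: value}}."""
    domains = {}
    for key, value in global_section.items():
        m = re.match(r"^idmapconfig([^:]+):(.+)$", key, re.IGNORECASE)
        if m:
            domains.setdefault(m.group(1), {})[m.group(2).lower()] = value.lower()
    return domains


def parse_range(text):
    lo, hi = text.split("-", 1)
    return int(lo), int(hi)


def lint_idmap(sections, samba_version):
    """Return a list of findings; an empty list means nothing to report."""
    g = sections.get("global", {})
    domains = idmap_domains(g)
    findings = []
    new_opts = samba_version >= (4, 6, 0)   # unix_nss_info / unix_primary_group exist

    for dom, opts in domains.items():
        if dom == "*" or opts.get("backend") != "ad":
            continue
        if "range" not in opts:
            findings.append(f"idmap config {dom}: 'ad' backend needs a range")
        for opt in ("unix_nss_info", "unix_primary_group"):
            if new_opts and opts.get(opt) != "yes":
                findings.append(f"add 'idmap config {dom} : {opt} = yes'")
            if not new_opts and opt in opts:
                findings.append(f"'{opt}' needs Samba >= 4.6.0")
    has_nss_info = any(k.lower() == "winbindnssinfo" for k in g)
    if new_opts and has_nss_info and any(o.get("backend") == "ad" for o in domains.values()):
        findings.append("remove 'winbind nss info' (replaced by unix_nss_info)")

    # Ranges of different idmap domains must never overlap, whatever the version.
    ranges = [(d, parse_range(o["range"])) for d, o in domains.items() if "range" in o]
    for i, (d1, (lo1, hi1)) in enumerate(ranges):
        for d2, (lo2, hi2) in ranges[i + 1:]:
            if lo1 <= hi2 and lo2 <= hi1:
                findings.append(f"idmap ranges of {d1} and {d2} overlap")
    return findings


if __name__ == "__main__":
    for name, conf in (("original", SAMPLE_SMB_CONF), ("fixed", FIXED_SMB_CONF)):
        print(name, "on 4.6.0:", lint_idmap(parse_smb_conf(conf), (4, 6, 0)) or "ok")
```

Run against the original config with a 4.6.0 version it reports the three changes from the message (add the two `unix_*` lines, drop `winbind nss info`); against the fixed config it reports nothing, and against the fixed config with a 4.5.x version it flags the two options as unavailable, which is the situation the thread describes for Debian stable.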
