[Samba] Samba winbind getgroups lookup

Satay Epic satayepic at gmail.com
Thu Oct 3 14:46:58 UTC 2019


Thank you, Rowland, for your reply.  My knowledge of Samba is limited,
so please forgive me for any basic mistakes :)
This is something that was set up by a previous admin.

We have had issues where "winbind" will just "give up" and won't let
anyone log in to the host, not even from the console.
I would like to fix that problem, so I started to investigate the
configs.  I don't know how to reproduce the issue, but the goal is that
local users should be able to log in even if winbind is broken.

I'm going to give the suggested settings a try to see if the winbind
group lookup stops happening for a local user.

Thanks again

On Thu, Oct 3, 2019 at 7:12 AM Rowland penny via samba
<samba at lists.samba.org> wrote:
>
> On 03/10/2019 15:05, Satay Epic via samba wrote:
> > We have a winbind client running on a CentOS 7.3.1611 host connected to MS
> > Active Directory. It is working normally for local and AD users. However,
> > in the logs I see that NSS is issuing a call to winbind to retrieve
> > the groups for the "root" user. I wonder why it does that and what can be done
> > to make it stop. I believe it should do the lookup only for
> > the domain/AD users.
> >
> > [2019/10/02 17:00:01.952225, 3]
> > ../source3/winbindd/winbindd_getgroups.c:60(winbindd_getgroups_send)
> > getgroups root
> >
> >
> > samba-winbind-4.4.4-14.el7_3.x86_64
> >
> >
> > # cat /etc/nsswitch.conf | grep winbind
> > passwd: files winbind
> > shadow: files winbind
> > group: files winbind
> >
> >
> >
> >
> > cat /etc/samba/smb.conf
> > [global]
> >
> > workgroup = DOMAIN
> > realm = DOMAIN.COM
> > preferred master = no
> > server string = Samba Server Version %v
> > security = ADS
> > encrypt passwords = yes
> > log level = 3
> > log file = /var/log/samba/%m
> > max log size = 50
> > printcap name = cups
> > printing = cups
> > winbind enum users = Yes
> > winbind enum groups = Yes
> > winbind use default domain = Yes
> > winbind nested groups = Yes
> > winbind separator = +
> > winbind max clients = 1000
> > template shell = /bin/bash
> >
> > idmap domains = DOMAIN
> > idmap config DOMAIN:range = 10000 - 49999
> > idmap config DOMAIN:base_rid = 0
> > idmap config DOMAIN:backend = rid
> >
> > ################################################
> > # Required for Samba/Winbind 3.4+
> > # Note that local tdb idmap backend
> > # required now for Samba/Winbind 3.4+
> > idmap backend = tdb
> > idmap uid = 10000 - 49999
> > idmap gid = 10000 - 49999
> > #################################################
> >
> >
> > Thanks in advance.
> >
> You could start by setting up smb.conf correctly ;-)
>
> Replace:
>
> idmap backend = tdb
> idmap uid = 10000 - 49999
> idmap gid = 10000 - 49999
>
> With:
>
> idmap backend = tdb
> idmap config * : range = 3000 - 7999
>
> Also, remove 'winbind' from the 'shadow' line in /etc/nsswitch.conf
>
> Rowland
>
>
>
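An added audit script, not code from this thread, that checks the two changes Rowland suggests: no winbind on the shadow line of nsswitch.conf (and files ahead of winbind for passwd/group), and a default `idmap config * : range` in place of the old `idmap uid`/`idmap gid` lines. File paths are assumed, and the embedded sample is a constructed copy of the nsswitch.conf lines quoted above.

```shell
#!/bin/sh
# Added audit helper (assumed paths, not code from the thread): checks the two
# points raised in the reply so that local accounts such as root can still be
# resolved when winbind is unavailable.

# check_nsswitch FILE: fails (returns 1) if winbind appears on the shadow line,
# or if "files" is not the first source for passwd/group.
check_nsswitch() {
    rc=0
    for db in passwd group shadow; do
        line=$(sed -n "s/^[[:space:]]*${db}:[[:space:]]*//p" "$1" | head -n 1)
        case "$db" in
            shadow)
                case " $line " in
                    *" winbind "*) echo "nsswitch: remove winbind from 'shadow:'"; rc=1 ;;
                esac ;;
            *)
                first=$(printf '%s\n' "$line" | awk '{print $1}')
                [ "$first" = files ] || { echo "nsswitch: '$db:' should list files first"; rc=1; }
                ;;
        esac
    done
    return $rc
}

# check_smbconf FILE: fails if the deprecated global 'idmap uid'/'idmap gid'
# lines are still present, or if no 'idmap config * : range' default exists.
check_smbconf() {
    rc=0
    if grep -Eiq '^[[:space:]]*idmap[[:space:]]+(uid|gid)[[:space:]]*=' "$1"; then
        echo "smb.conf: replace 'idmap uid'/'idmap gid' with 'idmap config * : range'"; rc=1
    fi
    if ! grep -Eiq '^[[:space:]]*idmap[[:space:]]+config[[:space:]]*\*[[:space:]]*:[[:space:]]*range[[:space:]]*=' "$1"; then
        echo "smb.conf: add 'idmap config * : range = ...' for the default (*) domain"; rc=1
    fi
    return $rc
}

# Demo on a constructed copy of the nsswitch.conf lines quoted in the thread.
demo=$(mktemp)
printf 'passwd: files winbind\nshadow: files winbind\ngroup: files winbind\n' > "$demo"
check_nsswitch "$demo" && echo "nsswitch.conf: OK"
rm -f "$demo"

# Real run, when two paths are given: sh audit.sh /etc/nsswitch.conf /etc/samba/smb.conf
if [ $# -eq 2 ]; then
    check_nsswitch "$1" && check_smbconf "$2" && echo "both files: OK"
fi
```

The demo run reports the shadow-line problem for the quoted configuration; pass the real paths as arguments to audit a live host.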
