[Samba] Users lose supplementary groups after a time
Rowland penny
rpenny at samba.org
Fri May 15 18:28:41 UTC 2020
On 15/05/2020 19:10, Orion Poplawski wrote:
> On 5/15/20 12:56 AM, Rowland penny via samba wrote:
>> On 14/05/2020 21:59, Orion Poplawski via samba wrote:
>>> Sorry, I thought I had re-enabled delivery, but I had not. So trying to reply
>>> to Rowland Penny here:
>>>
>>>> On 14/05/2020 18:46, Orion Poplawski via samba wrote:
>>>>> All -
>>>>>
>>>>> I seem to be suffering from the common complaint that users lose
>>>>> supplementary group access after a while - in our case it seems to be
>>>>> connections left overnight. Restarting smb fixes it. I haven't been able to
>>>>> determine the cause.
>>>>>
>>>>>
>>>>> though I think that is to be expected at this point as we are not using
>>>>> winbind idmapping to map AD users, but rather we have an IPA - AD trust
>>>>> and so
>>>>> have local unix users already.
>>>> Yes, but is winbind running?
>>>>> Server is Scientific Linux release 7.8
>>>>> samba-4.10.4-10.el7.x86_64
>>>>>
>>>>> workgroup = DOMAIN
>>>>> security = ads
>>>>> realm = AD.DOMAIN
>>>>> # Workaround unix group issue
>>>>> (https://bugzilla.samba.org/show_bug.cgi?id=10618)
>>>>> username map script = /bin/echo
>>>>>
>>>>> Is the above now causing more issues?
>>>> I think it is what isn't there that is the problem
>>>>> Recent changes that I can think of are the 7.8 update and configuring AD
>>>>> sites. Though I think this problem has likely been occurring for a long time
>>>>> - but for some reason we are seeing more connections left overnight.
>>>> You do not say what you upgraded from, but 7.8 will now mean you have a
>>>> Samba version >= 4.8.0 and from Samba 4.8.0 you need to run winbind if
>>>> you have 'security = ADS' in smb.conf. This also means you need the
>>>> 'idmap config' lines as well, which means you cannot have the same users
>>>> in /etc/passwd.
>>> I upgraded from 7.7. And yes since we've had samba >= 4.8.0 for a while now
>>> we've been running winbind.
>>>
>>> This configuration (dropping the username map script hack) seems to be working
>>> for us, does this seem correct?
>>>
>>> idmap config * : backend = tdb
>>> idmap config * : range = 1000000-1999999
>>> idmap config DOMAIN : backend = nss
>>> idmap config DOMAIN : range = 1000-999999
>>> winbind scan trusted domains = no
>> Yes, that should work for your setup. It will map your local users to IPA users.
> Unfortunately I still seem to be seeing different behavior for different
> users. Some users are being assigned to local unix groups that they belong
> to, others are only given the groups for which their AD groups have matching
> local unix equivalents. After clearing out the samba/winbind caches on a test
> server - it appears that the latter behavior is likely the expected one. Is
> this correct?
Yes, the backend you are using maps AD users and groups to local users
and groups, so this means that you have to have users & groups in
/etc/passwd and groups with the same names as in AD.
For more info read 'man idmap_nss'
Rowland
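As an added example (not from the thread and not Samba's own code), a small shell check that turns the point above into something a practitioner can run: with 'idmap config DOMAIN : backend = nss', every AD group a user should receive must exist locally under the same name, so compare winbind's list of AD groups with the local NSS group database and report the ones with no local equivalent. The sample input is constructed; stripping a leading "DOMAIN\" prefix and comparing case-insensitively are assumptions about how names line up on a given host.

```shell
#!/bin/sh
# Added example: report AD groups that have no same-named local group.
# With the nss idmap backend such groups cannot be mapped, so a user in
# them gets no supplementary group for them at all.
# Assumptions: names match after stripping "DOMAIN\" and lowercasing.
# On a real host feed it:  wbinfo -g   and   getent group
LC_ALL=C
export LC_ALL

# normalize: keep the name field, drop "DOMAIN\" prefix, lowercase, sort
normalize() {
    cut -d: -f1 | sed 's/^[^\\]*\\//' | tr 'A-Z' 'a-z' | sort -u
}

# missing_local AD_NAMES LOCAL_NAMES
# prints normalized AD names that do not exist in the local list
missing_local() {
    ad_tmp=$(mktemp) && local_tmp=$(mktemp) || return 1
    printf '%s\n' "$1" | normalize > "$ad_tmp"
    printf '%s\n' "$2" | normalize > "$local_tmp"
    comm -23 "$ad_tmp" "$local_tmp"
    rm -f "$ad_tmp" "$local_tmp"
}

# Constructed sample input, shaped like 'wbinfo -g' and 'getent group'
AD_GROUPS='DOMAIN\domain users
DOMAIN\engineering
DOMAIN\finance'
LOCAL_GROUPS='root:x:0:
domain users:x:10513:
engineering:x:10600:orion
wheel:x:10:orion'

# Stand-alone run: lists "finance" as the group no user can receive
missing_local "$AD_GROUPS" "$LOCAL_GROUPS"
```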