[Samba] 'getent group mygroup' fails when 'winbind use default domain = yes'
Rowland penny
rpenny at samba.org
Thu May 13 19:01:25 UTC 2021
On 13/05/2021 19:29, Kees van Vloten wrote:
> Hi Rowland,
>
> These are the results of the 2 commands:
>
> 100016
>
> 2000
>
> So that matches your expectations :-)
Just checking, there have been instances when an OP has claimed that
they have added things when they hadn't, not that I really thought this
was the problem in your case because 'id' showed the groups.
>
>
> To make a long story short, I have found the culprit, it is called
> 'winbind normalize names = yes'. The interesting bit is that in the
> first output I sent that line was commented, I guess the bad results
> then were due to not flushing the cache.
Probably, always flush the cache after making changes, even if you
restart Samba.
> I found this as a working configuration:
>
> global]
>
> allow insecure wide links = yes
Some of those are defaults and, as such, could be removed.
The last line is interesting, you appear to have attempted to harden
your Unix domain member and then you go and blow a large hole in it by
adding that line 😁
>
> I looked up 'winbind normalize names' in 'man 5 smb.conf ':
>
> This parameter controls whether winbindd will replace whitespace in
> user and group names with an underscore
> (_) character. For example, whether the name "Space Kadet" should be
> replaced with the string
> "space_kadet".
>
> And that sounds useful to me. However it looks like it has a
> side-effect on groups that already contain an underscore.
> Unfortunately all groups in my AD have underscores in their names.
>
> What do we do now?
Remove the line.
> Should I file a bug?
No, because the smb.conf manpage goes on to say:
If your domain possesses names containing the underscore character, this
option may cause problems unless the name aliasing feature is supported
by your nss_info plugin.
So, it is a known feature 😁
Rowland
More information about the samba
mailing list