[Samba] 'getent group mygroup' fails when 'winbind use default domain = yes'

[Rowland penny]

On 13/05/2021 19:29, Kees van Vloten wrote:
> Hi Rowland,
>
> These are the results of the 2 commands:
>
> 100016
>
> 2000
>
> So that matches your expectations :-)


Just checking, there have been instances when an OP has claimed that 
they have added things when they hadn't, not that I really thought this 
was the problem in your case because 'id' showed the groups.

>
>
> To make a long story short, I have found the culprit, it is called 
> 'winbind normalize names = yes'. The interesting bit is that in the 
> first output I sent that line was commented, I guess the bad results 
> then were due to not flushing the cache.


Probably, always flush the cache after making changes, even if you 
restart Samba.

> I found this as a working configuration:
>
> global]
>
>         allow insecure wide links = yes


Some of those are defaults and, as such, could be removed.

The last line is interesting, you appear to have attempted to harden 
your Unix domain member and then you go and blow a large hole in it by 
adding that line 😁

>
> I looked up 'winbind normalize names' in 'man 5 smb.conf ':
>
> This parameter controls whether winbindd will replace whitespace in 
> user and group names with an underscore
> (_) character. For example, whether the name "Space Kadet" should be 
> replaced with the string
> "space_kadet".
>
> And that sounds useful to me. However it looks like it has a 
> side-effect on groups that already contain an underscore. 
> Unfortunately all groups in my AD have underscores in their names.
>
> What do we do now?


Remove the line.

> Should I file a bug? 


No, because the smb.conf manpage goes on to say:

If your domain possesses names containing the underscore character, this 
option may cause problems unless the name aliasing feature is supported 
by your nss_info plugin.

So, it is a known feature 😁

Rowland