[Samba] 'getent group mygroup' fails when 'winbind use default domain = yes'

Rowland penny rpenny at samba.org
Thu May 13 19:47:27 UTC 2021


On 13/05/2021 20:26, Kees van Vloten wrote:
> On 13-05-2021 21:01, Rowland penny via samba wrote:
>> On 13/05/2021 19:29, Kees van Vloten wrote:
>>> Hi Rowland,
>>>
>>> These are the results of the 2 commands:
>>>
>>> 100016
>>>
>>> 2000
>>>
>>> So that matches your expectations :-)
>>
>>
>> Just checking, there have been instances when an OP has claimed that 
>> they have added things when they hadn't, not that I really thought 
>> this was the problem in your case because 'id' showed the groups.
>>
>>>
>>>
>>> To make a long story short, I have found the culprit, it is called 
>>> 'winbind normalize names = yes'. The interesting bit is that in the 
>>> first output I sent that line was commented, I guess the bad results 
>>> then were due to not flushing the cache.
>>
>>
>> Probably, always flush the cache after making changes, even if you 
>> restart Samba.
>>
>>> I found this as a working configuration:
>>>
>>> [global]
>>>
>>>         allow insecure wide links = yes
>>
>>
>> Some of those are defaults and, as such, could be removed.
>>
>> The last line is interesting, you appear to have attempted to harden 
>> your Unix domain member and then you go and blow a large hole in it 
>> by adding that line 😁
>>
>>>
>>> I looked up 'winbind normalize names' in 'man 5 smb.conf ':
>>>
>>> This parameter controls whether winbindd will replace whitespace in 
>>> user and group names with an underscore
>>> (_) character. For example, whether the name "Space Kadet" should be 
>>> replaced with the string
>>> "space_kadet".
>>>
>>> And that sounds useful to me. However it looks like it has a 
>>> side-effect on groups that already contain an underscore. 
>>> Unfortunately all groups in my AD have underscores in their names.
>>>
>>> What do we do now?
>>
>>
>> Remove the line.
>>
>>> Should I file a bug? 
>>
>>
>> No, because the smb.conf manpage goes on to say:
>>
>> If your domain possesses names containing the underscore character, 
>> this option may cause problems unless the name aliasing feature is 
>> supported by your nss_info plugin.
>>
>> So, it is a known feature 😁
>>
>> Rowland
>>
>>
>>
> Hi Rowland,
>
> As it seems, I did not read the docs well enough to grasp the 
> important note about a known problem :-(
>
> The other issue you raise is indeed something I would love to remove: 
> 'allow insecure wide links = yes' or isolate to a single share (that 
> is probably the highest reachable).
> I have a windows deploy-share (read-only) with mounted windows iso 
> files and those contain extra drivers that are put in the mounted iso 
> through an overlayfs and symlinks.
> I looked into another way of putting the windows images together but 
> that does not seem to be a simple thing.
>
> [global]
>         ....
>         restrict anonymous = 2
>         map acl inherit = yes
>         store dos attributes = yes
>         allow insecure wide links = yes
>
> [deploy]
>        comment = Windows OS deployment
>        path = /srv/deploy/windows/share
>        read list = @"acl-smb_share_windows_deploy-read_only"
>        read only = yes
>        locking = no
>        follow symlinks = yes
>        wide links = yes
>
> Since it is a read-only share in samba I would expect it to be secure, 
> is that assumption correct?


Yes, as far as it goes, but you will probably be able to set finer 
access control from Windows, see here:

https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs

>
> Is there a way to get rid of the global setting 'allow insecure wide 
> links'?


Not if you require 'wide links = yes'

Rowland
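The mapping that bit Kees here is easy to reproduce: 'winbind normalize names' turns whitespace into underscores (and lowercases), so any AD group that already carries an underscore can no longer be mapped back unambiguously, and two distinct names can even land on the same normalized string. The following Python is an added example, not code from the thread or from Samba; it assumes the whitespace-to-underscore-plus-lowercase rule exactly as the quoted manpage text describes it, and the group list is constructed, apart from the read-list group taken from Kees's share definition.

```python
import re
from collections import defaultdict

# Constructed sample of AD group names; the 'acl-smb_...' entry is the one
# from the [deploy] share's 'read list', the others are made up for the demo.
SAMPLE_GROUPS = [
    "Space Kadet",
    "acl-smb_share_windows_deploy-read_only",
    "Domain Admins",
    "Domain_Admins",
    "Printer Operators",
]


def normalize(name: str) -> str:
    """Apply the rule quoted from 'man 5 smb.conf': whitespace becomes '_',
    and the result is lowercased ("Space Kadet" -> "space_kadet").
    This is a simulation of the option's effect, not winbind's own code."""
    return re.sub(r"\s", "_", name).lower()


def denormalize(normalized: str, ad_names: list[str]) -> list[str]:
    """Return every AD name that would have produced this normalized string.
    More than one candidate means 'getent group' cannot know which one
    the caller meant; zero means the name is not in the directory."""
    return [n for n in ad_names if normalize(n) == normalized]


def audit(ad_names: list[str]) -> dict:
    """Flag the two failure modes the thread describes:
    - underscore_names: names that already contain '_', so the reverse
      mapping (underscore -> space?) is ambiguous even without a clash;
    - collisions: distinct AD names that normalize to the same string."""
    by_normalized = defaultdict(list)
    for name in ad_names:
        by_normalized[normalize(name)].append(name)
    collisions = {k: v for k, v in by_normalized.items() if len(v) > 1}
    underscore_names = [n for n in ad_names if "_" in n]
    return {"collisions": collisions, "underscore_names": underscore_names}


if __name__ == "__main__":
    report = audit(SAMPLE_GROUPS)
    for norm, originals in report["collisions"].items():
        print(f"collision: {norm!r} <- {originals}")
    for name in report["underscore_names"]:
        print(f"not safely reversible: {name!r}")
```

Running the audit before enabling the option (or before deciding to keep it off, as Rowland advises) tells you exactly which groups would stop resolving; any non-empty `underscore_names` list is the manpage's "may cause problems" case unless your nss_info plugin supports name aliasing.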
