[Samba] 'getent group mygroup' fails when 'winbind use default domain = yes'
Rowland penny
rpenny at samba.org
Thu May 13 19:47:27 UTC 2021
On 13/05/2021 20:26, Kees van Vloten wrote:
> On 13-05-2021 21:01, Rowland penny via samba wrote:
>> On 13/05/2021 19:29, Kees van Vloten wrote:
>>> Hi Rowland,
>>>
>>> These are the results of the 2 commands:
>>>
>>> 100016
>>>
>>> 2000
>>>
>>> So that matches your expectations :-)
>>
>>
>> Just checking, there have been instances when an OP has claimed that
>> they have added things when they hadn't, not that I really thought
>> this was the problem in your case because 'id' showed the groups.
>>
>>>
>>>
>>> To make a long story short, I have found the culprit, it is called
>>> 'winbind normalize names = yes'. The interesting bit is that in the
>>> first output I sent that line was commented, I guess the bad results
>>> then were due to not flushing the cache.
>>
>>
>> Probably, always flush the cache after making changes, even if you
>> restart Samba.
>>
>>> I found this as a working configuration:
>>>
>>> [global]
>>>
>>> allow insecure wide links = yes
>>
>>
>> Some of those are defaults and, as such, could be removed.
>>
>> The last line is interesting, you appear to have attempted to harden
>> your Unix domain member and then you go and blow a large hole in it
>> by adding that line 😁
>>
>>>
>>> I looked up 'winbind normalize names' in 'man 5 smb.conf ':
>>>
>>> This parameter controls whether winbindd will replace whitespace in
>>> user and group names with an underscore
>>> (_) character. For example, whether the name "Space Kadet" should be
>>> replaced with the string
>>> "space_kadet".
>>>
>>> And that sounds useful to me. However it looks like it has a
>>> side-effect on groups that already contain an underscore.
>>> Unfortunately all groups in my AD have underscores in their names.
>>>
>>> What do we do now?
>>
>>
>> Remove the line.
>>
>>> Should I file a bug?
>>
>>
>> No, because the smb.conf manpage goes on to say:
>>
>> If your domain possesses names containing the underscore character,
>> this option may cause problems unless the name aliasing feature is
>> supported by your nss_info plugin.
>>
>> So, it is a known feature 😁
>>
>> Rowland
>>
>>
>>
> Hi Rowland,
>
> As it seems, I did not read the docs well enough to grasp the
> important note about a known problem :-(
>
> The other issue you raise is indeed something I would love to remove:
> 'allow insecure wide links = yes' or isolate to a single share (that
> is probably the highest reachable).
> I have a windows deploy-share (read-only) with mounted windows iso
> files and those contain extra drivers that are put in the mounted iso
> through an overlayfs and symlinks.
> I looked into another way of putting the windows images together but
> that does not seem to be a simple thing.
>
> [global]
> ....
> restrict anonymous = 2
> map acl inherit = yes
> store dos attributes = yes
> allow insecure wide links = yes
>
> [deploy]
> comment = Windows OS deployment
> path = /srv/deploy/windows/share
> read list = @"acl-smb_share_windows_deploy-read_only"
> read only = yes
> locking = no
> follow symlinks = yes
> wide links = yes
>
> Since it is a read-only share in samba I would expect it to be secure,
> is that assumption correct?
Yes, as far as it goes, but you will probably be able to set finer
access control from Windows, see here:
https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs
>
> Is there a way to get rid of the global setting 'allow insecure wide
> links'?
Not if you require 'wide links = yes'.
Rowland
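As an added example (not code from this thread, from Samba, or from its manpages), the script below audits an smb.conf fragment for the two points settled in the exchange above: group names that cannot survive 'winbind normalize names = yes', and shares where 'wide links = yes' together with the global 'allow insecure wide links = yes' lets symlinks escape the share path. The sample smb.conf and the AD group list are constructed (modelled on the configuration quoted in the thread and on the manpage's "Space Kadet"); the parser, the `audit` function and the other names are mine. The normalization model is the documented outbound mapping (whitespace to underscore) plus an assumed reverse mapping on lookup (every underscore back to a space), which is what makes names that already contain underscores fail to resolve and makes "Space Kadet" and "Space_Kadet" indistinguishable.

```python
"""Audit an smb.conf fragment for the 'winbind normalize names' and
'wide links' pitfalls (added example; not Samba's own code)."""
import configparser
import re
from collections import defaultdict

# Constructed sample modelled on the thread's configuration, not the
# poster's actual file. No indentation, so every line is its own option.
SAMPLE_SMB_CONF = """\
[global]
workgroup = EXAMPLE
security = ads
winbind use default domain = yes
winbind normalize names = yes
restrict anonymous = 2
allow insecure wide links = yes

[deploy]
comment = Windows OS deployment
path = /srv/deploy/windows/share
read list = @"acl-smb_share_windows_deploy-read_only"
read only = yes
follow symlinks = yes
wide links = yes

[data]
path = /srv/data
read only = no
"""

# Constructed AD group names; "Space Kadet" is the manpage's own example.
SAMPLE_GROUPS = ["acl-smb_share_windows_deploy-read_only", "Domain Users",
                 "Space Kadet", "Space_Kadet", "mygroup"]


def parse_smb_conf(text):
    """Return {section: {parameter: value}}; parameter names are lower-cased
    because smb.conf treats them case-insensitively."""
    cp = configparser.ConfigParser(interpolation=None, strict=False,
                                   delimiters=("=",))
    cp.read_string(text)
    return {s: dict(cp.items(s)) for s in cp.sections()}


def is_yes(value, default=False):
    """smb.conf boolean: yes/true/1 are true; None means 'use the default'."""
    if value is None:
        return default
    return value.strip().lower() in ("yes", "true", "1")


def normalize(name):
    # Documented outbound mapping of 'winbind normalize names': whitespace -> '_'.
    return re.sub(r"\s", "_", name)


def unnormalize(name):
    # Assumed reverse mapping applied on lookup: every '_' -> ' '.
    return name.replace("_", " ")


def lossy_names(names):
    """AD names that do not survive a normalize/unnormalize round trip."""
    return [n for n in names if unnormalize(normalize(n)) != n]


def normalized_collisions(names):
    """Distinct AD names that normalize to the same Unix name."""
    buckets = defaultdict(list)
    for n in names:
        buckets[normalize(n)].append(n)
    return {k: v for k, v in buckets.items() if len(v) > 1}


def audit(conf, group_names):
    """Return human-readable findings for the parsed config and group list."""
    findings = []
    g = conf.get("global", {})
    if is_yes(g.get("winbind normalize names")):
        for n in lossy_names(group_names):
            findings.append(f"normalize: '{n}' contains '_' and will not "
                            f"resolve back to its AD name")
        for key, names in normalized_collisions(group_names).items():
            findings.append(f"normalize: {names} all map to '{key}'")
    insecure = is_yes(g.get("allow insecure wide links"))
    unix_ext = is_yes(g.get("unix extensions"), default=True)   # default yes
    for share, params in conf.items():
        if share == "global":
            continue
        wide = is_yes(params.get("wide links", g.get("wide links")))  # default no
        follow = is_yes(params.get("follow symlinks", g.get("follow symlinks")),
                        default=True)                             # default yes
        if not wide:
            continue
        if unix_ext and not insecure:
            # Samba disables wide links itself unless the insecure knob is set.
            findings.append(f"share '{share}': wide links = yes is ignored "
                            f"while unix extensions = yes")
        elif follow:
            findings.append(f"share '{share}': symlinks under "
                            f"{params.get('path')} may point anywhere smbd can read")
    return findings


if __name__ == "__main__":
    for line in audit(parse_smb_conf(SAMPLE_SMB_CONF), SAMPLE_GROUPS):
        print(line)
```

Run against the sample it reports the two underscore-containing groups, the "Space Kadet"/"Space_Kadet" collision, and the [deploy] share's symlink exposure; the [data] share, which leaves 'wide links' at its default, is silent. Flip the global 'allow insecure wide links' to no and the [deploy] finding changes to "ignored", which is the coupling the thread's last answer refers to.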