[Samba] winbind, user permissions, and group permissions

Gaiseric Vandal gaiseric.vandal at gmail.com
Thu Feb 3 13:09:10 UTC 2022

I am running several Solaris unix servers with Samba as domain members 
in a Windows Active Directory domain. The uidNumber or gidNumber for 
a user or group is explicitly set in the AD attributes.

The /etc/nsswitch.conf file typically includes

         passwd: files ldap winbind
         group:  files ldap winbind

This ensures that user and group permissions are consistent across all 
servers and consistent for access via samba, ssh, sftp and nfs.  The 
"Ldap" users are still pulled from the AD servers.

However, some recent OS updates cause a conflict between the name 
caching svc and winbind. With name caching enabled, "getent passwd" and 
"getent group" return ldap entries but hang up on winbind. But with 
name caching disabled "getent" hangs up trying to look up ldap users and 
groups. Either way, it prevents access from Windows clients or 
via ssh or both. Other servers show slow response for pulling winbind 
entries with "getent" but not to the point of preventing access.

For the moment I have updated /etc/nsswitch.conf as

         passwd: files ldap
         group:  files ldap

When I look at the file permissions of a file via Windows, I see 
permissions for the user as "myname (UNIX\myname)" - which is what 
I expect (though not what I want.)

I see permissions for the group as "somegroup (MYDOMAIN\somegroup)" 
- which is what I would want but not what I would expect.

The wbinfo command shows that the user and group ID numbers are matching 
what getent pulls from ldap.

    # getent passwd myname


    # wbinfo -i "MYDOMAIN\myname"
    MYDOMAIN\myname:*:123:518:Firstname Lastname:/home/myname:/bin/bash

    # getent group somegroup


    # wbinfo --group-info "MYDOMAIN\somegroup"

    MYDOMAIN\somegroup :x:456:

Samba version 4.11.11

/etc/samba/smb.conf includes

         security =  ads
         domain master = no
         domain logons = no

         workgroup = MYDOMAIN

         include system krb5 conf = no
         winbind nss info = rfc2307
         kerberos method = system keytab

         winbind use default domain =  no

         winbind enum users = Yes

         winbind enum groups = Yes

    idmap config *:backend = tdb
    idmap config *:range = 2000-2999

    idmap config MYDOMAIN:backend = ad
    idmap config MYDOMAIN:schema_mode = rfc2307
    idmap config MYDOMAIN:range = 100-1999

The real mystery is why, from windows, the behavior is different for 
users vs groups.

Appreciate any advice.
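One way to check, per account, that the ldap side of nsswitch and winbind agree on the ids and that the id sits inside the MYDOMAIN idmap range from the smb.conf above. This is an added diagnostic script, not code from the original post or from Samba; the getent line is a constructed sample (the post's getent output was elided), the wbinfo line is the one shown in the post, and the 100-1999 range is taken from the smb.conf above.

```shell
#!/bin/sh
# Added diagnostic (not from the post): compare the uid/gid that nss (getent,
# ldap) reports for a user with what winbind (wbinfo -i) reports, then check
# that the uid lies inside the idmap range configured for MYDOMAIN in smb.conf.

# Constructed sample of "getent passwd myname" (the post's output was elided).
NSS_LINE='myname:x:123:518:Firstname Lastname:/home/myname:/bin/bash'
# The "wbinfo -i MYDOMAIN\myname" line as shown in the post.
WB_LINE='MYDOMAIN\myname:*:123:518:Firstname Lastname:/home/myname:/bin/bash'

# field LINE N: print field N of a colon-separated passwd-style line.
field() { printf '%s\n' "$1" | cut -d: -f"$2"; }

# compare_ids NSS_LINE WB_LINE RANGE_LOW RANGE_HIGH
# Prints a verdict; returns 0 when nss and winbind agree and the uid is in
# range, 1 on a uid/gid mismatch, 2 when the uid is outside the idmap range
# (with "idmap config MYDOMAIN:backend = ad", an id outside the range
# means the AD uidNumber will not be used by winbind).
compare_ids() {
  nss_uid=$(field "$1" 3); nss_gid=$(field "$1" 4)
  wb_uid=$(field "$2" 3);  wb_gid=$(field "$2" 4)
  if [ "$nss_uid" != "$wb_uid" ] || [ "$nss_gid" != "$wb_gid" ]; then
    echo "MISMATCH nss=$nss_uid:$nss_gid winbind=$wb_uid:$wb_gid"
    return 1
  fi
  if [ "$wb_uid" -lt "$3" ] || [ "$wb_uid" -gt "$4" ]; then
    echo "OUT_OF_RANGE uid=$wb_uid not in $3-$4"
    return 2
  fi
  echo "OK uid=$wb_uid gid=$wb_gid"
  return 0
}

# Live use on a domain member (needs winbind running), e.g.:
#   compare_ids "$(getent passwd myname)" "$(wbinfo -i 'MYDOMAIN\myname')" 100 1999
compare_ids "$NSS_LINE" "$WB_LINE" 100 1999
```

Run the same comparison for a group by feeding "getent group" and "wbinfo --group-info" lines, where the gid is field 3 of both.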


