[Samba] winbind, user permissions, and group permissions
gaiseric.vandal at gmail.com
Thu Feb 3 13:09:10 UTC 2022
I am running several Solaris unix servers with Samba as domain members
in a Windows Active Directory domain. The uidNumber or gidNumber for
a user or group is explicitly set in the AD attributes.
The /etc/nsswitch.conf file typically includes
passwd: files ldap winbind
group: files ldap winbind
This ensures that user and group permissions are consistent across all
servers and consistent for access via samba, ssh, sftp and nfs. The
"Ldap" users are still pulled from the AD servers.
However, some recent OS updates cause a conflict between the name
caching svc and winbind. With name caching enabled, "getent passwd" and
"getent group" return ldap entries but hang on winbind. But with
name caching disabled "getent" hangs trying to look up ldap users and
groups. Either way, it prevents access from Windows clients or
via ssh or both. Other servers show slow response for pulling winbind
entries with "getent" but not to the point of preventing access.
For the moment I have updated /etc/nsswitch.conf as
passwd: files ldap
group: files ldap
When I look at the file permissions of a file via Windows, I see
permissions for the user as "myname (UNIX\myname)" - which is what
I expect (though not what I want.)
I see permissions for the group as "somegroup(MYDOMAIN\somegroup)"
- which is what I would want but not what I would expect.
The wbinfo command shows that the user and group ID numbers are matching
what getent pulls from ldap.
# getent passwd myname
# wbinfo -i "MYDOMAIN\myname"
# getent group somegroup
# wbinfo --group-info "MYDOMAIN\somegroup"
Samba version: Version 4.11.11
security = ads
domain master = no
domain logons = no
workgroup = MYDOMAIN
include system krb5 conf = no
winbind nss info = rfc2307
kerberos method = system keytab
winbind use default domain = no
winbind enum users = Yes
winbind enum groups = Yes
idmap config *:backend = tdb
idmap config *:range = 2000-2999
idmap config MYDOMAIN:backend = ad
idmap config MYDOMAIN:schema_mode = rfc2307
idmap config MYDOMAIN:range = 100-1999
The real mystery is why, from windows, the behavior is different for
users vs groups.
Appreciate any advice.
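An added check, not from the original post and not part of Samba, that parses the idmap lines quoted above and verifies the "*" and MYDOMAIN ranges do not overlap (Samba requires disjoint ranges), and reports which idmap domain would own a given uidNumber or gidNumber pulled from LDAP; the smb.conf fragment and the ID numbers are constructed, and the regex assumes the "idmap config DOMAIN:option = value" layout.

```python
import re

# Constructed fragment based on the [global] lines quoted in the message.
SMB_CONF = """\
workgroup = MYDOMAIN
winbind nss info = rfc2307
idmap config *:backend = tdb
idmap config *:range = 2000-2999
idmap config MYDOMAIN:backend = ad
idmap config MYDOMAIN:schema_mode = rfc2307
idmap config MYDOMAIN:range = 100-1999
"""

IDMAP_RE = re.compile(r"^\s*idmap config\s+([^:\s]+)\s*:\s*(\w+)\s*=\s*(.+?)\s*$", re.I)


def parse_idmap(conf):
    """Group 'idmap config DOMAIN:option = value' lines by domain."""
    domains = {}
    for line in conf.splitlines():
        m = IDMAP_RE.match(line)
        if m:
            dom, opt, val = m.groups()
            domains.setdefault(dom.upper(), {})[opt.lower()] = val
    return domains


def parse_range(text):
    """'100-1999' -> (100, 1999); reject inverted ranges."""
    lo, hi = (int(x) for x in text.split("-"))
    if lo > hi:
        raise ValueError("inverted idmap range: %s" % text)
    return lo, hi


def check_idmap(domains):
    """Return a list of problems: domains without a range, and overlapping ranges."""
    problems, ranges = [], {}
    for dom, opts in domains.items():
        if "range" not in opts:
            problems.append("%s: no idmap range configured" % dom)
            continue
        ranges[dom] = parse_range(opts["range"])
    doms = sorted(ranges)
    for i, a in enumerate(doms):
        for b in doms[i + 1:]:
            (alo, ahi), (blo, bhi) = ranges[a], ranges[b]
            if alo <= bhi and blo <= ahi:  # intervals intersect
                problems.append("ranges overlap: %s %d-%d and %s %d-%d" % (a, alo, ahi, b, blo, bhi))
    return problems


def id_mapped_by(domains, number):
    """Name the idmap domain whose range contains number (uid or gid), or None.
    With the ad backend, winbind only honours a uidNumber/gidNumber that lies
    inside its domain's range, so an LDAP uid outside it will not resolve via winbind."""
    for dom, opts in domains.items():
        if "range" in opts:
            lo, hi = parse_range(opts["range"])
            if lo <= number <= hi:
                return dom
    return None
```

Run `check_idmap(parse_idmap(open("/etc/samba/smb.conf").read()))` against the real file and feed the uid from `getent passwd myname` to `id_mapped_by` to confirm it falls in the MYDOMAIN range rather than the tdb "*" range.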