[Samba] winbind, user permissions, and group permissions

Gaiseric Vandal gaiseric.vandal at gmail.com
Thu Feb 3 22:36:29 UTC 2022


If I change "use default domain" in smb.conf from "no" to "yes" then I 
see users as "myname at mydomain.com" while groups still show as 
"MYDOMAIN\somegroup."   This is the same behavior as with files on the 
other Samba servers as well as real Windows servers.


While I can change read, write, and read/execute permissions via 
Windows, I am unable to add additional users or groups, or grant myself 
extended permissions.   Although maybe this didn't work before and I 
only just noticed.


On 2/3/2022 8:09 AM, Gaiseric Vandal wrote:
>
> I am running several Solaris unix servers with Samba as domain members 
> in a Windows Active Directory domain.   The uidNumber or gidNumber 
> for a user or group is explicitly set in the AD attributes.
>
> The /etc/nsswitch.conf file typically includes
>
>
>         passwd: files ldap winbind
>         group:  files ldap winbind
>
>
> This ensures that user and group permissions are consistent across all 
> servers and consistent for access via samba, ssh, sftp and nfs.  The 
> "Ldap" users are still pulled from the AD servers.
>
> However, some recent OS updates cause a conflict between the name 
> caching svc and winbind.  With name caching enabled, "getent passwd" 
> and "getent group" return ldap entries but hang up on winbind. 
> But with name caching disabled "getent" hangs up trying to look up ldap 
> users and groups.     Either way, it prevents access from Windows 
> clients, via ssh, or both. Other servers show slow response for 
> pulling winbind entries with "getent" but not to the point of 
> preventing access.
>
>
> For the moment I have updated /etc/nsswitch.conf as
>
>         passwd: files ldap
>         group:  files ldap
>
>
> When I look at the file permissions of a file via Windows, I see 
> permissions for the user as    "myname (UNIX\myname)"   - which is 
> what I expect (though not what I want.)
>
> I see permissions for the group as 
> "somegroup(MYDOMAIN\somegroup)"  -  which is what I would want but not 
> what I would expect.
>
>
>
> The wbinfo command shows that the user and group ID numbers are 
> matching what getent pulls from ldap.
>
>
>     # getent passwd myname
>     myname:x:123:515::/home/myname:/bin/bash
>
>     # wbinfo -i "MYDOMAIN\myname"
>     MYDOMAIN\myname:*:123:518:Firstname Lastname:/home/myname:/bin/bash#
>
>     # getent group somegroup
>     somegroup::456:myname,someuserA,someuserB
>
>     # wbinfo --group-info "MYDOMAIN\somegroup"
>     MYDOMAIN\somegroup :x:456:
>
>
> Samba version 4.11.11
>
>
> /etc/samba/smb.conf includes
>
>         security = ads
>         domain master = no
>         domain logons = no
>
>         workgroup = MYDOMAIN
>         realm = MYDOMAIN.COM
>
>         include system krb5 conf = no
>         winbind nss info = rfc2307
>         kerberos method = system keytab
>
>         winbind use default domain = no
>         winbind enum users = Yes
>         winbind enum groups = Yes
>
>         idmap config *:backend = tdb
>         idmap config *:range = 2000-2999
>
>         idmap config MYDOMAIN:backend = ad
>         idmap config MYDOMAIN:schema_mode = rfc2307
>         idmap config MYDOMAIN:range = 100-1999
>
>
> The real mystery is why, from windows, the behavior is different for 
> users vs groups.
>
>
> Appreciate any advice.
>
>
> Thanks
>
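As an added consistency check (not part of the original post and not a Samba tool), the following POSIX shell script compares the uid and gid fields that the NSS path (getent) and winbind (wbinfo) return for the same user and group, and reports which idmap range each id falls in: the AD-backed MYDOMAIN range means the rfc2307 attribute was used, while the default tdb range means winbind allocated an id itself, which is the case that makes permissions diverge between SMB, ssh and NFS access. The sample records and ranges are constructed from the lines quoted above (the trailing prompt character on the wbinfo line is dropped); on a live server the constants would be replaced by the real command output. Run as written over the posted lines, it flags the primary-group field of the user record, since the getent line carries 515 while the wbinfo line carries 518.

```shell
#!/bin/sh
# Constructed sample records, modelled on the getent/wbinfo output quoted in
# the post (not captured from the poster's servers).
GETENT_PASSWD='myname:x:123:515::/home/myname:/bin/bash'
WBINFO_PASSWD='MYDOMAIN\myname:*:123:518:Firstname Lastname:/home/myname:/bin/bash'
GETENT_GROUP='somegroup::456:myname,someuserA,someuserB'
WBINFO_GROUP='MYDOMAIN\somegroup:x:456:'

# idmap ranges taken from the posted smb.conf
DOMAIN_RANGE_LO=100;  DOMAIN_RANGE_HI=1999    # idmap config MYDOMAIN:range
DEFAULT_RANGE_LO=2000; DEFAULT_RANGE_HI=2999  # idmap config *:range (tdb)

# field RECORD N: print field N of a colon-separated passwd/group record.
# printf rather than echo so the backslash in "MYDOMAIN\myname" survives.
field() { printf '%s\n' "$1" | cut -d: -f"$2"; }

# classify_id ID: "domain" if the id lies in the AD-backed range, "default" if
# winbind allocated it from the tdb range (the AD attribute was not used),
# "outside" if it matches neither range (e.g. a purely local account).
classify_id() {
  id=$1
  if [ "$id" -ge "$DOMAIN_RANGE_LO" ] && [ "$id" -le "$DOMAIN_RANGE_HI" ]; then
    echo domain
  elif [ "$id" -ge "$DEFAULT_RANGE_LO" ] && [ "$id" -le "$DEFAULT_RANGE_HI" ]; then
    echo default
  else
    echo outside
  fi
}

# compare_passwd GETENT_LINE WBINFO_LINE: compare uid (field 3) and primary
# gid (field 4) of the two passwd records; prints "uid=ok|MISMATCH gid=ok|MISMATCH".
compare_passwd() {
  g_uid=$(field "$1" 3); w_uid=$(field "$2" 3)
  g_gid=$(field "$1" 4); w_gid=$(field "$2" 4)
  uid_state=ok; gid_state=ok
  [ "$g_uid" = "$w_uid" ] || uid_state=MISMATCH
  [ "$g_gid" = "$w_gid" ] || gid_state=MISMATCH
  echo "uid=$uid_state gid=$gid_state"
}

# compare_group GETENT_LINE WBINFO_LINE: compare gid (field 3) of two group records.
compare_group() {
  g_gid=$(field "$1" 3); w_gid=$(field "$2" 3)
  if [ "$g_gid" = "$w_gid" ]; then echo "gid=ok"; else echo "gid=MISMATCH"; fi
}

# Report for the sample records.
echo "user  $(field "$GETENT_PASSWD" 1): $(compare_passwd "$GETENT_PASSWD" "$WBINFO_PASSWD")" \
     "uid-range=$(classify_id "$(field "$GETENT_PASSWD" 3)")"
echo "group $(field "$GETENT_GROUP" 1): $(compare_group "$GETENT_GROUP" "$WBINFO_GROUP")" \
     "gid-range=$(classify_id "$(field "$GETENT_GROUP" 3)")"
```

On a real domain member the four constants would be set from `getent passwd myname`, `wbinfo -i 'MYDOMAIN\myname'`, `getent group somegroup` and `wbinfo --group-info 'MYDOMAIN\somegroup'`; any MISMATCH, or an id classified as `default`, means the two lookup paths will not agree on ownership of the same file.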
