Reintroduce netgroups support?

Rowland Penny rpenny at samba.org
Fri Jun 3 12:12:07 UTC 2022


On Fri, 2022-06-03 at 13:39 +0200, Samuel Cabrero wrote:
> On Fri, 2022-06-03 at 12:01 +0100, Rowland Penny via samba-technical
> wrote:
> > On Fri, 2022-06-03 at 12:40 +0200, Samuel Cabrero wrote:
> > > On Fri, 2022-06-03 at 11:10 +0100, Rowland Penny via samba-
> > > technical
> > > wrote:
> > > > On Fri, 2022-06-03 at 12:00 +0200, Samuel Cabrero via samba-
> > > > technical
> > > > wrote:
> > > > > Hi,
> > > > > 
> > > > > I have received some complaints after we dropped netgroups
> > > > > support in Samba 4.15.0. Our release notes only mention we
> > > > > dropped NIS but netgroups went with it.
> > > > 
> > > > Well, netgroups are part of NIS
> > > 
> > > Nowadays you can store netgroups in LDAP.
> > > 
> > > https://ldapwiki.com/wiki/Netgroup
> > > 
> > > https://www.linux.com/news/sysadmin-sysadmin-netgroups-are-not-just-nis-anymore/
> > 
> > But using Samba with ldap basically requires SMBv1 and Samba is
> > trying to remove this.
> > 
> > > > > Some people still use netgroups without NIS, stored in LDAP
> > > > > and made available to the system through nss_sss, but it is
> > > > > also possible to use /etc/netgroups.
> > > > 
> > > > Why and how are they using a part of NIS without NIS ?
> > > 
> > > The netgroups are stored in LDAP and used in the 'valid users'
> > > share
> > > option.
> > 
> > But, you really shouldn't use 'valid users' with AD, you should use
> > ACLs
> > 
> > > > > I had a look at the removed code and I think it is possible
> > > > > to reintroduce netgroups support independently from NIS, using
> > > > > the getdomainname() function from glibc instead of
> > > > > yp_get_default_domain() from libnsl.
> > > > > 
> > > > > Should we bring back netgroups support?
> > > > 
> > > > I do not see the point, AD groups can do the same thing.
> > > 
> > > AD is not involved here, this is a pure file server use case.
> > 
> > Then it definitely shouldn't be brought back, once SMBv1 is
> > removed, then standard ldap will very probably not be involved, just
> > AD and netgroups will not be required,
> >
> > Why not get sssd to work with Windows AD groups ?
> > 
> > Rowland
> > 
> 
> Rowland, let's remove LDAP, AD and SSSD from the equation completely.
> Consider this pure file server deployment:
> 
> 1. Set NIS domain name
> 
> $> nisdomainname
> foonisdom
>  
> 
> 2. Add a couple of users
> 
> /etc/passwd:
> user1:x:1001:1001::/home/user1:/bin/bash
> user2:x:1002:1002::/home/user2:/bin/bash
> 
> $> pdbedit -L
> user1:1001:
> user2:1002:
> 
> 
> 3. Set up /etc/nsswitch.conf
> 
> passwd:         compat
> group:          compat
> netgroup:       files nis
> 
> 
> 4. Add a netgroup
> 
> $> cat /etc/netgroup
> netgrp1 (,user1,foonisdom) (,user2,barnisdom)
> 
> 
> 5. Minimal smb.conf
> 
> [global]
>         workgroup = WORKGROUP
>         security = user
> 
> [share]
>         path = /srv/share
>         valid users = @netgrp1
> 
> 
> 6. Test, samba < 4.15.0
> 
> $> smbclient //localhost/share -Uuser1%<pwd> -c 'quit'
> $> echo $?
> 0
> 
> $> smbclient //localhost/share -Uuser2%<pwd> -c 'quit'
> tree connect failed: NT_STATUS_ACCESS_DENIED
> 
> 
> 7. Test, samba >= 4.15.0
> 
> $ smbclient //localhost/share -Uuser1%<pwd> -c 'quit'
> tree connect failed: NT_STATUS_ACCESS_DENIED
> 
> $ smbclient //localhost/share -Uuser2%<pwd> -c 'quit'
> tree connect failed: NT_STATUS_ACCESS_DENIED

Let's take everything out of this, you want Samba to bring netgroups
back so that sssd works. Why not get sssd to emulate netgroups with AD
(or ldap)? Why should Samba be altered to work with an outside corner
case? There are, in my opinion, too many corner cases already.

Rowland
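The pre-4.15.0 result in Samuel's step 6 (user1 allowed, user2 denied) follows from how a netgroup triple is matched: the third field must equal the local NIS domain name, and user2's triple names barnisdom while the host is in foonisdom. The C below is an added example, not Samba's or the thread's own code; it replicates innetgr(3)/netgroup(5) matching over the constructed /etc/netgroup line from the thread, assuming the host field is ignored (as when innetgr() is given a NULL host) and the domain argument is whatever getdomainname() or yp_get_default_domain() would return.

```c
#include <stdio.h>
#include <string.h>

/* Constructed sample: the /etc/netgroup line from the thread above. */
static const char *NETGROUP_LINE = "netgrp1 (,user1,foonisdom) (,user2,barnisdom)";

/* netgroup(5) field rules: empty = wildcard, "-" = matches nothing,
 * otherwise the field must equal the queried value exactly. */
static int field_matches(const char *field, size_t len, const char *want)
{
    if (len == 0) return 1;
    if (len == 1 && field[0] == '-') return 0;
    return strlen(want) == len && memcmp(field, want, len) == 0;
}

/* innetgr(3)-style membership test over one netgroup line (no nested
 * netgroups). The host field is ignored, as when innetgr() gets a NULL
 * host; returns 1 if `user` from NIS domain `domain` is in `group`. */
int user_in_netgroup_line(const char *line, const char *group,
                          const char *user, const char *domain)
{
    size_t glen = strlen(group);
    const char *p = line + glen;

    if (strncmp(line, group, glen) != 0 || line[glen] != ' ')
        return 0;                       /* not this netgroup's line */

    while ((p = strchr(p, '(')) != NULL) {
        const char *close = strchr(p, ')');
        const char *c1, *c2;
        if (close == NULL) return 0;    /* malformed triple: deny */
        c1 = memchr(p + 1, ',', close - (p + 1));
        if (c1 == NULL) return 0;
        c2 = memchr(c1 + 1, ',', close - (c1 + 1));
        if (c2 == NULL) return 0;
        if (field_matches(c1 + 1, c2 - (c1 + 1), user) &&
            field_matches(c2 + 1, close - (c2 + 1), domain))
            return 1;
        p = close + 1;
    }
    return 0;
}

int main(void)
{
    /* Local NIS domain is foonisdom, as set with nisdomainname in the thread. */
    printf("user1 allowed: %d\n", user_in_netgroup_line(NETGROUP_LINE, "netgrp1", "user1", "foonisdom"));
    printf("user2 allowed: %d\n", user_in_netgroup_line(NETGROUP_LINE, "netgrp1", "user2", "foonisdom"));
    return 0;
}
```

Run against the same line with "barnisdom" as the domain and user2 is accepted instead, which is the check that disappeared with the NIS code in 4.15.0.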