aluno3 at poczta.onet.pl
2017-May-26 12:36 UTC
[Samba] Different primary group between 4.5.x and 4.6.x
I have upgraded Samba in my environment from 4.5.10 to 4.6.3 and experienced an issue with the primary group for the domain guest user:

With Samba 4.5.10 the primary group for DEV2+guest was "DEV2+domain guests":

    root at root:~# id DEV2+guest
    uid=66037(DEV2+guest) gid=66050(DEV2+domain guests) groups=66050(DEV2+domain guests)

With Samba 4.6.3 the primary group for DEV2+guest is "DEV2+domain users":

    root at root:~# id DEV2+guest
    uid=66037(DEV2+guest) gid=66049(DEV2+domain users) groups=66049(DEV2+domain users),66050(DEV2+domain guests)

Even though DEV2+guest does not belong to "DEV2+domain users", and wbinfo also shows:

    root at root:~# wbinfo --gid-info=66049|grep -i guest
    root at root:~# wbinfo --gid-info=66050|grep -i guest
    DEV2+domain guests:x:66050:DEV2+guest

So why, with Samba 4.6.3, does id or getent passwd show that the primary group for my guest user is a group which that user does not belong to?

I saw and checked the new options for idmap config:

    idmap config <DOMAIN> : unix_primary_group
    idmap config <DOMAIN> : unix_nss_info

but if I set them to yes or no the effect is the same.

I tested the below configuration for idmap:

    idmap config dev2 : unix_nss_info = no/yes
    idmap config dev2 : unix_primary_group = no/yes
    idmap config dev2 : range = 65536-19999999
    idmap config dev2 : backend = rid
    idmap config * : range = 20000000-39999999
    idmap config * : backend = autorid
Rowland Penny
2017-May-26 13:31 UTC
[Samba] Different primary group between 4.5.x and 4.6.x
On Fri, 26 May 2017 14:36:45 +0200 aluno3--- via samba <samba at lists.samba.org> wrote:

> I have upgraded Samba in my environment from 4.5.10 to 4.6.3 and
> experienced issue with primary group for domain guest user:
>
> With Samba 4.5.10 primary group for DEV2+guest was "DEV2+domain
> guests":
>
> root at root:~# id DEV2+guest
> uid=66037(DEV2+guest) gid=66050(DEV2+domain guests)
> groups=66050(DEV2+domain guests)
>
>
> With Samba 4.6.3 primary group for DEV2+guest is "DEV2+domain users":
>

If you check the release notes for 4.6.0, you will find this:

    winbind primary group and nss info
    ----------------------------------

    With 4.6, it will be possible to optionally use the primary group as
    set in the "Unix Attributes" tab for the local unix token of a domain
    user. Before 4.6, the Windows primary group was always chosen as
    primary group for the local unix token.

    To activate the unix primary group, set

    idmap config <DOMAIN> : unix_primary_group = yes

I wonder if this is possibly an artefact of the above change, because you seem to have possibly given 'Guest' a uidNumber.

Rowland
aluno3 at poczta.onet.pl
2017-May-26 13:50 UTC
[Samba] Different primary group between 4.5.x and 4.6.x
On 26.05.2017 15:31, Rowland Penny via samba wrote:

> On Fri, 26 May 2017 14:36:45 +0200
> aluno3--- via samba <samba at lists.samba.org> wrote:
>
>> I have upgraded Samba in my environment from 4.5.10 to 4.6.3 and
>> experienced issue with primary group for domain guest user:
>>
>> With Samba 4.5.10 primary group for DEV2+guest was "DEV2+domain
>> guests":
>>
>> root at root:~# id DEV2+guest
>> uid=66037(DEV2+guest) gid=66050(DEV2+domain guests)
>> groups=66050(DEV2+domain guests)
>>
>>
>> With Samba 4.6.3 primary group for DEV2+guest is "DEV2+domain users":
>>
>
> If you check the release notes for 4.6.0, you will find this:
>
> winbind primary group and nss info
> ----------------------------------
>
> With 4.6, it will be possible to optionally use the primary group as
> set in the "Unix Attributes" tab for the local unix token of a domain
> user. Before 4.6, the Windows primary group was always chosen as
> primary group for the local unix token.
>
> To activate the unix primary group, set
>
> idmap config <DOMAIN> : unix_primary_group = yes
>
>
> I wonder if is possibly an artefact of the above change, because you
> seem to have possibly given 'Guest' a uidNumber.
>
> Rowland
>

Is there a possibility to not set "Unix Attributes" and have the same behavior as in 4.5?

Also, in the "winbind changes" section of the release notes we can read:

"This means that "id <username>" without the user having logged in previously stops showing any supplementary groups. Also, it will show "DOMAIN\Domain Users" as the primary group. Once the user has logged in, "id <username>" will correctly show the primary group and supplementary group list."

also

"The winbind change to simplify the calculation of supplementary groups to make it more reliable and predictable has been deferred to 4.7 or later. This means that 'id <username>' without the user having logged in previously works similar to 4.5."

but even though I logged in to the share using the guest user, "id <username>" shows the same result.
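
The comparison made by hand in the first message (primary gid from `id` against the member list from `wbinfo --gid-info`) can be scripted to audit accounts after an upgrade. This is an added example, not part of the thread or of Samba; the function names are hypothetical, and it assumes, as the poster's check does, that the `wbinfo --gid-info` member list is the reference for membership.

```python
import re

def parse_id(line):
    """Parse `id <user>` output; group names may contain spaces."""
    uid = re.search(r"\buid=(\d+)\(([^)]*)\)", line)
    gid = re.search(r"\bgid=(\d+)\(([^)]*)\)", line)
    groups = re.search(r"\bgroups=(.*)$", line.strip())
    if not (uid and gid):
        raise ValueError(f"not id output: {line!r}")
    extra = re.findall(r"(\d+)\(([^)]*)\)", groups.group(1)) if groups else []
    return {"user": uid.group(2), "gid": int(gid.group(1)), "group": gid.group(2),
            "groups": {int(g): n for g, n in extra}}

def parse_gid_info(lines):
    """Map gid -> member names from `wbinfo --gid-info` lines (name:x:gid:members)."""
    members = {}
    for line in lines:
        _name, _pw, gid, rest = line.strip().split(":", 3)
        members[int(gid)] = {m.casefold() for m in rest.split(",") if m}
    return members

def unconfirmed_primary_group(id_line, gid_info_lines):
    """Return (user, gid, group) if the primary group's member list lacks the user."""
    ident = parse_id(id_line)
    members = parse_gid_info(gid_info_lines)
    # Case-insensitive match, like the `grep -i` in the thread.
    if ident["user"].casefold() in members.get(ident["gid"], set()):
        return None
    return ident["user"], ident["gid"], ident["group"]

# `id` output as posted in the thread for each Samba version.
ID_4_5 = "uid=66037(DEV2+guest) gid=66050(DEV2+domain guests) groups=66050(DEV2+domain guests)"
ID_4_6 = ("uid=66037(DEV2+guest) gid=66049(DEV2+domain users) "
          "groups=66049(DEV2+domain users),66050(DEV2+domain guests)")
# The 66050 line is from the thread; the 66049 line is constructed (the thread
# shows only that grep found no guest entry in it).
GID_INFO = ["DEV2+domain users:x:66049:",
            "DEV2+domain guests:x:66050:DEV2+guest"]

if __name__ == "__main__":
    for label, line in (("4.5.10", ID_4_5), ("4.6.3", ID_4_6)):
        print(label, unconfirmed_primary_group(line, GID_INFO))
```

A non-None result for a guest account means files readable or writable by that primary group are reachable by guest sessions, so it is worth checking before and after the upgrade.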