My smb.conf file looks like so

[global]
security = ads
realm = MIND.UNM.EDU
workgroup = MIND
idmap config * : backend = tdb
idmap config * : range = 2000-7999
idmap config MIND:backend = ad
idmap config MIND:schema_mode = rfc2307
idmap config MIND:range = 8000-9999999
# added because 4.6+ no longer understands
# winbind nss info = rfc2307
idmap config MIND:unix_nss_info = yes
# left because 4.5- don’t understand
# idmap config MIND:unix_nss_info = yes
winbind nss info = rfc2307
winbind use default domain = yes
# so that the users show up in getent
winbind enum users = yes
# so that the groups show up in getent
winbind enum groups = yes
restrict anonymous = 2
#added the following 2 for the Badlock updates that change the defaults
#to no longer work with my domain controllers
ldap server require strong auth = no
client ldap sasl wrapping = plain
kerberos method = secrets and keytab

ldapsearch -H ldap://dc1.mind.unm.edu.:389 -U jsadowski -Q -LLL -b dc=mind,dc=unm,dc=edu -o ldif-wrap=no "(sAMAccountName=dstephenson)" |grep -ie gidnumber -e uidnumber

returns

uidNumber: 11772
gidNumber: 9013

as it should.

getent group amayerg

returns

amayerg:x:9013:

as it should, but

id dstephenson

returns

uid=11772(dstephenson) gid=8513(domain users) groups=8513(domain users),9013(amayerg),9033(sfeldsteing),9201(sharp_07295),9022(vcalhoung),8000(staff),9921(cnssage_secure),8004(research)

The gid should be the one from AD, 9013, and

getent passwd dstephenson

returns

dstephenson:*:11772:8513::/na/homes/dstephenson:/bin/bash

Again, 8513 should be 9013. In Windows ADUC, on the UNIX Attributes tab, it shows the correct group amayerg as the primary group.
I created the following script in the past to clear out cache

<== start of script

#!/bin/bash
# Re-run under sudo if not already root.
if [[ $EUID -ne 0 ]]; then
  echo "This script must be run as root"
  echo "If prompted type your sudo password"
  sudo "$0"
  exit $?
fi

# is <service> <start|stop>: run the action only if the service exists,
# so the name that does not apply on this distro (smb/smbd, nmb/nmbd) is skipped.
function is() {
  if [ "$(service "$1" status 2>&1 | grep -e "unrecognized service" -e "could not be found")" = "" ]; then
    if [ "$2" = "stop" ]; then
      echo "Stopping $1"
    fi
    if [ "$2" = "start" ]; then
      echo "Starting $1"
    fi
    service "$1" "$2"
  fi
}

is winbind stop
is smb stop
is smbd stop
is nmb stop
is nmbd stop

# Flush winbind's cache and remove the persistent tdb databases and the
# group mapping so they are rebuilt from AD when the services come back.
net cache flush
rm -f /var/lib/samba/*.tdb
rm -f /var/cache/samba/*.tdb
rm -f /var/lib/samba/group_mapping.ldb
sleep 1

is nmbd start
is nmb start
is smbd start
is smb start
is winbind start

<== end of script

I ran it to try and clear out any caching I could, but I still get the same results. What could be causing it to have a different gid than what is provided by AD?
On Tue, 13 Mar 2018 12:13:32 -0600
Jeff Sadowski via samba <samba at lists.samba.org> wrote:

> My smb.conf file looks like so
>
> [global]
> security = ads
> realm = MIND.UNM.EDU
> workgroup = MIND
> idmap config * : backend = tdb
> idmap config * : range = 2000-7999
> idmap config MIND:backend = ad
> idmap config MIND:schema_mode = rfc2307
> idmap config MIND:range = 8000-9999999
> # added because 4.6+ no longer understands
> # winbind nss info = rfc2307
> idmap config MIND:unix_nss_info = yes
> # left because 4.5- don’t understand
> # idmap config MIND:unix_nss_info = yes
> winbind nss info = rfc2307

OK, what version of Samba are you using on the Unix domain member?
If you are using 4.6 (or later), remove the 'winbind nss info' line.
If you are still using 4.5, then remove the 'idmap config MIND:unix_info' line.

> winbind use default domain = yes
> # so that the users show up in getent
> winbind enum users = yes
> # so that the groups show up in getent
> winbind enum groups = yes

You do not need the two 'winbind enum' lines to get 'getent' to work; 'getent passwd username' & 'getent group groupname' will work without them.

> restrict anonymous = 2
> #added the following 2 for the Badlock updates that change the defaults
> #to no longer work with my domain controllers
> ldap server require strong auth = no
> client ldap sasl wrapping = plain
> kerberos method = secrets and keytab

If you had to add the above lines after the Badlock updates, don't you think it is about time you fixed your DCs? It will be more secure. I also cannot see the reason for adding them: the first line only makes sense on a DC, the second turns off 'sign & seal' and the third only makes Kerberos look in /etc/krb5.keytab.

Rowland
On Tue, Mar 13, 2018 at 12:54 PM, Rowland Penny via samba <samba at lists.samba.org> wrote:
> On Tue, 13 Mar 2018 12:13:32 -0600
> Jeff Sadowski via samba <samba at lists.samba.org> wrote:
>
>> My smb.conf file looks like so
>>
>> [global]
>> security = ads
>> realm = MIND.UNM.EDU
>> workgroup = MIND
>> idmap config * : backend = tdb
>> idmap config * : range = 2000-7999
>> idmap config MIND:backend = ad
>> idmap config MIND:schema_mode = rfc2307
>> idmap config MIND:range = 8000-9999999
>> # added because 4.6+ no longer understands
>> # winbind nss info = rfc2307
>> idmap config MIND:unix_nss_info = yes
>> # left because 4.5- don’t understand
>> # idmap config MIND:unix_nss_info = yes
>> winbind nss info = rfc2307
>
> OK, what version of Samba are you using on the Unix domain member?
> If you are using 4.6 (or later), remove the 'winbind nss info' line.
> If you are still using 4.5, then remove the 'idmap config
> MIND:unix_info' line.
>

I use both. This config file is used across Ubuntu 16.04, which has 4.3.11, and I am using Fedora 27, which has 4.7.5. I thought I could leave them both uncommented for both, as they should throw out what they don't understand; is that not correct?

>> winbind use default domain = yes
>> # so that the users show up in getent
>> winbind enum users = yes
>> # so that the groups show up in getent
>> winbind enum groups = yes
>
> You do not need the two 'winbind enum' lines to get 'getent' to
> work; 'getent passwd username' & 'getent group groupname' will work
> without them.
>

I commented out both enums. Seems to work on my Fedora; I'll try on Ubuntu later. I could have sworn this was why I added them.

>> restrict anonymous = 2
>> #added the following 2 for the Badlock updates that change the defaults
>> #to no longer work with my domain controllers
>> ldap server require strong auth = no
>> client ldap sasl wrapping = plain
>> kerberos method = secrets and keytab
>
> If you had to add the above lines after the Badlock updates, don't you
> think it is about time you fixed your DCs? It will be more secure. I
> also cannot see the reason for adding them: the first line only
> makes sense on a DC, the second turns off 'sign & seal' and the third
> only makes Kerberos look in /etc/krb5.keytab.
>

I'm not sure how to fix my DCs. It may have been fixed with updates. Also, if I do fix it, I don't know if it will break my network storage, or how to roll back if it does.

I commented out "ldap server require strong auth = no", "client ldap sasl wrapping = plain" and "kerberos method = secrets and keytab" and restarted the winbind service in Fedora, and it still works. I can still ssh as a domain user and type a password. I will try in Ubuntu later. Does that mean my domain is fixed?

I still am not getting the correct group for my dstephenson user, with "id dstephenson" or "getent passwd dstephenson". With all those changes nothing seems to have changed.

> Rowland
>
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba
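An added check for the points Rowland raises, not Samba's own tooling and not posted in this thread: a small Python lint that parses the [global] section and flags 'client ldap sasl wrapping = plain' (sign & seal off), the DC-only 'ldap server require strong auth' option, whichever nss-info line does not belong on the given Samba version (taking 4.6 as the boundary, as Rowland's advice does), and a domain idmap range overlapping the '*' range. The finding codes are my own names; the sample is a trimmed copy of the posted config.

```python
import re

# Constructed sample: the [global] section posted at the top of this thread, trimmed.
SAMPLE_SMB_CONF = """[global]
security = ads
idmap config * : backend = tdb
idmap config * : range = 2000-7999
idmap config MIND:backend = ad
idmap config MIND:range = 8000-9999999
idmap config MIND:unix_nss_info = yes
winbind nss info = rfc2307
ldap server require strong auth = no
client ldap sasl wrapping = plain
"""

def parse_global(text):
    """Return {normalised key: value} for [global]; comments and blank lines skipped."""
    section, opts = None, {}
    for line in (l.strip() for l in text.splitlines()):
        if not line or line[0] in '#;':
            continue
        if line.startswith('[') and line.endswith(']'):
            section = line[1:-1].strip().lower()
        elif section == 'global' and '=' in line:
            key, _, value = line.partition('=')
            # fold case/whitespace so 'idmap config * : range' and 'idmap config MIND:range' look alike
            opts[re.sub(r'\s*:\s*', ':', ' '.join(key.split()).lower())] = value.strip()
    return opts

def lint(text, samba_version):
    """Return finding codes for an smb.conf used on a member server running samba_version."""
    opts, found = parse_global(text), []
    ver = tuple(int(x) for x in samba_version.split('.')[:2])
    if opts.get('client ldap sasl wrapping') == 'plain':
        found.append('sasl-plain')          # LDAP sign & seal switched off
    if 'ldap server require strong auth' in opts:
        found.append('dc-only-option')      # only meaningful on a DC, not a member
    if ver >= (4, 6) and 'winbind nss info' in opts:
        found.append('drop-winbind-nss-info')   # thread advice: 4.6+ uses unix_nss_info
    if ver < (4, 6) and any(k.endswith(':unix_nss_info') for k in opts):
        found.append('drop-unix-nss-info')      # thread advice: pre-4.6 does not know it
    ranges = {m.group(1): tuple(int(x) for x in v.split('-'))
              for k, v in opts.items() if (m := re.match(r'idmap config (\S+):range$', k))}
    lo, hi = ranges.get('*', (None, None))
    for dom, (dlo, dhi) in ranges.items():
        if dom != '*' and lo is not None and dlo <= hi and lo <= dhi:
            found.append(f'idmap-overlap:{dom}')  # domain range collides with the '*' range
    return found
```

Run it once per host with that host's version, since the same file is shared between the 4.3 and 4.7 machines and each flags a different nss-info line.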