Jeff Sadowski
2018-Mar-27 14:46 UTC
[Samba] 10 minutes between primary group change and effect on Fedora 27
My smb.conf looks like so.

[global]
security = ads
realm = MIND.UNM.EDU
workgroup = MIND
idmap config * : backend = tdb
idmap config * : range = 2000-7999
idmap config MIND:backend = ad
idmap config MIND:schema_mode = rfc2307
idmap config MIND:range = 8000-9999999
idmap config MIND:unix_nss_info = yes
winbind use default domain = yes
restrict anonymous = 2

I have a user jefftest.

I found that to set the primary group that user needs to be in that group.

If I set the group of jefftest to a new group (both in the UNIX attributes tab and in the Member Of tab) using Active Directory Users and Computers.
Then I test the user using ldapsearch against each domain controller and they all have the new values according to ldapsearch in gidNumber.

Then I login with jefftest on my joined fedora 27 machine using winbind 4.7.6 as jefftest and run id.
It still shows the old group.
So I log out as jefftest and in as root and run

net cache flush

and try and login again as jefftest and it still shows the old gid number when running id.
After about 10 minutes it seems to work but that is a bit of time.

Is there a way to speed this up?

I think my ldapsearch using the uri of each domain controller shows that each domain controller has the new value is that an incorrect assumption?

I'm using the following ldapsearch arguments

(to check dc1)
ldapsearch -H ldap://dc1.mind.unm.edu.:389 -U jsadowski -Q -LLL \
  -b dc=mind,dc=unm,dc=edu -o ldif-wrap=no "(sAMAccountName=jefftest)" gidNumber

(to check dc2)
ldapsearch -H ldap://dc2.mind.unm.edu.:389 -U jsadowski -Q -LLL \
  -b dc=mind,dc=unm,dc=edu -o ldif-wrap=no "(sAMAccountName=jefftest)" gidNumber

"net cache flush" doesn't seem to be working.
L.P.H. van Belle
2018-Mar-27 15:02 UTC
[Samba] 10 minutes between primary group change and effect on Fedora 27
Hai,

Checked and confirmed also on Debian stretch with samba 4.7.6.

Even restart winbind does not help.
A net cache flush, same did not work.

A reboot, as test, did help here.

I suggest increase the debug level and report bug?

Greetz,

Louis
L.P.H. van Belle
2018-Mar-27 15:05 UTC
[Samba] 10 minutes between primary group change and effect on Fedora 27
In addition.

I remove my test group.
Did run id username.

Resulted in some leftovers:

uid=10002(username) gid=10000(domain users) groups=10000(domain users),10005(remote-webmail),10004(servers-ssh),10008(servers-www),10010

You see the 10010 that was my test group.

But more tomorrow, office is closing now..
And tomorrow is the new yesterday in two days.. :-)

Greetz,

Louis
Jeff Sadowski
2018-Mar-27 15:06 UTC
[Samba] 10 minutes between primary group change and effect on Fedora 27
On Tue, Mar 27, 2018 at 9:02 AM, L.P.H. van Belle via samba <samba at lists.samba.org> wrote:
> Hai,
>
> Checked and confirmed also on Debian stretch with samba 4.7.6.
>
> Even restart winbind does not help.
> A net cache flush, same did not work.
>
> A reboot, as test, did help here.
>
> I suggest increase the debug level and report bug?

Where can I set the debug levels?
Would that be in the smb.conf file?

> Greetz,
>
> Louis
L.P.H. van Belle
2018-Mar-27 15:10 UTC
[Samba] 10 minutes between primary group change and effect on Fedora 27
Start with this in smb.conf
0-10 are the values.

Put it in smb.conf (global)
log level = 3 winbind:5

A reboot did not remove my 10010 gid, so I'll go checking more tomorrow..

Greetz,

Louis
Rowland Penny
2018-Mar-27 15:15 UTC
[Samba] 10 minutes between primary group change and effect on Fedora 27
On Tue, 27 Mar 2018 08:46:00 -0600 Jeff Sadowski via samba <samba at lists.samba.org> wrote:
> My smb.conf looks like so.
>
> [global]
> security = ads
> realm = MIND.UNM.EDU
> workgroup = MIND
> idmap config * : backend = tdb
> idmap config * : range = 2000-7999
> idmap config MIND:backend = ad
> idmap config MIND:schema_mode = rfc2307
> idmap config MIND:range = 8000-9999999
> idmap config MIND:unix_nss_info = yes
> winbind use default domain = yes
> restrict anonymous = 2
>
> I have a user jefftest.
>
> I found that to set the primary group that user needs to be in that
> group.
>
> If I set the group of jefftest to a new group (both in the UNIX
> attributes tab and in the Member Of tab) using Active Directory Users
> and Computers.
> Then I test the user using ldapsearch against each domain controller
> and they all have the new values according to ldapsearch in gidNumber.
>
> Then I login with jefftest on my joined fedora 27 machine using
> winbind 4.7.6 as jefftest and run id.
> It still shows the old group.
> So I log out as jefftest and in as root and run

I think you are mixing up group membership and the user's primary group,
when you run 'getent group username' what is returned is the username
and the user's primary group
e.g. getent passwd rowland

Returns:
rowland:*:10000:10000:Rowland Penny:/home/rowland:/bin/bash

The first number is the user's uidNumber, the second is the gidNumber of
the user's primary group, in this case Domain Users.

All users, by default, get the gidNumber of Domain Users, if you want
the user to have a different primary group, you need to give the user a
gidNumber attribute containing the gidNumber of the required group AND
add this line to smb.conf:

idmap config MIND:unix_primary_group = yes

This will only work from Samba 4.6.0

Just in case you are trying to have user private groups with the same
name as the user, well, you cannot, it isn't allowed.

Rowland
Jeff Sadowski
2018-Mar-27 15:36 UTC
[Samba] 10 minutes between primary group change and effect on Fedora 27
On Tue, Mar 27, 2018 at 9:15 AM, Rowland Penny <rpenny at samba.org> wrote:
> I think you are mixing up group membership and the users primary group,
> when you run 'getent group username' what is returned is the username
> and the users primarygroup
> e.g. getent passwd rowland
>
> Returns:
> rowland:*:10000:10000:Rowland Penny:/home/rowland:/bin/bash
>
> The first number is the users uidNumber, the second is the gidNumber of
> the users primarygroup, in this case Domain Users.
>
> All users, by default, get the gidNumber of Domain Users, if you want
> the user to have a different primarygroup, you need to give the user a
> gidNumber attribute containing the gidNumber of the required group AND
> add this line to smb.conf:
>
> idmap config MIND:unix_primary_group = yes

OK I added this line
Is that not the default behavior?
It seemed to work after ten minutes like I wanted. I just wanted to speed up by flushing the cache or something.

> This will only work from Samba 4.6.0

Did you mean 4.6.0 and greater?

> Just in case you are trying to have user private groups with the same
> name as the user, well, you cannot, it isn't allowed.

I'm switching between jeff_write_group and jeffs_general_group so this isn't the issue.
AD wouldn't let me do that anyways.

> Rowland

I added the debug line as L.P.H. van Belle had suggested too.

> getent passwd jefftest
jefftest:*:11507:31026:Jeff Test:/na/homes/jefftest:/bin/bash

when I just switched the gidNumber to 31025 and verified using ldapsearch against all my dc's and I tried a "net cache flush"
the log files may have info in them but I'm not sure what to look for or how to post them. I think attachments are removed by the list.

And after 10 minutes getent now shows the same.

Seems that adding the
idmap config MIND:unix_primary_group = yes
nothing has noticeably changed.
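
The comparison described in this thread (gidNumber as returned by each DC against the primary GID that getent reports on the joined host), written as a script that tells apart DCs that disagree with each other from a client that still reports the old value. This is an added example, not code posted by anyone in the thread; the function names, the result labels and the sample LDIF dn are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Function names and labels are hypothetical.

# Print the gidNumber value from LDIF on stdin (ldapsearch -LLL output).
ldif_gid() {
    awk -F': ' 'tolower($1) == "gidnumber" { print $2; exit }'
}

# Print the primary GID (4th colon-separated field) of a passwd line on stdin.
passwd_gid() {
    awk -F: 'NR == 1 { print $4 }'
}

# classify NSS_GID DC=GID...   prints one of:
#   consistent    every DC and this host's NSS agree
#   replicating   the DCs do not (yet) agree with each other
#   stale-client  the DCs agree, but NSS on this host reports another GID
#   no-gid:<dc>   that DC returned no gidNumber for the user
classify() {
    nss=$1; shift
    ref=
    for pair in "$@"; do
        gid=${pair#*=}
        if [ -z "$gid" ]; then echo "no-gid:${pair%%=*}"; return 0; fi
        if [ -z "$ref" ]; then ref=$gid; fi
        if [ "$gid" != "$ref" ]; then echo replicating; return 0; fi
    done
    if [ "$nss" = "$ref" ]; then echo consistent; else echo stale-client; fi
}

# Live use on the joined host: live_check USER AUTHCID BASE DC...
# Uses the same ldapsearch options as the thread; needs network access.
live_check() {
    user=$1; authcid=$2; base=$3; shift 3
    # Refuse names that would change the meaning of the LDAP filter.
    case $user in
        ''|*[!A-Za-z0-9._-]*) echo "invalid user name" >&2; return 2 ;;
    esac
    nss=$(getent passwd "$user" | passwd_gid)
    pairs=
    for dc in "$@"; do
        gid=$(ldapsearch -H "ldap://$dc:389" -U "$authcid" -Q -LLL -b "$base" \
              -o ldif-wrap=no "(sAMAccountName=$user)" gidNumber | ldif_gid)
        pairs="$pairs $dc=$gid"
    done
    # Word splitting of $pairs is intended: one DC=GID argument per DC.
    classify "$nss" $pairs
}

# Constructed sample: the dn is made up; the passwd line is the one quoted above.
SAMPLE_LDIF='dn: CN=Jeff Test,CN=Users,DC=mind,DC=unm,DC=edu
gidNumber: 31025'
SAMPLE_PASSWD='jefftest:*:11507:31026:Jeff Test:/na/homes/jefftest:/bin/bash'

# Both DCs already return 31025 while NSS still reports 31026.
demo() {
    dc_gid=$(printf '%s\n' "$SAMPLE_LDIF" | ldif_gid)
    nss_gid=$(printf '%s\n' "$SAMPLE_PASSWD" | passwd_gid)
    classify "$nss_gid" "dc1=$dc_gid" "dc2=$dc_gid"
}

demo   # prints: stale-client
```

Run from cron or a change-verification step, a `stale-client` result after a group change marks the window in which the host still authorizes the user under the old primary group.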