Hi list,

the behaviour of winbind changed in Samba version 4.8.3.

Having this nsswitch.conf:
# cat /etc/nsswitch.conf
passwd: compat winbind cache
group: compat winbind cache
shadow: compat

hosts: files dns
networks: files

protocols: db files
services: db files
ethers: db files
rpc: db files

netgroup: nis

and this smb.conf:
# cat /etc/samba/smb.conf
[global]
kerberos method = secrets and keytab
log file = /var/log/samba/log.%m
max log size = 1000
realm = SPREADSHIRT.PRIVATE
security = ADS
server role = member server
server string = %h server (Samba, Ubuntu)
winbind expand groups = 5
winbind offline logon = Yes
winbind separator = +
workgroup = SPREADSHIRT
idmap config * : range = 10000 - 19999
idmap config spreadshirt : range = 1000000 - 19999999
idmap config spreadshirt : backend = rid
idmap config * : backend = tdb

There is a user in the domain SPREADSHIRT with the name tmutest.

With Samba 4.8.2 and lower:
# id tmutest
id: ‘tmutest’: no such user

# id SPREADSHIRT+tmutest
uid=1102339(SPREADSHIRT+tmutest) gid=1000513(SPREADSHIRT+domain users) groups=1000513(SPREADSHIRT+domain users),1102339(SPREADSHIRT+tmutest),10001(BUILTIN+users)

With Samba 4.8.3:
# id tmutest
uid=1102339(SPREADSHIRT+tmutest) gid=1000513(SPREADSHIRT+domain users) groups=1000513(SPREADSHIRT+domain users),1102339(SPREADSHIRT+tmutest),10001(BUILTIN+users)

root at toolbox01 [lej] ~ # id SPREADSHIRT+tmutest
uid=1102339(SPREADSHIRT+tmutest) gid=1000513(SPREADSHIRT+domain users) groups=1000513(SPREADSHIRT+domain users),1102339(SPREADSHIRT+tmutest),10001(BUILTIN+users)

Is this intended?
Is it possible to change the behaviour back to pre-4.8.3 by configuration change?

Thank you.

Best,
Tino

On Mon, 2 Jul 2018 08:53:31 +0200 Tino Müller via samba <samba at lists.samba.org> wrote:

> Hi list,
>
> the behaviour of winbind changed in Samba version 4.8.3.
>
> Having this nsswitch.conf:
> # cat /etc/nsswitch.conf
> passwd: compat winbind cache
> group: compat winbind cache
> shadow: compat
>
> hosts: files dns
> networks: files
>
> protocols: db files
> services: db files
> ethers: db files
> rpc: db files
>
> netgroup: nis
>
> and this smb.conf:
> # cat /etc/samba/smb.conf
> [global]
> kerberos method = secrets and keytab
> log file = /var/log/samba/log.%m
> max log size = 1000
> realm = SPREADSHIRT.PRIVATE
> security = ADS
> server role = member server
> server string = %h server (Samba, Ubuntu)
> winbind expand groups = 5
> winbind offline logon = Yes
> winbind separator = +
> workgroup = SPREADSHIRT
> idmap config * : range = 10000 - 19999
> idmap config spreadshirt : range = 1000000 - 19999999
> idmap config spreadshirt : backend = rid
> idmap config * : backend = tdb
>
> There is a user in the domain SPREADSHIRT with the name tmutest.
>
> With Samba 4.8.2 and lower:
> # id tmutest
> id: ‘tmutest’: no such user
>
> # id SPREADSHIRT+tmutest
> uid=1102339(SPREADSHIRT+tmutest) gid=1000513(SPREADSHIRT+domain users)
> groups=1000513(SPREADSHIRT+domain
> users),1102339(SPREADSHIRT+tmutest),10001(BUILTIN+users)
>
>
> With Samba 4.8.3:
> # id tmutest
> uid=1102339(SPREADSHIRT+tmutest) gid=1000513(SPREADSHIRT+domain users)
> groups=1000513(SPREADSHIRT+domain
> users),1102339(SPREADSHIRT+tmutest),10001(BUILTIN+users)
>
> root at toolbox01 [lej] ~ # id SPREADSHIRT+tmutest
> uid=1102339(SPREADSHIRT+tmutest) gid=1000513(SPREADSHIRT+domain users)
> groups=1000513(SPREADSHIRT+domain
> users),1102339(SPREADSHIRT+tmutest),10001(BUILTIN+users)
>
> Is this intended?
> Is it possible to change the behaviour back to pre-4.8.3 by
> configuration change?
>
> Thank you.
>
> Best,
> Tino
>

You don't have 'winbind use default domain = yes' so you should have to
use the domain name to get a result.

Can you try this with 'getent passwd tmutest', if this returns output
on 4.8.3, then it is a Samba problem, if it doesn't, it is an 'id'
problem.

The only thing that changed between 4.8.2 & 4.8.3 and seems to be
possibly relevant is this:

https://bugzilla.samba.org/show_bug.cgi?id=13369

Unless you can see something I missed here:

https://wiki.samba.org/index.php/Samba_4.8_Features_added/changed#Changes_since_4.8.2:

Rowland

On Mon, Jul 02, 2018 at 09:20:37AM +0100, Rowland Penny via samba wrote:

>The only thing that changed between 4.8.2 & 4.8.3 and seems to be
>possibly relevant is this:
>
>https://bugzilla.samba.org/show_bug.cgi?id=13369

yep. Andreas, can you take a look?

-slow

--
Ralph Boehme, Samba Team https://samba.org/
Samba Developer, SerNet GmbH https://sernet.de/en/samba/
GPG Key Fingerprint: FAE2 C608 8A24 2520 51C5 59E4 AA1E 9B71 2639 9E46

On Monday, 2 July 2018 08:53:31 CEST Tino Müller via samba wrote:

> Hi list,
>
> the behaviour of winbind changed in Samba version 4.8.3.
>
> Having this nsswitch.conf:
> # cat /etc/nsswitch.conf
> passwd: compat winbind cache
> group: compat winbind cache
> shadow: compat
>
> hosts: files dns
> networks: files
>
> protocols: db files
> services: db files
> ethers: db files
> rpc: db files
>
> netgroup: nis
>
> and this smb.conf:
> # cat /etc/samba/smb.conf
> [global]
> kerberos method = secrets and keytab
> log file = /var/log/samba/log.%m
> max log size = 1000
> realm = SPREADSHIRT.PRIVATE
> security = ADS
> server role = member server
> server string = %h server (Samba, Ubuntu)
> winbind expand groups = 5
> winbind offline logon = Yes
> winbind separator = +
> workgroup = SPREADSHIRT
> idmap config * : range = 10000 - 19999
> idmap config spreadshirt : range = 1000000 - 19999999
> idmap config spreadshirt : backend = rid
> idmap config * : backend = tdb
>
> There is a user in the domain SPREADSHIRT with the name tmutest.
>
> With Samba 4.8.2 and lower:
> # id tmutest
> id: ‘tmutest’: no such user
>
> # id SPREADSHIRT+tmutest
> uid=1102339(SPREADSHIRT+tmutest) gid=1000513(SPREADSHIRT+domain users)
> groups=1000513(SPREADSHIRT+domain
> users),1102339(SPREADSHIRT+tmutest),10001(BUILTIN+users)
>
>
> With Samba 4.8.3:
> # id tmutest
> uid=1102339(SPREADSHIRT+tmutest) gid=1000513(SPREADSHIRT+domain users)
> groups=1000513(SPREADSHIRT+domain
> users),1102339(SPREADSHIRT+tmutest),10001(BUILTIN+users)
>
> root at toolbox01 [lej] ~ # id SPREADSHIRT+tmutest
> uid=1102339(SPREADSHIRT+tmutest) gid=1000513(SPREADSHIRT+domain users)
> groups=1000513(SPREADSHIRT+domain
> users),1102339(SPREADSHIRT+tmutest),10001(BUILTIN+users)
>
> Is this intended?
> Is it possible to change the behaviour back to pre-4.8.3 by
> configuration change?
>
> Thank you.

Please open a bug report at https://bugzilla.samba.org and assign it to me.

Thanks,

Andreas

--
Andreas Schneider asn at samba.org
Samba Team www.samba.org
GPG-ID: 8DFF53E18F2ABC8D8F3C92237EE0FC4DCC014E3D

Hi Rowland,

sorry for the late reply.

On 07/02/2018 10:20 AM, Rowland Penny via samba wrote:

> You don't have 'winbind use default domain = yes' so you should have to
> use the domain name to get a result.

FWIW, with 'winbind use default domain = yes' the output is:
# id tmutest
uid=1102339(tmutest) gid=1000513(domain users) groups=1000513(domain users),1102339(tmutest),10001(BUILTIN+users)

> Can you try this with 'getent passwd tmutest', if this returns output
> on 4.8.3, then it is a Samba problem, if it doesn't, it is an 'id'
> problem.

With 4.8.3 (4.8.2 does not produce a result):
# getent passwd tmutest
tmutest:*:1102339:1000513::/home/SPREADSHIRT/tmutest:/bin/false

> The only thing that changed between 4.8.2 & 4.8.3 and seems to be
> possibly relevant is this:
>
> https://bugzilla.samba.org/show_bug.cgi?id=13369
>
> Unless you can see something I missed here:
>
> https://wiki.samba.org/index.php/Samba_4.8_Features_added/changed#Changes_since_4.8.2:

Saw this too, but didn't know if the changed behaviour was intended by
this change. Will do a bug report as requested in the other mail.

Thank you.
Tino
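
The getent test suggested in this thread, written as a repeatable check for a domain member after an upgrade (an added example, not part of any post in the thread and not Samba project code). The function names and the LOOKUP override are assumptions of this example; the parameter names are the ones quoted in the thread.

```shell
#!/bin/sh
# Added example: report whether an unqualified name resolves through NSS
# to a winbind domain account although smb.conf does not enable
# 'winbind use default domain'.

# Print the value of parameter $1 from the smb.conf text on stdin.
# Samba ignores case and whitespace in parameter names.
smbconf_get() {
    key=$(printf '%s' "$1" | tr -d ' \t' | tr 'A-Z' 'a-z')
    awk -F= -v want="$key" '
        /^[ \t]*[#;]/ { next }
        NF >= 2 {
            k = tolower($1); gsub(/[ \t]/, "", k)
            if (k == want) {
                v = $0
                sub(/^[^=]*=[ \t]*/, "", v); sub(/[ \t]+$/, "", v)
                val = v
            }
        }
        END { if (val != "") print val }'
}

# $1 = smb.conf path, $2 = domain (workgroup), $3 = user name.
# LOOKUP (an assumption of this example) replaces getent, e.g. with a stub.
check_unqualified() {
    conf=$1; domain=$2; user=$3
    sep=$(smbconf_get 'winbind separator' < "$conf")
    [ -n "$sep" ] || sep='\'      # Samba's default separator
    dflt=$(smbconf_get 'winbind use default domain' < "$conf" | tr 'A-Z' 'a-z')
    short=$(${LOOKUP:-getent} passwd "$user" | cut -d: -f3)
    full=$(${LOOKUP:-getent} passwd "${domain}${sep}${user}" | cut -d: -f3)
    if [ -z "$short" ]; then
        echo "OK: '$user' does not resolve; domain prefix is required"
    elif [ "$short" != "$full" ]; then
        echo "LOCAL: '$user' is a different account (uid $short)"
    else
        case $dflt in
            yes|true|on|1) echo "EXPECTED: default domain is enabled" ;;
            *) echo "UNEXPECTED: '$user' resolves to ${domain}${sep}${user} (uid $short)" ;;
        esac
    fi
}

# Usage: sh check.sh /etc/samba/smb.conf SPREADSHIRT tmutest
if [ "$#" -eq 3 ]; then check_unqualified "$@"; fi
```

It goes through getent rather than id, so an UNEXPECTED result points at the winbind/NSS side, which is the distinction the getent test in the thread was meant to draw.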