miguel.sanders.external at arcelormittal.com
2018-Aug-06 12:38 UTC
[Samba] Winbind issue after upgrading from 4.7.5 to 4.8.3
Hi guys

We recently upgraded our Samba clusters from 4.7.5 to 4.8.3 and
noticed a difference in behavior for winbind.
The situation is as follows
Assume we have a local Linux user XYZ (UID 519) as well as an AD user
object XYZ (UID 30001).
idmap config * : backend = tdb2
idmap config * : range = 30000-50000

In our share definitions we regularly use the "force user" directive.
In 4.8.3, when using "force user = XYZ", we are forcing the UID of
the AD user object XYZ (UID 30001) and not the local Linux user XYZ
(UID 519). In 4.7.5 this worked fine.
Is this change intentional or a defect?

Moreover, when running "id XYZ", the correct UID 519 is given.
The groups, however, are a mix of local groups and AD groups. This
behavior was also different in 4.7.5.

4.8.3
# id XYZ
uid=519(XYZ) gid=1(bin) groups=1(bin),30004(DOSIM000+domain users)
# id xyz
uid=30001(DOMAIN+XYZ) gid=30004(DOSIM000+domain users)

4.7.5
# id XYZ
uid=519(XYZ) gid=1(bin) groups=1(bin)
# id xyz
id: ‘xyz’: no such user

Thanks for your help

--
Kind regards
Best regards

*Miguel Sanders*
ArcelorMittal Europe – Flat Products – Business Division North
External collaborator | Midrange UNIX
John Kennedylaan 51
B-9042 Gent
*T* +32 9 347 52 78
*E* gen-sid-ism-cbi-sig at arcelormittal.com
*E* miguel.sanders.external at arcelormittal.com
Rowland Penny
2018-Aug-06 18:05 UTC
[Samba] Winbind issue after upgrading from 4.7.5 to 4.8.3
On Mon, 6 Aug 2018 14:38:33 +0200
Miguel Sanders via samba <samba at lists.samba.org> wrote:

> Hi guys
>
> We recently upgraded our Samba clusters from 4.7.5 to 4.8.3 and
> noticed a difference in behavior for winbind.
> The situation is as follows
> Assume we have a local Linux user XYZ (UID 519) as well as an AD user
> object XYZ (UID 30001).
> idmap config * : backend = tdb2
> idmap config * : range = 30000-50000
>
> In our share definitions we regularly use the "force user" directive.
> In 4.8.3, when using "force user = XYZ", we are forcing the UID of
> the AD user object XYZ (UID 30001) and not the local Linux user XYZ
> (UID 519). In 4.7.5 this worked fine.
> Is this change intentional or a defect?
>
> Moreover, when running "id XYZ", the correct UID 519 is given.
> The groups, however, are a mix of local groups and AD groups. This
> behavior was also different in 4.7.5.
>
> 4.8.3
> # id XYZ
> uid=519(XYZ) gid=1(bin) groups=1(bin),30004(DOSIM000+domain users)
> # id xyz
> uid=30001(DOMAIN+XYZ) gid=30004(DOSIM000+domain users)
>
> 4.7.5
> # id XYZ
> uid=519(XYZ) gid=1(bin) groups=1(bin)
> # id xyz
> id: ‘xyz’: no such user
>
> Thanks for your help
>

How are you running Samba? Can you post your smb.conf?

What OS is this on?

The problem is, you shouldn't have a local user called 'XYZ' and an AD
user called 'XYZ', you should just have the AD user.

Rowland
miguel.sanders.external at arcelormittal.com
2018-Aug-07 10:53 UTC
[Samba] Winbind issue after upgrading from 4.7.5 to 4.8.3
Hi

This is the global section of smb.conf.

[global]
    workgroup = DOMAIN
    realm = DOMAIN.COM
    netbios name = SAMBA
    security = ads
    clustering = yes
    idmap config * : backend = tdb2
    idmap config * : range = 30000-50000
    passdb backend = tdbsam
    ctdbd socket = /usr/samba/var/run/ctdb/ctdbd.socket
    winbind separator = +
    unix extensions = no
    follow symlinks = yes
    wide links = yes
    log level = 2
    log file = /usr/samba/var/log/log.%m
    max log size = 500

I understand your point but this has been the setup for many years now
(this XYZ Linux user is in fact an LDAP user (not AD)) without any issue.
We also have other UNIX distributions and therefore we have a dedicated
LDAP infrastructure for them (hosting users, groups, services, sudo roles, ...).

Moreover, in the past you always had to specify the domain when running
NSS queries, e.g.

# id DOMAIN+XYZ
uid=30001(DOMAIN+XYZ) gid=30004(DOSIM000+domain users)

This doesn't seem to be needed anymore and is therefore the root cause of
this, I believe.
Can this be configured somehow or, if not, any pointer to the source file
where I could have a look at?

Many thanks.

Kind regards
Best regards

*Miguel Sanders*
ArcelorMittal Europe – Flat Products – Business Division North
External collaborator | Midrange UNIX
John Kennedylaan 51
B-9042 Gent
*T* +32 9 347 52 78
*E* gen-sid-ism-cbi-sig at arcelormittal.com
*E* miguel.sanders.external at arcelormittal.com

On 06-08-18 20:05, Rowland Penny via samba wrote:

> On Mon, 6 Aug 2018 14:38:33 +0200
> Miguel Sanders via samba <samba at lists.samba.org> wrote:
>
>> Hi guys
>>
>> We recently upgraded our Samba clusters from 4.7.5 to 4.8.3 and
>> noticed a difference in behavior for winbind.
>> The situation is as follows
>> Assume we have a local Linux user XYZ (UID 519) as well as an AD user
>> object XYZ (UID 30001).
>> idmap config * : backend = tdb2
>> idmap config * : range = 30000-50000
>>
>> In our share definitions we regularly use the "force user" directive.
>> In 4.8.3, when using "force user = XYZ", we are forcing the UID of
>> the AD user object XYZ (UID 30001) and not the local Linux user XYZ
>> (UID 519). In 4.7.5 this worked fine.
>> Is this change intentional or a defect?
>>
>> Moreover, when running "id XYZ", the correct UID 519 is given.
>> The groups, however, are a mix of local groups and AD groups. This
>> behavior was also different in 4.7.5.
>>
>> 4.8.3
>> # id XYZ
>> uid=519(XYZ) gid=1(bin) groups=1(bin),30004(DOSIM000+domain users)
>> # id xyz
>> uid=30001(DOMAIN+XYZ) gid=30004(DOSIM000+domain users)
>>
>> 4.7.5
>> # id XYZ
>> uid=519(XYZ) gid=1(bin) groups=1(bin)
>> # id xyz
>> id: ‘xyz’: no such user
>>
>> Thanks for your help
>>
> How are you running Samba ? can you post your smb.conf
>
> What OS is this on ?
>
> The problem is, you shouldn't have a local user called 'XYZ' and an AD
> user called 'XYZ', you should just have the AD user.
>
> Rowland
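
An added example, not part of the original thread and not Samba code: a shell function that lists account names present both in a local (files/LDAP) passwd source and in winbind, compared case-insensitively after dropping the `DOMAIN+` prefix, since those are the names for which an unqualified "force user" can end up on a different UID. The function names, file layout and all sample entries other than the UIDs 519 and 30001 and the `+` separator are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): list account names that exist both in a
# local passwd source and in winbind. Inputs are passwd-format files.

# find_collisions LOCAL_PASSWD WINBIND_PASSWD [SEPARATOR]
# Output, tab-separated: local_name local_uid winbind_name winbind_uid
find_collisions() {
    WB_SEP="${3:-+}" awk -F: '
        BEGIN { OFS = "\t"; sep = ENVIRON["WB_SEP"] }
        FILENAME == ARGV[1] {            # first file: local (files/LDAP) accounts
            key = tolower($1)
            local_name[key] = $1
            local_uid[key] = $3
            next
        }
        {                                # second file: winbind accounts
            short = $1
            i = index(short, sep)        # drop the "DOMAIN<sep>" prefix if present
            if (i > 0) short = substr(short, i + length(sep))
            key = tolower(short)         # compare case-insensitively
            if ((key in local_uid) && local_uid[key] != $3)
                print local_name[key], local_uid[key], $1, $3
        }
    ' "$1" "$2"
}

# make_sample DIR: write constructed sample data (UIDs 519 and 30001 and the
# "+" separator come from the thread; every other entry is made up).
make_sample() {
    cat > "$1/local" <<'EOF'
root:x:0:0:root:/root:/bin/sh
XYZ:x:519:1::/home/XYZ:/bin/sh
backup:x:34:34::/var/backups:/bin/false
EOF
    cat > "$1/winbind" <<'EOF'
DOMAIN+XYZ:*:30001:30004::/home/DOMAIN/XYZ:/bin/false
DOMAIN+Backup:*:30003:30004::/home/DOMAIN/Backup:/bin/false
DOMAIN+alice:*:30002:30004::/home/DOMAIN/alice:/bin/false
EOF
}

tmp=$(mktemp -d)
make_sample "$tmp"
find_collisions "$tmp/local" "$tmp/winbind"
rm -rf "$tmp"
```

On a live host the local input can come from `getent -s files passwd` (or the LDAP service) and the winbind input from passwd-format lines such as those printed by `wbinfo -i NAME`. Every name reported is a candidate for renaming or for removing one of the two accounts before it is used in "force user".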