Gaiseric Vandal
2022-Feb-03 13:09 UTC
[Samba] winbind, user permissions, and group permissions
I am running several Solaris unix servers with Samba as domain members in a Windows Active Directory domain. The uidNumber or gidNumber for a user or group is explicitly set in the AD attributes.

The /etc/nsswitch.conf file typically includes

        passwd: files ldap winbind
        group:  files ldap winbind

This ensures that user and group permissions are consistent across all servers and consistent for access via samba, ssh, sftp and nfs. The "Ldap" users are still pulled from the AD servers.

However, some recent OS updates cause a conflict between the name caching svc and winbind. With name caching enabled, "getent passwd" and "getent group" return ldap entries but hang up on winbind. But with name caching disabled "getent" hangs up trying to look up ldap users and groups. Either way, it prevents access from windows clients or via ssh or both. Other servers show slow response for pulling winbind entries with "getent" but not to the point of preventing access.

For the moment I have updated /etc/nsswitch.conf as

        passwd: files ldap
        group:  files ldap

When I look at the file permissions of a file via Windows, I see permissions for the user as "myname (UNIX\myname)" - which is what I expect (though not what I want.)

I see permissions for the group as "somegroup (MYDOMAIN\somegroup)" - which is what I would want but not what I would expect.

The wbinfo command shows that the user and group ID numbers are matching what getent pulls from ldap.

# getent passwd myname
myname:x:123:515::/home/myname:/bin/bash

# wbinfo -i "MYDOMAIN\myname"
MYDOMAIN\myname:*:123:518:Firstname Lastname:/home/myname:/bin/bash

# getent group somegroup
somegroup::456:myname,someuserA,someuserB

# wbinfo --group-info "MYDOMAIN\somegroup"
MYDOMAIN\somegroup :x:456:

Samba version 4.11.11

/etc/samba/smb.conf includes

        security = ads
        domain master = no
        domain logons = no
        workgroup = MYDOMAIN
        realm = MYDOMAIN.COM
        include system krb5 conf = no
        winbind nss info = rfc2307
        kerberos method = system keytab
        winbind use default domain = no
        winbind enum users = Yes
        winbind enum groups = Yes

        idmap config *:backend = tdb
        idmap config *:range = 2000-2999
        idmap config MYDOMAIN:backend = ad
        idmap config MYDOMAIN:schema_mode = rfc2307
        idmap config MYDOMAIN:range = 100-1999

The real mystery is why, from windows, the behavior is different for users vs groups.

Appreciate any advice.

Thanks
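The post compares "getent" (ldap source) against "wbinfo" (winbind) by eye. The script below is an added example, not part of the thread, that does the same comparison mechanically on passwd- and group-format lines, so that a uid or gid disagreement between the two NSS sources is flagged instead of overlooked. The sample lines are constructed from the output quoted above; the function names are my own.

```shell
#!/bin/sh
# Added example: check that the uid/gid winbind reports for an account
# agree with what the ldap NSS source reports for the same account.

# Extract colon-separated field N of a passwd- or group-style line.
# Field 3 is the uid (passwd) or gid (group); field 4 is the primary gid (passwd).
nss_field() { printf '%s\n' "$1" | cut -d: -f"$2"; }

# compare_user GETENT_PASSWD_LINE WBINFO_I_LINE
# Returns 0 when uid and primary gid agree, 1 when either differs.
compare_user() {
    g_uid=$(nss_field "$1" 3); g_gid=$(nss_field "$1" 4)
    w_uid=$(nss_field "$2" 3); w_gid=$(nss_field "$2" 4)
    status=0
    if [ "$g_uid" != "$w_uid" ]; then
        echo "uid mismatch: ldap=$g_uid winbind=$w_uid"; status=1
    fi
    if [ "$g_gid" != "$w_gid" ]; then
        echo "primary gid mismatch: ldap=$g_gid winbind=$w_gid"; status=1
    fi
    [ "$status" -eq 0 ] && echo "uid/gid consistent ($g_uid/$g_gid)"
    return "$status"
}

# compare_group GETENT_GROUP_LINE WBINFO_GROUP_INFO_LINE
# Returns 0 when the gid agrees, 1 otherwise.
compare_group() {
    g_gid=$(nss_field "$1" 3); w_gid=$(nss_field "$2" 3)
    if [ "$g_gid" != "$w_gid" ]; then
        echo "gid mismatch: ldap=$g_gid winbind=$w_gid"; return 1
    fi
    echo "gid consistent ($g_gid)"
}

# Constructed sample input, copied from the output quoted in the thread.
GETENT_USER='myname:x:123:515::/home/myname:/bin/bash'
WBINFO_USER='MYDOMAIN\myname:*:123:518:Firstname Lastname:/home/myname:/bin/bash'
GETENT_GROUP='somegroup::456:myname,someuserA,someuserB'
WBINFO_GROUP='MYDOMAIN\somegroup :x:456:'

# Run the checks on the samples ("|| :" keeps a mismatch from aborting a "set -e" shell).
compare_user "$GETENT_USER" "$WBINFO_USER" || :
compare_group "$GETENT_GROUP" "$WBINFO_GROUP" || :

# Live use on a member server (needs a working winbind):
#   compare_user  "$(getent passwd myname)"    "$(wbinfo -i 'MYDOMAIN\myname')"
#   compare_group "$(getent group somegroup)"  "$(wbinfo --group-info 'MYDOMAIN\somegroup')"
```

On the lines quoted in the thread the uid (123) and the group gid (456) agree, but the user's primary gid is 515 from ldap and 518 from winbind, which the check reports.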
Rowland Penny
2022-Feb-03 13:28 UTC
[Samba] winbind, user permissions, and group permissions
On Thu, 2022-02-03 at 08:09 -0500, Gaiseric Vandal via samba wrote:
> I am running several Solaris unix servers with Samba as domain
> members in a Windows Active Directory domain. The uidNumber or gidNumber
> for a user or group is explicitly set in the AD attributes.
>
> The real mystery is why, from windows, the behavior is different for
> users vs groups.

No, the real mystery is why are you using ldap and Samba to get your users and groups from AD ?

Rowland
Gaiseric Vandal
2022-Feb-03 22:36 UTC
[Samba] winbind, user permissions, and group permissions
If I change "use default domain" in smb.conf from "no" to "yes" then I see users as "myname at mydomain.com" while groups still show as "MYDOMAIN\somegroup." This is the same behavior as with files on the other Samba servers as well as real Windows servers.

While I can change read, write, and read/execute permissions via Windows, I am unable to add additional users or groups, or grant myself extended permissions. Although maybe this didn't work before and I only just noticed.

On 2/3/2022 8:09 AM, Gaiseric Vandal wrote:
> I am running several Solaris unix servers with Samba as domain members
> in a Windows Active Directory domain. The uidNumber or gidNumber
> for a user or group is explicitly set in the AD attributes.
>
> The /etc/nsswitch.conf file typically includes
>
>         passwd: files ldap winbind
>         group:  files ldap winbind
>
> This ensures that user and group permissions are consistent across all
> servers and consistent for access via samba, ssh, sftp and nfs. The
> "Ldap" users are still pulled from the AD servers.
>
> However, some recent OS updates cause a conflict between the name
> caching svc and winbind. With name caching enabled, "getent passwd"
> and "getent group" return ldap entries but hang up on winbind.
> But with name caching disabled "getent" hangs up trying to look up ldap
> users and groups. Either way, it prevents access from windows
> clients or via ssh or both. Other servers show slow response for
> pulling winbind entries with "getent" but not to the point of
> preventing access.
>
> For the moment I have updated /etc/nsswitch.conf as
>
>         passwd: files ldap
>         group:  files ldap
>
> When I look at the file permissions of a file via Windows, I see
> permissions for the user as "myname (UNIX\myname)" - which is
> what I expect (though not what I want.)
>
> I see permissions for the group as
> "somegroup (MYDOMAIN\somegroup)" - which is what I would want but not
> what I would expect.
>
> The wbinfo command shows that the user and group ID numbers are
> matching what getent pulls from ldap.
>
> # getent passwd myname
> myname:x:123:515::/home/myname:/bin/bash
>
> # wbinfo -i "MYDOMAIN\myname"
> MYDOMAIN\myname:*:123:518:Firstname Lastname:/home/myname:/bin/bash
>
> # getent group somegroup
> somegroup::456:myname,someuserA,someuserB
>
> # wbinfo --group-info "MYDOMAIN\somegroup"
> MYDOMAIN\somegroup :x:456:
>
> Samba version 4.11.11
>
> /etc/samba/smb.conf includes
>
>         security = ads
>         domain master = no
>         domain logons = no
>         workgroup = MYDOMAIN
>         realm = MYDOMAIN.COM
>         include system krb5 conf = no
>         winbind nss info = rfc2307
>         kerberos method = system keytab
>         winbind use default domain = no
>         winbind enum users = Yes
>         winbind enum groups = Yes
>
>         idmap config *:backend = tdb
>         idmap config *:range = 2000-2999
>         idmap config MYDOMAIN:backend = ad
>         idmap config MYDOMAIN:schema_mode = rfc2307
>         idmap config MYDOMAIN:range = 100-1999
>
> The real mystery is why, from windows, the behavior is different for
> users vs groups.
>
> Appreciate any advice.
>
> Thanks