samba - Aug 2008 - ldapsearch and getent passd/group with nss winbind differs

Hi,

after deleting winbindd_idmap and winbindd_cache.tdb files:

For security =domain AND security=ADS !

wbinfo -u /-g /-t are ok !

getent passwd is ok.

getent group shows different group memberships as ldapsearch with filter 
"msSFU30PosixMemberOf".

smb.conf - winbind:

winbind separator = /
winbind enum users = yes
winbind enum groups = yes
winbind cache time = 60
idmap backend = ad
idmap uid = 6000-27000
idmap gid = 600-7000
template shell = /bin/bash
template homedir  = /home/%u
winbind use default domain = yes
winbind refresh tickets = yes
winbind nss info =  template sfu

Any ideas ?

Andy

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Andreas Ladanyi wrote:
> Hi,
> 
> after deleting winbindd_idmap and winbindd_cache.tdb files:
> 
> For security =domain AND security=ADS !
> 
> wbinfo -u /-g /-t are ok !
> 
> getent passwd is ok.
> 
> getent group shows different group memberships as ldapsearch with filter
> "msSFU30PosixMemberOf".
Winbind honors the Windows group membership and not
necessarily "msSFU30PosixMemberOf" attributes.
> 
> smb.conf - winbind:
> 
> winbind separator = /
> winbind enum users = yes
> winbind enum groups = yes
> winbind cache time = 60
> idmap backend = ad
> idmap uid = 6000-27000
> idmap gid = 600-7000
> template shell = /bin/bash
> template homedir  = /home/%u
> winbind use default domain = yes
> winbind refresh tickets = yes
> winbind nss info =  template sfu
> 
> Any ideas ?
> 
> Andy
> 

- --
====================================================================Samba       
------- http://www.samba.org
Likewise Software          ---------  http://www.likewisesoftware.com
"What man is a man who does not make the world better?"      --Balian
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFIqyaeIR7qMdg1EfYRAgZWAKDRsC9qFFIIlIYZTgcrrt/+eZNiBQCcDNHE
lxx+F3++8Y8maDRIxl3Xny8=xmUQ
-----END PGP SIGNATURE-----

Hi Jerry,


Gerald (Jerry) Carter schrieb:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> Andreas Ladanyi wrote:
>> Hi,
>>
>> after deleting winbindd_idmap and winbindd_cache.tdb files:
>>
>> For security =domain AND security=ADS !
>>
>> wbinfo -u /-g /-t are ok !
>>
>> getent passwd is ok.
>>
>> getent group shows different group memberships as ldapsearch with
filter
>> "msSFU30PosixMemberOf".
> Winbind honors the Windows group membership and not
> necessarily "msSFU30PosixMemberOf" attributes.
So it should be enough if you give the Windows group a GID in tab "UNIX 
attribute" in Active Directory and you have to do nothing else for the 
Linux side ?!
> 
>> smb.conf - winbind:
>>
>> winbind separator = /
>> winbind enum users = yes
>> winbind enum groups = yes
>> winbind cache time = 60
>> idmap backend = ad
>> idmap uid = 6000-27000
>> idmap gid = 600-7000
>> template shell = /bin/bash
>> template homedir  = /home/%u
>> winbind use default domain = yes
>> winbind refresh tickets = yes
>> winbind nss info =  template sfu
>>
>> Any ideas ?
>>
>> Andy
>>
> 
> 
> - --
> ====================================================================>
Samba                                    ------- http://www.samba.org
> Likewise Software          ---------  http://www.likewisesoftware.com
> "What man is a man who does not make the world better?"     
--Balian
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.6 (GNU/Linux)
> Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
> 
> iD8DBQFIqyaeIR7qMdg1EfYRAgZWAKDRsC9qFFIIlIYZTgcrrt/+eZNiBQCcDNHE
> lxx+F3++8Y8maDRIxl3Xny8> =xmUQ
> -----END PGP SIGNATURE-----

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Andreas Ladanyi wrote:
> Winbind honors the Windows group membership and not
> necessarily "msSFU30PosixMemberOf" attributes.
> 
>> So it should be enough if you give the Windows group a GID in tab
"UNIX
>> attribute" in Active Directory and you have to do nothing else for
the
>> Linux side ?!

Yup.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFIrDOFIR7qMdg1EfYRAgsqAKDTH0QZ9CBi3qqulyrxowRJTPs0CwCgvTL/
kOzJhdCV11isitjqB1ch9jo=zXud
-----END PGP SIGNATURE-----

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> Andreas Ladanyi wrote:
> 
>> Winbind honors the Windows group membership and not
>> necessarily "msSFU30PosixMemberOf" attributes.
>>
>>> So it should be enough if you give the Windows group a GID in tab
"UNIX
>>> attribute" in Active Directory and you have to do nothing else
for the
>>> Linux side ?!
> 
> 
> Yup.
Ok ! Could it be true this behavior is different between 
"security=domain" and "security=ads" ?

Because we had to put the user to the group:
- first on windows side in ActiveFirectory
- second on unix site in AD in the tab "Members of"

so winbind 3.0.24 client recognise the group membership on unix side in 
"security=domain" mode.

Now we changed to Samba 3.0.31 with security=ads mode and the behavior 
is a bit different.

??

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Andreas Ladanyi wrote:
> Ok ! Could it be true this behavior is different between
> "security=domain" and "security=ads" ?
> 
> Because we had to put the user to the group:
> - first on windows side in ActiveFirectory
> - second on unix site in AD in the tab "Members of"
> 
> so winbind 3.0.24 client recognise the group membership 
> on unix side in "security=domain" mode.
> 
> Now we changed to Samba 3.0.31 with security=ads 
> mode and the behavior is a bit different.
You lost me here.  Maybe due to the fact that I accustomed
to the Windows 2003 R2 Unix Attribute tab.  The only member
of tab I see is to control the Windows group memberships.

If I understand you correctly, you want to define a
different Unix group membership for the user rather than
honoring the Windows group membership.  Did I understand
you correct?



cheers, jerry
- --
====================================================================Samba       
------- http://www.samba.org
Likewise Software          ---------  http://www.likewisesoftware.com
"What man is a man who does not make the world better?"      --Balian
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFIrYNGIR7qMdg1EfYRAqZ9AJ9rDnF+21K2ZcdTcGSZmm/xTnfZcQCfcTMv
gTJRvQv/ziAJNDuSnjgZilE=ph5v
-----END PGP SIGNATURE-----

Hay Jerry,

Gerald (Jerry) Carter schrieb:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> Andreas Ladanyi wrote:
> 
>> Ok ! Could it be true this behavior is different between
>> "security=domain" and "security=ads" ?
>>
>> Because we had to put the user to the group:
>> - first on windows side in ActiveFirectory
>> - second on unix site in AD in the tab "Members of"
>>
>> so winbind 3.0.24 client recognise the group membership 
>> on unix side in "security=domain" mode.
>>
>> Now we changed to Samba 3.0.31 with security=ads 
>> mode and the behavior is a bit different.
> 
> You lost me here.  Maybe due to the fact that I accustomed
> to the Windows 2003 R2 Unix Attribute tab.  The only member
> of tab I see is to control the Windows group memberships.

The reason of my message is a litte confusion:

In general you are right ;-)

There is one "UNIX attribute" tab and one "Members Of" tab.

During some tests we discover the following facts
================================================
In "UNIX attribute" tab:
=======================
winbind is only interested in the UID field ->
in ldap tree the attribute "uidnumber".

The other attributes from "UNIX attribute" tab are written to ldap
tree,
but not used by winbind on linux side.

For example we set the following parameter in smb.conf:

winbind nss info = sfu

Of course we could define our own template bash/home with the "template 
home" and "template shell" parameter, but its better the
"sfu" will
work, so we would configure this parameter by the tab.

The "primary Group" is written to the ldap tree but not used by
winbind
on the unix side.

In "Members Of" tab:
===================
In this tab you can choose a group from a list and there is a button you 
could set a Unix primary group by klicking. This will be read by winbind 
only. But this have no force to the primary group ID on the "UNIX 
attribute" tab.




What do you say ? Did we configure something wrong ? Is this the normal 
function ?

Thanks,
Andy