Andreas Ladanyi
2008-Aug-15 10:05 UTC
[Samba] ldapsearch and getent passd/group with nss winbind differs
Hi,

after deleting the winbindd_idmap and winbindd_cache.tdb files:

For security = domain AND security = ADS:

wbinfo -u / -g / -t are ok.

getent passwd is ok.

getent group shows different group memberships than ldapsearch with the filter "msSFU30PosixMemberOf".

smb.conf - winbind:

    winbind separator = /
    winbind enum users = yes
    winbind enum groups = yes
    winbind cache time = 60
    idmap backend = ad
    idmap uid = 6000-27000
    idmap gid = 600-7000
    template shell = /bin/bash
    template homedir = /home/%u
    winbind use default domain = yes
    winbind refresh tickets = yes
    winbind nss info = template sfu

Any ideas?

Andy
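A small diagnostic for exactly the discrepancy described above, added here as an example and not part of this thread or of Samba's own tooling: it parses saved `getent group` output (winbind's view of membership) and saved LDIF from an ldapsearch for users that carry msSFU30PosixMemberOf (the SFU attribute's view), and lists, per group, who appears on only one side. Both inputs below are constructed samples; the user, group and DN names are invented, and the group name is taken from the leading CN= RDN of each msSFU30PosixMemberOf DN, which assumes the group's CN matches the name winbind prints (with "winbind use default domain = yes"). Base64 (`::`) LDIF values are not handled.

```python
import re
from collections import defaultdict

# Constructed sample of `getent group` output as winbind prints it with
# "winbind use default domain = yes" (no DOMAIN/ prefix on names).
GETENT_GROUP = """\
domain users:x:600:andy,jerry
devs:x:601:andy
backup:x:602:jerry
"""

# Constructed sample of `ldapsearch -LLL` output for user objects that carry
# msSFU30PosixMemberOf (one value per group DN); names and DNs are invented.
LDIF = """\
dn: CN=Andy,OU=Users,DC=example,DC=com
sAMAccountName: andy
msSFU30PosixMemberOf: CN=devs,OU=Groups,DC=example,DC=com
msSFU30PosixMemberOf: CN=backup,OU=Groups,DC=example,DC=com

dn: CN=Jerry,OU=Users,DC=example,DC=com
sAMAccountName: jerry
msSFU30PosixMemberOf: CN=domain users,OU=Groups,DC=example,DC=com
"""


def parse_getent_group(text):
    """Return {group: set(members)} from getent group lines (name:x:gid:m1,m2)."""
    groups = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        name, _pw, _gid, members = line.split(":", 3)
        groups[name.lower()] = {m.lower() for m in members.split(",") if m}
    return groups


def _unfold_ldif(text):
    """Join LDIF continuation lines (leading space) onto the previous line."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def parse_ldif_posix_memberof(text):
    """Return {group: set(members)} built from each user's msSFU30PosixMemberOf DNs.

    Attribute names are compared case-insensitively, as LDAP does.
    """
    groups = defaultdict(set)

    def flush(entry):
        user = entry.get("samaccountname", [None])[0]
        if not user:
            return
        for dn in entry.get("mssfu30posixmemberof", []):
            m = re.match(r"CN=([^,]+)", dn, re.IGNORECASE)
            if m:
                groups[m.group(1).lower()].add(user.lower())

    entry = {}
    for line in _unfold_ldif(text):
        if not line.strip():          # blank line ends an entry
            flush(entry)
            entry = {}
            continue
        if line.startswith("#"):      # LDIF comment
            continue
        attr, _, value = line.partition(":")
        entry.setdefault(attr.strip().lower(), []).append(value.strip())
    flush(entry)
    return dict(groups)


def diff_membership(winbind, ldap):
    """Return {group: (only_in_winbind, only_in_ldap)} for groups whose members differ."""
    out = {}
    for g in sorted(set(winbind) | set(ldap)):
        w = winbind.get(g, set())
        l = ldap.get(g, set())
        if w != l:
            out[g] = (sorted(w - l), sorted(l - w))
    return out


def report():
    """Diff the two constructed samples; replace the constants with real captures."""
    return diff_membership(parse_getent_group(GETENT_GROUP),
                           parse_ldif_posix_memberof(LDIF))


if __name__ == "__main__":
    for group, (only_winbind, only_ldap) in report().items():
        print(f"{group}: winbind-only={only_winbind} ldap-only={only_ldap}")
```

On a real host, replace the two constants with the output of `getent group` and of an ldapsearch for `(msSFU30PosixMemberOf=*)` returning `sAMAccountName` and `msSFU30PosixMemberOf`; any group listed by the report is one where winbind's Windows-membership view and the SFU attribute disagree, which is what the next reply in this thread explains.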
Gerald (Jerry) Carter
2008-Aug-19 20:02 UTC
[Samba] ldapsearch and getent passd/group with nss winbind differs
Andreas Ladanyi wrote:
> Hi,
>
> after deleting winbindd_idmap and winbindd_cache.tdb files:
>
> For security = domain AND security = ADS:
>
> wbinfo -u / -g / -t are ok.
>
> getent passwd is ok.
>
> getent group shows different group memberships than ldapsearch with the filter
> "msSFU30PosixMemberOf".

Winbind honors the Windows group membership and not necessarily
the "msSFU30PosixMemberOf" attributes.

> smb.conf - winbind:
>
> winbind separator = /
> winbind enum users = yes
> winbind enum groups = yes
> winbind cache time = 60
> idmap backend = ad
> idmap uid = 6000-27000
> idmap gid = 600-7000
> template shell = /bin/bash
> template homedir = /home/%u
> winbind use default domain = yes
> winbind refresh tickets = yes
> winbind nss info = template sfu
>
> Any ideas?
>
> Andy

--
====================================================================
Samba ------- http://www.samba.org
Likewise Software --------- http://www.likewisesoftware.com
"What man is a man who does not make the world better?" --Balian
Andreas Ladanyi
2008-Aug-20 07:49 UTC
[Samba] Re: ldapsearch and getent passd/group with nss winbind differs
Hi Jerry,

Gerald (Jerry) Carter schrieb:
> Andreas Ladanyi wrote:
>> Hi,
>>
>> after deleting winbindd_idmap and winbindd_cache.tdb files:
>>
>> For security = domain AND security = ADS:
>>
>> wbinfo -u / -g / -t are ok.
>>
>> getent passwd is ok.
>>
>> getent group shows different group memberships than ldapsearch with the filter
>> "msSFU30PosixMemberOf".
>
> Winbind honors the Windows group membership and not
> necessarily the "msSFU30PosixMemberOf" attributes.

So it should be enough if you give the Windows group a GID in the "UNIX attribute" tab in Active Directory, and you have to do nothing else on the Linux side?!

>> smb.conf - winbind:
>>
>> winbind separator = /
>> winbind enum users = yes
>> winbind enum groups = yes
>> winbind cache time = 60
>> idmap backend = ad
>> idmap uid = 6000-27000
>> idmap gid = 600-7000
>> template shell = /bin/bash
>> template homedir = /home/%u
>> winbind use default domain = yes
>> winbind refresh tickets = yes
>> winbind nss info = template sfu
>>
>> Any ideas?
>>
>> Andy
Gerald (Jerry) Carter
2008-Aug-20 15:09 UTC
[Samba] Re: ldapsearch and getent passd/group with nss winbind differs
Andreas Ladanyi wrote:
> Winbind honors the Windows group membership and not
> necessarily the "msSFU30PosixMemberOf" attributes.
>
>> So it should be enough if you give the Windows group a GID in the "UNIX
>> attribute" tab in Active Directory, and you have to do nothing else on the
>> Linux side?!

Yup.
Andreas Ladanyi
2008-Aug-20 17:40 UTC
[Samba] Re: ldapsearch and getent passd/group with nss winbind differs
> Andreas Ladanyi wrote:
>
>> Winbind honors the Windows group membership and not
>> necessarily the "msSFU30PosixMemberOf" attributes.
>>
>>> So it should be enough if you give the Windows group a GID in the "UNIX
>>> attribute" tab in Active Directory, and you have to do nothing else on the
>>> Linux side?!
>
> Yup.

Ok! Could it be true that this behavior is different between "security=domain" and "security=ads"?

Because we had to put the user into the group:
- first on the Windows side in Active Directory
- second on the Unix side in AD in the "Members of" tab

so that the winbind 3.0.24 client recognises the group membership on the Unix side in "security=domain" mode.

Now we have changed to Samba 3.0.31 with security=ads mode and the behavior is a bit different. ??
Gerald (Jerry) Carter
2008-Aug-21 15:01 UTC
[Samba] Re: ldapsearch and getent passd/group with nss winbind differs
Andreas Ladanyi wrote:
> Ok! Could it be true that this behavior is different between
> "security=domain" and "security=ads"?
>
> Because we had to put the user into the group:
> - first on the Windows side in Active Directory
> - second on the Unix side in AD in the "Members of" tab
>
> so that the winbind 3.0.24 client recognises the group membership
> on the Unix side in "security=domain" mode.
>
> Now we have changed to Samba 3.0.31 with security=ads
> mode and the behavior is a bit different.

You lost me here. Maybe due to the fact that I am accustomed to the Windows 2003 R2 Unix Attribute tab. The only "Member of" tab I see is the one that controls the Windows group memberships.

If I understand you correctly, you want to define a different Unix group membership for the user rather than honoring the Windows group membership. Did I understand you correctly?

cheers, jerry
Andreas Ladanyi
2008-Aug-23 19:03 UTC
[Samba] Re: ldapsearch and getent passd/group with nss winbind differs
Hi Jerry,

Gerald (Jerry) Carter schrieb:
> Andreas Ladanyi wrote:
>
>> Ok! Could it be true that this behavior is different between
>> "security=domain" and "security=ads"?
>>
>> Because we had to put the user into the group:
>> - first on the Windows side in Active Directory
>> - second on the Unix side in AD in the "Members of" tab
>>
>> so that the winbind 3.0.24 client recognises the group membership
>> on the Unix side in "security=domain" mode.
>>
>> Now we have changed to Samba 3.0.31 with security=ads
>> mode and the behavior is a bit different.
>
> You lost me here. Maybe due to the fact that I am accustomed
> to the Windows 2003 R2 Unix Attribute tab. The only "Member
> of" tab I see is the one that controls the Windows group memberships.

The reason for my message is a little confusion: in general you are right ;-) There is one "UNIX attribute" tab and one "Members Of" tab. During some tests we discovered the following facts:

In the "UNIX attribute" tab:
============================

winbind is only interested in the UID field -> in the LDAP tree the attribute "uidnumber".

The other attributes from the "UNIX attribute" tab are written to the LDAP tree, but not used by winbind on the Linux side. For example, we set the following parameter in smb.conf:

    winbind nss info = sfu

Of course we could define our own template shell/home with the "template homedir" and "template shell" parameters, but it would be better if "sfu" worked, so we could configure these parameters through the tab.

The "primary Group" is written to the LDAP tree but not used by winbind on the Unix side.

In the "Members Of" tab:
========================

In this tab you can choose a group from a list, and there is a button with which you can set a Unix primary group by clicking. This is read by winbind only. But it has no effect on the primary group ID in the "UNIX attribute" tab.

What do you say? Did we configure something wrong? Is this the normal behaviour?

Thanks,
Andy