Rowland Penny
2017-Feb-18 13:18 UTC
[Samba] wbinfo -i returns the same id for all users, authentication doesn't seem to go through winbind at all
On Sat, 18 Feb 2017 13:50:52 +0100 Emmanuel Florac via samba <samba at lists.samba.org> wrote:

> On Sat, 18 Feb 2017 13:20:52 +0100
> Emmanuel Florac via samba <samba at lists.samba.org> wrote:
>
> I've added
>
> idmap config * : backend = tdb
> idmap config * : range = 10000-30000
>
> to smb.conf, and now 'wbinfo -i TESTDOMAIN\\user' returns correct ids.

Don't rely on 'wbinfo', it is meaningless to the underlying OS, use 'getent' instead.

> I've found in the FAQ a mention of this, however it's obsolete:

Which FAQ, where?

> I have set up a domain member using the idmap_ad backend, but getent
> passwd and getent group does not show users or groups

This is correct, think about it, what if you have 500,000 users or more?

> If you want to show all users and groups, you will need to add these
> lines to smb.conf:
>
> winbind enumerate users = yes
> winbind enumerate groups = yes

Only do this for testing.

> These options are not recognized by 'testparm'.

Yes they are.

Rowland
Emmanuel Florac
2017-Feb-18 16:41 UTC
On Sat, 18 Feb 2017 13:18:53 +0000 Rowland Penny via samba <samba at lists.samba.org> wrote:

> On Sat, 18 Feb 2017 13:50:52 +0100
> Emmanuel Florac via samba <samba at lists.samba.org> wrote:
>
> > On Sat, 18 Feb 2017 13:20:52 +0100
> > Emmanuel Florac via samba <samba at lists.samba.org> wrote:
> >
> > I've added
> >
> > idmap config * : backend = tdb
> > idmap config * : range = 10000-30000
> >
> > to smb.conf, and now 'wbinfo -i TESTDOMAIN\\user' returns correct
> > ids.
>
> Don't rely on 'wbinfo', it is meaningless to the underlying OS, use
> 'getent' instead.

OK, but getent and id return with error (id: no such user, getent: return code 2). On the systems I've previously set up similarly (Wheezy/Samba 3.6), id and getent work.

> > I've found in the FAQ a mention of this, however it's obsolete:
>
> Which FAQ, where?

This one: https://wiki.samba.org/index.php/FAQ

> > I have set up a domain member using the idmap_ad backend, but getent
> > passwd and getent group does not show users or groups
>
> This is correct, think about it, what if you have 500,000 users or more?

What about 'getent passwd SOMEUSER'? Shouldn't it work?

> > These options are not recognized by 'testparm'.
>
> Yes they are.

Obviously not in the standard Debian stable version (4.2.14) at least:

    # testparm
    Load smb config files from /etc/samba/smb.conf
    Unknown parameter encountered: "winbind enumerate users"
    Ignoring unknown parameter "winbind enumerate users"
    Unknown parameter encountered: "winbind enumerate groups"
    Ignoring unknown parameter "winbind enumerate groups"
    Processing section "[DATA]"
    Loaded services file OK.
    Server role: ROLE_DOMAIN_MEMBER
    Press enter to see a dump of your service definitions

--
Emmanuel Florac | Direction technique | Intellique | <eflorac at intellique.com> | +33 1 78 94 84 02
Rowland Penny
2017-Feb-18 17:03 UTC
On Sat, 18 Feb 2017 17:41:06 +0100 Emmanuel Florac <eflorac at intellique.com> wrote:

> OK, but getent and id return with error (id: no such user, getent:
> return code 2). On the systems I've previously set up similarly
> (Wheezy/Samba 3.6), id and getent work.

Is this before or after you tried my proposed smb.conf?

> > > I've found in the FAQ a mention of this, however it's obsolete:
> >
> > Which FAQ, where?
>
> This one:
> https://wiki.samba.org/index.php/FAQ

Yes, but which part?

> > > I have set up a domain member using the idmap_ad backend, but
> > > getent passwd and getent group does not show users or groups
> >
> > This is correct, think about it, what if you have 500,000 users or more?
>
> What about 'getent passwd SOMEUSER'? Shouldn't it work?

Actually both should work on your version. But only if your users have a uidNumber attribute and Domain Users has a gidNumber attribute.

> Obviously not in the standard Debian stable version (4.2.14) at least:

Yes, now I have checked, it wasn't

Rowland
L A Walsh
2017-Feb-19 22:28 UTC
Emmanuel Florac via samba wrote:

> Unknown parameter encountered: "winbind enumerate users"
> Ignoring unknown parameter "winbind enumerate users"
> Unknown parameter encountered: "winbind enumerate groups"
> Ignoring unknown parameter "winbind enumerate groups"

It may be irrelevant, but I have:

    winbind enum groups = Yes
    winbind enum users = Yes

in mine. The manpage makes no reference to 'enumerate' as a valid option.

---------------------------

Rowland Penny via samba wrote:

>> If you want to show all users and groups, you will need to add these
>> lines to smb.conf:
>>
>> winbind enumerate users = yes
>> winbind enumerate groups = yes
>
> Only do this for testing.

Eh? The man page says that turning off enumeration may cause programs to behave 'oddly' [i.e. randomly or to exhibit undocumented behavior]. That doesn't sound like a "good thing". Perhaps you are thinking about the advice on 'winbind expand groups' where it cautions about high values possibly resulting in server slowdown?

Remember what I said about using lists from my server to find out what USERs & GROUPs are available -- turning that off would not be good for me.

Is there something that has changed to make the older manpage's advice no longer valid?

Tnx!
-l
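
An added example (not code from the thread or from the Samba project): a small Python lint for the [global] section of smb.conf that flags the 'winbind enumerate ...' spellings testparm rejected above, suggests the 'winbind enum ...' names, and checks that a default 'idmap config * : range' is present. The check that domain ranges do not overlap goes beyond what the thread discusses, and the sample configuration (including the TESTDOMAIN range) is constructed.

```python
import re

# Spellings testparm rejected in the thread -> names the smb.conf manpage documents.
RENAMES = {"winbindenumerateusers": "winbind enum users",
           "winbindenumerategroups": "winbind enum groups"}

def norm(name):
    # Samba ignores case and whitespace in parameter names.
    return re.sub(r"\s+", "", name).lower()

def parse_global(text):
    """Return {normalized name: (name as written, value)} for [global]."""
    params, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "global" and "=" in line:
            name, value = line.split("=", 1)
            params[norm(name)] = (name.strip(), value.strip())
    return params

def lint(text):
    findings, ranges = [], {}
    for key, (name, value) in parse_global(text).items():
        if key in RENAMES:
            findings.append(f"unknown parameter '{name}': use '{RENAMES[key]}'")
        dom = re.fullmatch(r"idmapconfig(.+):range", key)
        rng = re.fullmatch(r"(\d+)\s*-\s*(\d+)", value)
        if dom and rng and int(rng[1]) < int(rng[2]):
            ranges[dom[1]] = (int(rng[1]), int(rng[2]))
    if "*" not in ranges:
        findings.append("no valid 'idmap config * : range' for the default domain")
    doms = sorted(ranges)
    for i, a in enumerate(doms):
        for b in doms[i + 1:]:
            # Two inclusive ranges overlap when each starts before the other ends.
            if ranges[a][0] <= ranges[b][1] and ranges[b][0] <= ranges[a][1]:
                findings.append(f"idmap ranges overlap: {a} and {b}")
    return findings

# Constructed sample, not a configuration posted in the thread.
SAMPLE = """[global]
idmap config * : backend = tdb
idmap config * : range = 10000-30000
idmap config TESTDOMAIN : range = 20000-40000
winbind enumerate users = yes
"""
```

Calling `lint(SAMPLE)` returns one finding for the misspelled parameter and one for the overlapping ranges; it complements `testparm` rather than replacing it.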