L A Walsh
2017-Feb-19 22:28 UTC
[Samba] wbinfo -i returns the same id for all users, authentication doesn't seem to go through winbind at all
Emmanuel Florac via samba wrote:
> Unknown parameter encountered: "winbind enumerate users"
> Ignoring unknown parameter "winbind enumerate users"
> Unknown parameter encountered: "winbind enumerate groups"
> Ignoring unknown parameter "winbind enumerate groups"

It may be irrelevant, but I have:

    winbind enum groups = Yes
    winbind enum users = Yes

in mine. The manpage makes no reference to 'enumerate' as a valid option.

---------------------------

Rowland Penny via samba wrote:
>> If you want to show all users and groups, you will need to add these
>> lines to smb.conf:
>>
>> winbind enumerate users = yes
>> winbind enumerate groups = yes
>>
> Only do this for testing.
>
----
Eh? The man page says that turning off enumeration may cause
programs to behave 'oddly' [i.e randomly or to exhibit undocumented
behavior]. That doesn't sound like a "good thing". Perhaps
you are thinking about the advice on 'winbind expand groups'
where it cautions about high values possibly resulting in server
slowdown?

Remember what I said about using lists from my server
to find out what USERs & GROUPs are available -- turning that off
would not be good for me.

Is there something that has changed to make the older manpage's
advice no longer valid?

Tnx!
-l
Rowland Penny
2017-Feb-20 08:39 UTC
[Samba] wbinfo -i returns the same id for all users, authentication doesn't seem to go through winbind at all
On Sun, 19 Feb 2017 14:28:28 -0800
L A Walsh via samba <samba at lists.samba.org> wrote:

> It may be irrelevant, but I have:
>
> winbind enum groups = Yes
> winbind enum users = Yes
>
> in mine. The manpage makes no reference to 'enumerate' as a valid
> option.
>

It isn't in the smb.conf manpage, but it does seem to be valid

> Eh? The man page says that turning off enumeration may cause
> programs to behave 'oddly' [i.e randomly or to exhibit undocumented
> behavior]. That doesn't sound like a "good thing". Perhaps
> you are thinking about the advice on 'winbind expand groups'
> where it cautions about high values possibly resulting in server
> slowdown?
>
> Remember what I said about using lists from my server
> to find out what USERs & GROUPs are available -- turning that off
> would not be good for me.
>
> Is there something that has changed to make the older manpage's
> advice no longer valid?
>

You don't need enumeration, your users will still be found, the
default is now 'winbind enumerate users = no'

If you have a lot of users and run 'getent passwd' with 'winbind
enumerate users = yes' set, it may bog down your computer.

Rowland
Emmanuel Florac
2017-Feb-20 12:31 UTC
[Samba] wbinfo -i returns the same id for all users, authentication doesn't seem to go through winbind at all
On Sun, 19 Feb 2017 14:28:28 -0800
L A Walsh <samba at tlinx.org> wrote:

> It may be irrelevant, but I have:
>
> winbind enum groups = Yes
> winbind enum users = Yes
>
> in mine. The manpage makes no reference to 'enumerate' as a valid
> option.
>

Indeed. I remarked that samba often alternate spellings (like writable
and writeable or readonly) for the same meaning. In this particular
case it looks like only the short spelling works in versions around
4.2 at least.

Unfortunately if the option is accepted, it doesn't change the
behaviour:

id TESTAD\\testuser

returns "no such user" and

getent passwd TESTAD\\testuser

returns a "2" code.

--
------------------------------------------------------------------------
Emmanuel Florac     |   Direction technique
                    |   Intellique
                    |   <eflorac at intellique.com>
                    |   +33 1 78 94 84 02
------------------------------------------------------------------------
Rowland Penny
2017-Feb-20 12:42 UTC
[Samba] wbinfo -i returns the same id for all users, authentication doesn't seem to go through winbind at all
On Mon, 20 Feb 2017 13:31:14 +0100
Emmanuel Florac via samba <samba at lists.samba.org> wrote:

> On Sun, 19 Feb 2017 14:28:28 -0800
> L A Walsh <samba at tlinx.org> wrote:
>
> > It may be irrelevant, but I have:
> >
> > winbind enum groups = Yes
> > winbind enum users = Yes
> >
> > in mine. The manpage makes no reference to 'enumerate' as a valid
> > option.
> >
>
> Indeed. I remarked that samba often alternate spellings (like writable
> and writeable or readonly) for the same meaning. In this particular
> case it looks like only the short spelling works in versions around
> 4.2 at least.
>
> Unfortunately if the option is accepted, it doesn't change the
> behaviour:
>
> id TESTAD\\testuser
>
> returns "no such user" and
>
> getent passwd TESTAD\\testuser
>
> returns a "2" code.
>
>

There must be something wrong in your set up, as it works for me

Rowland
L A Walsh
2017-Feb-20 17:32 UTC
[Samba] wbinfo -i returns the same id for all users, authentication doesn't seem to go through winbind at all
Emmanuel Florac wrote:
> id TESTAD\\testuser
> returns "no such user" and
>
> getent passwd TESTAD\\testuser
>
> returns a "2" code.
>
----
On linux, to get 'domain\user' to resolve, I had to have
those entries in my /etc/passwd (and /etc/group for groups).

I.e. *w/o krb*, (in samba 3.x), I had entries like:

    linda:x:1001:201:xxx:/home/linda:/bin/bash

and

    Domain\linda:x:1001:201:xxx:/home/linda:/bin/bash

So if something ever looked up w/'Domain\linda' on my PDC, it
would resolve to the same UID+GID as the entry w/o the domain
(since, theoretically, on the PDC, users == 'Domain\\users').

I also had idmap config for the '*' range set the same
as for the 'Domain\' range (where the PDC is in 'Domain') as well
as for the BUILTIN range (the UID's I allocate for the 3 'domains'
are designed not to clash).

It's my intent that name 'x' & 'domain\x' would map to
the same UID (and windows RID) -- which is what happens on samba3.x.

Haven't upgraded yet, since, with it working for me, I have
other issues that are more pressing.