aluno3 at poczta.onet.pl
2017-May-26 13:50 UTC
[Samba] Different primary group between 4.5.x and 4.6.x
On 26.05.2017 15:31, Rowland Penny via samba wrote:
> On Fri, 26 May 2017 14:36:45 +0200
> aluno3--- via samba <samba at lists.samba.org> wrote:
>
>> I have upgraded Samba in my environment from 4.5.10 to 4.6.3 and
>> experienced issue with primary group for domain guest user:
>>
>> With Samba 4.5.10 primary group for DEV2+guest was "DEV2+domain
>> guests":
>>
>> root@root:~# id DEV2+guest
>> uid=66037(DEV2+guest) gid=66050(DEV2+domain guests)
>> groups=66050(DEV2+domain guests)
>>
>>
>> With Samba 4.6.3 primary group for DEV2+guest is "DEV2+domain users":
>>
>
> If you check the release notes for 4.6.0, you will find this:
>
> winbind primary group and nss info
> ----------------------------------
>
> With 4.6, it will be possible to optionally use the primary group as
> set in the "Unix Attributes" tab for the local unix token of a domain
> user. Before 4.6, the Windows primary group was always chosen as
> primary group for the local unix token.
>
> To activate the unix primary group, set
>
> idmap config <DOMAIN> : unix_primary_group = yes
>
>
> I wonder if is possibly an artefact of the above change, because you
> seem to have possibly given 'Guest' a uidNumber.
>
> Rowland
>
>

Is there a possibility to not set "Unix Attributes" and have the same behavior as in 4.5?

Also, in the "winbind changes" section of the release notes we can read:

"This means that "id <username>" without the user having logged in previously stops showing any supplementary groups. Also, it will show "DOMAIN\Domain Users" as the primary group. Once the user has logged in, "id <username>" will correctly show the primary group and supplementary group list."

also

"The winbind change to simplify the calculation of supplementary groups to make it more reliable and predictable has been deferred to 4.7 or later.

This means that 'id <username>' without the user having logged in previously works similar to 4.5."

but in spite of having logged in to the share using the guest user, "id <username>" shows the same result.

Rowland Penny
2017-May-26 15:03 UTC
[Samba] Different primary group between 4.5.x and 4.6.x
On Fri, 26 May 2017 15:50:04 +0200
aluno3--- via samba <samba at lists.samba.org> wrote:

>
> Is there possibility to not set "Unix
> Attributes" and have the same behavior as in 4.5?

I do not know, you may have found a bug.

If I run 'id guest' on a Samba 4.6.x DC, I get this:

uid=3000002(SAMDOM\guest) gid=10000(SAMDOM\domain users) groups=10000(SAMDOM\domain users),3000002(SAMDOM\guest),3000003(SAMDOM\domain guests),3000006(BUILTIN\guests),3000001(BUILTIN\users)

The 'uid' is correct, but, like you, the gid is set to 'Domain Users' even though the 'guest' user's primaryGroupID is '514', which is 'Domain Guests'.

>
> Also in "winbind changes" section in release notes we can read:
>
> "This means that "id <username>" without the user having logged in
> previously stops showing any supplementary groups. Also, it will show
> "DOMAIN\Domain Users" as the primary group. Once the user has logged
> in, "id <username>" will correctly show the primary group and
> supplementary group list. "
>
> also
>
> "The winbind change to simplify the calculation of supplementary
> groups to make it more reliable and predictable has been deferred to
> 4.7 or later.
>
> This means that 'id <username>' without the user having logged in
> previously works similar to 4.5."
>
> but in spite of I logged to share using guest user, "id <username>"
> shows the same result.
>
>

If I run 'id guest' on a Unix domain member, I get:

id: guest: no such user

Have you given 'Guest' a uidNumber and/or gidNumber attribute?

I do not think that you should be able to log in as 'Guest'; this is the Windows version of the Unix user 'nobody', and you cannot log in as 'nobody'.

Rowland

aluno3 at poczta.onet.pl
2017-May-29 06:40 UTC
[Samba] Different primary group between 4.5.x and 4.6.x
On 26.05.2017 17:03, Rowland Penny via samba wrote:
> On Fri, 26 May 2017 15:50:04 +0200
> aluno3--- via samba <samba at lists.samba.org> wrote:
>
>>
>> Is there possibility to not set "Unix
>> Attributes" and have the same behavior as in 4.5?
>
> I do not know, you may have found a bug
>
> If I run 'id guest' on a Samba 4.6.x DC, I get this:
>
> uid=3000002(SAMDOM\guest) gid=10000(SAMDOM\domain users)
> groups=10000(SAMDOM\domain
> users),3000002(SAMDOM\guest),3000003(SAMDOM\domain
> guests),3000006(BUILTIN\guests),3000001(BUILTIN\users)
>
> The 'uid' is correct, but, like you, the gid is set to 'Domain Users'
> even though the 'guest' users primaryGroupID is '514' which is 'Domain
> Guests'
>
>>
>> Also in "winbind changes" section in release notes we can read:
>>
>> "This means that "id <username>" without the user having logged in
>> previously stops showing any supplementary groups. Also, it will show
>> "DOMAIN\Domain Users" as the primary group. Once the user has logged
>> in, "id <username>" will correctly show the primary group and
>> supplementary group list. "
>>
>> also
>>
>> "The winbind change to simplify the calculation of supplementary
>> groups to make it more reliable and predictable has been deferred to
>> 4.7 or later.
>>
>> This means that 'id <username>' without the user having logged in
>> previously works similar to 4.5."
>>
>> but in spite of I logged to share using guest user, "id <username>"
>> shows the same result.
>>
>>
>
> If I run 'id guest' on a Unix domain member, I get:
>
> id: guest: no such user
>
> Have you given 'Guest' a uidNumber and/or gidNumber attribute ?

If I run "id guest" I also get "no such user". I also need to pass the domain realm:

root@root:~$ id guest
id: guest: no such user
root@root:~$ wbinfo -u|grep -i guest
DEV2+guest
root@root:~$ id DEV2+guest
uid=66037(DEV2+guest) gid=66049(DEV2+domain users) groups=66049(DEV2+domain users),66037(DEV2+guest),66050(DEV2+domain guests)

>
> I do not think that you should be able to log in as 'Guest', this is
> Windows version of the Unix user 'nobody' and you cannot log in as
> 'nobody'
>

Of course, I meant DEV2+guest.

In the release notes we have:

"This means that 'id <username>' without the user having logged in previously works similar to 4.5"

I'm a little confused about this. Should I apply the patch from:

https://bugzilla.samba.org/show_bug.cgi?id=12612

(the bug mentioned here:

https://www.samba.org/samba/history/samba-4.6.0.html
https://wiki.samba.org/index.php/Samba_4.6_Features_added/changed)

to have the same result as in 4.5? Or should this also work in the native 4.6 version without any changes?
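
Added example, not part of the thread and not Samba project code: a small shell check that compares two `id` lines for the same account, as captured before and after an upgrade, and reports whether the primary gid changed and whether the old primary group is still in the token. The function names are made up for this example; the sample lines are the two `id DEV2+guest` outputs quoted in the thread.

```sh
#!/bin/sh
# Added example: detect a changed primary group between two `id` outputs.

# Sample input: the `id DEV2+guest` lines quoted in the thread (4.5.10, then 4.6.3).
BEFORE='uid=66037(DEV2+guest) gid=66050(DEV2+domain guests) groups=66050(DEV2+domain guests)'
AFTER='uid=66037(DEV2+guest) gid=66049(DEV2+domain users) groups=66049(DEV2+domain users),66037(DEV2+guest),66050(DEV2+domain guests)'

# Print the numeric primary gid from one line of `id` output.
primary_gid() {
    printf '%s\n' "$1" | sed -n 's/^uid=[0-9]*([^)]*) gid=\([0-9]*\)(.*/\1/p'
}

# Print the primary group name (it may contain spaces, e.g. "DEV2+domain users").
primary_group() {
    printf '%s\n' "$1" |
        sed -n 's/^uid=[0-9]*([^)]*) gid=[0-9]*(\([^)]*\)) groups=.*/\1/p'
}

# Print every gid in the groups= list, one per line.
group_gids() {
    printf '%s\n' "$1" | sed 's/^.* groups=//' | tr ',' '\n' |
        sed -n 's/^\([0-9][0-9]*\)(.*/\1/p'
}

# Compare two `id` lines for the same account and print one verdict line.
primary_drift() {
    old=$(primary_gid "$1")
    new=$(primary_gid "$2")
    if [ -z "$old" ] || [ -z "$new" ]; then
        echo "unparsed"          # e.g. "id: guest: no such user"
        return 0
    fi
    if [ "$old" = "$new" ]; then
        echo "unchanged gid=$old"
        return 0
    fi
    # Is the old primary group still present as a supplementary group?
    if group_gids "$2" | grep -qx "$old"; then kept=yes; else kept=no; fi
    echo "changed gid=$old($(primary_group "$1")) -> gid=$new($(primary_group "$2")) old_gid_still_member=$kept"
}

primary_drift "$BEFORE" "$AFTER"
```

The primary gid is what new files and directories created by that account get as their group, so a "changed" verdict is worth reviewing against share permissions even when the old group is still listed as supplementary.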