aluno3 at poczta.onet.pl
2017-May-29 06:40 UTC
[Samba] Different primary group between 4.5.x and 4.6.x
On 26.05.2017 17:03, Rowland Penny via samba wrote:
> On Fri, 26 May 2017 15:50:04 +0200
> aluno3--- via samba <samba at lists.samba.org> wrote:
>
>>
>> Is there possibility to not set "Unix
>> Attributes" and have the same behavior as in 4.5?
>
> I do not know, you may have found a bug
>
> If I run 'id guest' on a Samba 4.6.x DC, I get this:
>
> uid=3000002(SAMDOM\guest) gid=10000(SAMDOM\domain users)
> groups=10000(SAMDOM\domain
> users),3000002(SAMDOM\guest),3000003(SAMDOM\domain
> guests),3000006(BUILTIN\guests),3000001(BUILTIN\users)
>
> The 'uid' is correct, but, like you, the gid is set to 'Domain Users'
> even though the 'guest' users primaryGroupID is '514' which is 'Domain
> Guests'
>
>>
>> Also in "winbind changes" section in release notes we can read:
>>
>> "This means that "id <username>" without the user having logged in
>> previously stops showing any supplementary groups. Also, it will show
>> "DOMAIN\Domain Users" as the primary group. Once the user has logged
>> in, "id <username>" will correctly show the primary group and
>> supplementary group list. "
>>
>> also
>>
>> "The winbind change to simplify the calculation of supplementary
>> groups to make it more reliable and predictable has been deferred to
>> 4.7 or later.
>>
>> This means that 'id <username>' without the user having logged in
>> previously works similar to 4.5."
>>
>> but in spite of I logged to share using guest user, "id <username>"
>> shows the same result.
>>
>>
>
> If I run 'id guest' on a Unix domain member, I get:
>
> id: guest: no such user
>
> Have you given 'Guest' a uidNumber and/or gidNumber attribute ?

If I run "id guest" I also have "no such user". I need to pass also domain realm:

root at root:~$ id guest
id: guest: no such user
root at root:~$ wbinfo -u|grep -i guest
DEV2+guest
root at root:~$ id DEV2+guest
uid=66037(DEV2+guest) gid=66049(DEV2+domain users) groups=66049(DEV2+domain users),66037(DEV2+guest),66050(DEV2+domain guests)

> I do not think that you should be able to log in as 'Guest', this is
> Windows version of the Unix user 'nobody' and you cannot log in as
> 'nobody'
>

of course I meant about DEV2+guest.

In release notes we have:

"This means that 'id <username>' without the user having logged in previously works similar to 4.5"

I'm a little confused about this. Should I apply patch from:

https://bugzilla.samba.org/show_bug.cgi?id=12612

which bug was mentioned here:

https://www.samba.org/samba/history/samba-4.6.0.html
https://wiki.samba.org/index.php/Samba_4.6_Features_added/changed

to have the same result as in 4.5? or this should also work in native 4.6 version without any changes?
Rowland Penny
2017-May-29 08:42 UTC
[Samba] Different primary group between 4.5.x and 4.6.x
On Mon, 29 May 2017 08:40:07 +0200
aluno3--- via samba <samba at lists.samba.org> wrote:

> > Have you given 'Guest' a uidNumber and/or gidNumber attribute ?
>
> If I run "id guest" I also have "no such user". I need to pass also
> domain realm:
>
> root at root:~$ id guest
> id: guest: no such user
> root at root:~$ wbinfo -u|grep -i guest
> DEV2+guest
> root at root:~$ id DEV2+guest
> uid=66037(DEV2+guest) gid=66049(DEV2+domain users)
> groups=66049(DEV2+domain users),66037(DEV2+guest),66050(DEV2+domain
> guests)

OK, so you do not have 'winbind use default domain = yes' in smb.conf,
but you do have 'winbind separator = +'

I do have the first, so your 'id DEV+guest' is the same as my 'id guest'
When I run it on a Unix domain member, I get:

id: guest: no such user

Bit different on a DC:

uid=3000002(SAMDOM\guest) gid=10000(SAMDOM\domain users) groups=10000(SAMDOM\domain users),3000002(SAMDOM\guest),3000003(SAMDOM\domain guests),3000006(BUILTIN\guests),3000001(BUILTIN\users)

As you seem to be getting '66037' for your ID, it seems that you must
have given 'Guest' a uidNumber or are using the winbind 'rid' backend.
Either way, you should not be able to login as 'Guest', or 'nobody',
these are users that should be used in the background.

> In release notes we have:
>
> "This means that 'id <username>' without the user having logged in
> previously works similar to 4.5"
>
> I'm a little confused about this. Should I apply patch from:
>
> https://bugzilla.samba.org/show_bug.cgi?id=12612

No, it was for something that was added and then removed before a
stable release

Rowland
aluno3 at poczta.onet.pl
2017-May-29 09:33 UTC
[Samba] Different primary group between 4.5.x and 4.6.x
On 29.05.2017 10:42, Rowland Penny via samba wrote:
> On Mon, 29 May 2017 08:40:07 +0200
> aluno3--- via samba <samba at lists.samba.org> wrote:
>
>
>>> Have you given 'Guest' a uidNumber and/or gidNumber attribute ?
>>
>> If I run "id guest" I also have "no such user". I need to pass also
>> domain realm:
>>
>> root at root:~$ id guest
>> id: guest: no such user
>> root at root:~$ wbinfo -u|grep -i guest
>> DEV2+guest
>> root at root:~$ id DEV2+guest
>> uid=66037(DEV2+guest) gid=66049(DEV2+domain users)
>> groups=66049(DEV2+domain users),66037(DEV2+guest),66050(DEV2+domain
>> guests)
>
> OK, so you do not have 'winbind use default domain = yes' in smb.conf,
> but you do have 'winbind separator = +'

Yes, exactly I have 'winbind separator = +'

>
> I do have the first, so your 'id DEV+guest' is the same as my 'id guest'
> When I run it on a Unix domain member, I get:
>
> id: guest: no such user
>
> Bit different on a DC:
>
> uid=3000002(SAMDOM\guest) gid=10000(SAMDOM\domain users) groups=10000(SAMDOM\domain users),3000002(SAMDOM\guest),3000003(SAMDOM\domain guests),3000006(BUILTIN\guests),3000001(BUILTIN\users)
>
> As you seem to be getting '66037' for your ID, it seems that you must
> have given 'Guest' a uidNumber or are using the winbind 'rid' backend.
> Either way, you should not be able to login as 'Guest', or 'nobody',
> these are users that should be used in the background.
>

My configuration for idmap backend is:

idmap config dev2 : range = 65536-19999999
idmap config dev2 : backend = rid
idmap config * : range = 20000000-39999999
idmap config * : backend = autorid

>> In release notes we have:
>>
>> "This means that 'id <username>' without the user having logged in
>> previously works similar to 4.5"
>>
>> I'm a little confused about this. Should I apply patch from:
>>
>> https://bugzilla.samba.org/show_bug.cgi?id=12612
>
> No, it was for something that was added and then removed before a
> stable release
>
> Rowland

Does it mean that functionality is not fully reverted?
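
Added example, not part of the thread or of Samba's code: with the 'rid' backend the Unix ID is RID - BASE_RID + LOW_RANGE_ID, so the ids in the posted 'id DEV2+guest' output can be decoded back to RIDs and compared with the group that primaryGroupID implies. It assumes the default base_rid of 0 and that the DEV2 guest account has primaryGroupID 514, as Rowland reports for his domain; the function names are hypothetical.

```python
import re

# idmap_rid mapping: ID = RID - BASE_RID + LOW_RANGE_ID.
# Range from "idmap config dev2 : range" in the thread; base_rid 0 is an assumption (the default).
LOW_ID, HIGH_ID, BASE_RID = 65536, 19999999, 0

# Well-known domain RIDs.
WELL_KNOWN = {501: "Guest", 513: "Domain Users", 514: "Domain Guests"}

ENTRY = re.compile(r"(\d+)\(([^)]*)\)")


def id_to_rid(unix_id):
    """Invert the rid mapping; None if the id is outside the configured range."""
    if not LOW_ID <= unix_id <= HIGH_ID:
        return None
    return unix_id - LOW_ID + BASE_RID


def rid_to_id(rid):
    return rid - BASE_RID + LOW_ID


def parse_id_output(line):
    """Parse 'uid=N(name) gid=N(name) groups=N(name),...' into a dict."""
    out = {}
    for key in ("uid", "gid"):
        m = re.search(rf"\b{key}=(\d+)\(([^)]*)\)", line)
        out[key] = (int(m.group(1)), m.group(2))
    out["groups"] = [(int(n), name) for n, name in ENTRY.findall(line.split("groups=", 1)[1])]
    return out


def check_primary_group(line, expected_rid):
    """Compare the gid winbind reports with the one implied by primaryGroupID."""
    parsed = parse_id_output(line)
    gid, expected_gid = parsed["gid"][0], rid_to_id(expected_rid)
    return {
        "uid_rid": id_to_rid(parsed["uid"][0]),
        "reported_gid_rid": id_to_rid(gid),
        "reported_group": WELL_KNOWN.get(id_to_rid(gid), "unknown"),
        "expected_gid": expected_gid,
        "matches": gid == expected_gid,
        "expected_in_supplementary": expected_gid in [g for g, _ in parsed["groups"]],
    }


# Output of 'id DEV2+guest' as posted in the thread.
SAMPLE = ("uid=66037(DEV2+guest) gid=66049(DEV2+domain users) "
          "groups=66049(DEV2+domain users),66037(DEV2+guest),66050(DEV2+domain guests)")

if __name__ == "__main__":
    print(check_primary_group(SAMPLE, expected_rid=514))
```

The result shows the account resolving with Domain Users (RID 513) as its primary group while Domain Guests (RID 514, gid 66050) appears only as a supplementary group, which matters wherever file or share permissions are granted to Domain Users.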