aluno3 at poczta.onet.pl
2017-May-30 14:02 UTC
[Samba] Different primary group between 4.5.x and 4.6.x
Additionally if I authenticate to user using wbinfo -a it seems to work correctly:

root@root:~$ id DEV2+guest
uid=2000501(DEV2+guest) gid=2000513(DEV2+domain users) groups=2000513(DEV2+domain users),2000501(DEV2+guest),2000514(DEV2+domain guests)

root@root:~$ wbinfo -a DEV2+guest
Enter DEV2+guest's password:
plaintext password authentication succeeded
Enter DEV2+guest's password:
challenge/response password authentication succeeded

root@root:~$ id DEV2+guest
uid=2000501(DEV2+guest) gid=2000514(DEV2+domain guests) groups=2000514(DEV2+domain guests),2000501(DEV2+guest)

so seems that if samlogon cache is filled then primary group is returned correctly.

But I suppose that if I use share using NFS (without Samba authentication) and have some ACL to files or directories I will probably have issues with access denied.

On 30.05.2017 11:54, aluno3 at poczta.onet.pl wrote:
> I changed default/primary group for other user than guest and issue also
> occurred so if domain user has default group other than "domain users",
> 'id <username>' always shows "domain users" as primary group.
>
> On 29.05.2017 12:30, aluno3 at poczta.onet.pl wrote:
>> On 29.05.2017 12:03, Rowland Penny via samba wrote:
>>> On Mon, 29 May 2017 11:33:21 +0200
>>> aluno3--- via samba <samba at lists.samba.org> wrote:
>>>
>>>> My configuration for idmap backend is:
>>>>
>>>> idmap config dev2 : range = 65536-19999999
>>>> idmap config dev2 : backend = rid
>>>> idmap config * : range = 20000000-39999999
>>>> idmap config * : backend = autorid
>>>
>>> It is recommended to use the tdb backend for the '*' domain
>>
>> I will try to use tdb backend but in relative to issue with primary
>> group it will not help.
>>
>>>
>>>>
>>>> Does it mean that functionality is not fully reverted?
>>>>
>>>
>>> No, it means that a patch was added and then removed, as far as the code
>>> is concerned, it is just as if the patch had never existed.
>>>
>>> Rowland
>>>
>>
>> I suppose that not all commits from 2017-01-04 from Volker was reverted
>> on 2017-03-06. Am I wrong ?
>>
>> Additionally in commit:
>>
>> https://git.samba.org/?p=samba.git;a=commitdiff;h=93e804a8b0e63f90c166f063fa16a1238cd8f8f3
>>
>> we have updated release notes regarding to 'id <username>' but on:
>>
>> https://wiki.samba.org/index.php/Samba_4.6_Features_added/changed#winbind_changes
>>
>> this information is not updated so it can bring the confusion.
aluno3 at poczta.onet.pl
2017-May-31 09:36 UTC
[Samba] Different primary group between 4.5.x and 4.6.x
Below I post the scenario where user can lose access to the file with winbindd 4.6.x (DEV2+dev2user1000 has default group other than "domain users"):

root@host:~# su DEV2+dev2user105

DEV2+dev2user105@host:/$ whoami
DEV2+dev2user105

DEV2+dev2user105@host:/$ > /testfile

DEV2+dev2user105@host:/$ ls -al /testfile
-rw-r--r-- 1 DEV2+dev2user105 DEV2+domain users 0 May 31 11:27 /testfile

DEV2+dev2user105@host:/$ chmod 660 /testfile

DEV2+dev2user105@host:/$ ls -al /testfile
-rw-rw---- 1 DEV2+dev2user105 DEV2+domain users 0 May 31 11:27 /testfile

DEV2+dev2user105@host:/$ exit

root@host:~# su DEV2+dev2user1000

DEV2+dev2user1000@host:/$ whoami
DEV2+dev2user1000

DEV2+dev2user1000@host:/$ echo "testpermissions" >> /testfile

DEV2+dev2user1000@host:/$ cat /testfile
testpermissions

DEV2+dev2user1000@host:/$ exit

root@host:~# wbinfo --pam-logon=DEV2+dev2user1000
Enter DEV2+dev2user1000's password:
plaintext password authentication succeeded

root@host:~# su DEV2+dev2user1000

DEV2+dev2user1000@host:/$ echo "testpermissions2" >> /testfile
bash: /testfile: Permission denied

On 30.05.2017 16:02, aluno3 at poczta.onet.pl wrote:
> Additionally if I authenticate to user using wbinfo -a it seems to work
> correctly:
>
> root@root:~$ id DEV2+guest uid=2000501(DEV2+guest)
> gid=2000513(DEV2+domain users) groups=2000513(DEV2+domain
> users),2000501(DEV2+guest),2000514(DEV2+domain guests)
>
> root@root:~$ wbinfo -a DEV2+guest
> Enter DEV2+guest's password:
> plaintext password authentication succeeded
> Enter DEV2+guest's password:
> challenge/response password authentication succeeded
>
> root@root:~$ id DEV2+guest
> uid=2000501(DEV2+guest) gid=2000514(DEV2+domain guests)
> groups=2000514(DEV2+domain guests),2000501(DEV2+guest)
>
> so seems that if samlogon cache is filled then primary group is returned
> correctly.
>
> But I suppose that if I use share using NFS (without Samba
> authentication) and have some ACL to files or directories I will
> probably have issues with access denied.
>
>
> On 30.05.2017 11:54, aluno3 at poczta.onet.pl wrote:
>> I changed default/primary group for other user than guest and issue also
>> occurred so if domain user has default group other than "domain users",
>> 'id <username>' always shows "domain users" as primary group.
>>
>> On 29.05.2017 12:30, aluno3 at poczta.onet.pl wrote:
>>> On 29.05.2017 12:03, Rowland Penny via samba wrote:
>>>> On Mon, 29 May 2017 11:33:21 +0200
>>>> aluno3--- via samba <samba at lists.samba.org> wrote:
>>>>
>>>>> My configuration for idmap backend is:
>>>>>
>>>>> idmap config dev2 : range = 65536-19999999
>>>>> idmap config dev2 : backend = rid
>>>>> idmap config * : range = 20000000-39999999
>>>>> idmap config * : backend = autorid
>>>>
>>>> It is recommended to use the tdb backend for the '*' domain
>>>
>>> I will try to use tdb backend but in relative to issue with primary
>>> group it will not help.
>>>
>>>>
>>>>>
>>>>> Does it mean that functionality is not fully reverted?
>>>>>
>>>>
>>>> No, it means that a patch was added and then removed, as far as the code
>>>> is concerned, it is just as if the patch had never existed.
>>>>
>>>> Rowland
>>>>
>>>
>>> I suppose that not all commits from 2017-01-04 from Volker was reverted
>>> on 2017-03-06. Am I wrong ?
>>>
>>> Additionally in commit:
>>>
>>> https://git.samba.org/?p=samba.git;a=commitdiff;h=93e804a8b0e63f90c166f063fa16a1238cd8f8f3
>>>
>>> we have updated release notes regarding to 'id <username>' but on:
>>>
>>> https://wiki.samba.org/index.php/Samba_4.6_Features_added/changed#winbind_changes
>>>
>>> this information is not updated so it can bring the confusion.
Rowland Penny
2017-May-31 10:04 UTC
[Samba] Different primary group between 4.5.x and 4.6.x
On Wed, 31 May 2017 11:36:56 +0200
aluno3--- via samba <samba at lists.samba.org> wrote:

> root@host:~# su DEV2+dev2user1000
>
> DEV2+dev2user1000@host:/$ whoami
> DEV2+dev2user1000
>
> DEV2+dev2user1000@host:/$ echo "testpermissions" >> /testfile
>
> DEV2+dev2user1000@host:/$ cat /testfile
> testpermissions
>
> DEV2+dev2user1000@host:/$ exit
>
> root@host:~# wbinfo --pam-logon=DEV2+dev2user1000
> Enter DEV2+dev2user1000's password:
> plaintext password authentication succeeded
>
> root@host:~# su DEV2+dev2user1000
>
> DEV2+dev2user1000@host:/$ echo "testpermissions2" >> /testfile
> bash: /testfile: Permission denied
>

This is strange, it works then it doesn't ????

Can you run 'pam-auth-update' and tell us the output ?

Rowland