Jeff Sadowski
2018-Mar-27 15:36 UTC
[Samba] 10 minutes between primary group change and effect on Fedora 27
On Tue, Mar 27, 2018 at 9:15 AM, Rowland Penny <rpenny at samba.org> wrote:
> On Tue, 27 Mar 2018 08:46:00 -0600
> Jeff Sadowski via samba <samba at lists.samba.org> wrote:
>
>> My smb.conf looks like so.
>>
>> [global]
>> security = ads
>> realm = MIND.UNM.EDU
>> workgroup = MIND
>> idmap config * : backend = tdb
>> idmap config * : range = 2000-7999
>> idmap config MIND:backend = ad
>> idmap config MIND:schema_mode = rfc2307
>> idmap config MIND:range = 8000-9999999
>> idmap config MIND:unix_nss_info = yes
>> winbind use default domain = yes
>> restrict anonymous = 2
>>
>> I have a user jefftest.
>>
>> I found that to set the primary group that user needs to be in that
>> group.
>>
>> If I set the group of jefftest to a new group (both in the UNIX
>> attributes tab and in the Member Of tab) using Active Directory Users
>> and Computers.
>> Then I test the user using ldapsearch against each domain controller
>> and they all have the new values according to ldapsearch in gidNumber.
>>
>> Then I login with jefftest on my joined fedora 27 machine using
>> winbind 4.7.6 as jefftest and run id.
>> It still shows the old group.
>> So I log out as jefftest and in as root and run
>
> I think you are mixing up group membership and the users primary group,
> when you run 'getent group username' what is returned is the username
> and the users primarygroup
> e.g. getent passwd rowland
>
> Returns:
> rowland:*:10000:10000:Rowland Penny:/home/rowland:/bin/bash
>
> The first number is the users uidNumber, the second is the gidNumber of
> the users primarygroup, in this case Domain Users.
>
> All users, by default, get the gidNumber of Domain Users, if you want
> the user to have a different primarygroup, you need to give the user a
> gidNumber attribute containing the gidNumber of the required group AND
> add this line to smb.conf:
>
> idmap config MIND:unix_primary_group = yes

OK I added this line
Is that not the default behavior?
It seemed to work after ten minutes like I wanted.
I just wanted to speed up by flushing the cache or something.

>
> This will only work from Samba 4.6.0

Did you mean 4.6.0 and greater?

>
> Just in case you are trying to have user private groups with the same
> name as the user, well, you cannot, it isn't allowed.
>

I'm switching between jeff_write_group and jeffs_general_group so this
isn't the issue. AD wouldn't let me do that anyways.

> Rowland

I added the debug line as L.P.H. van Belle had suggested too.

> getent passwd jefftest
jefftest:*:11507:31026:Jeff Test:/na/homes/jefftest:/bin/bash

when I just switched the gidNumber to 31025 and verified using
ldapsearch against all my dc's and I tried a "net cache flush"
the log files may have info in them but I'm not sure what to look for
or how to post them. I think attachments are removed by the list.

And after 10 minutes getent now shows the same.
Seems that adding the idmap config MIND:unix_primary_group = yes
nothing has noticeably changed.
Rowland Penny
2018-Mar-27 15:51 UTC
[Samba] 10 minutes between primary group change and effect on Fedora 27
On Tue, 27 Mar 2018 09:36:49 -0600
Jeff Sadowski <jeff.sadowski at gmail.com> wrote:

> On Tue, Mar 27, 2018 at 9:15 AM, Rowland Penny <rpenny at samba.org>
> >
> > idmap config MIND:unix_primary_group = yes
> OK I added this line
> Is that not the default behavior?

No
See here:
https://wiki.samba.org/index.php/Samba_4.6_Features_added/changed#winbind_primary_group_and_nss_info

> It seemed to work after ten minutes like I wanted.
> I just wanted to speed up by flushing the cache or something.

Are you sure it isn't about 5 minutes ?
There is the default setting in smb.conf: winbind cache time = 300
This is the default time (in seconds) to cache user & group info

> >
> > This will only work from Samba 4.6.0
> Did you mean 4.6.0 and greater?

I thought that was what I said ;-)

Rowland
Jeff Sadowski
2018-Mar-27 16:03 UTC
[Samba] 10 minutes between primary group change and effect on Fedora 27
On Tue, Mar 27, 2018 at 9:51 AM, Rowland Penny via samba <samba at lists.samba.org> wrote:
> On Tue, 27 Mar 2018 09:36:49 -0600
> Jeff Sadowski <jeff.sadowski at gmail.com> wrote:
>
>> On Tue, Mar 27, 2018 at 9:15 AM, Rowland Penny <rpenny at samba.org>
>> >
>> > idmap config MIND:unix_primary_group = yes
>> OK I added this line
>> Is that not the default behavior?
>
> No
> See here:
> https://wiki.samba.org/index.php/Samba_4.6_Features_added/changed#winbind_primary_group_and_nss_info
>

Ah now I can set them different I see I was changing both to be
consistent anyways.
This explains my testing about 2 weeks ago.

>> It seemed to work after ten minutes like I wanted.
>> I just wanted to speed up by flushing the cache or something.
>
> Are you sure it isn't about 5 minutes ?
>

I'll buy it being 5 minutes. It just seems a little longer but yeah
about 5 minutes.

> There is the default setting in smb.conf: winbind cache time = 300
> This is the default time (in seconds) to cache user & group info
>

Ahh but, isn't "net cache flush" supposed to flush this instantly?
Is there another command to flush instantly?
If not I can tell my users to wait that isn't too too long.

>> >
>> > This will only work from Samba 4.6.0
>> Did you mean 4.6.0 and greater?
>
> I thought that was what I said ;-)
>
> Rowland

Thank you Rowland you solved a lot of my mysteries
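
Added example, not part of the thread and not Samba's own code: a small Python check of the three settings the replies turn on (unix_primary_group, the idmap range, winbind cache time), run over the idmap lines of the posted smb.conf with the suggested line added. The function names are this example's own; the range check assumes idmap_ad treats the configured range as a filter, and the accepted boolean spellings are an assumption about smb.conf parsing.

```python
import re

# idmap lines from the smb.conf posted in the thread, plus the
# unix_primary_group line suggested in the reply (sample input).
SMB_CONF = """\
[global]
idmap config * : backend = tdb
idmap config * : range = 2000-7999
idmap config MIND:backend = ad
idmap config MIND:schema_mode = rfc2307
idmap config MIND:range = 8000-9999999
idmap config MIND:unix_nss_info = yes
idmap config MIND:unix_primary_group = yes
"""

IDMAP_KEY = re.compile(r"idmap config\s+(\S+?)\s*:\s*(\S.*)", re.I)
TRUE_VALUES = ("yes", "true", "on", "1")  # assumed boolean spellings

def parse_global(text):
    """Return ([global] parameters, {DOMAIN: {idmap option: value}})."""
    params, idmap, section = {}, {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":          # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "global" or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        m = IDMAP_KEY.fullmatch(key)
        if m:   # "idmap config DOMAIN : option" is keyed per domain
            idmap.setdefault(m.group(1).upper(), {})[m.group(2).lower()] = value
        else:
            params[" ".join(key.lower().split())] = value
    return params, idmap

def primary_group_report(text, domain, gid_number):
    """Summarise how winbind will pick and cache the primary group."""
    params, idmap = parse_global(text)
    opts = idmap.get(domain.upper(), {})
    low, high = (int(n) for n in opts.get("range", "0-0").split("-"))
    use_gid = opts.get("unix_primary_group", "no").lower() in TRUE_VALUES
    return {
        # Default (no): primary group is derived from primaryGroupID.
        "source": "gidNumber" if use_gid else "primaryGroupID",
        # idmap_ad ignores IDs stored in AD that fall outside the range.
        "gid_in_range": low <= gid_number <= high,
        # Default cache lifetime quoted in the thread: 300 seconds.
        "cache_seconds": int(params.get("winbind cache time", "300")),
    }
```

Calling `primary_group_report(SMB_CONF, "MIND", 31025)` reports that the primary group comes from gidNumber, that 31025 is inside the MIND range, and that cached user and group data lives for 300 seconds.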