kawazu428 at gmail.com
2018-Jun-01 10:11 UTC
[Samba] winbind, nsswitch, AD and group membership caching?
Hi Rowland;

thanks for your comment.

On Friday, 01.06.2018, 11:05 +0100, Rowland Penny via samba wrote:
>
> Have the users logged in ? If not, then this is the expected
> behaviour.
>

The users have logged in several times using ssh; does that suffice?

As far as I can tell right now, it *looks* like this is computed just exactly once and never updated. Did a quick check with an empty VM that joined the domain; after logging in there with the same user, group assignment is the same as in Windows AD. Forgot to mention before: I'm on Ubuntu 16.04 / samba 4.3.11.

Best regards,
Kristian

Rowland Penny
2018-Jun-01 10:42 UTC
[Samba] winbind, nsswitch, AD and group membership caching?
On Fri, 01 Jun 2018 12:11:57 +0200 Kristian via samba <samba at lists.samba.org> wrote:

> Hi Rowland;
>
> thanks for your comment.
>
> On Friday, 01.06.2018, 11:05 +0100, Rowland Penny via
> samba wrote:
> >
> > Have the users logged in ? If not, then this is the expected
> > behaviour.
> >
>
> The users have logged in several times using ssh; does that suffice?
>
> As far as I can tell right now, it *looks* like this is computed just
> exactly once and never updated. Did a quick check with an empty VM
> that joined the domain; after logging in there with the same user,
> group assignment is the same as in Windows AD. Forgot to mention
> before: I'm on Ubuntu 16.04 / samba 4.3.11.
>
> Best regards,
> Kristian
>

OK, how are you running the Unix domain members ?
Are you using the 'ad' or the 'rid' winbind backend ?
If you are using the 'ad' backend, have you given the groups a gidNumber ?

Try running 'net cache flush' on the Unix domain member.

Rowland

kawazu428 at gmail.com
2018-Jun-01 11:13 UTC
[Samba] winbind, nsswitch, AD and group membership caching?
Hi Rowland;

On Friday, 01.06.2018, 11:42 +0100, Rowland Penny via samba wrote:
>
> OK, how are you running the Unix domain members ?
> Are you using the 'ad' or the 'rid' winbind backend ?
> If you are using the 'ad' backend, have you given the groups a
> gidNumber ?
>

Hmm, I only have these statements relating to winbind and idmap in my smb.conf; this hasn't changed in ages on our samba systems but so far we never tried to use this config for ssh login and really working with multiple groups, just for user/group name mapping:

    idmap config * : backend = tdb
    idmap config * : range = 3000-7999
    winbind separator = +
    winbind enum users = Yes
    winbind enum groups = Yes
    winbind use default domain = Yes

Should I change that first statement (* backend) to ad then? It does assign uids and gids as far as I can tell, but these seem in some way "mixed up" too; while logging in via ssh or doing "groups", the system complains that one or two group gids can't be resolved to names.

> Try running 'net cache flush' on the Unix domain member.
>

Already tried that before, no result.

Best,
Kristian
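
Added example, not part of the thread and not Samba's own code: a small Python check of the 'idmap config' lines quoted in the last message, which flags a configuration that defines only the default '*' domain and any ID ranges that overlap. The finding labels are hypothetical names chosen for this illustration.

```python
import re
from itertools import combinations

# Constructed input: the idmap/winbind lines quoted in the message above.
PAGE_CONFIG = """\
[global]
idmap config * : backend = tdb
idmap config * : range = 3000-7999
winbind separator = +
winbind enum users = Yes
winbind enum groups = Yes
winbind use default domain = Yes
"""

# Matches "idmap config <DOMAIN> : <option> = <value>"; commented lines do not match.
IDMAP_RE = re.compile(r"^\s*idmap\s+config\s+(\S+?)\s*:\s*([\w ]+?)\s*=\s*(.*?)\s*$", re.I)

def parse_idmap(text):
    """Return {DOMAIN: {option: value}} for every 'idmap config' line."""
    domains = {}
    for line in text.splitlines():
        m = IDMAP_RE.match(line)
        if m:
            domains.setdefault(m.group(1).upper(), {})[m.group(2).lower()] = m.group(3)
    return domains

def check_idmap(text):
    """Return finding labels (hypothetical names) for the idmap layout."""
    domains = parse_idmap(text)
    findings = []
    # Only '*' configured: domain accounts get IDs from the default backend.
    # With tdb those IDs are allocated locally on each member, so the same
    # account or group can end up with different uid/gid values per machine.
    if not any(d != "*" for d in domains):
        findings.append("default-only")
    ranges = {}
    for dom, opts in sorted(domains.items()):
        m = re.fullmatch(r"(\d+)\s*-\s*(\d+)", opts.get("range", ""))
        if m:
            ranges[dom] = (int(m.group(1)), int(m.group(2)))
        else:
            findings.append(f"missing-range:{dom}")
    # Ranges of different idmap domains must not overlap.
    for (a, ra), (b, rb) in combinations(sorted(ranges.items()), 2):
        if ra[0] <= rb[1] and rb[0] <= ra[1]:
            findings.append(f"overlap:{a}/{b}")
    return findings

if __name__ == "__main__":
    print(check_idmap(PAGE_CONFIG))
```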