kawazu428 at gmail.com
2018-Jun-01 11:13 UTC
[Samba] winbind, nsswitch, AD and group membership caching?
Hi Rowland;

On Friday, 01.06.2018, 11:42 +0100, Rowland Penny via samba wrote:
>
> OK, how are you running the Unix domain members ?
> Are you using the 'ad' or the 'rid' winbind backend ?
> If you are using the 'ad' backend, have you given the groups a
> gidNumber ?
>

Hmm, I only have these statements relating to winbind and idmap in my smb.conf; this hasn't changed in ages on our samba systems, but so far we never tried to use this config for ssh login and really working with multiple groups, just for user/group name mapping:

idmap config * : backend = tdb
idmap config * : range = 3000-7999
winbind separator = +
winbind enum users = Yes
winbind enum groups = Yes
winbind use default domain = Yes

Should I change that first statement (* backend) to ad then? It does assign uids and gids as far as I can tell, but these seem in some way "mixed up" too; while logging in via ssh or doing "groups", the system complains that one or two group gids can't be resolved to names.

> Try running 'net cache flush' on the Unix domain member.
>

Already tried that before, no result.

Best,
Kristian
Rowland Penny
2018-Jun-01 12:13 UTC
[Samba] winbind, nsswitch, AD and group membership caching?
On Fri, 01 Jun 2018 13:13:21 +0200
Kristian via samba <samba at lists.samba.org> wrote:

> Hi Rowland;
>
> On Friday, 01.06.2018, 11:42 +0100, Rowland Penny via samba wrote:
> >
> > OK, how are you running the Unix domain members ?
> > Are you using the 'ad' or the 'rid' winbind backend ?
> > If you are using the 'ad' backend, have you given the groups a
> > gidNumber ?
> >
>
> Hmm, I only have these statements relating to winbind and idmap in my
> smb.conf; this hasn't changed in ages on our samba systems but so far
> we never tried to use this config for ssh login and really working
> with multiple groups, just for user/group name mapping:
>
> idmap config * : backend = tdb
> idmap config * : range = 3000-7999

Sorry, but that is not enough, you need lines for the DOMAIN

>
> winbind separator = +
> winbind enum users = Yes
> winbind enum groups = Yes
> winbind use default domain = Yes
>
> Should I change that first statement (* backend) to ad then?

No, those lines are perfectly correct for the '*' domain (which is basically the Well known SIDs and anything outside the DOMAIN). If you do not have any uidNumber & gidNumber attributes in AD (and you won't have, unless somebody added them, they do not 'magically' appear), you will need lines like these:

idmap config YOUR_DOMAIN : backend = rid
idmap config YOUR_DOMAIN : range = 10000-999999

>
> It does assign uids and gids as far as I can tell, but these seem in
> some way "mixed up" too; while logging in via ssh or doing "groups",
> the system complains that one or two group gids can't be resolved to
> names.
>
> > Try running 'net cache flush' on the Unix domain member.
> >
>
> Already tried that before, no result.
>

See this wikipage for more info:

https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member

Rowland
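A small lint for the configuration point Rowland makes, added here as an illustration (it is not code from the thread or from Samba): it parses the idmap lines of an smb.conf and flags a missing per-domain block, a domain range that overlaps the '*' range, and the uidNumber/gidNumber caveat for the 'ad' backend. The domain name EXAMPLE and both smb.conf snippets are constructed.

```python
import re

IDMAP_RE = re.compile(r"^\s*idmap config (\S+)\s*:\s*(backend|range)\s*=\s*(.+?)\s*$", re.I)

# Constructed sample: only the '*' domain is configured, as in the poster's file.
POSTER_CONF = """
idmap config * : backend = tdb
idmap config * : range = 3000-7999
"""
# Constructed sample: the same file plus per-domain lines of the kind Rowland
# suggests; EXAMPLE is a placeholder domain name.
FIXED_CONF = POSTER_CONF + """
idmap config EXAMPLE : backend = rid
idmap config EXAMPLE : range = 10000-999999
"""

def parse_idmap(smb_conf):
    """Collect 'idmap config <domain> : backend|range' values per domain."""
    domains = {}
    for line in smb_conf.splitlines():
        m = IDMAP_RE.match(line)
        if m:
            domains.setdefault(m.group(1), {})[m.group(2).lower()] = m.group(3)
    return domains

def parse_range(text):
    """'3000-7999' -> (3000, 7999)."""
    return tuple(int(x) for x in text.replace(" ", "").split("-", 1))

def check_idmap(smb_conf, domain):
    """Return a list of findings; an empty list means the idmap config looks sane."""
    findings, conf = [], parse_idmap(smb_conf)
    star, dom = conf.get("*", {}), conf.get(domain)
    if "range" not in star:
        findings.append("no 'idmap config * : range' for the well-known SIDs")
    if dom is None:
        findings.append(f"no 'idmap config {domain}' lines: domain users and groups "
                        "get IDs from the '*' tdb allocation, per host and on demand")
        return findings
    if dom.get("backend", "").lower() == "ad":  # caveat from the thread
        findings.append("backend 'ad' needs uidNumber/gidNumber in AD (not checkable here)")
    if "range" not in dom:
        findings.append(f"no 'idmap config {domain} : range'")
    elif "range" in star:
        slo, shi = parse_range(star["range"])
        dlo, dhi = parse_range(dom["range"])
        if slo <= dhi and dlo <= shi:  # the two intervals intersect
            findings.append(f"{domain} range overlaps the '*' range")
    return findings
```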
kawazu428 at gmail.com
2018-Jun-01 12:35 UTC
[Samba] winbind, nsswitch, AD and group membership caching?
Hi Rowland; thanks for the follow-up.

> > > Try running 'net cache flush' on the Unix domain member.
> > >
> >
> > Already tried that before, no result.
> >
>
> See this wikipage for more info:
>
> https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member
>

Ok, so I'll try getting my homework done and report back in case something's still wrong after. By now, thanks a bunch for your help. :)

Best regards,
Kristian