Marcio Vogel Merlone dos Santos
2018-Nov-28 12:12 UTC
[Samba] Odd behavior on group membership
Hi Rowland, thank you for your prompt reply,

I sent you the testparm output, hence lots of defaults (I presumed it would be better); here is the crude smb.conf:

root at araucaria:~# cat /etc/samba/smb.conf
[global]
netbios name = ARAUCARIA
realm = AD.TLD
server role = active directory domain controller
workgroup = A1
server services = -dns
ldap server require strong auth = no
wins support = yes
ntlm auth = yes
log file = /var/log/samba/%m.log
log level = 1 auth_audit:3 auth_json_audit:3
idmap_ldb:use rfc2307 = yes
idmap config * : backend = tdb
template shell = /bin/bash
template homedir = /home/usuarios/%U

[netlogon]
path = /var/lib/samba/sysvol/ad.tld/scripts
read only = No

[sysvol]
path = /var/lib/samba/sysvol
read only = No
root at araucaria:~#

On 28/11/2018 09:17, Rowland Penny via samba wrote:
> On Wed, 28 Nov 2018 08:48:07 -0200
> Marcio Vogel Merlone dos Santos via samba <samba at lists.samba.org> wrote:
>
>> Hi Rowland,
>>
>> Those tests were made on the DC (araucaria), not a domain member.
>>
>> root at araucaria:~# testparm /etc/samba/smb.conf
>> Load smb config files from /etc/samba/smb.conf
>> rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
>> Processing section "[netlogon]"
>> Processing section "[sysvol]"
>> Loaded services file OK.
>> Server role: ROLE_ACTIVE_DIRECTORY_DC
>>
>> Press enter to see a dump of your service definitions
>>
>> # Global parameters
>> [global]
>> passdb backend = samba_dsdb
>> wins support = Yes
>> rpc_server:tcpip = no
>> rpc_daemon:spoolssd = embedded
>> rpc_server:spoolss = embedded
>> rpc_server:winreg = embedded
>> rpc_server:ntsvcs = embedded
>> rpc_server:eventlog = embedded
>> rpc_server:srvsvc = embedded
>> rpc_server:svcctl = embedded
>> rpc_server:default = external
>> winbindd:use external pipes = true
>> idmap config * : backend = tdb
>> map archive = No
>> map readonly = no
>> store dos attributes = Yes
>> vfs objects = dfs_samba4 acl_xattr
>>
>
> I would remove the above lines from your smb.conf, most are defaults,
> but some are actually wrong for an AD DC, see 'man smb.conf' for more
> details
>
> Rowland
>

-- 
*Marcio Merlone*
IT - Network Administrator
*A1 Engenharia - Unidade Corporativa*
Phone: +55 41 3616-3797
Mobile: +55 41 99689-0036
https://a1.ind.br/
On Wed, 28 Nov 2018 10:12:39 -0200
Marcio Vogel Merlone dos Santos via samba <samba at lists.samba.org> wrote:

> Hi Rowland, thank you for your prompt reply,
>
> I sent you the testparm output, hence lots of defaults (I presumed it
> would be better); here is the crude smb.conf:
>
> root at araucaria:~# cat /etc/samba/smb.conf
> [global]
> netbios name = ARAUCARIA
> realm = AD.TLD
> server role = active directory domain controller
> workgroup = A1
> server services = -dns
> ldap server require strong auth = no
> wins support = yes
> ntlm auth = yes
> log file = /var/log/samba/%m.log
> log level = 1 auth_audit:3 auth_json_audit:3
> idmap_ldb:use rfc2307 = yes
> idmap config * : backend = tdb
> template shell = /bin/bash
> template homedir = /home/usuarios/%U
>

OK, you cannot get a correct list of a user's supplementary groups unless the user has logged into the computer, see here (under 'winbind changes' near the bottom of the page):

https://wiki.samba.org/index.php/Samba_4.6_Features_added/changed

Rowland
Marcio Vogel Merlone dos Santos
2018-Nov-28 17:38 UTC
[Samba] SOLVED (kind of) Re: Odd behavior on group membership
So, my problem started with squid not seeing group changes "on the fly". The link Rowland provided says the user must authenticate to winbind to see the new groups, so my workaround was to query LDAP directly and bypass winbind, or in other words, use ext_ldap_group_acl instead of ext_wbinfo_group_acl.

Best regards.

On 28/11/2018 11:32, Rowland Penny wrote:
> On Wed, 28 Nov 2018 10:12:39 -0200
> Marcio Vogel Merlone dos Santos via samba <samba at lists.samba.org> wrote:
>
>> Hi Rowland, thank you for your prompt reply,
>>
>> I sent you the testparm output, hence lots of defaults (I presumed it
>> would be better); here is the crude smb.conf:
>>
>> root at araucaria:~# cat /etc/samba/smb.conf
>> [global]
>> netbios name = ARAUCARIA
>> realm = AD.TLD
>> server role = active directory domain controller
>> workgroup = A1
>> server services = -dns
>> ldap server require strong auth = no
>> wins support = yes
>> ntlm auth = yes
>> log file = /var/log/samba/%m.log
>> log level = 1 auth_audit:3 auth_json_audit:3
>> idmap_ldb:use rfc2307 = yes
>> idmap config * : backend = tdb
>> template shell = /bin/bash
>> template homedir = /home/usuarios/%U
>>
>
> OK, you cannot get a correct list of a user's supplementary groups
> unless the user has logged into the computer, see here (under 'winbind
> changes' near the bottom of the page):
>
> https://wiki.samba.org/index.php/Samba_4.6_Features_added/changed
>
> Rowland
>

-- 
*Marcio Merlone*
IT - Network Administrator
*A1 Engenharia - Unidade Corporativa*
Phone: +55 41 3616-3797
Mobile: +55 41 99689-0036
https://a1.ind.br/
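The direct-directory approach Marcio settled on, as an added illustration that is neither from this thread nor Squid's own ext_ldap_group_acl: a minimal Squid external ACL helper that evaluates the user's current groups on every request instead of trusting winbind's logon-time group list. The directory lookup is a constructed in-memory stand-in (the real LDAP search of sAMAccountName to memberOf against the DC is an assumption left to the deployment); the request parsing and OK/ERR/BH replies follow Squid's helper line protocol.

```python
#!/usr/bin/env python3
"""Squid external ACL helper that checks AD group membership against the
directory on every request, so a group change takes effect at once rather
than after the user's next winbind logon."""
import sys
from urllib.parse import unquote

# Constructed sample directory standing in for an LDAP search against the DC
# (assumption: a real deployment queries sAMAccountName -> memberOf instead).
SAMPLE_DIRECTORY = {
    "marcio": {"Domain Users", "Proxy-Users"},
    "guest1": {"Domain Users"},
}

def canonical_user(login):
    """Reduce 'A1\\marcio', 'marcio@AD.TLD' or 'marcio' to the bare account name."""
    login = login.rsplit("\\", 1)[-1]
    return login.split("@", 1)[0].lower()

def lookup_groups(login):
    """Return the user's CURRENT group names (lower-cased) from the directory."""
    return {g.lower() for g in SAMPLE_DIRECTORY.get(canonical_user(login), ())}

def parse_request(line):
    """Squid sends '<%LOGIN> <group> [<group> ...]', fields URL-escaped and
    space separated. Returns (login, [groups]); login is '' if malformed."""
    fields = [unquote(f) for f in line.strip().split()]
    if len(fields) < 2:
        return "", []
    return fields[0], fields[1:]

def decide(line, lookup=lookup_groups):
    """Answer one request with the reply Squid expects: OK, ERR or BH."""
    login, wanted = parse_request(line)
    if not login:
        return 'BH message="malformed request"'   # helper-side failure
    have = lookup(login)                           # fresh lookup, no winbind cache
    return "OK" if any(g.lower() in have for g in wanted) else "ERR"

def main():
    for line in sys.stdin:                         # one request per line
        print(decide(line), flush=True)            # Squid blocks until it gets a reply

if __name__ == "__main__":
    main()
```

Squid caches helper answers for the ttl/negative_ttl set on external_acl_type, so keep those short as well or a revoked group can still be honoured until the cached answer expires.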