Richard Bollinger
2018-Nov-28 21:48 UTC
[Samba] Upgraded to 4.8 - forced to use winbindd - retro how to missing?
winbind is running and I fixed the ranges. testparm seems happy now. Same result.

Any other suggestions?

On Wed, Nov 28, 2018 at 4:18 PM Rowland Penny via samba <samba at lists.samba.org> wrote:

> On Wed, 28 Nov 2018 16:06:01 -0500
> Richard Bollinger via samba <samba at lists.samba.org> wrote:
>
> > Well it *almost* works as before. With this stanza and version 4.8.3,
> > access seems to only be granted per the single group listed in a
> > user's entry in /etc/passwd, not including groups listed in /etc/group
> >
> > [global]
> > workgroup = AMERICAS
> > realm = AMERICAS.X.Y
> > security = ADS
> > idmap config * : range = 100000:199999
> > idmap config AMERICAS : backend = nss
> > idmap config AMERICAS : range = 1000:99999
> >
> > Thoughts?
>
> You mean apart from thinking 'I wouldn't use idmap_nss' ? ;-)
>
> It should be '100000-199999' not '100000:19999'
>
> You will also need winbind running.
>
> Rowland
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba

Rowland Penny
2018-Nov-28 22:16 UTC
[Samba] Upgraded to 4.8 - forced to use winbindd - retro how to missing?
On Wed, 28 Nov 2018 16:48:09 -0500
Richard Bollinger <rabollinger at gmail.com> wrote:

> winbind is running and I fixed the ranges. testparm seems happy
> now. Same result.
>
> Any other suggestions?

Well, 'man idmap_nss' says this:

The idmap_nss plugin provides a means to map Unix users and groups to Windows accounts. This provides a simple means of ensuring that the SID for a Unix user named jsmith is reported as the one assigned to DOMAIN\jsmith which is necessary for reporting ACLs on files and printers stored on a Samba member server.

So, from that, it is possible you are hitting the 'supplementary groups are not found unless the user has logged in' feature.

You may never get this to work as you want.

Rowland

Richard Bollinger
2018-Nov-29 17:58 UTC
[Samba] Upgraded to 4.8 - forced to use winbindd - retro how to missing?
Sad, because that used to work fine (without winbind)... and it seems to work now only after some magical event occurs. While I was testing various smb.conf and wbinfo commands, suddenly it started working... but I don't know what was the triggering event / setting :-(.

Is there a documented way to force supplemental groups to be recognized initially / always?

On Wed, Nov 28, 2018 at 5:16 PM Rowland Penny via samba <samba at lists.samba.org> wrote:

> On Wed, 28 Nov 2018 16:48:09 -0500
> Richard Bollinger <rabollinger at gmail.com> wrote:
>
> > winbind is running and I fixed the ranges. testparm seems happy
> > now. Same result.
> >
> > Any other suggestions?
>
> Well, 'man idmap_nss' says this:
>
> The idmap_nss plugin provides a means to map Unix users and groups to
> Windows accounts.
> This provides a simple means of ensuring that the SID for a Unix user
> named jsmith is reported as the one assigned to DOMAIN\jsmith which is
> necessary for reporting ACLs on files and printers stored on a Samba member
> server.
>
> So, from that, it is possible you are hitting the 'supplementary
> groups are not found unless the user has logged in' feature.
>
> You may never get this to work as you want.
>
> Rowland