We have a winbind client running on a CentOS 7.3.1611 host connected to MS Active Directory. It is working normally for local and AD users. However, in the logs I see that NSS is throwing a call to winbind to retrieve the groups for the "root" user. I wonder why it does that and what can be done to make it stop. I believe it should do the lookup only for the domain/AD users.

[2019/10/02 17:00:01.952225, 3] ../source3/winbindd/winbindd_getgroups.c:60(winbindd_getgroups_send)
  getgroups root

samba-winbind-4.4.4-14.el7_3.x86_64

# cat /etc/nsswitch.conf | grep winbind
passwd:     files winbind
shadow:     files winbind
group:      files winbind

cat /etc/samba/smb.conf
[global]

workgroup = DOMAIN
realm = DOMAIN.COM
preferred master = no
server string = Samba Server Version %v
security = ADS
encrypt passwords = yes
log level = 3
log file = /var/log/samba/%m
max log size = 50
printcap name = cups
printing = cups
winbind enum users = Yes
winbind enum groups = Yes
winbind use default domain = Yes
winbind nested groups = Yes
winbind separator = +
winbind max clients = 1000
template shell = /bin/bash

idmap domains = DOMAIN
idmap config DOMAIN:range = 10000 - 49999
idmap config DOMAIN:base_rid = 0
idmap config DOMAIN:backend = rid

################################################
# Required for Samba/Winbind 3.4+
# Note that local tdb idmap backend
# required now for Samba/Winbind 3.4+
idmap backend = tdb
idmap uid = 10000 - 49999
idmap gid = 10000 - 49999
#################################################

Thanks in advance.
On 03/10/2019 15:05, Satay Epic via samba wrote:
> We have a winbind client running on a CentOS 7.3.1611 host connected to MS
> Active Directory. It is working normally for local and AD users. However,
> in the logs I see that NSS is throwing a call to winbind to retrieve
> the groups for the "root" user. I wonder why it does that and what can be
> done to make it stop. I believe it should do the lookup only for
> the domain/AD users.
>
> [2019/10/02 17:00:01.952225, 3]
> ../source3/winbindd/winbindd_getgroups.c:60(winbindd_getgroups_send)
>   getgroups root
>
> samba-winbind-4.4.4-14.el7_3.x86_64
>
> # cat /etc/nsswitch.conf | grep winbind
> passwd:     files winbind
> shadow:     files winbind
> group:      files winbind
>
> cat /etc/samba/smb.conf
> [global]
>
> workgroup = DOMAIN
> realm = DOMAIN.COM
> preferred master = no
> server string = Samba Server Version %v
> security = ADS
> encrypt passwords = yes
> log level = 3
> log file = /var/log/samba/%m
> max log size = 50
> printcap name = cups
> printing = cups
> winbind enum users = Yes
> winbind enum groups = Yes
> winbind use default domain = Yes
> winbind nested groups = Yes
> winbind separator = +
> winbind max clients = 1000
> template shell = /bin/bash
>
> idmap domains = DOMAIN
> idmap config DOMAIN:range = 10000 - 49999
> idmap config DOMAIN:base_rid = 0
> idmap config DOMAIN:backend = rid
>
> ################################################
> # Required for Samba/Winbind 3.4+
> # Note that local tdb idmap backend
> # required now for Samba/Winbind 3.4+
> idmap backend = tdb
> idmap uid = 10000 - 49999
> idmap gid = 10000 - 49999
> #################################################
>
> Thanks in advance.

You could start by setting up smb.conf correctly ;-)

Replace:

idmap backend = tdb
idmap uid = 10000 - 49999
idmap gid = 10000 - 49999

With:

idmap backend = tdb
idmap config * : range = 3000 - 7999

Also, remove 'winbind' from the 'shadow' line in /etc/nsswitch.conf

Rowland
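As an added check (not code from the thread or from the Samba project), a small Python linter that flags what Rowland's reply corrects: 'winbind' on the shadow line of nsswitch.conf, and the old 'idmap uid'/'idmap gid' lines standing in for a missing 'idmap config * : range'. It also checks that 'files' precedes 'winbind' for passwd and group, an assumption added here because the poster's goal is that local accounts keep resolving when winbind is down. The sample files are constructed to mirror the configuration quoted above.

```python
import re

# Constructed sample files (not the poster's real configuration); they carry
# the two defects Rowland pointed out: 'winbind' on the shadow line, and the
# old 'idmap uid/gid' lines with no default 'idmap config * : range'.
NSSWITCH = "passwd: files winbind\nshadow: files winbind\ngroup: files winbind\n"
SMB_CONF = """[global]
security = ADS
idmap config DOMAIN:range = 10000 - 49999
idmap config DOMAIN:backend = rid
idmap backend = tdb
idmap uid = 10000 - 49999
idmap gid = 10000 - 49999
"""

def parse_nsswitch(text):
    """Map each NSS database to its ordered list of sources."""
    dbs = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0]
        if ":" in line:
            db, sources = line.split(":", 1)
            dbs[db.strip()] = sources.split()
    return dbs

def parse_smb_global(text):
    """Map [global] keys (lower-cased, 'X : range' -> 'x:range') to values."""
    opts, section = {}, None
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line.startswith("["):
            section = line.strip("[]").lower()
        elif "=" in line and section == "global":
            key, value = (s.strip() for s in line.split("=", 1))
            opts[re.sub(r"\s*:\s*", ":", key.lower())] = value
    return opts

def check_configs(nsswitch_text, smb_text):
    """Return the findings for an nsswitch.conf / smb.conf pair."""
    findings, nss, smb = [], parse_nsswitch(nsswitch_text), parse_smb_global(smb_text)
    if "winbind" in nss.get("shadow", []):
        findings.append("nsswitch: remove 'winbind' from the shadow line")
    for db in ("passwd", "group"):  # local accounts must resolve from files first
        srcs = nss.get(db, [])
        if "winbind" in srcs and srcs[:1] != ["files"]:
            findings.append(f"nsswitch: '{db}' should list files before winbind")
    for key in ("idmap uid", "idmap gid"):
        if key in smb:
            findings.append(f"smb.conf: '{key}' is obsolete; use 'idmap config * : range'")
    if "idmap config *:range" not in smb:
        findings.append("smb.conf: no 'idmap config * : range' for the default domain")
    return findings
```

Running check_configs on the two files above returns four findings; applying Rowland's two changes brings it down to an empty list.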
Thank you Rowland for your reply. My knowledge of Samba is limited, so please forgive me for any basic mistakes :) This is something that was set up by a previous admin. We have had issues where "winbind" will just "give up" and won't let anyone log in to the host, not even from the console. I would like to fix that problem, so I started to investigate the configs. I don't know how to reproduce the issue, but the goal is that local users should be able to log in even if winbind is broken. I'm going to give the suggested settings a try to see if the winbind group lookup stops happening for a local user.

Thanks again

On Thu, Oct 3, 2019 at 7:12 AM Rowland penny via samba <samba at lists.samba.org> wrote:
>
> On 03/10/2019 15:05, Satay Epic via samba wrote:
> > We have a winbind client running on a CentOS 7.3.1611 host connected to MS
> > Active Directory. It is working normally for local and AD users. However,
> > in the logs I see that NSS is throwing a call to winbind to retrieve
> > the groups for the "root" user. I wonder why it does that and what can be
> > done to make it stop. I believe it should do the lookup only for
> > the domain/AD users.
> >
> > [2019/10/02 17:00:01.952225, 3]
> > ../source3/winbindd/winbindd_getgroups.c:60(winbindd_getgroups_send)
> >   getgroups root
> >
> > samba-winbind-4.4.4-14.el7_3.x86_64
> >
> > # cat /etc/nsswitch.conf | grep winbind
> > passwd:     files winbind
> > shadow:     files winbind
> > group:      files winbind
> >
> > cat /etc/samba/smb.conf
> > [global]
> >
> > workgroup = DOMAIN
> > realm = DOMAIN.COM
> > preferred master = no
> > server string = Samba Server Version %v
> > security = ADS
> > encrypt passwords = yes
> > log level = 3
> > log file = /var/log/samba/%m
> > max log size = 50
> > printcap name = cups
> > printing = cups
> > winbind enum users = Yes
> > winbind enum groups = Yes
> > winbind use default domain = Yes
> > winbind nested groups = Yes
> > winbind separator = +
> > winbind max clients = 1000
> > template shell = /bin/bash
> >
> > idmap domains = DOMAIN
> > idmap config DOMAIN:range = 10000 - 49999
> > idmap config DOMAIN:base_rid = 0
> > idmap config DOMAIN:backend = rid
> >
> > ################################################
> > # Required for Samba/Winbind 3.4+
> > # Note that local tdb idmap backend
> > # required now for Samba/Winbind 3.4+
> > idmap backend = tdb
> > idmap uid = 10000 - 49999
> > idmap gid = 10000 - 49999
> > #################################################
> >
> > Thanks in advance.
>
> You could start by setting up smb.conf correctly ;-)
>
> Replace:
>
> idmap backend = tdb
> idmap uid = 10000 - 49999
> idmap gid = 10000 - 49999
>
> With:
>
> idmap backend = tdb
> idmap config * : range = 3000 - 7999
>
> Also, remove 'winbind' from the 'shadow' line in /etc/nsswitch.conf
>
> Rowland