Thank you Rowland for your reply. My knowledge is limited with Samba so please forgive me for any basic mistakes :)
This is something that was set up by a previous admin.

We have had issues where "winbind" will just "give up" and won't let anyone login into the host not even from the console.
I would like to fix that problem so started to investigate the configs. I don't know how to reproduce the issue but the goal is that local users should be able to login even if winbind is broken.

I'm going to give a try with the settings suggested to see if the winbind group lookup doesn't happen for a local user.

Thanks again

On Thu, Oct 3, 2019 at 7:12 AM Rowland penny via samba <samba at lists.samba.org> wrote:
>
> On 03/10/2019 15:05, Satay Epic via samba wrote:
> > We have winbind client running on CentOS 7.3.1611 host connected to MS
> > active directory. It is working normal for local and AD users. However
> > in the logs, I see that NSS is throwing call to winbind to retrieve
> > the groups for "root" user. I wonder why it does and what can be done
> > to make it stop doing that. I believe it should do the lookup only for
> > the domain/AD users.
> >
> > [2019/10/02 17:00:01.952225, 3]
> > ../source3/winbindd/winbindd_getgroups.c:60(winbindd_getgroups_send)
> > getgroups root
> >
> > samba-winbind-4.4.4-14.el7_3.x86_64
> >
> > # cat /etc/nsswitch.conf | grep winbind
> > passwd: files winbind
> > shadow: files winbind
> > group: files winbind
> >
> > cat /etc/samba/smb.conf
> > [global]
> >
> > workgroup = DOMAIN
> > realm = DOMAIN.COM
> > preferred master = no
> > server string = Samba Server Version %v
> > security = ADS
> > encrypt passwords = yes
> > log level = 3
> > log file = /var/log/samba/%m
> > max log size = 50
> > printcap name = cups
> > printing = cups
> > winbind enum users = Yes
> > winbind enum groups = Yes
> > winbind use default domain = Yes
> > winbind nested groups = Yes
> > winbind separator = +
> > winbind max clients = 1000
> > template shell = /bin/bash
> >
> > idmap domains = DOMAIN
> > idmap config DOMAIN:range = 10000 - 49999
> > idmap config DOMAIN:base_rid = 0
> > idmap config DOMAIN:backend = rid
> >
> > ################################################
> > # Required for Samba/Winbind 3.4+
> > # Note that local tdb idmap backend
> > # required now for Samba/Winbind 3.4+
> > idmap backend = tdb
> > idmap uid = 10000 - 49999
> > idmap gid = 10000 - 49999
> > #################################################
> >
> > Thanks in advance.
> >
> You could start by setting up smb.conf correctly ;-)
>
> Replace:
>
> idmap backend = tdb
> idmap uid = 10000 - 49999
> idmap gid = 10000 - 49999
>
> With:
>
> idmap backend = tdb
> idmap config * : range = 3000 - 7999
>
> Also, remove 'winbind' from the 'shadow' line in /etc/nsswitch.conf
>
> Rowland
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba

On 03/10/2019 15:46, Satay Epic wrote:
> Thank you Rowland for your reply. My knowledge is limited with Samba
> so please forgive me for any basic mistakes :)
> This is something that was set up by a previous admin.
>
> We have had issues where "winbind" will just "give up" and won't let
> anyone login into the host not even from the console.
> I would like to fix that problem so started to investigate the
> configs. I don't know how to reproduce the issue but the goal is that
> local users
> should be able to login even if winbind is broken.
>
> I'm going to give a try with the settings suggested to see if the
> winbind group lookup doesn't happen for a local user.
>

The first thing I would do is to upgrade the OS, I do not use RHEL or any of its derivatives, but I believe the latest versions supply Samba 4.8.3 and this is a lot nearer a Samba supported version than 4.4.x is.

Another question that springs to mind, is sssd installed, if it is, I would remove it.

Rowland

SSSD is not installed but I did remove it from nsswitch.conf. I still see winbind always doing the group lookup for local user.

On Thu, Oct 3, 2019 at 8:05 AM Rowland penny via samba <samba at lists.samba.org> wrote:
>
> On 03/10/2019 15:46, Satay Epic wrote:
> > Thank you Rowland for your reply. My knowledge is limited with Samba
> > so please forgive me for any basic mistakes :)
> > This is something that was set up by a previous admin.
> >
> > We have had issues where "winbind" will just "give up" and won't let
> > anyone login into the host not even from the console.
> > I would like to fix that problem so started to investigate the
> > configs. I don't know how to reproduce the issue but the goal is that
> > local users
> > should be able to login even if winbind is broken.
> >
> > I'm going to give a try with the settings suggested to see if the
> > winbind group lookup doesn't happen for a local user.
> >
> The first thing I would do is to upgrade the OS, I do not use RHEL or
> any of its derivatives, but I believe the latest versions supply Samba
> 4.8.3 and this is a lot nearer a Samba supported version than 4.4.x is.
>
> Another question that springs to mind, is sssd installed, if it is, I
> would remove it.
>
> Rowland

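
Added example, not part of the original messages: a Python check for the two changes suggested in the thread (replacing `idmap uid`/`idmap gid` with `idmap config * : range`, and dropping `winbind` from the `shadow` line). The range-overlap test, the function names `parse_params` and `audit`, and the embedded sample files (reduced from the ones quoted above) are assumptions of this example.

```python
import re
from itertools import combinations

# Constructed sample input, reduced from the files quoted in the thread.
NSSWITCH = "passwd: files winbind\nshadow: files winbind\ngroup: files winbind\n"
SMB_CONF = """[global]
idmap config DOMAIN:range = 10000 - 49999
idmap config DOMAIN:backend = rid
idmap backend = tdb
idmap uid = 10000 - 49999
idmap gid = 10000 - 49999
"""
# The same file after the replacement suggested in the reply.
FIXED_CONF = """[global]
idmap config DOMAIN:range = 10000 - 49999
idmap config DOMAIN:backend = rid
idmap backend = tdb
idmap config * : range = 3000 - 7999
"""

def parse_params(text):
    """Map normalised parameter names to values (Samba ignores case and spaces in names)."""
    params = {}
    for line in text.splitlines():
        line = line.strip()
        if line and line[0] not in "#;[" and "=" in line:
            key, value = line.split("=", 1)
            params[re.sub(r"\s+", "", key).lower()] = value.strip()
    return params

def audit(smb_conf, nsswitch):
    """Return a list of findings for the smb.conf and nsswitch.conf texts."""
    legacy, findings, ranges = ("idmapuid", "idmapgid"), [], {}
    for key, value in parse_params(smb_conf).items():
        if key in legacy:
            findings.append(f"legacy 'idmap {key[5:]}': use 'idmap config * : range'")
        if key in legacy or re.fullmatch(r"idmapconfig.+:range", key):
            low, high = (int(n) for n in value.split("-"))
            ranges[key] = (low, high)
    # ID ranges of different idmap domains must not overlap
    # (the legacy uid/gid pair describes one default domain, so it is skipped).
    for (a, ra), (b, rb) in combinations(ranges.items(), 2):
        if {a, b} != set(legacy) and ra[0] <= rb[1] and rb[0] <= ra[1]:
            findings.append(f"overlapping ranges: {a} and {b}")
    for line in nsswitch.splitlines():
        db, _, sources = line.partition(":")
        if db.strip() == "shadow" and "winbind" in sources.split():
            findings.append("remove 'winbind' from the 'shadow' line")
    return findings
```

On the configuration as originally posted, `audit(SMB_CONF, NSSWITCH)` reports the two legacy parameters, their overlap with the `DOMAIN` range, and the `shadow` line; with `FIXED_CONF` and a `shadow: files` line it reports nothing.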