On 14/05/2020 21:59, Orion Poplawski via samba wrote:
> Sorry, I thought I had re-enabled delivery, but I had not. So trying to reply
> to Rowland Penny here:
>
>> On 14/05/2020 18:46, Orion Poplawski via samba wrote:
>>> All -
>>>
>>> I seem to be suffering from the common complaint that users lose
>>> supplementary group access after a while - in our case it seems to be
>>> connections left overnight. Restarting smb fixes it. I haven't been able to
>>> determine the cause.
>>>
>>> though I think that is to be expected at this point as we are not using
>>> winbind idmapping to map AD users, but rather we have an IPA - AD trust and so
>>> have local unix users already.
>> Yes, but is winbind running ?
>>> Server is Scientific Linux release 7.8
>>> samba-4.10.4-10.el7.x86_64
>>>
>>>         workgroup = DOMAIN
>>>         security = ads
>>>         realm = AD.DOMAIN
>>> # Workaround unix group issue (https://bugzilla.samba.org/show_bug.cgi?id=10618)
>>>         username map script = /bin/echo
>>>
>>> Is the above now causing more issues?
>> I think it is what isn't there that is the problem
>>> Recent changes that I can think of are the 7.8 update and configuring AD
>>> sites. Though I think this problem has likely been occurring for a long time
>>> - but for some reason we are seeing more connections left overnight.
>> You do not say what you upgraded from, but 7.8 will now mean you have a
>> Samba version >= 4.8.0 and from Samba 4.8.0 you need to run winbind if
>> you have 'security = ADS' in smb.conf. This also means you need the
>> 'idmap config' lines as well, which means you cannot have the same users
>> in /etc/passwd.
> I upgraded from 7.7. And yes since we've had samba >= 4.8.0 for a while now
> we've been running winbind.
>
> This configuration (dropping the username map script hack) seems to be working
> for us, does this seem correct?
>
>         idmap config * : backend = tdb
>         idmap config * : range = 1000000-1999999
>         idmap config DOMAIN : backend = nss
>         idmap config DOMAIN : range = 1000-999999
>         winbind scan trusted domains = no

Yes, that should work for your setup. It will map your local users to IPA users.

It isn't the way that I would do it though ;-)

From what you have posted, you are mapping local users to IPA users and the IPA is in a trust with AD, I would just ignore IPA and join the computer to AD and get your users and groups directly. If you have AD, why not leverage it and have all users & groups stored in AD ?

Rowland
Orion Poplawski
2020-May-15 13:56 UTC
[Samba] Users lose supplementary groups after a time
On 5/15/20 12:56 AM, Rowland penny via samba wrote:
> On 14/05/2020 21:59, Orion Poplawski via samba wrote:
>> Sorry, I thought I had re-enabled delivery, but I had not. So trying
>> to reply to Rowland Penny here:
>>
>>> On 14/05/2020 18:46, Orion Poplawski via samba wrote:
>>>> All -
>>>>
>>>> I seem to be suffering from the common complaint that users lose
>>>> supplementary group access after a while - in our case it seems to be
>>>> connections left overnight. Restarting smb fixes it. I haven't
>>>> been able to determine the cause.
>>>>
>>>> though I think that is to be expected at this point as we are not using
>>>> winbind idmapping to map AD users, but rather we have an IPA - AD
>>>> trust and so have local unix users already.
>>> Yes, but is winbind running ?
>>>> Server is Scientific Linux release 7.8
>>>> samba-4.10.4-10.el7.x86_64
>>>>
>>>>         workgroup = DOMAIN
>>>>         security = ads
>>>>         realm = AD.DOMAIN
>>>> # Workaround unix group issue
>>>> (https://bugzilla.samba.org/show_bug.cgi?id=10618)
>>>>         username map script = /bin/echo
>>>>
>>>> Is the above now causing more issues?
>>> I think it is what isn't there that is the problem
>>>> Recent changes that I can think of are the 7.8 update and
>>>> configuring AD sites. Though I think this problem has likely been
>>>> occurring for a long time - but for some reason we are seeing more
>>>> connections left overnight.
>>> You do not say what you upgraded from, but 7.8 will now mean you have a
>>> Samba version >= 4.8.0 and from Samba 4.8.0 you need to run winbind if
>>> you have 'security = ADS' in smb.conf. This also means you need the
>>> 'idmap config' lines as well, which means you cannot have the same users
>>> in /etc/passwd.
>> I upgraded from 7.7. And yes since we've had samba >= 4.8.0 for a
>> while now we've been running winbind.
>>
>> This configuration (dropping the username map script hack) seems to be
>> working for us, does this seem correct?
>>
>>         idmap config * : backend = tdb
>>         idmap config * : range = 1000000-1999999
>>         idmap config DOMAIN : backend = nss
>>         idmap config DOMAIN : range = 1000-999999
>>         winbind scan trusted domains = no
>
> Yes, that should work for your setup. It will map your local users to
> IPA users.

Thanks for the response.

> It isn't the way that I would do it though ;-)
>
> From what you have posted, you are mapping local users to IPA users and
> the IPA is in a trust with AD, I would just ignore IPA and join the
> computer to AD and get your users and groups directly. If you have AD,
> why not leverage it and have all users & groups stored in AD ?

We do have all of our users and groups stored in AD :). But we also have lots of Linux systems that are best managed via IPA. I suppose we could have some that are just joined to AD, but I suspect that this would create its own headaches and inconsistencies.

-- 
Orion Poplawski
Manager of NWRA Technical Systems          720-772-5637
NWRA, Boulder/CoRA Office             FAX: 303-415-9702
3380 Mitchell Lane                       orion at nwra.com
Boulder, CO 80301                 https://www.nwra.com/
On 15/05/2020 14:56, Orion Poplawski wrote:
> On 5/15/20 12:56 AM, Rowland penny via samba wrote:
>> On 14/05/2020 21:59, Orion Poplawski via samba wrote:
>>> Sorry, I thought I had re-enabled delivery, but I had not. So
>>> trying to reply to Rowland Penny here:
>>>
>>>> On 14/05/2020 18:46, Orion Poplawski via samba wrote:
>>>>> All -
>>>>>
>>>>> I seem to be suffering from the common complaint that users lose
>>>>> supplementary group access after a while - in our case it seems to be
>>>>> connections left overnight. Restarting smb fixes it. I haven't
>>>>> been able to determine the cause.
>>>>>
>>>>> though I think that is to be expected at this point as we are not
>>>>> using winbind idmapping to map AD users, but rather we have an IPA - AD
>>>>> trust and so have local unix users already.
>>>> Yes, but is winbind running ?
>>>>> Server is Scientific Linux release 7.8
>>>>> samba-4.10.4-10.el7.x86_64
>>>>>
>>>>>         workgroup = DOMAIN
>>>>>         security = ads
>>>>>         realm = AD.DOMAIN
>>>>> # Workaround unix group issue
>>>>> (https://bugzilla.samba.org/show_bug.cgi?id=10618)
>>>>>         username map script = /bin/echo
>>>>>
>>>>> Is the above now causing more issues?
>>>> I think it is what isn't there that is the problem
>>>>> Recent changes that I can think of are the 7.8 update and
>>>>> configuring AD sites. Though I think this problem has likely been
>>>>> occurring for a long time - but for some reason we are seeing more
>>>>> connections left overnight.
>>>> You do not say what you upgraded from, but 7.8 will now mean you
>>>> have a Samba version >= 4.8.0 and from Samba 4.8.0 you need to run winbind if
>>>> you have 'security = ADS' in smb.conf. This also means you need the
>>>> 'idmap config' lines as well, which means you cannot have the same
>>>> users in /etc/passwd.
>>> I upgraded from 7.7. And yes since we've had samba >= 4.8.0 for a
>>> while now we've been running winbind.
>>>
>>> This configuration (dropping the username map script hack) seems to
>>> be working for us, does this seem correct?
>>>
>>>         idmap config * : backend = tdb
>>>         idmap config * : range = 1000000-1999999
>>>         idmap config DOMAIN : backend = nss
>>>         idmap config DOMAIN : range = 1000-999999
>>>         winbind scan trusted domains = no
>>
>> Yes, that should work for your setup. It will map your local users to
>> IPA users.
>
> Thanks for the response.
>
>> It isn't the way that I would do it though ;-)
>>
>> From what you have posted, you are mapping local users to IPA users
>> and the IPA is in a trust with AD, I would just ignore IPA and join
>> the computer to AD and get your users and groups directly. If you
>> have AD, why not leverage it and have all users & groups stored in AD ?
>
> We do have all of our users and groups stored in AD :). But we also
> have lots of Linux systems that are best managed via IPA. I suppose
> we could have some that are just joined to AD, but I suspect that this
> would create its own headaches and inconsistencies.

Do you have any Samba shares ? From Samba 4.8.0 you cannot use sssd (not that I am saying you are using sssd).

I am struggling to understand just what IPA gives you, except for authentication and you can do this with Samba directly from AD. The whole idea behind AD is to get centralised authentication (which from my understanding is what IPA does), so why have two authentication centres ?

Rowland
Orion Poplawski
2020-May-15 18:10 UTC
[Samba] Users lose supplementary groups after a time
On 5/15/20 12:56 AM, Rowland penny via samba wrote:
> On 14/05/2020 21:59, Orion Poplawski via samba wrote:
>> Sorry, I thought I had re-enabled delivery, but I had not. So trying to reply
>> to Rowland Penny here:
>>
>>> On 14/05/2020 18:46, Orion Poplawski via samba wrote:
>>>> All -
>>>>
>>>> I seem to be suffering from the common complaint that users lose
>>>> supplementary group access after a while - in our case it seems to be
>>>> connections left overnight. Restarting smb fixes it. I haven't been able to
>>>> determine the cause.
>>>>
>>>> though I think that is to be expected at this point as we are not using
>>>> winbind idmapping to map AD users, but rather we have an IPA - AD trust
>>>> and so have local unix users already.
>>> Yes, but is winbind running ?
>>>> Server is Scientific Linux release 7.8
>>>> samba-4.10.4-10.el7.x86_64
>>>>
>>>>         workgroup = DOMAIN
>>>>         security = ads
>>>>         realm = AD.DOMAIN
>>>> # Workaround unix group issue
>>>> (https://bugzilla.samba.org/show_bug.cgi?id=10618)
>>>>         username map script = /bin/echo
>>>>
>>>> Is the above now causing more issues?
>>> I think it is what isn't there that is the problem
>>>> Recent changes that I can think of are the 7.8 update and configuring AD
>>>> sites. Though I think this problem has likely been occurring for a long time
>>>> - but for some reason we are seeing more connections left overnight.
>>> You do not say what you upgraded from, but 7.8 will now mean you have a
>>> Samba version >= 4.8.0 and from Samba 4.8.0 you need to run winbind if
>>> you have 'security = ADS' in smb.conf. This also means you need the
>>> 'idmap config' lines as well, which means you cannot have the same users
>>> in /etc/passwd.
>> I upgraded from 7.7. And yes since we've had samba >= 4.8.0 for a while now
>> we've been running winbind.
>>
>> This configuration (dropping the username map script hack) seems to be working
>> for us, does this seem correct?
>>
>>         idmap config * : backend = tdb
>>         idmap config * : range = 1000000-1999999
>>         idmap config DOMAIN : backend = nss
>>         idmap config DOMAIN : range = 1000-999999
>>         winbind scan trusted domains = no
>
> Yes, that should work for your setup. It will map your local users to IPA users.

Unfortunately I still seem to be seeing different behavior for different users. Some users are being assigned to local unix groups that they belong to, others are only given the groups for which their AD groups have matching local unix equivalents. After clearing out the samba/winbind caches on a test server - it appears that the latter behavior is likely the expected one. Is this correct?

-- 
Orion Poplawski
Manager of NWRA Technical Systems          720-772-5637
NWRA, Boulder/CoRA Office             FAX: 303-415-9702
3380 Mitchell Lane                       orion at nwra.com
Boulder, CO 80301                 https://www.nwra.com/
On 15/05/2020 19:10, Orion Poplawski wrote:
> On 5/15/20 12:56 AM, Rowland penny via samba wrote:
>> On 14/05/2020 21:59, Orion Poplawski via samba wrote:
>>> Sorry, I thought I had re-enabled delivery, but I had not. So trying to reply
>>> to Rowland Penny here:
>>>
>>>> On 14/05/2020 18:46, Orion Poplawski via samba wrote:
>>>>> All -
>>>>>
>>>>> I seem to be suffering from the common complaint that users lose
>>>>> supplementary group access after a while - in our case it seems to be
>>>>> connections left overnight. Restarting smb fixes it. I haven't been able to
>>>>> determine the cause.
>>>>>
>>>>> though I think that is to be expected at this point as we are not using
>>>>> winbind idmapping to map AD users, but rather we have an IPA - AD trust
>>>>> and so have local unix users already.
>>>> Yes, but is winbind running ?
>>>>> Server is Scientific Linux release 7.8
>>>>> samba-4.10.4-10.el7.x86_64
>>>>>
>>>>>         workgroup = DOMAIN
>>>>>         security = ads
>>>>>         realm = AD.DOMAIN
>>>>> # Workaround unix group issue
>>>>> (https://bugzilla.samba.org/show_bug.cgi?id=10618)
>>>>>         username map script = /bin/echo
>>>>>
>>>>> Is the above now causing more issues?
>>>> I think it is what isn't there that is the problem
>>>>> Recent changes that I can think of are the 7.8 update and configuring AD
>>>>> sites. Though I think this problem has likely been occurring for a long time
>>>>> - but for some reason we are seeing more connections left overnight.
>>>> You do not say what you upgraded from, but 7.8 will now mean you have a
>>>> Samba version >= 4.8.0 and from Samba 4.8.0 you need to run winbind if
>>>> you have 'security = ADS' in smb.conf. This also means you need the
>>>> 'idmap config' lines as well, which means you cannot have the same users
>>>> in /etc/passwd.
>>> I upgraded from 7.7. And yes since we've had samba >= 4.8.0 for a while now
>>> we've been running winbind.
>>>
>>> This configuration (dropping the username map script hack) seems to be working
>>> for us, does this seem correct?
>>>
>>>         idmap config * : backend = tdb
>>>         idmap config * : range = 1000000-1999999
>>>         idmap config DOMAIN : backend = nss
>>>         idmap config DOMAIN : range = 1000-999999
>>>         winbind scan trusted domains = no
>> Yes, that should work for your setup. It will map your local users to IPA users.
> Unfortunately I still seem to be seeing different behavior for different
> users. Some users are being assigned to local unix groups that they belong
> to, others are only given the groups for which their AD groups have matching
> local unix equivalents. After clearing out the samba/winbind caches on a test
> server - it appears that the latter behavior is likely the expected one. Is
> this correct?

Yes, the backend you are using, maps AD users and groups to local users and groups, so this means that you have to have users & groups in /etc/passwd and groups with the same names as in AD.

For more info read 'man idmap_nss'

Rowland
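The point Rowland makes in both of his replies (the nss backend only hands a user the AD groups that have a same-named local group, so anything else is silently dropped) can be checked ahead of time instead of waiting for a user to lose access. The script below is an added example written for this page, not code from the thread or from the Samba project: it compares the group names winbind reports with the local group database and lists the AD groups that have no local equivalent. It assumes the default winbind separator `\`, so winbind names come out as `DOMAIN\group`, and on a real host it would take its input from `wbinfo -g` and `getent group`; here both inputs are constructed inline so that it runs offline.

```shell
#!/bin/sh
# Added example (not from the thread or the Samba project): list AD groups
# that have no same-named local group, i.e. the groups an idmap_nss-mapped
# user will not receive from smbd.
#
# Assumption: winbind uses its default separator '\', so `wbinfo -g`
# prints names as DOMAIN\group. Adjust strip_domain if yours differs.

# Constructed sample of `wbinfo -g` output (AD groups with the domain prefix).
AD_GROUPS='DOMAIN\domain users
DOMAIN\research
DOMAIN\admins
DOMAIN\finance'

# Constructed sample of `getent group` / /etc/group lines (local groups,
# whether they come from files, IPA or any other NSS source).
LOCAL_GROUPS='root:x:0:
users:x:100:
research:x:1001:orion
admins:x:1002:orion'

# strip_domain NAME: drop the leading "DOMAIN\" that winbind adds.
strip_domain() {
    printf '%s\n' "${1#*\\}"
}

# missing_local_groups AD_LIST LOCAL_LIST: print every AD group (without the
# domain prefix) whose name does not appear as a group name in LOCAL_LIST.
# AD_LIST is `wbinfo -g` style text, LOCAL_LIST is /etc/group style text.
missing_local_groups() {
    ad_list=$1
    local_list=$2
    printf '%s\n' "$ad_list" | while IFS= read -r g; do
        [ -n "$g" ] || continue
        name=$(strip_domain "$g")
        # Exact match on the first colon-separated field (the group name),
        # so a name like "domain users" or one with regex characters is safe.
        if ! printf '%s\n' "$local_list" |
             awk -F: -v n="$name" '$1 == n { f = 1 } END { exit f ? 0 : 1 }'; then
            printf '%s\n' "$name"
        fi
    done
}

# On a live member server the call would be:
#   missing_local_groups "$(wbinfo -g)" "$(getent group)"
# With the constructed input above it reports "domain users" and "finance".
missing_local_groups "$AD_GROUPS" "$LOCAL_GROUPS"
```

Run it on the Samba member server after winbind is up; every name it prints is a group membership the user holds in AD but will not get on that share until a local group of the same name exists (or the group is renamed to match). Because `idmap config DOMAIN : backend = nss` makes the local name database the source of truth, adding the missing group locally is the fix, and re-running the script confirms the list is empty.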