On 15/05/2020 14:56, Orion Poplawski wrote:
> On 5/15/20 12:56 AM, Rowland penny via samba wrote:
>> On 14/05/2020 21:59, Orion Poplawski via samba wrote:
>>> Sorry, I thought I had re-enabled delivery, but I had not. So
>>> trying to reply to Rowland Penny here:
>>>
>>>> On 14/05/2020 18:46, Orion Poplawski via samba wrote:
>>>>> All -
>>>>>
>>>>>     I seem to be suffering from the common complaint that users lose
>>>>> supplementary group access after a while - in our case it seems to be
>>>>> connections left overnight. Restarting smb fixes it. I haven't
>>>>> been able to determine the cause.
>>>>>
>>>>> though I think that is to be expected at this point as we are not
>>>>> using winbind idmapping to map AD users, but rather we have an IPA - AD
>>>>> trust and so have local unix users already.
>>>> Yes, but is winbind running ?
>>>>> Server is Scientific Linux release 7.8
>>>>> samba-4.10.4-10.el7.x86_64
>>>>>
>>>>>           workgroup = DOMAIN
>>>>>           security = ads
>>>>>           realm = AD.DOMAIN
>>>>> # Workaround unix group issue
>>>>> (https://bugzilla.samba.org/show_bug.cgi?id=10618)
>>>>>           username map script = /bin/echo
>>>>>
>>>>> Is the above now causing more issues?
>>>> I think it is what isn't there that is the problem
>>>>> Recent changes that I can think of are the 7.8 update and
>>>>> configuring AD sites. Though I think this problem has likely been
>>>>> occurring for a long time - but for some reason we are seeing more
>>>>> connections left overnight.
>>>> You do not say what you upgraded from, but 7.8 will now mean you
>>>> have a Samba version >= 4.8.0 and from Samba 4.8.0 you need to run
>>>> winbind if you have 'security = ADS' in smb.conf. This also means you
>>>> need the 'idmap config' lines as well, which means you cannot have the
>>>> same users in /etc/passwd.
>>> I upgraded from 7.7.
>>> And yes since we've had samba >= 4.8.0 for a while now
>>> we've been running winbind.
>>>
>>> This configuration (dropping the username map script hack) seems to
>>> be working for us, does this seem correct?
>>>
>>>          idmap config * : backend = tdb
>>>          idmap config * : range = 1000000-1999999
>>>          idmap config DOMAIN : backend = nss
>>>          idmap config DOMAIN : range = 1000-999999
>>>          winbind scan trusted domains = no
>>
>> Yes, that should work for your setup. It will map your local users to
>> IPA users.
>
> Thanks for the response.
>
>> It isn't the way that I would do it though ;-)
>>
>> From what you have posted, you are mapping local users to IPA users
>> and the IPA is in a trust with AD, I would just ignore IPA and join
>> the computer to AD and get your users and groups directly. If you
>> have AD, why not leverage it and have all users & groups stored in AD ?
>
> We do have all of our users and groups stored in AD :). But we also
> have lots of Linux systems that are best managed via IPA. I suppose
> we could have some that are just joined to AD, but I suspect that this
> would create its own headaches and inconsistencies.

Do you have any Samba shares ? From Samba 4.8.0 you cannot use sssd (not
that I am saying you are using sssd).

I am struggling to understand just what IPA gives you, except for
authentication and you can do this with Samba directly from AD.

The whole idea behind AD is to get centralised authentication (which
from my understanding is what IPA does), so why have two authentication
centres ?

Rowland
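The thread turns on the 'idmap config' lines: with winbind in use, a missing '*' default domain, a domain without both backend and range, or two domains whose ID ranges overlap all lead to wrong or missing UID/GID mappings, which shows up as users losing group membership. The following checker is an added example written for this page, not code from Samba or from either poster. It parses only the 'idmap config' lines of an smb.conf text and reports those problems; the sample configurations are constructed here, the first from the configuration quoted in the thread and the second deliberately broken. The "range must start at 1000 or above" rule is a guideline this checker assumes, not something the thread states.

```python
"""
Sanity-check the 'idmap config' lines of an smb.conf for mistakes that
make winbind hand out wrong or missing UIDs/GIDs: no '*' default domain,
a domain without backend or range, overlapping ranges, and ranges that
dip into the low IDs used by local system accounts.
"""
import re
from typing import Dict, List, Tuple

# Constructed sample: the working configuration posted in the thread.
SAMPLE_SMB_CONF = """
[global]
        workgroup = DOMAIN
        security = ads
        realm = AD.DOMAIN
        idmap config * : backend = tdb
        idmap config * : range = 1000000-1999999
        idmap config DOMAIN : backend = nss
        idmap config DOMAIN : range = 1000-999999
        winbind scan trusted domains = no
"""

# Constructed sample with a default domain lacking a backend and two
# ranges that overlap (15000-19999 is claimed by both domains).
BROKEN_SMB_CONF = """
[global]
        security = ads
        idmap config * : range = 10000-19999
        idmap config DOMAIN : backend = rid
        idmap config DOMAIN : range = 15000-99999
"""

# Matches e.g. "idmap config DOMAIN : range = 1000-999999"; the domain
# name may be '*' for the default domain.
IDMAP_RE = re.compile(
    r"^\s*idmap\s+config\s+(?P<dom>\S+)\s*:\s*(?P<key>\w+)\s*=\s*(?P<val>.+?)\s*$",
    re.IGNORECASE,
)


def parse_idmap(conf: str) -> Dict[str, Dict[str, str]]:
    """Return {domain: {key: value}} for every 'idmap config' line."""
    domains: Dict[str, Dict[str, str]] = {}
    for line in conf.splitlines():
        m = IDMAP_RE.match(line)
        if m:
            domains.setdefault(m["dom"].upper(), {})[m["key"].lower()] = m["val"]
    return domains


def parse_range(val: str) -> Tuple[int, int]:
    """Turn 'LOW-HIGH' into a pair of ints."""
    lo, hi = (int(x) for x in val.split("-", 1))
    return lo, hi


def check_idmap(conf: str) -> List[str]:
    """Return human-readable problems; an empty list means the config passes."""
    domains = parse_idmap(conf)
    problems: List[str] = []
    if "*" not in domains:
        problems.append("no 'idmap config * : ...' default domain")
    ranges: List[Tuple[str, int, int]] = []
    for dom, keys in domains.items():
        if "backend" not in keys:
            problems.append(f"{dom}: missing backend")
        if "range" not in keys:
            problems.append(f"{dom}: missing range")
            continue
        lo, hi = parse_range(keys["range"])
        if lo >= hi:
            problems.append(f"{dom}: range {lo}-{hi} is empty or reversed")
        if lo < 1000:  # assumed guideline: keep clear of local system accounts
            problems.append(f"{dom}: range starts below 1000")
        ranges.append((dom, lo, hi))
    # Ranges must not overlap, otherwise SIDs from two domains collide on
    # the same unix IDs and group membership becomes unreliable.
    ranges.sort(key=lambda r: r[1])
    for (d1, lo1, hi1), (d2, lo2, hi2) in zip(ranges, ranges[1:]):
        if lo2 <= hi1:
            problems.append(f"{d1} ({lo1}-{hi1}) overlaps {d2} ({lo2}-{hi2})")
    return problems


if __name__ == "__main__":
    for name, conf in (("sample", SAMPLE_SMB_CONF), ("broken", BROKEN_SMB_CONF)):
        found = check_idmap(conf)
        print(name + ":", "OK" if not found else "\n  ".join([""] + found))
```

Run it against a real file with `check_idmap(open("/etc/samba/smb.conf").read())`; it only reads the idmap lines, so a full smb.conf with shares and other globals is fine as input.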
Orion Poplawski
2020-May-15 18:27 UTC
[Samba] Users loose supplementary groups after a time
On 5/15/20 8:22 AM, Rowland penny via samba wrote:
> On 15/05/2020 14:56, Orion Poplawski wrote:
>> On 5/15/20 12:56 AM, Rowland penny via samba wrote:
>>> On 14/05/2020 21:59, Orion Poplawski via samba wrote:
>>>>
>>>> This configuration (dropping the username map script hack) seems to be
>>>> working for us, does this seem correct?
>>>>
>>>>          idmap config * : backend = tdb
>>>>          idmap config * : range = 1000000-1999999
>>>>          idmap config DOMAIN : backend = nss
>>>>          idmap config DOMAIN : range = 1000-999999
>>>>          winbind scan trusted domains = no
>>>
>>> Yes, that should work for your setup. It will map your local users to IPA
>>> users.
>>
>> Thanks for the response.
>>
>>> It isn't the way that I would do it though ;-)
>>>
>>> From what you have posted, you are mapping local users to IPA users and
>>> the IPA is in a trust with AD, I would just ignore IPA and join the
>>> computer to AD and get your users and groups directly. If you have AD, why
>>> not leverage it and have all users & groups stored in AD ?
>>
>> We do have all of our users and groups stored in AD :). But we also have
>> lots of Linux systems that are best managed via IPA. I suppose we could
>> have some that are just joined to AD, but I suspect that this would create
>> its own headaches and inconsistencies.
>
> Do you have any Samba shares ? From Samba 4.8.0 you cannot use sssd (not that
> I am saying you are using sssd).

Yes, the main issue here is around access to samba shares. I can't really
parse the statement that "you cannot use sssd". Of course we are using sssd.
That's what is resolving the AD users into local unix users via the IPA - AD
trust. What exactly do you mean when you say that we cannot use sssd?

> I am struggling to understand just what IPA gives you, except for
> authentication and you can do this with Samba directly from AD.

Lots with regard to policy and authorization:

- Fine grained PAM access controls for each host, user, group, service.
- Centralized sudo rules.
- Certificate issuance and renewal.
- Centralized automount configuration.

> The whole idea behind AD is to get centralised authentication (which from my
> understanding is what IPA does), so why have two authentication centres ?

There's more to it than authentication :)

-- 
Orion Poplawski
Manager of NWRA Technical Systems          720-772-5637
NWRA, Boulder/CoRA Office                  FAX: 303-415-9702
3380 Mitchell Lane                         orion at nwra.com
Boulder, CO 80301                          https://www.nwra.com/
On 15/05/2020 19:27, Orion Poplawski wrote:
> Yes, the main issue here is around access to samba shares. I can't really
> parse the statement that "you cannot use sssd". Of course we are using sssd.
> That's what is resolving the AD users into local unix users via the IPA -
> AD trust. What exactly do you mean when you say that we cannot use sssd?

The Samba daemon 'smbd' used to be able to talk directly to AD, so you could
use sssd with Samba, but, from Samba 4.8.0, this was changed. If you now use
'security = ADS' with Samba >= 4.8.0 , you must run winbind and you cannot
run winbind with sssd, this is because sssd uses its versions of some of the
winbind libs.

This will not affect IPA, because this is what sssd was written for, but, as
far as I am aware (never used IPA), you do not have SMB shares with IPA, so
it boils down to:

If you just want authentication, you can use IPA, but if you want
authentication and shares, then you can use Samba.

Rowland

>
>> I am struggling to understand just what IPA gives you, except for
>> authentication and you can do this with Samba directly from AD.
> Lots with regard to policy and authorization:
>
> - Fine grained PAM access controls for each host, user, group, service.
> - Centralized sudo rules.
> - Certificate issuance and renewal.
> - Centralized automount configuration.
>
>> The whole idea behind AD is to get centralised authentication (which from my
>> understanding is what IPA does), so why have two authentication centres ?
> There's more to it than authentication :)
>