Hi,

Just noticed, I am unable to use nested groups when relying on RFC2307
for filesystem permissions, am I right? What have I missed?

(Samba 4.12 on Buster, 2008R2 domain level)

Any migration path to stop using RFC2307 and go to pure idmap without
losing all permissions on a 6T filesystem? Is that a solution?

Regards,

-- 
*Marcio Merlone*

On Mon, 2020-05-25 at 17:09 -0300, Marcio Merlone via samba wrote:
> Hi,
>
> Just noticed, I am unable to use nested groups when relying on RFC2307
> for filesystem permissions, am I right? What have I missed?
>
> (Samba 4.12 on Buster, 2008R2 domain level)
>
> Any migration path to stop using RFC2307 and go to pure idmap without
> losing all permissions on a 6T filesystem? Is that a solution?

I'm not sure what you are seeing, but using the RFC2307 idmap module
shouldn't stop the other group memberships from being set.

Do ensure you are using winbindd and nss_winbind, not directly
connecting nss to AD with some other tool.

Andrew Bartlett

-- 
Andrew Bartlett                       https://samba.org/~abartlet/
Authentication Developer, Samba Team  https://samba.org
Samba Developer, Catalyst IT          https://catalyst.net.nz/services/samba

On Mon, 2020-05-25 at 17:09 -0300, Marcio Merlone via samba wrote:
> Hi,
>
> Just noticed, I am unable to use nested groups when relying on RFC2307
> for filesystem permissions, am I right? What have I missed?
>
> (Samba 4.12 on Buster, 2008R2 domain level)
>
> Any migration path to stop using RFC2307 and go to pure idmap without
> losing all permissions on a 6T filesystem? Is that a solution?

Have you checked the "winbind expand groups" option?

# Check depth of nested groups, ! slows down your samba, if too much groups depth
# Samba default is 0, I suggest a minimum of 2 in this setup, advice is 4.
winbind expand groups = 4

> Regards,
>
> --
> *Marcio Merlone*

-- 
Sérgio M. B.

On Tue, 2020-05-26 at 01:21 +0100, Sérgio Basto via samba wrote:
> On Mon, 2020-05-25 at 17:09 -0300, Marcio Merlone via samba wrote:
> > Hi,
> >
> > Just noticed, I am unable to use nested groups when relying on RFC2307
> > for filesystem permissions, am I right? What have I missed?
> >
> > (Samba 4.12 on Buster, 2008R2 domain level)
> >
> > Any migration path to stop using RFC2307 and go to pure idmap without
> > losing all permissions on a 6T filesystem? Is that a solution?
>
> Have you checked the "winbind expand groups" option?
>
> # Check depth of nested groups, ! slows down your samba, if too much groups depth
> # Samba default is 0, I suggest a minimum of 2 in this setup, advice is 4.
> winbind expand groups = 4

This should only be needed if you are running non-Samba things in a
very strange way.

Samba provides the initgroups() hook in nss_winbind, and populates the
full group list on the user token for non-Samba tasks.

For Samba, we directly obtain the group list, flattened, from the
Kerberos PAC or SamLogon 'info3' response (for NTLM).

This option is only needed if you need to see the nested group members
in a group membership list with POSIX tools, e.g. getent group.

Andrew Bartlett

-- 
Andrew Bartlett                       https://samba.org/~abartlet/
Authentication Developer, Samba Team  https://samba.org
Samba Developer, Catalyst IT          https://catalyst.net.nz/services/samba
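
Added example, not part of the thread and not Samba code: a diagnostic that compares the group list a user receives through the initgroups() path (os.getgrouplist) with the member lists that getent group shows, to reveal groups held only through nesting. The sample names and GIDs are constructed, and the live check assumes the user name is passed exactly as NSS reports it.

```python
#!/usr/bin/env python3
"""Compare a user's initgroups() group list with getent-style member lists."""
import grp
import os
import pwd
import sys
from collections import namedtuple

# Same field names as the entries returned by the grp module.
Group = namedtuple("Group", "gr_name gr_passwd gr_gid gr_mem")


def token_only_gids(user, primary_gid, token_gids, groups):
    """Return GIDs in the user's group list whose member list omits the user.

    With nss_winbind these are typically groups reached through nesting:
    the initgroups() hook returns them, but the group's member list does not
    name the user unless nested members are expanded.
    """
    name = user.lower()
    listed = {g.gr_gid for g in groups
              if name in (m.lower() for m in g.gr_mem)}
    # The primary group normally lists no members, so leave it out.
    return sorted(set(token_gids) - listed - {primary_gid})


def check_user(user):
    """Run the comparison against the live NSS databases."""
    pw = pwd.getpwnam(user)
    token = os.getgrouplist(pw.pw_name, pw.pw_gid)  # initgroups() path
    groups = []
    for gid in token:
        try:
            groups.append(grp.getgrgid(gid))  # like `getent group <gid>`
        except KeyError:
            pass  # GID with no resolvable group entry
    return token_only_gids(pw.pw_name, pw.pw_gid, token, groups)


# Constructed sample: "alice" is a direct member of "staff", and "staff"
# is nested inside "fileshare".
SAMPLE_GROUPS = [
    Group("domain users", "x", 10000, []),
    Group("staff", "x", 10001, ["alice"]),
    Group("fileshare", "x", 10002, []),
]
SAMPLE_TOKEN = [10000, 10001, 10002]

if __name__ == "__main__":
    if len(sys.argv) > 1:
        print(check_user(sys.argv[1]))
    else:
        print(token_only_gids("alice", 10000, SAMPLE_TOKEN, SAMPLE_GROUPS))
```

A non-empty result for a real user means the nested groups are already present in the user's group list and only missing from the displayed member lists.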