Michael Schwarz
2020-Oct-08 09:23 UTC
[Samba] Is Samba unable to resolve secondary group membership?
On 08.10.20 at 10:41, Rowland penny via samba wrote:
> On 08/10/2020 08:51, Michael Schwarz via samba wrote:
>
>> The setup at our university is not quite trivial. I can understand
>> that. I'll try to explain it again in a different way:
>
> Let's see if I understand this, you have one kerberos domain for the
> Linux machines and another kerberos domain for the Windows machines,
> you have virtually the same users and groups in both. Why two domains,
> why not just use the AD for both ? This would make your setup trivial.
> I feel this is probably all down to department politics.
>

Yes this is correct. I'm not sure why there are two domains. I'm not working at the central computer center, but I'm sure they have their reasons why they are doing it this way. We are only using this infrastructure. The LDAP is storing much more information than only simple posixAccounts. It might be that an AD is not so flexible if you want to store more than the standard attributes. But I don't know in detail as I am not so familiar with Windows AD services.

Regards,
Michael
Rowland penny
2020-Oct-08 09:31 UTC
[Samba] Is Samba unable to resolve secondary group membership?
On 08/10/2020 10:23, Michael Schwarz via samba wrote:
>
>
> On 08.10.20 at 10:41, Rowland penny via samba wrote:
>> On 08/10/2020 08:51, Michael Schwarz via samba wrote:
>>
>>> The setup at our university is not quite trivial. I can understand
>>> that. I'll try to explain it again in a different way:
>>
>> Let's see if I understand this, you have one kerberos domain for the
>> Linux machines and another kerberos domain for the Windows machines,
>> you have virtually the same users and groups in both. Why two
>> domains, why not just use the AD for both ? This would make your
>> setup trivial. I feel this is probably all down to department politics.
>>
>
> Yes this is correct. I'm not sure why there are two domains. I'm not
> working at the central computer center, but I'm sure they have their
> reasons why they are doing it this way. We are only using this
> infrastructure. The LDAP is storing much more information than only
> simple posixAccounts. It might be that an AD is not so flexible if
> you want to store more than the standard attributes. But I don't know
> in detail as I am not so familiar with Windows AD services.

There are no posixAccounts in AD, there are just Accounts (but all the RFC2307 attributes are available, so any account can be a Unix account) and you will be surprised just how extendable the AD schema is. No, I think it is just down to politics, Windows versus Linux politics :-)

Rowland
Harald Hannelius
2020-Oct-08 10:24 UTC
[Samba] Is Samba unable to resolve secondary group membership?
On Thu, 8 Oct 2020, Michael Schwarz via samba wrote:
> On 08.10.20 at 10:41, Rowland penny via samba wrote:
>> On 08/10/2020 08:51, Michael Schwarz via samba wrote:
>>
>>> The setup at our university is not quite trivial. I can understand that.
>>> I'll try to explain it again in a different way:
>>
>> Let's see if I understand this, you have one kerberos domain for the Linux
>> machines and another kerberos domain for the Windows machines, you have
>> virtually the same users and groups in both. Why two domains, why not just
>> use the AD for both ? This would make your setup trivial. I feel this is
>> probably all down to department politics.
>>
>
> Yes this is correct. I'm not sure why there are two domains. I'm not working
> at the central computer center, but I'm sure they have their reasons why
> they are doing it this way. We are only using this infrastructure. The LDAP
> is storing much more information than only simple posixAccounts. It might be
> that an AD is not so flexible if you want to store more than the standard
> attributes. But I don't know in detail as I am not so familiar with Windows AD
> services.

This sounds much like our University of Applied Sciences, where we have been running Samba+OpenLDAP as a DC and an AD DS, both with the same users synced by our IDM. When the time came to do something to the Samba+OpenLDAP I didn't feel like extending schemas in AD DS, but rather went the path of a Samba AD with users synced from our IDM, so they apparently share the same usernames, albeit the domain part differs. username is not the same as AD\username. The migration went fine, the only annoying thing being that people have to enter their passwords at least once.

-- 
Harald Hannelius | harald.hannelius/a\arcada.fi | +358 50 594 1020
Michael Schwarz
2020-Oct-09 10:00 UTC
[Samba] Is Samba unable to resolve secondary group membership?
Hi all,

I read the logfiles again and again and stumbled over some lines:

[2020/10/07 11:25:45.191784,  5] ../../libcli/security/security_token.c:63(security_token_debug)
  Security token SIDs (38):
    SID[  0]: S-1-5-21-3542048200-3079820972-537594794-55128
    SID[  1]: S-1-5-21-3542048200-3079820972-537594794-513
    SID[  2]: S-1-5-21-3542048200-3079820972-537594794-211797
    SID[  3]: S-1-5-21-3542048200-3079820972-537594794-92780
    SID[  4]: S-1-5-21-3542048200-3079820972-537594794-214631
    SID[  5]: S-1-5-21-3542048200-3079820972-537594794-5516
    SID[  6]: S-1-5-21-3542048200-3079820972-537594794-123946
    SID[  7]: S-1-5-21-3542048200-3079820972-537594794-73686
    SID[  8]: S-1-5-21-3542048200-3079820972-537594794-101266
    SID[  9]: S-1-5-21-3542048200-3079820972-537594794-84994
    SID[ 10]: S-1-5-21-3542048200-3079820972-537594794-58615
    SID[ 11]: S-1-5-21-3542048200-3079820972-537594794-62264
    SID[ 12]: S-1-5-21-3542048200-3079820972-537594794-73690
    SID[ 13]: S-1-5-21-3542048200-3079820972-537594794-211816
    SID[ 14]: S-1-5-21-3542048200-3079820972-537594794-63615
    SID[ 15]: S-1-5-21-3542048200-3079820972-537594794-75305
    SID[ 16]: S-1-5-21-3542048200-3079820972-537594794-211815
    SID[ 17]: S-1-5-21-3542048200-3079820972-537594794-211804
    SID[ 18]: S-1-5-21-3542048200-3079820972-537594794-211820
    SID[ 19]: S-1-5-21-3542048200-3079820972-537594794-211818
    SID[ 20]: S-1-5-21-3542048200-3079820972-537594794-22920
    SID[ 21]: S-1-5-21-3542048200-3079820972-537594794-92746
    SID[ 22]: S-1-5-21-3542048200-3079820972-537594794-211805
    SID[ 23]: S-1-5-21-3542048200-3079820972-537594794-92828
    SID[ 24]: S-1-5-21-3542048200-3079820972-537594794-73088
    SID[ 25]: S-1-5-21-3542048200-3079820972-537594794-211799
    SID[ 26]: S-1-5-21-3542048200-3079820972-537594794-169945
    SID[ 27]: S-1-5-21-3542048200-3079820972-537594794-211819
    SID[ 28]: S-1-5-21-3542048200-3079820972-537594794-128864
    SID[ 29]: S-1-5-21-3542048200-3079820972-537594794-101268
    SID[ 30]: S-1-5-21-3542048200-3079820972-537594794-128934
    SID[ 31]: S-1-1-0
    SID[ 32]: S-1-5-2
    SID[ 33]: S-1-5-11
    SID[ 34]: S-1-5-32-545
    SID[ 35]: S-1-22-1-20597
    SID[ 36]: S-1-22-2-10000
    SID[ 37]: S-1-22-2-10000001
   Privileges (0x               0):
   Rights (0x               0):
[2020/10/07 11:25:45.191945,  5] ../../source3/auth/token_util.c:866(debug_unix_user_token)
  UNIX token of user 20597
  Primary group is 10000 and contains 1 supplementary groups
    Group[  0]: 10000001

If I read the lines correctly, the S-1-5-21 SIDs are the ones which come from the AD. The SIDs starting with S-1-22 are the ones which are built from the unix user and unix groups the user is in. So it seems to me that samba doesn't read the unix group memberships while building this security context. Is this behavior correct? Unix user 20597 has a primary group id 10000 and 27 supplementary groups. None of these groups has an id of 10000001. Besides this, shouldn't these groups also appear in the security token / unix user token?

Regards,
Michael

On 08.10.20 at 11:31, Rowland penny via samba wrote:
> On 08/10/2020 10:23, Michael Schwarz via samba wrote:
>>
>>
>> On 08.10.20 at 10:41, Rowland penny via samba wrote:
>>> On 08/10/2020 08:51, Michael Schwarz via samba wrote:
>>>
>>>> The setup at our university is not quite trivial. I can understand
>>>> that. I'll try to explain it again in a different way:
>>>
>>> Let's see if I understand this, you have one kerberos domain for the
>>> Linux machines and another kerberos domain for the Windows machines,
>>> you have virtually the same users and groups in both. Why two
>>> domains, why not just use the AD for both ? This would make your
>>> setup trivial. I feel this is probably all down to department politics.
>>>
>>
>> Yes this is correct. I'm not sure why there are two domains. I'm not
>> working at the central computer center, but I'm sure they have their
>> reasons why they are doing it this way. We are only using this
>> infrastructure. The LDAP is storing much more information than only
>> simple posixAccounts. It might be that an AD is not so flexible if
>> you want to store more than the standard attributes. But I don't know
>> in detail as I am not so familiar with Windows AD services.
>
> There are no posixAccounts in AD, there are just Accounts (but all the
> RFC2307 attributes are available, so any account can be a Unix
> account) and you will be surprised just how extendable the AD schema
> is. No, I think it is just down to politics, Windows versus Linux
> politics :-)
>
> Rowland
>
>

-- 
// Michael Schwarz - Universität Paderborn - PC2
// O2.152 - Warburger Str. 100 - 33098 Paderborn
// Phone: +49 5251 601728 - Fax: +49 5251 601714
// E-Mail: schwarz at uni-paderborn.de
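The dump quoted above mixes three kinds of SIDs: S-1-5-21-<domain>-<rid> entries issued by the AD, well-known and BUILTIN SIDs (S-1-1-0 Everyone, S-1-5-2 NETWORK, S-1-5-11 Authenticated Users, S-1-5-32-545 BUILTIN\Users), and S-1-22-1-<uid> / S-1-22-2-<gid> entries from Samba's "Unix Users" / "Unix Groups" pseudo-domain, which encode a local uid or gid directly in the RID for ids that have no AD SID mapping. When chasing a "missing group" problem, the practical check is to parse such a dump and compare the S-1-22-2 SIDs and the UNIX token against what NSS reports for the user on the file server. The script below does that; it is an added example, not part of this thread or of Samba's own code. It assumes only the line formats visible in the post; the trimmed log copy and the list of NSS group ids (CONSTRUCTED_NSS_GIDS) are constructed for the example, since the post does not list the user's 27 supplementary groups.

```python
"""Parse a Samba level-5 security_token / debug_unix_user_token dump and
cross-check the NT token against the UNIX token and against NSS group ids."""
import re
from dataclasses import dataclass

# Constructed sample: a trimmed copy of the two debug records quoted in the post,
# keeping one SID of each kind (domain, well-known, builtin, S-1-22 unix ids).
SAMPLE_LOG = """\
[2020/10/07 11:25:45.191784,  5] ../../libcli/security/security_token.c:63(security_token_debug)
  Security token SIDs (9):
    SID[  0]: S-1-5-21-3542048200-3079820972-537594794-55128
    SID[  1]: S-1-5-21-3542048200-3079820972-537594794-513
    SID[  2]: S-1-1-0
    SID[  3]: S-1-5-2
    SID[  4]: S-1-5-11
    SID[  5]: S-1-5-32-545
    SID[  6]: S-1-22-1-20597
    SID[  7]: S-1-22-2-10000
    SID[  8]: S-1-22-2-10000001
   Privileges (0x               0):
   Rights (0x               0):
[2020/10/07 11:25:45.191945,  5] ../../source3/auth/token_util.c:866(debug_unix_user_token)
  UNIX token of user 20597
  Primary group is 10000 and contains 1 supplementary groups
    Group[  0]: 10000001
"""

# Constructed stand-in for what `id -G <user>` / getgrouplist(3) reports on the
# file server; the post mentions 27 supplementary groups but does not list them.
CONSTRUCTED_NSS_GIDS = [10000, 10000001, 10001, 10002]

SID_RE = re.compile(r"SID\[\s*\d+\]:\s*(S-1-[0-9-]+)")
UID_RE = re.compile(r"UNIX token of user (\d+)")
PGID_RE = re.compile(r"Primary group is (\d+)")
GID_RE = re.compile(r"Group\[\s*\d+\]:\s*(\d+)")

DOMAIN_PREFIX = "S-1-5-21-"   # SIDs issued by an AD/NT domain
UNIX_USERS = "S-1-22-1-"      # Samba "Unix Users" pseudo-domain: the RID is the uid
UNIX_GROUPS = "S-1-22-2-"     # Samba "Unix Groups" pseudo-domain: the RID is the gid
WELL_KNOWN = {
    "S-1-1-0": "Everyone",
    "S-1-5-2": "NT AUTHORITY\\NETWORK",
    "S-1-5-11": "NT AUTHORITY\\Authenticated Users",
    "S-1-5-32-545": "BUILTIN\\Users",
}


@dataclass
class TokenDump:
    sids: list
    uid: int
    primary_gid: int
    supplementary_gids: list


def parse_token(text):
    """Pull the NT SIDs and the UNIX uid/gids out of one debug dump."""
    uid = UID_RE.search(text)
    pgid = PGID_RE.search(text)
    if uid is None or pgid is None:
        raise ValueError("no UNIX token record in input")
    return TokenDump(
        sids=SID_RE.findall(text),
        uid=int(uid.group(1)),
        primary_gid=int(pgid.group(1)),
        supplementary_gids=[int(g) for g in GID_RE.findall(text)],
    )


def classify_sids(sids):
    """Split SIDs into domain, well-known/builtin, S-1-22 unix ids and 'other'."""
    out = {"domain": [], "well_known": [], "unix_users": [], "unix_groups": [], "other": []}
    for sid in sids:
        if sid.startswith(UNIX_USERS):
            out["unix_users"].append(int(sid[len(UNIX_USERS):]))
        elif sid.startswith(UNIX_GROUPS):
            out["unix_groups"].append(int(sid[len(UNIX_GROUPS):]))
        elif sid.startswith(DOMAIN_PREFIX):
            out["domain"].append(sid)
        elif sid in WELL_KNOWN:
            out["well_known"].append(sid)
        else:
            out["other"].append(sid)
    return out


def check_token(dump, nss_gids):
    """Compare the S-1-22 SIDs with the UNIX token, and the UNIX token with NSS.
    Any gid in nss_gids that is absent from the token is a group the user holds
    on the file server but will not be authorised with in this session."""
    cls = classify_sids(dump.sids)
    token_gids = {dump.primary_gid, *dump.supplementary_gids}
    return {
        "uid_matches": cls["unix_users"] == [dump.uid],
        "unix_group_sids_match_unix_token": set(cls["unix_groups"]) == token_gids,
        "nss_gids_missing_from_token": sorted(set(nss_gids) - token_gids),
        "domain_sid_count": len(cls["domain"]),
    }


if __name__ == "__main__":
    dump = parse_token(SAMPLE_LOG)
    for sid in classify_sids(dump.sids)["well_known"]:
        print(f"{sid:14} {WELL_KNOWN[sid]}")
    for key, value in check_token(dump, CONSTRUCTED_NSS_GIDS).items():
        print(f"{key}: {value}")
```

Run against a real dump, a non-empty nss_gids_missing_from_token list is exactly the symptom asked about in the post: groups that `id` shows for the user but that never made it into either token, so ACL checks on shares owned by those groups will fail for that session.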