Rowland penny
2021-May-13 19:01 UTC
[Samba] 'getent group mygroup' fails when 'winbind use default domain = yes'
On 13/05/2021 19:29, Kees van Vloten wrote:> Hi Rowland, > > These are the results of the 2 commands: > > 100016 > > 2000 > > So that matches your expectations :-)Just checking, there have been instances when an OP has claimed that they have added things when they hadn't, not that I really thought this was the problem in your case because 'id' showed the groups.> > > To make a long story short, I have found the culprit, it is called > 'winbind normalize names = yes'. The interesting bit is that in the > first output I sent that line was commented, I guess the bad results > then were due to not flushing the cache.Probably, always flush the cache after making changes, even if you restart Samba.> I found this as a working configuration: > > global] > > ??????? allow insecure wide links = yesSome of those are defaults and, as such, could be removed. The last line is interesting, you appear to have attempted to harden your Unix domain member and then you go and blow a large hole in it by adding that line ?> > I looked up 'winbind normalize names' in 'man 5 smb.conf ': > > This parameter controls whether winbindd will replace whitespace in > user and group names with an underscore > (_) character. For example, whether the name "Space Kadet" should be > replaced with the string > "space_kadet". > > And that sounds useful to me. However it looks like it has a > side-effect on groups that already contain an underscore. > Unfortunately all groups in my AD have underscores in their names. > > What do we do now?Remove the line.> Should I file a bug?No, because the smb.conf manpage goes on to say: If your domain possesses names containing the underscore character, this option may cause problems unless the name aliasing feature is supported by your nss_info plugin. So, it is a known feature ? Rowland