[Pkg-samba-maint] Bug#912193: Bug#912193: samba: Ignores UNIX groups

Mathieu Parent math.parent at gmail.com
Tue Oct 30 15:19:41 GMT 2018


On Tue, 30 Oct 2018 at 00:27, Paul Szabo <paul.szabo at sydney.edu.au> wrote:
>
> Dear Mathieu,
>
> > Why don't your UNIX groups match your Windows groups? This is usually
> > the case, with nss_winbind.
>
> My site is mainly Linux; we have secondary groups in the /etc/group
> file. I am trying to move from Samba3 to the Debian Samba4, setting up
> Samba as an AD DC (for Windows10). I have the libnss-winbind package.
> Still, Samba (winbindd?) seems to create separate "Domain\user" entities,
> and does seem to add those to the groups that the Linux user belongs to.
>
> > Alternatively, you can reverse the logic with idmap_nss.
>
> I tried that, did not seem to help.

And have you tried "winbind use default domain = yes"?

<<<<
winbind use default domain (G)
This parameter specifies whether the winbindd(8) daemon should operate
on users without domain component in their username. Users without a
domain component are treated as is part of the winbindd server's own
domain. While this does not benefit Windows users, it makes SSH, FTP
and e-mail function in a way much closer to the way they would in a
native unix system.

This option should be avoided if possible. It can cause confusion
about responsibilities for a user or group. In many situations it is
not clear whether winbind or /etc/passwd should be seen as
authoritative for a user, likewise for groups.

Default: winbind use default domain = no
Example: winbind use default domain = yes
>>>>

Can you post your (redacted) smb.conf?

> >> (Seems to me that Samba4.9 suffers from the same issue.)
> > Have you tried it? ...
>
> I had tried to build Samba 4.9.1 the "Debian way", following the method
> in the "experimental" packages, but failed on my "stretch" machine due
> to some version incompatibility issues. (Did not try the "native way"
> with configure/make, thought it would be best to follow Debian.)

There is currently no official backport of samba, but you can test
with a sid chroot/nspawn/whatever.

> > ... This part of the code has changed a lot.
>
> The file source3/auth/auth_util.c did not change that much between
> 4.5.12 and 4.9.1, the "essence" of my patch still seems to apply
> (though not the patch file I posted).
>
> > Also please note that we don't accept patches that are not merged
> > upstream first.
> > Additionally, this patch targets stable while it's not a security or
> > stability patch.
>
> Understood. I have been using my own Samba for years, can keep doing
> that.

You are free to do so.

Regards
-- 
Mathieu Parent
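
The ambiguity the quoted smb.conf text warns about (winbind or /etc/passwd as authoritative) can be checked for before enabling "winbind use default domain". The following is an added example, not part of this thread or of Samba: it reports local names that would collide with domain names once the own-domain prefix is dropped. The domain EXAMPLE, the sample entries, the function names, the DOMAIN\name input form (as printed by wbinfo -u / wbinfo -g when names are domain-qualified) and the case-insensitive comparison are assumptions.

```python
# Added example; all names and sample data are constructed, not from the thread.

def local_names(colon_db_text):
    """First field of every entry in /etc/passwd or /etc/group format."""
    names = set()
    for line in colon_db_text.splitlines():
        line = line.strip()
        # Skip blanks, comments and NIS compat entries (+/-).
        if not line or line.startswith("#") or line[0] in "+-":
            continue
        names.add(line.split(":", 1)[0])
    return names

def strip_domain(name, own_domain, separator="\\"):
    """Name as NSS would show it with 'winbind use default domain = yes'."""
    domain, sep, short = name.partition(separator)
    if sep and domain.upper() == own_domain.upper():
        return short
    return name  # other domains keep their prefix

def collisions(colon_db_text, winbind_names, own_domain, separator="\\"):
    """Pairs (local name, domain name) that become the same name."""
    # Assumption: compare case-insensitively, as AD account names are.
    local = {n.lower(): n for n in local_names(colon_db_text)}
    hits = []
    for full in winbind_names:
        short = strip_domain(full, own_domain, separator)
        if short != full and short.lower() in local:
            hits.append((local[short.lower()], full))
    return sorted(hits)

# Constructed sample input.
SAMPLE_PASSWD = """root:x:0:0:root:/root:/bin/bash
alice:x:1001:1001::/home/alice:/bin/bash
bob:x:1002:1002::/home/bob:/bin/bash
"""
SAMPLE_GROUP = """staff:x:50:alice,bob
research:x:2001:alice
"""
SAMPLE_WB_USERS = ["EXAMPLE\\administrator", "EXAMPLE\\Alice", "OTHER\\bob"]
SAMPLE_WB_GROUPS = ["EXAMPLE\\domain users", "EXAMPLE\\research"]

if __name__ == "__main__":
    for label, db, wb in (("user", SAMPLE_PASSWD, SAMPLE_WB_USERS),
                          ("group", SAMPLE_GROUP, SAMPLE_WB_GROUPS)):
        for local, domain in collisions(db, wb, "EXAMPLE"):
            print(f"ambiguous {label}: local '{local}' vs '{domain}'")
```

Each reported pair is a name whose owner would depend on the NSS lookup order once the prefix is dropped.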


