Public bug reported:

We configure clients to use samba winbind for integrating into Active Directory.
The IDs of our AD users and AD groups start above 10,000, so we set the filter to
  idmap config COMPANY : range   = 10000-165000
Unfortunately, all AD users get the AD membership of group 1001, which is an
Active Directory BUILTIN group:

  getent -s winbind group 1001
  BUILTIN\users:x:1001:

But since there exists a local user with id 1001 and also its group id
1001, all AD users within AD group 1001 (BUILTIN\users) are in the local
group 1001, which is not wanted.

I changed the order in /etc/nsswitch.conf from

passwd:         files winbind systemd
group:          files winbind systemd

to

passwd:         winbind systemd files
group:          winbind systemd files

and it is working as expected!

The question is whether it is right to change this behavior in nsswitch.conf
as I did, or whether the idmap config range should filter these lower IDs
around 1000?


smb.conf:

[global]
  workgroup = COMPANY
  realm = COMPANY.DE
  security = ads
  kerberos method = secrets and keytab
  server role = member server
  local master = no
  domain master = no
  disable netbios = yes
  log level = 3
  idmap config * : backend            = tdb
  idmap config * : range              = 1000-5000
  idmap config COMPANY : backend = ad
  idmap config COMPANY : range   = 10000-165000
  idmap config COMPANY : schema_mode = rfc2307
  idmap config COMPANY : unix_nss_info = no
  idmap config COMPANY : unix_primary_group = yes
  template homedir = /home/%U
  template shell = /bin/bash
  winbind use default domain = yes
  winbind refresh tickets = yes
  winbind offline logon = yes
  winbind enum users = yes
  winbind enum groups = yes
  vfs objects = acl_xattr
  map acl inherit = yes
  store dos attributes = yes
  inherit permissions = Yes
  inherit acls = Yes
  acl group control = yes
  nt acl support = yes
  server string = %h server (Samba, Ubuntu)
  log file = /var/log/samba/log.%m
  max log size = 1000
  logging = file
  panic action = /usr/share/samba/panic-action %d
  obey pam restrictions = yes
  unix password sync = yes
  passwd program = /usr/bin/passwd %u
  passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
  pam password change = yes
  map to guest = bad user
  usershare allow guests = yes
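The collision described in the report follows from the two ranges in the posted smb.conf: the default `idmap config * : range = 1000-5000` is what the tdb backend allocates from for non-COMPANY SIDs such as BUILTIN\users, and 1000 is also where Ubuntu places its first local accounts, so a local group 1001 and a winbind-mapped gid 1001 can coexist and NSS order decides which one wins. The following check is an added example, not code from the report or from Samba: it parses the `idmap config ... : range` lines out of an smb.conf excerpt and reports every local uid or gid that falls inside a winbind range. The smb.conf excerpt and the passwd/group entries are constructed stand-ins for the real files (`/etc/passwd`, `/etc/group`), and the `backup` account is a hypothetical local user with id 1001.

```python
import re

# Constructed excerpt of the smb.conf posted in the report (only the idmap lines matter here).
SMB_CONF = """
[global]
  workgroup = COMPANY
  idmap config * : backend            = tdb
  idmap config * : range              = 1000-5000
  idmap config COMPANY : backend = ad
  idmap config COMPANY : range   = 10000-165000
"""

# Constructed stand-ins for /etc/passwd and /etc/group; 'backup' is a hypothetical
# local account with uid/gid 1001, the id the report sees BUILTIN\users mapped to.
LOCAL_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
admin:x:1000:1000:Local Admin:/home/admin:/bin/bash
backup:x:1001:1001:Backup Operator:/home/backup:/bin/bash
"""

LOCAL_GROUP = """\
root:x:0:
admin:x:1000:
backup:x:1001:
"""

# Matches 'idmap config <domain> : range = <low>-<high>' with smb.conf's loose whitespace.
RANGE_RE = re.compile(
    r"^\s*idmap\s+config\s+(\S+)\s*:\s*range\s*=\s*(\d+)\s*-\s*(\d+)\s*$", re.I
)


def parse_idmap_ranges(conf_text):
    """Return {domain: (low, high)} for every idmap range line in the config text."""
    ranges = {}
    for line in conf_text.splitlines():
        m = RANGE_RE.match(line)
        if m:
            ranges[m.group(1)] = (int(m.group(2)), int(m.group(3)))
    return ranges


def parse_ids(db_text):
    """Return {numeric id: name} from passwd/group style 'name:x:id:...' lines."""
    ids = {}
    for line in db_text.splitlines():
        fields = line.split(":")
        if len(fields) >= 3 and fields[2].isdigit():
            ids[int(fields[2])] = fields[0]
    return ids


def find_collisions(conf_text, passwd_text, group_text):
    """List local entries whose uid/gid lies inside a winbind idmap range.

    Each hit is (kind, id, local name, idmap domain, range) so that an admin can
    see which local account could be shadowed by, or shadow, a winbind mapping.
    """
    ranges = parse_idmap_ranges(conf_text)
    hits = []
    for kind, db in (("uid", passwd_text), ("gid", group_text)):
        for ident, name in sorted(parse_ids(db).items()):
            for domain, (lo, hi) in ranges.items():
                if lo <= ident <= hi:
                    hits.append((kind, ident, name, domain, f"{lo}-{hi}"))
    return hits


if __name__ == "__main__":
    for kind, ident, name, domain, rng in find_collisions(SMB_CONF, LOCAL_PASSWD, LOCAL_GROUP):
        print(f"{kind} {ident} ({name}) lies inside idmap range {rng} of domain '{domain}'")
```

To run it against a real host, read the three files from disk instead of the constructed strings; any hit against the `*` range is exactly the situation in the report, where a winbind mapping and a local entry share an id and only nsswitch order decides which one `getent` returns.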

** Affects: samba4 (Ubuntu)
     Importance: Undecided
         Status: New


** Tags: nsswitch samba smb winbind

** Summary changed:

- idmap config range filter is not working anymore
+ idmap config range filter is not working

** Summary changed:

- idmap config range filter is not working
+ idmap config range filter is not working for group ids

-- 
You received this bug notification because you are a member of Ubuntu
Server/Client Support Team, which is subscribed to samba4 in Ubuntu.
Matching subscriptions: Ubuntu Server/Client Support Team
https://bugs.launchpad.net/bugs/1988850

Title:
  idmap config range filter is not working for group ids

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/samba4/+bug/1988850/+subscriptions
