Re: [Samba] Odd default group behaviour.
- Date: Tue, 13 Mar 2018 22:03:46 +0000
- From: Rowland Penny via samba <samba@xxxxxxxxxxxxxxx>
- Subject: Re: [Samba] Odd default group behaviour.
On Tue, 13 Mar 2018 15:57:35 -0600
Jeff Sadowski <jeff.sadowski@xxxxxxxxx> wrote:
> On Tue, Mar 13, 2018 at 12:54 PM, Rowland Penny via samba
> <samba@xxxxxxxxxxxxxxx> wrote:
> > On Tue, 13 Mar 2018 12:13:32 -0600
> > Jeff Sadowski via samba <samba@xxxxxxxxxxxxxxx> wrote:
> >> My smb.conf file looks like so
> >> [global]
> >> security = ads
> >> realm = MIND.UNM.EDU
> >> workgroup = MIND
> >> idmap config * : backend = tdb
> >> idmap config * : range = 2000-7999
> >> idmap config MIND:backend = ad
> >> idmap config MIND:schema_mode = rfc2307
> >> idmap config MIND:range = 8000-9999999
> >> # added because 4.6+ no longer understands
> >> # winbind nss info = rfc2307
> >> idmap config MIND:unix_nss_info = yes
> >> # left because 4.5- don’t understand
> >> # idmap config MIND:unix_nss_info = yes
> >> winbind nss info = rfc2307
> > OK, what version Samba are using on the Unix domain member ?
> > If you are using 4.6 (or later), remove the 'winbind nss info' line.
> > If you are still using 4.5, then remove the 'idmap config
> > MIND:unix_info' line.
> I use both This config file is used across ubuntu 16.04 which has
> 4.3.11 And I am using Fedora 27 which has 4.7.5
> I thought I could leave them both uncommented for both as they should
> throw out what they don't understand is that not correct?
No, you should use one or the other (depending on the Samba version),
you cannot use both.
> >> restrict anonymous = 2
> >> #added the following 2 for the Badlock updates that change the
> >> defaults #to no longer work with my domain controllers
> >> ldap server require strong auth = no
> >> client ldap sasl wrapping = plain
> >> kerberos method = secrets and keytab
> > If you had to add the above lines after the Badlock updates, don't
> > you think it is about time you fixed your DCs, it will be more
> > secure. I also cannot see the reason for adding them, the first
> > line only makes sense on a DC, the second turns off 'sign & seal'
> > and the third only makes Kerberos look in /etc/krb5.keytab.
> I'm not sure how to fix my DCs It may have been fixed with updates.
> Also if I do fix it I don't know if it will break my Network storage
> and how to roll back if it does.
> I commented out "ldap server require strong auth = no", "client ldap
> sasl wrapping = plain" and "kerberos method = secrets and keytab"
> and restarted the winbind service in Fedora and it still works. I can
> still ssh as a domain user and type a password. I will try in ubuntu
> Does that mean my domain is fixed?
> I still am not getting the correct group for my dstephenson user.
> With "id dstephenson" or "getent passwd dstephenson"
> With all those changes nothing seems to have changed.
Have you run 'net cache flush' ?
To unsubscribe from this list go to the following URL and read the