Re: [Samba] Persistent Winbind gid cache
- Date: Mon, 8 Oct 2018 20:19:34 +0100
- From: Rowland Penny via samba <samba@xxxxxxxxxxxxxxx>
- Subject: Re: [Samba] Persistent Winbind gid cache
On Mon, 8 Oct 2018 19:20:51 +0200
Prunk Dump via samba <samba@xxxxxxxxxxxxxxx> wrote:
> Thank you very much for your help Rowland ! And sorry for my English,
> I'm french.
Never apologise for your English, it is a darned sight better than my
> On Mon, 8 Oct 2018 at 18:38, Rowland Penny via samba
> <samba@xxxxxxxxxxxxxxx> wrote:
> > On Mon, 8 Oct 2018 18:11:39 +0200
> > Prunk Dump <prunkdump@xxxxxxxxx> wrote:
> > > Hi !
> > >
> > > I use samba 4.5 ( Debian stable ) and to get the primary group I
> > > want, I change the user's primaryGroupID in AD.
> > Bad idea
> > > -> It's difficult for me to move to samba 4.6 or newer because I
> > > lost Debian security updates. Security and stability is very
> > > important with 450 stations.
> > How can you lose 'security updates' ?
> The Debian security Team work only on Debian stable. So it does not
> always publish security updates for backports or sid samba version.
Andrew, is this correct, does Debian not backport security updates ?
> Moreover it is difficult for me to use third party repositories as they
> change the samba version very often. I need to be as "stable" as
> possible so as not to disturb my users.
I understand your problem, you want to keep things stable, but this
means you end up with a Samba version that is EOL as far as Samba is
concerned. Just because a new version of Samba comes out, it doesn't
mean you have to upgrade.
> So I prefer a workaround over switching to a Samba version other than the
> "Stable" version. But you're right, maybe this is not the right
> workaround. But actually I can't find another. I need to assign a
> correct gid to my users.
I personally use Louis's repo, but I don't update at every new
release, but if you did update to a Samba version >= 4.6.0 you could
use the new 'ad' backend lines. This would allow you to have the
correct primaryGroupID and a Unix primary group that isn't Domain
Users, this would make everybody happy.
> > > Here is my smb.conf (on clients) :
> > >
> > > [global]
> > > workgroup = FICHLAN
> > > security = ADS
> > > realm = LAN.LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR
> > >
> > > dedicated keytab file = /etc/krb5.keytab
> > > kerberos method = secrets and keytab
> > > winbind refresh tickets = Yes
> > >
> > > winbind trusted domains only = no
> > > winbind use default domain = yes
> > > winbind enum users = no
> > > winbind enum groups = no
> > > winbind expand groups = 1
> > >
> > > idmap config *:backend = tdb
> > > idmap config *:range = 2000-9999
> > > idmap config FICHLAN:backend = ad
> > > idmap config FICHLAN:schema_mode = rfc2307
> > > idmap config FICHLAN:range = 3000000-9999999
> > > winbind nss info = rfc2307
From Samba 4.6.0, you would remove the 'winbind nss info' line and add:
idmap config FICHLAN : unix_nss_info = yes
idmap config FICHLAN : unix_primary_group = yes