enterprise-support team mailing list archive

Thread
Date

[Question #646591]: Does Winbind return a false group when there is a valid user with the same name?

To: enterprise-support@xxxxxxxxxxxxxxxxxxx
From: Andrey de Oliveira <question646591@xxxxxxxxxxxxxxxxxxxxx>
Date: Thu, 06 Jul 2017 17:13:31 -0000
Reply-to: question646591@xxxxxxxxxxxxxxxxxxxxx
Sender: bounces@xxxxxxxxxxxxx

New question #646591 on samba in Ubuntu:
https://answers.launchpad.net/ubuntu/+source/samba/+question/646591

Hi

I use winbind (Version 4.3.11-Ubuntu) to authenticate Active Directory users on some Linux servers (nss + winbind).

When I tried to create a local group, I got the message that the group already exists, but the group did not exist either locally or in Active Directory.

It was then that when doing more tests I realized that all searches by a group that already has a user with the same name, it returns a false group as an existing one.

I noticed that the problem occurred at least since Samba 4.1 on Ubuntu Linux.

But in Oracle Linux / RedHat (Version 4.2.10) or even in old versions of Winbind (Version 3.6.3) in the old Ubuntu, I could not reproduce the same behavior, even using the same smb.conf file and adapted the default parameters that were different between the distributions.

I have not found how to control this behavior in documentation or changelogs, could someone help me by indicating what controls this behavior?

In ubuntu:

root@testubuntu:~# winbindd -V
Version 4.3.11-Ubuntu
root@testubuntu:~# wbinfo --group-info=testgroup
testgroup:x:1029538:testgroup
root@testubuntu:~#

In oraclelinux

root@testoraclelinux:~# winbindd -V
Version 4.2.10
root@testoraclelinux:~# wbinfo --group-info=ensitec
root@testoraclelinux:~# 

Testgroup is a non-existent group but with a user with the same name in Active Directory.

# cat /etc/samba/smb.conf

[global]
   realm = COMPANY.COM
   workgroup = COMPANY
   server string = %h server
   security = ads
   allow trusted domains = no
   idmap config COMPANY: default = yes
   idmap config COMPANY: backend = rid
   idmap config COMPANY: readonly = yes
   idmap config COMPANY: range= 1000000-10000000
   idmap alloc config: range = 1000000-10000000

   idmap uid = 1000000-10000000
   idmap gid = 1000000-10000000

   template shell = /bin/bash
   template homedir = /home/%U
   winbind use default domain = yes
   winbind enum users = yes
   winbind enum groups = yes
   winbind nested groups = yes

   load printers = no
   domain master = no
   preferred master = no
   domain logons = no
   wins support = no
   wins proxy = no
   dns proxy = no
   password server = *

   winbind offline logon = yes


-- 
You received this question notification because your team Ubuntu
Server/Client Support Team is an answer contact for samba in Ubuntu.