enterprise-support team mailing list archive
Message #08990
[Bug 1988850] [NEW] idmap config range filter is not working for group ids
Public bug reported:
We configure clients to use samba winbind for integrating into Active Directory.
The IDs of our AD-users and AD-groups start above 10.000 - so we set the filter to
idmap config COMPANY : range = 10000-165000
Unfortunately, all AD-users get the AD-membership of group 1001 which is an Active Directory BUILTIN-group:
getent -s winbind group 1001
BUILTIN\users:x:1001:
But since there exists a local user with id 1001 and also its group id
1001, all AD users within AD group 1001 (BUILTIN\users) are in the local
group 1001, which is not wanted.
I changed the order in /etc/nsswitch.conf from
passwd: files winbind systemd
group: files winbind systemd
to
passwd: winbind systemd files
group: winbind systemd files
and it is working as expected!
The question is whether it is right to change this behavior in nsswitch.conf
like I did, or whether the idmap config range should filter these lower ids
around 1000?
smb.conf:
[global]
workgroup = COMPANY
realm = COMPANY.DE
security = ads
kerberos method = secrets and keytab
server role = member server
local master = no
domain master = no
disable netbios = yes
log level = 3
idmap config * : backend = tdb
idmap config * : range = 1000-5000
idmap config COMPANY : backend = ad
idmap config COMPANY : range = 10000-165000
idmap config COMPANY : schema_mode = rfc2307
idmap config COMPANY : unix_nss_info = no
idmap config COMPANY : unix_primary_group = yes
template homedir = /home/%U
template shell = /bin/bash
winbind use default domain = yes
winbind refresh tickets = yes
winbind offline logon = yes
winbind enum users = yes
winbind enum groups = yes
vfs objects = acl_xattr
map acl inherit = yes
store dos attributes = yes
inherit permissions = Yes
inherit acls = Yes
acl group control = yes
nt acl support = yes
server string = %h server (Samba, Ubuntu)
log file = /var/log/samba/log.%m
max log size = 1000
logging = file
panic action = /usr/share/samba/panic-action %d
obey pam restrictions = yes
unix password sync = yes
passwd program = /usr/bin/passwd %u
passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
pam password change = yes
map to guest = bad user
usershare allow guests = yes
** Affects: samba4 (Ubuntu)
Importance: Undecided
Status: New
** Tags: nsswitch samba smb winbind
** Summary changed:
- idmap config range filter is not working anymore
+ idmap config range filter is not working
** Summary changed:
- idmap config range filter is not working
+ idmap config range filter is not working for group ids
--
https://bugs.launchpad.net/bugs/1988850
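Added example, not part of the bug report or of Samba: a check that lists local ids falling inside any `idmap config ... : range` in smb.conf. In the posted configuration, gid 1001 lies inside the `*` range 1000-5000, not the COMPANY range. The `/etc/group` excerpt and the name `localuser` are constructed for illustration.

```python
import re

# Constructed sample input: idmap lines copied from the smb.conf in the report,
# plus a constructed /etc/group excerpt (the name "localuser" is hypothetical).
SMB_CONF = """\
idmap config * : backend = tdb
idmap config * : range = 1000-5000
idmap config COMPANY : backend = ad
idmap config COMPANY : range = 10000-165000
"""
ETC_GROUP = """\
root:x:0:
sudo:x:27:localuser
localuser:x:1001:
"""

RANGE_RE = re.compile(r"^\s*idmap config\s+(\S+)\s*:\s*range\s*=\s*(\d+)\s*-\s*(\d+)\s*$", re.I)

def idmap_ranges(conf_text):
    """Return {domain: (low, high)} for every 'idmap config DOMAIN : range' line."""
    ranges = {}
    for line in conf_text.splitlines():
        m = RANGE_RE.match(line)  # commented-out lines (# or ;) never match
        if m:
            ranges[m.group(1)] = (int(m.group(2)), int(m.group(3)))
    return ranges

def local_ids(db_text):
    """Return {id: name} from passwd(5)/group(5) formatted text (id is field 3)."""
    ids = {}
    for line in db_text.splitlines():
        fields = line.split(":")
        if len(fields) >= 3 and fields[2].isdigit():
            ids[int(fields[2])] = fields[0]
    return ids

def collisions(conf_text, db_text):
    """List (id, local_name, domain) where a local id lies inside an idmap range."""
    ranges = idmap_ranges(conf_text)
    found = []
    for num, name in sorted(local_ids(db_text).items()):
        for domain, (low, high) in ranges.items():
            if low <= num <= high:
                found.append((num, name, domain))
    return found

if __name__ == "__main__":
    for num, name, domain in collisions(SMB_CONF, ETC_GROUP):
        print(f"local id {num} ({name}) is inside the idmap range of domain {domain!r}")
```

On a real host, pass the contents of /etc/samba/smb.conf together with /etc/passwd or /etc/group instead of the embedded samples.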