More info on this topic: Without giving my AD domain's Domain Users group a Unix gid, getent passwd enumerates no AD users. With the Domain Users group having a gid in the range of the idmap config range, I do get my users enumerated with a getent passwd.
In winbindd.log, for each cached user with rfc2307 information, it logs for nss_get_info_cached:

    result: homedir = '/home/user' shell = '/bin/bash' gecos = '(null)' gid = '60000'

(gecos is '(null)' because I'm not using the gecos attrib.) But the getent passwd result is:

    user:*:10043:12011:User Name:/home/user:/bin/bash

where 12011 is the gid I gave to "Domain Users." rfc2307 should have returned gid 60000 as per the nss_get_info_cached result.

If I do:

    getent passwd user

the result is:

    user:*:10043:60000:User Name:/home/user:/bin/bash

as it should be. gid 60000 is a local group, not an AD-defined group, so as not to depend on AD for filesystem group ownership/permissions. If getent passwd doesn't enumerate the user data with the user having the proper default group, they will not inherit the proper permissions.

> -----Original Message-----
> From: Jim Stalewski
> Sent: Thursday, January 20, 2011 7:26 PM
> To: samba@lists.samba.org
> Subject: [Samba] Possible bug in nss_winbind with ad backend and rfc2307
>
> I ran some tests to see why getent passwd was not enumerating my domain users and discovered this:
>
> If I getent passwd <username> it returns the user information including the primary group defined in the Unix attributes.
> If I add a Unix GID in the idmap config range to the domain's Domain Users group and getent passwd, it returns all of my domain users with all of the Unix attributes as defined in AD for them, BUT it replaces the primary group GID with the GID I defined for the Domain Users group.
>
> Apparently, some genius decided that the best way to look up users in AD is by membership in "Domain Users" rather than iterating through the directory looking for users that have rfc2307 attributes defined, totally ignoring the rfc2307 group attribute on the user objects.
>
> The suspected bug is that it is not using the rfc2307 primary GID attribute, but rather is defaulting the "Domain Users" group as the primary group for all users regardless of the rfc2307 attributes.
>
> Is there a way to force Winbind not to use the Domain Users group as the primary group for the winbindd_getpwent process, so it returns the rfc2307 group attribute as it used to / should? Or do I have to redo all of my group file ownership/permissions on all of my servers to match "Domain Users" for some ungodly reason?
>
> Currently running Samba 3.4.3 on SLES 11.1, and authenticating against Windows 2003R2 AD, but I suspect this same bug/feature was introduced with the idmap changes in 3.30 and above so should apply to all versions above 3.30. I don't know if the same logic is being used in v4 winbind idmap process...
>
> --
> To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
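The discrepancy the poster describes (enumeration via `getent passwd` reporting the Domain Users gid, while a per-user `getent passwd <name>` reports the rfc2307 primary gid) is easy to check for across a whole server. The script below is an added example written for this page; it is not the poster's code or part of Samba. The passwd lines it runs on are constructed to mirror the post (uid 10043, Domain Users gid 12011, local gid 60000), the second user `alice` is invented to show a non-mismatch, and `lookup_sample` is a hypothetical stand-in for `getent passwd <name>`; the commented `live_lookup` line shows how to run it against winbind on a real host.

```shell
#!/bin/sh
# Added example, not from the original post. Compares the gid each user gets
# from "getent passwd" enumeration (winbindd_getpwent) with the gid from a
# per-user "getent passwd <name>" lookup and reports users whose gid differs.

# Constructed sample of "getent passwd" enumeration output. As in the post,
# every AD user comes back with the Domain Users gid (12011).
ENUM_SAMPLE='root:x:0:0:root:/root:/bin/bash
user:*:10043:12011:User Name:/home/user:/bin/bash
alice:*:10044:12011:Alice Example:/home/alice:/bin/bash'

# Hypothetical stand-in for "getent passwd <name>": the per-user lookup path,
# which the post says returns the rfc2307 primary gid (60000 for "user").
# "alice" (invented) has Domain Users as her real rfc2307 group, so no mismatch.
lookup_sample() {
    case "$1" in
        root)  echo 'root:x:0:0:root:/root:/bin/bash' ;;
        user)  echo 'user:*:10043:60000:User Name:/home/user:/bin/bash' ;;
        alice) echo 'alice:*:10044:12011:Alice Example:/home/alice:/bin/bash' ;;
        *)     return 2 ;;   # unknown user: mimic getent's "not found" exit status
    esac
}

# On a live host use this instead of lookup_sample (assumes nss_winbind is
# configured in /etc/nsswitch.conf so getent goes through winbindd).
live_lookup() { getent passwd "$1"; }

# find_gid_mismatches ENUM_TEXT LOOKUP_FUNC
#   ENUM_TEXT   passwd-format lines from an enumeration
#   LOOKUP_FUNC name of a function that prints one passwd line for a user name
# Prints "name enumerated_gid lookup_gid" for each user whose gid differs.
find_gid_mismatches() {
    enum="$1"
    lookup="$2"
    printf '%s\n' "$enum" | while IFS=: read -r name _pw _uid gid _rest; do
        [ -n "$name" ] || continue
        # Skip users the per-user path cannot resolve at all.
        line=$("$lookup" "$name") || continue
        lgid=$(printf '%s\n' "$line" | cut -d: -f4)
        if [ "$gid" != "$lgid" ]; then
            printf '%s %s %s\n' "$name" "$gid" "$lgid"
        fi
    done
}

# users_with_gid ENUM_TEXT GID
# Lists the users an enumeration assigns to GID, e.g. the Domain Users gid,
# to see how many accounts would inherit that group's file permissions.
users_with_gid() {
    enum="$1"
    want="$2"
    printf '%s\n' "$enum" | while IFS=: read -r name _pw _uid gid _rest; do
        [ "$gid" = "$want" ] && printf '%s\n' "$name"
    done
}

# Stand-alone run against the constructed sample:
find_gid_mismatches "$ENUM_SAMPLE" lookup_sample
# Live equivalent (commented out; needs winbind):
# find_gid_mismatches "$(getent passwd)" live_lookup
```

Only `user` is reported, because `alice`'s per-user lookup agrees with the enumeration; that distinction matters, since a user whose rfc2307 primary group really is Domain Users is not affected by the behaviour the post describes, while one with a local primary gid such as 60000 is.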