winbind separator and group name behavior in getent group, constantly changing

Question

I have a problem that occasionally apprears-dissapears and it drives me nuts.

My Debian servers are authenticated against AD and only "linuxadmins" group member can SSH to server and "sudo su".

SSH login works, no problems in there but users are getting errors "user xyz is not in sudoers " while using sudo

my /etc/sudoers contains AD group name

%linuxadmins ALL =(ALL) ALL

And samba conf

#GLOBAL PARAMETERS
[global]
   workgroup = RKAS
   realm = RKAS.RK
   preferred master = no
   server string = SEP DEV Server
   security = ADS
   encrypt passwords = true
   log level = 3
   log file = /var/log/samba/%m
   max log size = 50
   printcap name = cups
   printing = cups
   winbind enum users = Yes
   winbind enum groups = Yes
   winbind use default domain = Yes
   winbind nested groups = Yes
   #winbind separator = +
   #idmap uid = 600-20000
   #idmap gid = 600-20000
   ;template primary group = "Domain Users"
   template shell = /bin/bash
   template homedir = /home/%D/%U
   winbind offline logon = yes
   winbind refresh tickets = yes

The problem lies in group's separator that samba handles.

getent group | grep linuxadmins

gives back two different results in between few minutes

linuxadmins:x:784:xyz

or

\linuxadmins:x:784:xyz

Users are only able to sudo if there's no baskslash.

What's wrong? I cannot understand why it constantly adding backslash and removing it in the group names?

common-account:

account [success=2 new_authtok_reqd=done default=ignore]        pam_unix.so
account [success=1 new_authtok_reqd=done default=ignore]        pam_winbind.so
account required                        pam_permit.so

common-auth:

auth    [success=2 default=ignore]      pam_unix.so nullok_secure
auth    [success=1 default=ignore]      pam_winbind.so krb5_auth krb5_ccache_type=FILE cached_login require_membership_of=linuxadmins try_first_pass
auth    required                        pam_permit.so

and no common-system, only session

session     required    pam_mkhomedir.so umask=0022 skel=/etc/skel

I must add that this behavior is happening through all linux servers

Have all the users got uidNumber attributes, similarly gidNumber attributes for the groups? — Tom O'Connor, Jul 04 '13 at 08:43
I disabled the UID and GID from smb.conf since these are depicated But it seems that yes, users have their uid's without the smb.conf (using Debian 6 and 7) — user1492810, Jul 04 '13 at 09:10

score 0 · Answer 1 · answered Jul 04 '13 at 09:17

0

Right, so actually idmap uid range is deprecated, but it got replaced with this:

idmap backend = ad
idmap config *:backend = ad
idmap config *:range = 10000-20000

See, what I think is happening.. Is that samba (and associated modules) doesn't know how to assign the right id/uid to a user.

I'd drop those 3 lines into /etc/samba/smb.conf, Wipe out the samba cache files (they all get recreated) rm -rf /var/lib/samba/* Restart all the samba services, winbindd,smbd,nmbd and then have a go with wbinfo -u, wbinfo -g, wbinfo -i $id

You'll also want to make sure that all the users and groups have uidNumbers and gidNumbers (Active Directory Administrative Center, right click a user, open properties, find the Attribute Editor, set uidnumber and gidnumber if they're not already set).

You also need to have a gidNumber for groups up the tree, including Domain Users.

answered Jul 04 '13 at 09:17

Tom O'Connor

27,440
10
72
148

That didn't end well. Now wbinfo works but getent doesn't see AD users and groups. So I can log in as local service account I created for root replacement. – user1492810 Jul 04 '13 at 10:14
Interesting. Can you post /etc/pam.d/common-account, common-auth, and common-system ? – Tom O'Connor Jul 04 '13 at 10:16
i'll edit my original post – user1492810 Jul 04 '13 at 10:20
can you `su - $user` from root to be one of the AD users? or do a native login on PTY2 or something? – Tom O'Connor Jul 04 '13 at 10:40
I'm in with local sudo user. I discovered that the problem is related with net cache. I'm still unsure how. – user1492810 Jul 04 '13 at 10:43
i did net cache flush and hell broke loose. getent may or may not update the list and it's super slow. It seems that idmap doesn't work. When I rolled back to deprecated solution in smb.conf, it went back to normal – user1492810 Jul 04 '13 at 10:57
but the backslash in linuxadmins group name is still there. The odd thing is that this is the only group that has it. – user1492810 Jul 04 '13 at 11:10
How Peculiar... – Tom O'Connor Jul 04 '13 at 11:34
Why've you got `winbind separator` commented out? – Tom O'Connor Jul 04 '13 at 11:34
This is the root problem - if there's a separator then sudoers doesn't understand the group name and linuxadmins members wont get sudo access. – user1492810 Jul 04 '13 at 11:40
I think I found workaround, but I'm unsure if this is normal. I changed %linuxadmins ALL =(ALL) ALL to %+linuxadmins ALL =(ALL) ALL, enabled winbind separator to be +. Now sudo su works, but also I need to eg chown ADusername:+ADgroupname for AD groups. – user1492810 Jul 04 '13 at 12:00
Now on some server the only AD group I use has + sign, at some server there are no symbols in front of it's name..i give up for now and hardcode users into sudoers file. – user1492810 Jul 04 '13 at 12:13
You might've found a bug. Might be worth a bugpost to the samba team – Tom O'Connor Jul 04 '13 at 12:42
https://bugzilla.samba.org/show_bug.cgi?id=9999 – user1492810 Jul 05 '13 at 12:02
Hah! Bug ID 9999 :) – Tom O'Connor Jul 05 '13 at 12:39

winbind separator and group name behavior in getent group, constantly changing

1 Answers1