On Tue, 30 Oct 2018 at 00:27, Paul Szabo <paul.sz...@sydney.edu.au> wrote:
>
> Dear Mathieu,
>
> > Why don't your UNIX groups match your Windows groups? This is usually
> > the case, with nss_winbind.
>
> My site is mainly Linux; we have secondary groups in the /etc/group
> file. I am trying to move from Samba3 to the Debian Samba4, setting up
> Samba as an AD DC (for Windows10). I have the libnss-winbind package.
> Still, Samba (winbindd?) seems to create separate "Domain\user" entities,
> and does seem to add those to the groups that the Linux user belongs to.
>
> > Alternatively, you can reverse the logic with idmap_nss.
>
> I tried that, did not seem to help.

And have you tried "winbind use default domain = yes"?

<<<<
winbind use default domain (G)

    This parameter specifies whether the winbindd(8) daemon should
    operate on users without domain component in their username. Users
    without a domain component are treated as is part of the winbindd
    server's own domain. While this does not benefit Windows users, it
    makes SSH, FTP and e-mail function in a way much closer to the way
    they would in a native unix system.

    This option should be avoided if possible. It can cause confusion
    about responsibilities for a user or group. In many situations it is
    not clear whether winbind or /etc/passwd should be seen as
    authoritative for a user, likewise for groups.

    Default: winbind use default domain = no

    Example: winbind use default domain = yes
>>>>

Can you post your (redacted) smb.conf?

> >> (Seems to me that Samba4.9 suffers from the same issue.)
> > Have you tried it? ...
>
> I had tried to build Samba 4.9.1 the "Debian way", following the method
> in the "experimental" packages, but failed on my "stretch" machine due
> to some version incompatibility issues. (Did not try the "native way"
> with configure/make, thought it would be best to follow Debian.)

There is currently no official backport of samba, but you can test
with a sid chroot/nspawn/whatever.

> > ... This part of the code has changed a lot.
>
> The file source3/auth/auth_util.c did not change that much between
> 4.5.12 and 4.9.1, the "essence" of my patch still seems to apply
> (though not the patch file I posted).
>
> > Also please note that we don't accept patches that are not merged
> > upstream first.
> > Additionally, this patch targets stable while it's not a security or
> > stability patch.
>
> Understood. I have been using my own Samba for years, can keep doing
> that.

You are free to do so.

Regards
--
Mathieu Parent