Bug 5689 - "Use default domain" not applied for users with "getent group"
Status: RESOLVED DUPLICATE of bug 5571
Alias: None
Product: Samba 3.2
Classification: Unclassified
Component: Winbind
Version: unspecified
Hardware: Other Windows XP
: P3 normal
Target Milestone: ---
Assignee: Gerald (Jerry) Carter (dead mail address)
QA Contact: Samba QA Contact
Reported: 2008-08-13 05:54 UTC by Arno
Modified: 2008-09-29 13:59 UTC
Description Arno 2008-08-13 05:54:56 UTC
I've just set up a brand new Debian/Lenny machine with Samba 3.2.0. Our old setup previously used Samba 3.0.14a (Debian/Etch). The problem is that we are now no longer able to restrict i.e. cups printers to certain user groups (in the printers.conf with @group). The problem is most certainly caused by the fact that we use "winbind use default domain". With the setting enabled things work ok for i.e. "getent passwd", we get entries like:

wassenaar:*:17456:10513:Wassenaar, R.:/mnt/data:/usr/bin/scponly
weel:*:17457:10513:Weel, A. van der:/mnt/data:/usr/bin/scponly
werf:*:17458:10513:Werf, R. van der:/mnt/data:/usr/bin/scponly
wiegerinck:*:17459:10513:Wiegerinck, E.:/mnt/data:/usr/bin/scponly
heuvelman:*:12868:10513:Heuvelman, J.L. Th. mw.:/mnt/data:/usr/bin/scponly

But when we issue "getent group", we get entries like:

manage_fmd_printers:x:11445:PHYSICS+Egmondr,PHYSICS+Verpoorten
tekendocent:x:12910:PHYSICS+Fasseur,PHYSICS+Heuvelman,PHYSICS+Meerh,PHYSICS+Verpoorten,PHYSICS+Vos

As you can see, the group name is without the domain name (PHYSICS+) but the users in the group are. This causes applications like cups to be confused as they don't understand user "Heuvelman" is in the group "tekendocent", so using @manage_fmd_printers in /etc/cups/printers.conf doesn't work as the names mismatch.
Comment 1 Arno 2008-08-13 05:56:19 UTC
Oh, the relevant settings in my smb.conf look like this:
idmap domains = PHYSICS
idmap config PHYSICS:default = yes
idmap config PHYSICS:backend = rid
idmap config PHYSICS:base_rid = 0
idmap config PHYSICS:range =10000-60000

allow trusted domains = no
winbind enum users = yes
winbind enum groups = yes
winbind use default domain = yes
winbind nested groups = no
winbind separator = +
winbind offline logon = true
winbind refresh tickets = true
template homedir = /mnt/data
template shell = /usr/bin/scponly
Comment 2 Gerald (Jerry) Carter (dead mail address) 2008-08-13 07:38:11 UTC
I've got this one.
Comment 3 Arno 2008-08-14 01:44:41 UTC
As a workaround I moved the group policies from cups to smb.conf (until this gets fixed) but now I've stumbled onto another bug which is (I guess) also related to this problem. When using the "valid users" option in smb.conf using just "valid users = @windows_group" doesn't work, you MUST use "valid users = @"DOMAIN\windows_group". IMHO when "use default domain = yes" one should never be forced to use the "DOMAIN\" in front of usernames & groups, right?
Comment 4 Gerald (Jerry) Carter (dead mail address) 2008-08-14 10:32:43 UTC
(In reply to comment #3)

> IMHO when "use default domain = yes" one should never
> be forced to use the "DOMAIN\" in front of usernames & groups, right?
> 

No.  "Winbind use default domain" only applies to pam logins and should be
reported back from NSS.  Always use fully qualified names in smb.conf.  This has been a
documented recommendation since Samba 3.0.8.
Comment 5 Jelmer Vernooij 2008-09-29 13:59:57 UTC

*** This bug has been marked as a duplicate of 5571 ***
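
An added example, not part of the bug report or of Samba's code: a check for the mismatch described above, where group member names returned by NSS do not resolve to any passwd name, so group-based restrictions such as @group in printers.conf never match. The function names and sample lines are constructed for illustration, and the case-insensitive comparison of short names is an assumption.

```python
# Added example: constructed sample data modelled on the getent output in the report.
SEPARATOR = "+"  # "winbind separator" value from the reported smb.conf

PASSWD_SAMPLE = """\
heuvelman:*:12868:10513:Heuvelman, J.L. Th. mw.:/mnt/data:/usr/bin/scponly
weel:*:17457:10513:Weel, A. van der:/mnt/data:/usr/bin/scponly
"""
GROUP_SAMPLE = """\
tekendocent:x:12910:PHYSICS+Heuvelman,PHYSICS+Vos
localadm:x:1001:weel
"""

def passwd_names(passwd_text):
    """Return the set of account names (field 1) from getent-passwd-style text."""
    return {line.split(":", 1)[0] for line in passwd_text.splitlines() if line.strip()}

def find_member_mismatches(passwd_text, group_text, separator=SEPARATOR):
    """List group members that NSS reports under a name absent from passwd.

    Each finding is (group, member, short_match) where short_match is the
    passwd name matching the member once the domain prefix is stripped
    (compared case-insensitively, an assumption), or None when no account
    matches at all.
    """
    users = passwd_names(passwd_text)
    by_lower = {u.lower(): u for u in users}
    findings = []
    for line in group_text.splitlines():
        fields = line.strip().split(":")
        if len(fields) < 4 or not fields[3]:
            continue  # malformed line or group without members
        group = fields[0]
        for member in fields[3].split(","):
            member = member.strip()
            if not member or member in users:
                continue  # member resolves as-is, group ACLs will match
            short = member.rsplit(separator, 1)[-1]
            findings.append((group, member, by_lower.get(short.lower())))
    return findings

if __name__ == "__main__":
    for group, member, match in find_member_mismatches(PASSWD_SAMPLE, GROUP_SAMPLE):
        hint = f"passwd has '{match}'" if match else "no matching passwd entry"
        print(f"{group}: member '{member}' not resolvable ({hint})")
```

On a live host the two inputs would be the output of "getent passwd" and "getent group"; any finding with a short match points at a group whose ACLs will silently exclude that user.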