RFC [Patch] winbind expand groups doc


RFC [Patch] winbind expand groups doc

Samba - samba-technical mailing list
I (and I know others) have found the man page section for 'winbind
expand groups' a little confusing. I'm trying to make it a little less
so. Here's my first cut, I'd be grateful for comments (and especially
suggestions for improvements)
Thanks a lot
Noel

Attachment: 0001-docs-Improve-wording-around-winbind-expand-groups-pa.patch (1K)

Re: RFC [Patch] winbind expand groups doc

Samba - samba-technical mailing list
On Thu, 28 Sep 2017 12:47:01 +0100
Noel Power via samba-technical <[hidden email]> wrote:

> I (and I know others) have found the man page section for 'winbind
> expand groups' a little confusing. I'm trying to make it a little less
> so. Here's my first cut, I'd be grateful for comments (and especially
> suggestions for improvements)
> Thanks a lot
> Noel

You appear to have a stutter ;-)

+ <para>This option also also affects the return of non nested
                           ^^^^ ^^^^
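Review bot: the added <para> line duplicates "also" ("also also"); since "non nested" prefixes a noun here it should also be hyphenated, giving `<para>This option also affects the return of non-nested`.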
Apart from that, it makes sense to me.

Rowland


RE: RFC [Patch] winbind expand groups doc

Samba - samba-technical mailing list
Hai Noel,

If I may suggest mentioning that winbind expand groups = 2 was a good minimal setting.
For example, imo, a pretty normal thing, because of things like this:
Admin1 is a member of Domain Admins, which is a member of BUILTIN\Administrator
So a depth of 2.

In my case with RDP, the user is in the domain group (NTDOM\RDP-Allowed), which is added to the local group (.\Remote Desktop Users).
But just a question.

And "define" a "high value"... If 0 and 1 are low, is 4 high? Or 10 or 100?
Adding a sample of a high value helps.



Greetz,

Louis


> -----Original message-----
> From: samba-technical
> [mailto:[hidden email]] On behalf of
> Rowland Penny via samba-technical
> Sent: Thursday 28 September 2017 13:55
> To: [hidden email]
> Subject: Re: RFC [Patch] winbind expand groups doc
>
> On Thu, 28 Sep 2017 12:47:01 +0100
> Noel Power via samba-technical
> <[hidden email]> wrote:
>
> > I (and I know others) have found the man page section for 'winbind
> > expand groups' a little confusing. I'm trying to make it a
> little less
> > so. Here's my first cut, I'd be grateful for comments (and
> especially
> > suggestions for improvements) Thanks a lot Noel
>
> You appear to have a stutter ;-)
>
> + <para>This option also also affects the return of non nested
>                            ^^^^ ^^^^
> Apart from that, it makes sense to me.
>
> Rowland
>
>



Re: RFC [Patch] winbind expand groups doc

Samba - samba-technical mailing list
Hi Louis,

> If I may suggest mentioning that winbind expand groups = 2 was a good minimal setting.
> For example, imo, a pretty normal thing, because of things like this:
> Admin1 is a member of Domain Admins, which is a member of BUILTIN\Administrator
> So a depth of 2.
>
> In my case with RDP, the user is in the domain group (NTDOM\RDP-Allowed), which is added to the local group (.\Remote Desktop Users).

The effective group memberships are still in place. The unix token will
have them. "id" should be able to show them, after a successful
authentication.

This option is really only for broken applications which use something
like: getent group <group> in order to verify that a user is a member
of the group.

Is there an RDP service for linux that qualifies itself as such a broken
app?

metze



Re: RFC [Patch] winbind expand groups doc

Samba - samba-technical mailing list
On Thu, Sep 28, 2017 at 10:02 AM, Stefan Metzmacher via
samba-technical <[hidden email]> wrote:

> Hi Louis,
>
>> If I may suggest mentioning that winbind expand groups = 2 was a good minimal setting.
>> For example, imo, a pretty normal thing, because of things like this:
>> Admin1 is a member of Domain Admins, which is a member of BUILTIN\Administrator
>> So a depth of 2.
>>
>> In my case with RDP, the user is in the domain group (NTDOM\RDP-Allowed), which is added to the local group (.\Remote Desktop Users).
>
> The effective group memberships are still in place. The unix token will
> have them. "id" should be able to show them, after a successful
> authentication.
>
> This option is really only for broken applications which use something
> like: getent group <group> in order to verify that a user is a member
> of the group.

How can applications enumerate membership in an AD group without doing this?

I have an application which needs to create some local resources for
every member of an AD group, so we poll for group membership using
getgrent and create those resources when we see users added to the
group. Right now, we use "winbind expand groups = 1" for this, and
get complaints about not supporting nested groups, so I was
considering increasing it to see if that helped. I have seen the
warning that this means we are a "broken application", but I don't see
a reference to what the alternative is; how to enumerate membership
without this.

If we're updating the documentation, it might be good to also include
a reference to how to properly enumerate membership of an AD group
from a system joined to the domain using winbind.

Here are the things that I have tried:

$ wbinfo --group-info=<group>

This gives me the same results as "getent group <group>", so doesn't
work without "winbind expand groups".

$ net ads group -P

This lists the groups in AD, but there is no "net ads group members <group>"

$ net rpc group members <group> -P

This tells me it can't find <group>

Various variations of the above using the -w or -W options to specify
the AD workgroup also fail similarly.

Note: I am running Samba 4.3.8, I haven't yet tried later versions. If
there is a way to do this in later versions I'd be happy to upgrade.

-- Brian

>
> Is there an RDP service for linux that qualifies itself as such a broken
> app?
>
> metze
>


Re: RFC [Patch] winbind expand groups doc

Samba - samba-technical mailing list
On Thu, 28 Sep 2017 13:42:20 -0400
Brian Campbell via samba-technical <[hidden email]>
wrote:

> How can applications enumerate membership in an AD group without
> doing this?
>
> I have an application which needs to create some local resources for
> every member of an AD group, so we poll for group membership using
> getgrent and create those resources when we see users added to the
> group. Right now, we use "winbind expand groups = 1" for this, and
> get complaints about not supporting nested groups, so I was
> considering increasing it to see if that helped. I have seen the
> warning that this means we are a "broken application", but I don't see
> a reference to what the alternative is; how to enumerate membership
> without this.
>
> If we're updating the documentation, it might be good to also include
> a reference to how to properly enumerate membership of an AD group
> from a system joined to the domain using winbind.
>
> Here are the things that I have tried:
>
> $ wbinfo --group-info=<group>
>
> This gives me the same results as "getent group <group>", so doesn't
> work without "winbind expand groups".
>
> $ net ads group -P
>
> This lists the groups in AD, but there is no "net ads group members
> <group>"
>
> $ net rpc group members <group> -P
>
> This tells me it can't find <group>
>
> Various variations of the above using the -w or -W options to specify
> the AD workgroup also fail similarly.
>
> Note: I am running Samba 4.3.8, I haven't yet tried later versions. If
> there is a way to do this in later versions I'd be happy to upgrade.
>

This is a patch to the documentation, it refers to a change that
happened back with 4.2 and is trying to make it easier to understand.

The actual change was 'winbind expand groups = 1' to 'winbind expand
groups = 0', but this is just the default setting, there is nothing
stopping you using a different value.

Rowland



Re: RFC [Patch] winbind expand groups doc

Samba - samba-technical mailing list
On Thu, 2017-09-28 at 16:02 +0200, Stefan Metzmacher via samba-
technical wrote:
> Hi Louis,

> The effective group memberships are still in place. The unix token
> will
> have them. "id" should be able to show them, after a successful
> authentication.
>
> This option is really only for broken applications which use
> something
> like: getent group <group> in order to verify that a user is a
> member
> of the group.

It should be noted for context that this is quite rare: because it is
very slow on larger groups, most applications were fixed to use the unix
token or nss's getgrouplist() instead.

Andrew Bartlett

> Is there an RDP service for linux that qualifies itself as such a
> broken
> app?
>
> metze
>
--
Andrew Bartlett
https://samba.org/~abartlet/
Authentication Developer, Samba Team         https://samba.org
Samba Development and Support, Catalyst IT  
https://catalyst.net.nz/services/samba
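The two membership checks this thread contrasts side by side: the "getent group" style scan of gr_mem that Brian's polling relies on, and the getgrouplist() check on the user that Andrew says fixed applications use. This is an added example, not code from the patch or from Samba; it assumes a glibc/Linux host where NSS (with winbind for domain accounts) serves the passwd and group databases, and the names passed in (such as the local root user and group) are constructed for the demonstration.

```c
#define _GNU_SOURCE
#include <grp.h>
#include <pwd.h>
#include <stdlib.h>
#include <string.h>

/* "getent group" style check: look the group up by name and scan gr_mem.
 * Through winbind, nested members only show up here when 'winbind expand
 * groups' is high enough; members via their primary gid never show up.
 * Returns 1 if listed, 0 if not, -1 if the group is unknown. */
int member_by_group_entry(const char *user, const char *group)
{
    struct group *gr = getgrnam(group);
    if (gr == NULL) return -1;
    for (char **m = gr->gr_mem; *m != NULL; m++)
        if (strcmp(*m, user) == 0)
            return 1;
    return 0;
}

/* Token style check (the fix Andrew describes): ask NSS for the user's
 * complete group list, which winbind fills from the effective, already
 * expanded memberships, and test whether the group's gid is in it.
 * Returns 1 if member, 0 if not, -1 on unknown user/group or no memory. */
int member_by_grouplist(const char *user, const char *group)
{
    struct passwd *pw = getpwnam(user);
    struct group *gr = getgrnam(group);
    if (pw == NULL || gr == NULL)
        return -1;
    int n = 16;                        /* initial guess, grown on demand */
    gid_t *gids = malloc(n * sizeof *gids);
    if (gids == NULL) return -1;
    /* getgrouplist returns -1 and stores the required count in n when the
     * buffer is too small, so retry with a buffer of that size */
    while (getgrouplist(user, pw->pw_gid, gids, &n) == -1) {
        gid_t *bigger = realloc(gids, n * sizeof *gids);
        if (bigger == NULL) {
            free(gids);
            return -1;
        }
        gids = bigger;
    }
    int found = 0;
    for (int i = 0; i < n; i++)
        if (gids[i] == gr->gr_gid)
            found = 1;
    free(gids);
    return found;
}
```

On a domain-joined host, member_by_group_entry() for a user who reaches the group only through nesting returns 0 until 'winbind expand groups' is raised, while member_by_grouplist() returns 1 regardless of that setting.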






Re: RFC [Patch] winbind expand groups doc V2

Samba - samba-technical mailing list
I've updated the patch to correct the 'stutter'. If someone is feeling
kind they might RB and push perhaps :-)

Noel
On 28/09/17 12:47, Noel Power via samba-technical wrote:
> I (and I know others) have found the man page section for 'winbind
> expand groups' a little confusing. I'm trying to make it a little less
> so. Here's my first cut, I'd be grateful for comments (and especially
> suggestions for improvements)
> Thanks a lot
> Noel



Attachment: 0001-docs-Improve-wording-around-winbind-expand-groups-pa.patch (1K)

Re: RFC [Patch] winbind expand groups doc V2

Samba - samba-technical mailing list
On Fri, Sep 29, 2017 at 09:36:30AM +0100, Noel Power via samba-technical wrote:
> I've updated the patch to correct the 'stutter'. If someone is feeling
> kind they might RB and push perhaps :-)

RB+. Someone else?

Thanks, Volker

--
SerNet GmbH, Bahnhofsallee 1b, 37081 Göttingen
phone: +49-551-370000-0, fax: +49-551-370000-9
AG Göttingen, HRB 2816, GF: Dr. Johannes Loxen
http://www.sernet.de, mailto:[hidden email]


Re: RFC [Patch] winbind expand groups doc V2

Samba - samba-technical mailing list
On 09/29/2017 08:32 AM, Volker Lendecke via samba-technical wrote:
> On Fri, Sep 29, 2017 at 09:36:30AM +0100, Noel Power via samba-technical wrote:
>> I've updated the patch to correct the 'stutter'. If someone is feeling
>> kind they might RB and push perhaps :-)
>
> RB+. Someone else?
Done, pushed.


Jim