I am really working in an Active Directory environment and using Samba with Winbind on my Linux systems to have the users and groups of my domain recognized. However, this always worked for me in pam_mount. See the comparison of the same configuration on a computer with Ubuntu 16.04 and another with Ubuntu 18.04 in my environment. The example with "MYGROUP" was hypothetical. My real scenario is as follows:
Outputs in Ubuntu 16.04 and libpam-mount 2.14-1.1:
eduardo.moraes@URU0095285LVM03:~$ id
uid=111141(eduardo.moraes) gid=110513(usuários do domínio) groups=110513(usuários do domínio),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),113(lpadmin),128(sambashare),10000(BUILTIN\administrators),10001(BUILTIN\users),110512(admins. do domínio),110572(grupo de replicação de senha rodc negado),111141(eduardo.moraes),111240(adm),111251(ngti),112043(mdd_sra),112047(autenticadores),112756(cfcv)
eduardo.moraes@URU0095285LVM03:~$ mount | grep 'NGTI'
//sca01uru/NGTI$ on /home/eduardo.moraes/NGTI type cifs (rw,relatime,vers=default,cache=strict,username=eduardo.moraes,domain=,uid=111141,forceuid,gid=111251,forcegid,addr=10.120.100.71,file_mode=0770,dir_mode=0770,soft,nounix,serverino,mapposix,rsize=1048576,wsize=1048576,echo_interval=60,actimeo=1)
//sca01uru/SCAN_NGTI$ on /home/eduardo.moraes/SCAN_NGTI type cifs (rw,relatime,vers=default,cache=strict,username=eduardo.moraes,domain=,uid=111141,forceuid,gid=111251,forcegid,addr=10.120.100.71,file_mode=0770,dir_mode=0770,soft,nounix,serverino,mapposix,rsize=1048576,wsize=1048576,echo_interval=60,actimeo=1)
Outputs in Ubuntu 18.04 and libpam-mount 2.16-3ubuntu0.1:
eduardo.moraes@URU0095285LVM02:~$ id
uid=111141(eduardo.moraes) gid=110513(usuários do domínio) groups=110513(usuários do domínio),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),116(lpadmin),126(sambashare),10000(BUILTIN\administrators),10001(BUILTIN\users),110512(admins. do domínio),110572(grupo de replicação de senha rodc negado),111141(eduardo.moraes),111240(adm),111251(ngti),112043(mdd_sra),112047(autenticadores),112756(cfcv)
eduardo.moraes@URU0095285LVM02:~$ mount | grep 'NGTI'
eduardo.moraes@URU0095285LVM02:~$
Although the NGTI group is on the remote base of the AD Domain Controller, the "libnss-winbind" library allows the name service switch (NSS) to make domain users and groups available to the local system. Look:
eduardo.moraes@URU0095285LVM03:~$ getent group ngti
ngti:x:111251:eduardo.moraes,miliane.oliveira,virgilio.rodrigues,noel.costa
eduardo.moraes@URU0095285LVM02:~$ getent group ngti
ngti:x:111251:virgilio.rodrigues,noel.costa,miliane.oliveira,eduardo.moraes
I do not know what has changed in libpam-mount from version 2.14 to 2.16, but something does not allow sgrp and any other control attributes to evaluate my users and AD domain groups. I also do not know if there's anything to Samba or Winbind right now, but apparently everything that is related to these is normal and does not seem to have had some kind of alteration in the overall operation.
Outputs in Ubuntu 16.04 and libpam-mount 2.14-1.1:
eduardo.moraes@URU0095285LVM03:~$ grep NGTI /etc/security/pam_mount.conf.xml
<volume sgrp="NGTI" fstype="cifs" server="sca01uru" path="NGTI$" mountpoint="~/NGTI" options="gid=NGTI,iocharset=utf8,file_mode=0770,dir_mode=0770" />
<volume sgrp="NGTI" fstype="cifs" server="sca01uru" path="SCAN_NGTI$" mountpoint="~/SCAN_NGTI" options="gid=NGTI,iocharset=utf8,file_mode=0770,dir_mode=0770" />
Outputs in Ubuntu 18.04 and libpam-mount 2.16-3ubuntu0.1:
eduardo.moraes@URU0095285LVM02:~$ grep NGTI /etc/security/pam_mount.conf.xml
<volume sgrp="NGTI" fstype="cifs" server="sca01uru" path="NGTI$" mountpoint="~/NGTI" options="gid=NGTI,iocharset=utf8,file_mode=0770,dir_mode=0770" />
<volume sgrp="NGTI" fstype="cifs" server="sca01uru" path="SCAN_NGTI$" mountpoint="~/SCAN_NGTI" options="gid=NGTI,iocharset=utf8,file_mode=0770,dir_mode=0770" />
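A diagnostic for the situation described in this comment, added here as an example (it is not part of the original post and not pam_mount code): it parses `<volume>` entries and `id` output and reports, per volume, whether the `sgrp` value matches a group the user holds exactly or only when case is ignored. The sample data is constructed from the output quoted above with the group list shortened; how pam_mount itself compares names is not stated on the page.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample: the two <volume> lines and a shortened `id` line from the comment.
CONF = """<pam_mount>
<volume sgrp="NGTI" fstype="cifs" server="sca01uru" path="NGTI$" mountpoint="~/NGTI" options="gid=NGTI,iocharset=utf8,file_mode=0770,dir_mode=0770" />
<volume sgrp="NGTI" fstype="cifs" server="sca01uru" path="SCAN_NGTI$" mountpoint="~/SCAN_NGTI" options="gid=NGTI,iocharset=utf8,file_mode=0770,dir_mode=0770" />
</pam_mount>"""
ID_OUTPUT = ("uid=111141(eduardo.moraes) gid=110513(usuários do domínio) "
             "groups=110513(usuários do domínio),27(sudo),"
             "10000(BUILTIN\\administrators),111251(ngti),112756(cfcv)")


def groups_from_id(id_output):
    """Return {group name: gid} parsed from the groups= field of `id` output."""
    match = re.search(r"groups=(.*)", id_output)
    if not match:
        return {}
    # Names may contain spaces, dots and backslashes, but never a ')'.
    pairs = re.findall(r"(\d+)\(([^)]*)\)", match.group(1))
    return {name: int(gid) for gid, name in pairs}


def check_sgrp(conf_xml, id_output):
    """For each <volume> with sgrp=, report how that name compares to NSS."""
    groups = groups_from_id(id_output)
    by_lower = {name.lower(): name for name in groups}
    report = []
    for vol in ET.fromstring(conf_xml).iter("volume"):
        sgrp = vol.get("sgrp")
        if sgrp is None:
            continue  # volume is not restricted by secondary group
        nss_name = by_lower.get(sgrp.lower())
        report.append({
            "path": vol.get("path"),
            "sgrp": sgrp,
            "exact_match": sgrp in groups,   # same spelling and case
            "nss_name": nss_name,            # spelling NSS returns, or None
            "gid": groups.get(nss_name),
        })
    return report


if __name__ == "__main__":
    for row in check_sgrp(CONF, ID_OUTPUT):
        print(row)
```

Running it against the real `/etc/security/pam_mount.conf.xml` and the live output of `id` on both hosts gives a side-by-side record to attach to the bug report.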