[Samba] group enumeration fails
Travis Sidelinger
travis at ilive4code.net
Thu Oct 8 09:34:02 MDT 2009
Help, I've posted this before, but had no responses. In reading the archives, I'm not seeing anyone else with this issue.
Our problem:
------------
Samba will not enumerate Domain local groups in our Win2008 Active Directory.
Our Setup:
----------
# cat /etc/SuSE-release
SUSE Linux Enterprise Server 10 (x86_64)
VERSION = 10
PATCHLEVEL = 2
# rpm -qa | grep -E '(samba3)|(smb)|(krb)|(wbclient)' | grep -v pam
krb5-32bit-1.4.3-19.35
libsmbclient-32bit-3.0.32-0.8
samba3-3.3.6-39.suse101
samba3-client-3.3.6-39.suse101
krb5-1.4.3-19.35
libsmbclient0-3.3.6-39.suse101
samba3-winbind-3.3.6-39.suse101
krb5-client-1.4.3-19.34
libwbclient0-3.3.6-39.suse101
# cat /etc/samba/smb.conf
[global]
server string = "Main Linux File Server"
security = ADS
realm = SOME.DOMAIN
workgroup = SOME
encrypt passwords = yes
unix extensions = yes
log level = 1 winbind:3
username map = /etc/samba/user-map
winbind enum users = Yes
winbind enum groups = Yes
winbind use default domain = Yes
winbind expand groups = 4
winbind nested groups = Yes
winbind separator = \
idmap uid = 10000-11000
idmap gid = 10000-11000
[testing]
path = /tmp/test
write list = @SOME\file1_shr_adm_f
# cat /etc/krb5.conf
[libdefaults]
default_realm = SOME.DOMAIN
clockskew = 300
[realms]
ENT.CML.LIB.OH.US = {
kdc = adserver.some.domain
}
[domain_realm]
.kerberos.server = SOME.DOMAIN
[logging]
default = SYSLOG:NOTICE:DAEMON
kdc = FILE:/var/log/kdc.log
kadmind = FILE:/var/log/kadmind.log
[appdefaults]
pam = {
ticket_lifetime = 1d
renew_lifetime = 1d
forwardable = true
proxiable = false
retain_after_close = false
minimum_uid = 0
debug = false
}
AD Server: Windows 2008 server with up to date patches.
The problem explained:
----------------------
We put AD users into global groups, then global groups into domain local groups (as dictated by best practices). Domain local groups are used for access control. Samba will not enumerate users in the groups. It only works when the user account is directly used in "write list". The symptom is that Windows clients return "NT Access Denied".
wbinfo -g is able to list the groups.
Unrelated:
----------
I've also discovered that AD user accounts cannot contain hyphens ('-') and still work with Samba.
Any help would be appreciated. Thanks.
-Travis Sidelinger
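An added diagnostic, not part of the original post or of the Samba project: Samba resolves an "@name" entry in a share's "write list" through the system group database, which on this box means winbind via NSS, so the first thing to verify is whether the group named in the write list resolves at all through getgrnam() and whether the user shows up among its members once nested membership has been expanded. The script below parses an smb.conf, extracts the group tokens of a share's write list, and checks each one with grp.getgrnam(); because "winbind use default domain = Yes" makes winbind report groups of the workgroup without the "SOME\" prefix, it tries both the prefixed and the bare spelling. The embedded configuration is a constructed sample based on the post; the "+localadmins" entry, the user "tsidelinger" and the lookup results in the test are assumptions made for illustration only.

```python
"""Check that the @group entries of an smb.conf 'write list' resolve via NSS.

Added diagnostic (not the poster's or Samba's own code). Usage on a member server:
    python3 check_write_list.py /etc/samba/smb.conf testing tsidelinger
"""
import grp
import re
import sys
from typing import Callable, Dict, List, Optional

# Constructed sample derived from the configuration in the post.
# '+localadmins' and 'tsidelinger' are made-up entries for illustration.
SAMPLE_SMB_CONF = """
[global]
    workgroup = SOME
    winbind separator = \\
    winbind use default domain = Yes

[testing]
    path = /tmp/test
    write list = @SOME\\file1_shr_adm_f, +localadmins, tsidelinger
"""

Conf = Dict[str, Dict[str, str]]
Lookup = Callable[[str], Optional[List[str]]]


def parse_smb_conf(text: str) -> Conf:
    """Minimal smb.conf reader: section name -> {lower-cased key: value}."""
    sections: Conf = {}
    current: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        m = re.match(r"^\[(.+)\]$", line)
        if m:
            current = m.group(1)
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        key, _, value = line.partition("=")
        sections[current][key.strip().lower()] = value.strip()
    return sections


def write_list_groups(conf: Conf, share: str) -> List[str]:
    """Group tokens of a share's write list ('@', '+' or '&' prefix), prefix stripped."""
    value = conf.get(share, {}).get("write list", "")
    return [tok[1:] for tok in re.split(r"[,\s]+", value) if tok and tok[0] in "@+&"]


def candidate_names(name: str, conf: Conf) -> List[str]:
    """Spellings under which NSS may know the group.

    With 'winbind use default domain = Yes', groups of the workgroup are reported
    without the 'DOMAIN<separator>' prefix, so the bare name is tried as well.
    """
    g = conf.get("global", {})
    sep = g.get("winbind separator", "\\")
    names = [name]
    if sep in name:
        domain, _, bare = name.partition(sep)
        use_default = g.get("winbind use default domain", "no").lower() in ("yes", "true", "1")
        if use_default and domain.lower() == g.get("workgroup", "").lower():
            names.append(bare)
    return names


def nss_lookup(name: str) -> Optional[List[str]]:
    """Resolve a group through NSS (winbind on this host); None if unknown.

    Note: gr_mem lists supplementary members only; a user's primary group
    does not appear here even though Samba would honour it.
    """
    try:
        return list(grp.getgrnam(name).gr_mem)
    except KeyError:
        return None


def check_write_list(conf: Conf, share: str, user: str,
                     lookup: Lookup = nss_lookup) -> Dict[str, tuple]:
    """Map each write-list group token to (name it resolved as or None, user is member)."""
    report: Dict[str, tuple] = {}
    for token in write_list_groups(conf, share):
        resolved, members = None, None
        for cand in candidate_names(token, conf):
            members = lookup(cand)
            if members is not None:
                resolved = cand
                break
        is_member = user in members if members is not None else False
        report[token] = (resolved, is_member)
    return report


if __name__ == "__main__":
    if len(sys.argv) == 4:
        with open(sys.argv[1]) as fh:
            conf, share, user = parse_smb_conf(fh.read()), sys.argv[2], sys.argv[3]
    else:
        conf, share, user = parse_smb_conf(SAMPLE_SMB_CONF), "testing", "tsidelinger"
    for token, (resolved, member) in check_write_list(conf, share, user).items():
        state = "UNRESOLVED" if resolved is None else f"resolved as '{resolved}'"
        print(f"{token}: {state}; {user} {'is' if member else 'is NOT'} a member")
```

An UNRESOLVED group means Samba never sees the membership, regardless of what AD holds; a group that resolves but lacks the user points at winbind not expanding the global-into-domain-local nesting, which is exactly the situation described above, and the same lookup can be repeated against "wbinfo --group-info" or "getent group" to confirm.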