[Samba] nss_winbind.so delivers first group only on Solaris 10
Preller, Markus
Markus.Preller at uk-erlangen.de
Mon Mar 8 06:43:57 MST 2010
Hello,
sometimes it's so easy ...
Having a look at the GIDs in their numeric form I saw that using the following line in smb.conf
---
idmap config XXXXXX : range = 10000-19000
---
excluded all my groups I'm interested in. So I changed my smb.conf to
---
idmap config XXXXXX : range = 1000-19000
---
and I feel fine.
best regards,
Markus
-----Original Message-----
From: samba-bounces at lists.samba.org [mailto:samba-bounces at lists.samba.org] On Behalf Of Preller, Markus
Sent: Monday, 8 March 2010 12:54
To: samba at lists.samba.org
Subject: [Samba] nss_winbind.so delivers first group only on Solaris 10
Hello,
I'm trying to integrate some of our Solaris 10 10/09 hosts into Microsoft AD running on 2003/2008 R2 servers.
After some compile trouble I finally managed to get the whole thing running including winbind in nsswitch.conf
for users and groups and PAM for authentication.
The problem is that winbind only reports the primary group of an AD user. 'wbinfo -r aduser' only reports the GID of
the primary group the user is in. When I do a 'su aduser' and then 'id -a' I also get just the primary group information.
But the user is a member of several AD groups.
I run into this problem with samba 3.3.11, 3.4.4 and 3.4.6 but it works fine with 3.0.37 and 3.2.15.
Can anybody help?
My setup:
Solaris 10 10/09 X86 - latest patches installed.
I compiled kerberos 1.6.3 and openldap 2.4.21 on my own using the c-compiler from SunStudio 12
(Sun C 5.10 SunOS_i386 Patch 142363-03 2009/12/03) - no problems so far. Then I tried to compile
samba 3.4.6 with the following configure options / ENV variables set:
$ ./configure --prefix=/opt/uker/samba --enable-shared-libs --with-ads --with-pam --with-acl-support \
--with-winbind --with-krb5=/opt/uker/krb5 --with-ldap=/opt/uker/ldap --with-shared-modules=idmap_ad --disable-cups
CC=cc
LDFLAGS=-L/opt/uker/krb5/lib -L/opt/uker/ldap/lib -L/usr/sfw/lib -L/usr/lib -R/opt/uker/krb5/lib:/opt/uker/ldap/lib:/usr/sfw/lib:/usr/lib:/opt/uker/samba/lib
CPPFLAGS=-I/opt/uker/krb5/include -I/opt/uker/ldap/include -I/usr/sfw/include -I/usr/include
The build was successful but joining the domain failed with various errors. I kicked the Sun c-compiler and turned to gcc 4.3.3 from CSW.
With only the CC=gcc changed I built samba 3.4.6 again and all seemed to be fine now. Except the fact that I get no secondary group
information from AD.
My smb.conf:
[global]
workgroup = XXXXXX
realm = XXXXXX.YYYYYY.ZZ
security = ADS
map to guest = Bad User
lanman auth = Yes
client NTLMv2 auth = Yes
kerberos method = system keytab
log level = 3
log file = /var/samba/log/%m
socket options = SO_KEEPALIVE IPTOS_LOWDELAY TCP_NODELAY
load printers = No
domain master = No
wins server = wins04.xxxxxx.yyyyyy.zz
idmap uid = 600-100000
idmap gid = 600-100000
winbind enum users = Yes
winbind enum groups = Yes
winbind use default domain = Yes
winbind nss info = rfc2307
winbind refresh tickets = Yes
idmap config XXXXXX : range = 10000-19000
idmap config XXXXXX : backend = ad
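
Added example (not part of the original post): with the idmap_ad backend, the per-domain "range" acts as a filter, so any gidNumber stored in AD outside it is ignored and the group silently disappears from the user's group list. The Python sketch below parses the "idmap config DOMAIN : range" line and reports which groups would be dropped; the group names and GIDs are constructed sample values, and the function names are hypothetical.

```python
import re

# Matches e.g. "idmap config XXXXXX : range = 10000-19000"
RANGE_RE = re.compile(
    r"^idmap\s+config\s+([^\s:]+)\s*:\s*range\s*=\s*(\d+)\s*-\s*(\d+)$",
    re.IGNORECASE)

def idmap_ranges(smb_conf_text):
    """Return {DOMAIN: (low, high)} for each 'idmap config DOMAIN : range' line."""
    ranges = {}
    for raw in smb_conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":      # smb.conf comment lines
            continue
        m = RANGE_RE.match(line)
        if m:
            ranges[m.group(1).upper()] = (int(m.group(2)), int(m.group(3)))
    return ranges

def audit_gids(smb_conf_text, domain, groups):
    """Split {group: gidNumber} into (mapped, dropped) for one domain's range."""
    ranges = idmap_ranges(smb_conf_text)
    if domain.upper() not in ranges:
        raise KeyError("no 'idmap config %s : range' line found" % domain)
    low, high = ranges[domain.upper()]
    mapped = {g: gid for g, gid in groups.items() if low <= gid <= high}
    dropped = {g: gid for g, gid in groups.items() if not low <= gid <= high}
    return mapped, dropped

# Constructed smb.conf fragments mirroring the two settings in the thread.
OLD_CONF = """[global]
    idmap config XXXXXX : backend = ad
    idmap config XXXXXX : range = 10000-19000
"""
NEW_CONF = OLD_CONF.replace("10000-19000", "1000-19000")

# Constructed gidNumber values; in practice read them from the AD group objects.
SAMPLE_GROUPS = {"staff": 10050, "radiology": 1200, "it-admins": 4500}

if __name__ == "__main__":
    for label, conf in (("old", OLD_CONF), ("new", NEW_CONF)):
        mapped, dropped = audit_gids(conf, "XXXXXX", SAMPLE_GROUPS)
        print(label, "mapped:", sorted(mapped), "dropped:", sorted(dropped))
```

Groups reported as dropped never reach 'id -a', so any file ACL or access decision keyed on them will not apply to the user.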