Samba 3.0.23pre1 Available for Download
William Jojo
jojowil at hvcc.edu
Tue Apr 25 12:51:23 GMT 2006
On Mon, 24 Apr 2006, Volker Lendecke wrote:
> On Mon, Apr 24, 2006 at 09:55:51AM -0400, William Jojo wrote:
>> - User ACDEV\billtest denied access to machine joined to DEVEX with
>> following log snip (this worked in 3.0.21c). [DEVEX trusts ACDEV. Seems that
>> ACDEV\billtest is being mapped to additional DEVEX-513 Domain User group
>> SID. DEVEX domain has "winbind trusted domains only=yes" since we get user
>> information from shared POSIX user LDAP database in the underlying AIX
>> infrastructure.]:
>
> To fully understand: All DCs are Samba, or is Windows
> involved? Can we get the debug level 10 logs of the complete
> auths on both DCs and the member?
>
All DCs are Samba. Trusted is 3.0.21c and trusting is 3.0.23pre1.
> S-1-5-21-3269597203-4174657902-3103009261 is the domain SID
> of ACDEV? And S-1-5-21-556488586-4065355411-3599285718 the
> one of DEVEX?
Correct.
>
> Do you use winbind?
>
Correct again, only on the trusting box. Not using idmap backend. Used to,
but not anymore, since we can get Samba to do algorithmic mapping on the
trusting box, which now maps to S-1-22-[12]-[uid|gid] (which, btw, rocks as
far as I'm concerned). The problem seems to be setting the default group
of the ACDEV\billtest user to the "DEVEX\Domain Users" group instead of
its POSIX gid.

We are doing the POSIX uid/gid in the LDAP tree shared by our AIX boxes.
This is necessary due to our reliance on single sign-on for proper cosmic
planetary alignment. :-)
> Volker
>
> P.S.: Thanks for testing!
>
Always my pleasure.

I'm picking up my wife and son at the airport in a few, so I'll get the
level 10 ASAP. Also, in the log, the winbindd auth was successful; it's
just a group mapping issue from what I've seen so far.
Cheers,
Bill
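
Added example, not part of the original message and not Samba code: a small Python check that classifies the SIDs discussed in this thread and flags a primary group SID that belongs to a different domain than the user. The two domain SIDs are the ones quoted above; the gid value, the function names and the rule that a Unix group SID is the expected primary group are assumptions made for illustration.

```python
from typing import NamedTuple, Optional

UNIX_USERS, UNIX_GROUPS = "S-1-22-1", "S-1-22-2"  # Samba's uid / gid SID prefixes
RID_DOMAIN_USERS = 513                            # well-known "Domain Users" RID

# Domain SIDs as quoted in the thread.
DOMAINS = {
    "S-1-5-21-3269597203-4174657902-3103009261": "ACDEV",
    "S-1-5-21-556488586-4065355411-3599285718": "DEVEX",
}

class Sid(NamedTuple):
    kind: str               # "unix-user", "unix-group", "domain" or "other"
    domain: Optional[str]   # domain name (or raw domain SID if unknown)
    rid: Optional[int]      # RID, or the uid/gid for Unix SIDs

def classify(sid: str) -> Sid:
    parts = sid.strip().split("-")
    if (len(parts) < 3 or parts[:2] != ["S", "1"]
            or not all(p.isdecimal() for p in parts[2:])):
        raise ValueError("not a revision-1 SID: %r" % sid)
    prefix, last = "-".join(parts[:-1]), int(parts[-1])
    if prefix == UNIX_USERS:
        return Sid("unix-user", None, last)
    if prefix == UNIX_GROUPS:
        return Sid("unix-group", None, last)
    # Domain account SID: S-1-5-21-<a>-<b>-<c>-<rid> is eight fields.
    if prefix.startswith("S-1-5-21-") and len(parts) == 8:
        return Sid("domain", DOMAINS.get(prefix, prefix), last)
    return Sid("other", None, None)

def primary_group_findings(user_domain: str, primary_group_sid: str) -> list:
    """Return a list of problems with the primary group SID of a user token."""
    g = classify(primary_group_sid)
    if g.kind == "unix-group":
        return []  # assumed expected result when gids come from POSIX/LDAP
    if g.kind == "unix-user":
        return ["primary group SID is a Unix *user* SID (uid %d)" % g.rid]
    if g.kind == "domain" and g.domain != user_domain:
        name = "Domain Users" if g.rid == RID_DOMAIN_USERS else "RID %d" % g.rid
        return ["primary group %s\\%s is outside user domain %s"
                % (g.domain, name, user_domain)]
    return []

if __name__ == "__main__":
    # Constructed input: ACDEV user whose primary group is DEVEX-513.
    devex_513 = "S-1-5-21-556488586-4065355411-3599285718-513"
    print(primary_group_findings("ACDEV", devex_513))
    print(primary_group_findings("ACDEV", "S-1-22-2-200"))  # gid 200 is made up
```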

More information about the samba-technical mailing list