Samba 3.0.23pre1 Available for Download

William Jojo jojowil at
Tue Apr 25 12:51:23 GMT 2006

On Mon, 24 Apr 2006, Volker Lendecke wrote:

> On Mon, Apr 24, 2006 at 09:55:51AM -0400, William Jojo wrote:
>> - User ACDEV\billtest denied access to machine joined to DEVEX with
>> following log snip (this worked in 3.0.21c). [DEVEX trusts ACDEV. Seems that
>> ACDEV\billtest is being mapped to additional DEVEX-513 Domain User group
>> SID. DEVEX domain has "winbind trusted domains only=yes" since we get user
>> information from shared POSIX user LDAP database in the underlying AIX
>> infrastructure.]:
> To fully understand: All DC's are Samba, or is Windows
> involved? Can we get the debug level 10 logs of the complete
> auths on both DCs and the member?

All DC's Samba, Trusted is 3.0.21c and trusting is 3.0.23pre1

> S-1-5-21-3269597203-4174657902-3103009261 is the domain SID
> of ACDEV? And S-1-5-21-556488586-4065355411-3599285718 the
> one of DEVEX?


> Do you use winbind?

Correct again, only on the trusting box. Not using idmap backend. Used to 
but not anymore since we can get Samba to do algorithmic mapping on the 
trusting box, which now maps to S-1-22-[12]-[uid|gid] (which, btw rocks as 
far as I'm concerned). The problem seems to be setting the default group 
of the ACDEV\billtest user to the "DEVEX\Domain Users" group instead of 
its POSIX gid.

We are doing the POSIX uid/gid in the LDAP tree shared by our AIX boxes. 
This is necessary due to our reliance on single sign on for proper cosmic 
planetary alignment. :-)

> Volker
> P.S.: Thanks for testing!

Always my pleasure.

I'm picking up my wife and son at the airport in a few, so I'll get the 
level 10 asap. Also, in the log, the winbindd auth was successful, it's 
just a group mapping issue from what I've seen so far.



More information about the samba-technical mailing list