samba 3.5.6: winbind: relation UNIX groups vs Windows domain groups

joris.weijters at lekkerland.nl joris.weijters at lekkerland.nl
Tue Feb 22 03:33:04 MST 2011


Due to a new implementation of the Microsoft domain infrastructure, an
upgrade from 2003 to 2008R2, We can't use our old Samba setup, where the
samba server could use Server security and user mappings to our AIX
environment, using an easy setup, we have to migrate to a new structure.
The only setup which seems to work is useing ADS Security.
However we now run into an other problem, the maximum amount of groups for
a user. In AIX 6.1 this is limited to 128.
There is a strange thing happening with groups however. This is what I
encounter

In the Windows AD i am in 30 groups.
however at the samba server I seem to be in 44 groups.
If I look at the samba server using wbinfo is see:


wbinfo -r j.weijters |wc -l
      44

wbinfo -n j.weijters
S-1-5-21-3557417485-523919932-4117696306-1580 SID_USER (1)

wbinfo --user-domgroups S-1-5-21-3557417485-523919932-4117696306-1580 |wc
-l
      30

This is the WINBID part of my smb.conf

# WINBIND
        winbind separator = +
        winbind normalize names = yes
        idmap uid = 10001-30000
        idmap gid = 10001-30000
        winbind enum users = yes
        winbind enum groups = yes
        winbind use default domain = yes
        winbind nested groups = no
        winbind expand groups = 0
        hide special files = Yes
        template homedir = /usrdata/home/%U
        template shell = /usr/bin/ksh
        load printers = No

What is the relation between the Windos groups and the Unix groups?





More information about the samba-technical mailing list