Winbindd and Domain local groups
steve at steve-ss.com
Tue Nov 5 04:50:16 MST 2013
On Tue, 2013-11-05 at 04:07 -0700, Solaiyappan Perichiappan wrote:
> I have been trying to use Winbindd in SLES 11 SP3 (Samba version 3.6.3-17.25.1) to fetch AD (Windows 2008 R2) identities into the Linux box and am currently running into some problems w.r.t. domain local groups, and thought I could get some help here.
> I have a two domain setup, in which DOMAIN1 is the parent domain and DOMAIN2 is the child domain. I have 2 users DOMAIN1\user1, DOMAIN2\user2 and they are part of a global group DOMAIN1\group1 and DOMAIN2\group2 respectively. I have joined my SLES box to the DOMAIN1 (net ads join -U Administrator). I have also created a new domain local group in DOMAIN2 called DOMAIN2\domainlocal2 and added DOMAIN1\group1 and DOMAIN2\group2 as members of this domain local group.
> With this setup, if I see wbinfo --user-sids=<SID of DOMAIN2\user2> or wbinfo --user-domgroups=<SID of DOMAIN2\user2>, I could see that the user is a member of DOMAIN2\domainlocal2 (along with the global group DOMAIN2\group2). But if I do the same thing for the user DOMAIN1\user1, I don't find DOMAIN2\domainlocal2 as a valid group (I could find the global group DOMAIN1\group1 in the list).
> The same test works for universal groups, but not for domain local groups.
> Is there something wrong with my setup or my understanding (I expect the domain local groups to be a part of valid groups)?
> Or is there anything more to it?
Can you post smb.conf? But FWIW, we had problems with group mapping on
openSUSE with 3.6.6 until we went with sssd instead of winbind.