[Samba] Problems w/ winbind and AD group membership

Ziller, James James.Ziller at qg.com
Mon Aug 2 21:08:28 GMT 2004 

Hello friends,

I am using samba to join a linux box to an active directory domain to
use as a file server.  I would like to be able to control access to
shares based on AD domain groups.  However, even though winbind seems to
be seeing the groups fine, samba is not granting access to users who are
members of the group. I am able to successfully join the system to the
domain and granting access to shares based on Windows usernames works
fine.

getent group returns:
QG+TEST:x:10029:QG+JZILLERA,QG+HPCHEUNGA,QG+FOLIVERA,QG+DDAWSONA,QG+PLYN
CHA

However an id lookup of my windows username doesn't list me as a group
member of QG+TEST.(shouldn't it?)

[root at smbsrv root]# id qg+jzillera
uid=10002(QG+JZILLERA) gid=10000(QG+Domain Users) groups=10000(QG+Domain
Users)

System Details:
Redhat 9
samba-3.0.5-2
krb5-libs-1.2.7-10
krb5-devel-1.2.7-10
krb5-workstation-1.2.7-10
pam_krb5-1.60-1

[root at smbsrv root]# wbinfo -t
checking the trust secret via RPC calls succeeded

[root at smbsrv root]# testparm
Load smb config files from /etc/samba/smb.conf
Processing section "[test]"
Loaded services file OK.
Server role: ROLE_DOMAIN_MEMBER
Press enter to see a dump of your service definitions
 
# Global parameters
[global]
        workgroup = QG
        realm = QG.COM
        server string = Samba Server
        security = ADS
        obey pam restrictions = Yes
        password server = wadc2
        log file = /var/log/samba/log.%m
        max log size = 50
        load printers = No
        printcap name = /etc/printcap
        local master = No
        domain master = No
        dns proxy = No
        wins support = Yes
        idmap uid = 10000-30000
        idmap gid = 10000-30000
        winbind separator = +  (tried with # and \ as well)
        winbind use default domain = Yes (tried with No)
 
[test]
        comment = testing
        path = /mnt/qdsfsl01/resources/testing
        valid users = @QG+TEST
        write list = @QG+TEST

Winbind logs show nothing that indicates any error, even when run with
debug level 3.  Ive been beating myself over the head with this problem
for months...any help or suggestions would be greatly appreciated. 

Thanks!

James Ziller
Systems Administrator

Quad/Graphics - Q/DS
West Allis, Wisconsin
james.ziller at qg.com

More information about the samba mailing list