[Samba] Problems w/ winbind and AD group membership

Paul Gienger pgienger at ae-solutions.com
Mon Aug 2 21:13:05 GMT 2004 

What does your nsswitch.conf file look like?  Also, there's the issue of 
your krb libraries.  I believe it's been stated that you need to be 
using MIT krb >= 1.3.

Ziller, James wrote:

>Hello friends,
>
>I am using samba to join a linux box to an active directory domain to
>use as a file server.  I would like to be able to control access to
>shares based on AD domain groups.  However, even though winbind seems to
>be seeing the groups fine, samba is not granting access to users who are
>members of the group. I am able to successfully join the system to the
>domain and granting access to shares based on Windows usernames works
>fine.
>
>getent group returns:
>QG+TEST:x:10029:QG+JZILLERA,QG+HPCHEUNGA,QG+FOLIVERA,QG+DDAWSONA,QG+PLYN
>CHA
>
>However an id lookup of my windows username doesn't list me as a group
>member of QG+TEST.(shouldn't it?)
>
>[root at smbsrv root]# id qg+jzillera
>uid=10002(QG+JZILLERA) gid=10000(QG+Domain Users) groups=10000(QG+Domain
>Users)
>
>System Details:
>Redhat 9
>samba-3.0.5-2
>krb5-libs-1.2.7-10
>krb5-devel-1.2.7-10
>krb5-workstation-1.2.7-10
>pam_krb5-1.60-1
>
>[root at smbsrv root]# wbinfo -t
>checking the trust secret via RPC calls succeeded
>
>[root at smbsrv root]# testparm
>Load smb config files from /etc/samba/smb.conf
>Processing section "[test]"
>Loaded services file OK.
>Server role: ROLE_DOMAIN_MEMBER
>Press enter to see a dump of your service definitions
> 
># Global parameters
>[global]
>        workgroup = QG
>        realm = QG.COM
>        server string = Samba Server
>        security = ADS
>        obey pam restrictions = Yes
>        password server = wadc2
>        log file = /var/log/samba/log.%m
>        max log size = 50
>        load printers = No
>        printcap name = /etc/printcap
>        local master = No
>        domain master = No
>        dns proxy = No
>        wins support = Yes
>        idmap uid = 10000-30000
>        idmap gid = 10000-30000
>        winbind separator = +  (tried with # and \ as well)
>        winbind use default domain = Yes (tried with No)
> 
>[test]
>        comment = testing
>        path = /mnt/qdsfsl01/resources/testing
>        valid users = @QG+TEST
>        write list = @QG+TEST
>
>Winbind logs show nothing that indicates any error, even when run with
>debug level 3.  Ive been beating myself over the head with this problem
>for months...any help or suggestions would be greatly appreciated. 
>
>Thanks!
>
>James Ziller
>Systems Administrator
>
>Quad/Graphics - Q/DS
>West Allis, Wisconsin
>james.ziller at qg.com
>
>  
>

-- 
Paul Gienger                     Office: 701-281-1884
Applied Engineering Inc.         
Information Systems Consultant   Fax:    701-281-1322
URL: www.ae-solutions.com        mailto: pgienger at ae-solutions.com

More information about the samba mailing list