[Samba] Problems w/ winbind and AD group membership

Ziller, James James.Ziller at qg.com
Tue Aug 3 13:49:35 GMT 2004


Thanks for the reply.  I installed MIT kerberos 1.3.1 and rejoined
the domain.  Still can't access the share based on domain groups.  My
nsswitch.conf file looks like:

passwd:     files winbind ldap
shadow:     files ldap
group:      files winbind ldap

I have also tried swapping around the order.

-James

-----Original Message-----
From: Paul Gienger [mailto:pgienger at ae-solutions.com] 
Sent: Monday, August 02, 2004 4:13 PM
To: Ziller, James
Cc: samba at lists.samba.org
Subject: Re: [Samba] Problems w/ winbind and AD group membership


What does your nsswitch.conf file look like?  Also, there's the issue of
your krb libraries.  I believe it's been stated that you need to be
using MIT krb >= 1.3.

Ziller, James wrote:

>Hello friends,
>
>I am using samba to join a linux box to an active directory domain to 
>use as a file server.  I would like to be able to control access to 
>shares based on AD domain groups.  However, even though winbind seems 
>to be seeing the groups fine, samba is not granting access to users who
>are members of the group. I am able to successfully join the system to 
>the domain and granting access to shares based on Windows usernames 
>works fine.
>
>getent group returns:
>QG+TEST:x:10029:QG+JZILLERA,QG+HPCHEUNGA,QG+FOLIVERA,QG+DDAWSONA,QG+PLY
>QG+N
>CHA
>
>However an id lookup of my windows username doesn't list me as a group 
>member of QG+TEST. (shouldn't it?)
>
>[root at smbsrv root]# id qg+jzillera
>uid=10002(QG+JZILLERA) gid=10000(QG+Domain Users) groups=10000(QG+Domain Users)
>
>System Details:
>Redhat 9
>samba-3.0.5-2
>krb5-libs-1.2.7-10
>krb5-devel-1.2.7-10
>krb5-workstation-1.2.7-10
>pam_krb5-1.60-1
>
>[root at smbsrv root]# wbinfo -t
>checking the trust secret via RPC calls succeeded
>
>[root at smbsrv root]# testparm
>Load smb config files from /etc/samba/smb.conf
>Processing section "[test]"
>Loaded services file OK.
>Server role: ROLE_DOMAIN_MEMBER
>Press enter to see a dump of your service definitions
> 
># Global parameters
>[global]
>        workgroup = QG
>        realm = QG.COM
>        server string = Samba Server
>        security = ADS
>        obey pam restrictions = Yes
>        password server = wadc2
>        log file = /var/log/samba/log.%m
>        max log size = 50
>        load printers = No
>        printcap name = /etc/printcap
>        local master = No
>        domain master = No
>        dns proxy = No
>        wins support = Yes
>        idmap uid = 10000-30000
>        idmap gid = 10000-30000
>        winbind separator = +  (tried with # and \ as well)
>        winbind use default domain = Yes (tried with No)
> 
>[test]
>        comment = testing
>        path = /mnt/qdsfsl01/resources/testing
>        valid users = @QG+TEST
>        write list = @QG+TEST
>
>Winbind logs show nothing that indicates any error, even when run with 
>debug level 3.  I've been beating myself over the head with this problem
>for months...any help or suggestions would be greatly appreciated.
>
>Thanks!
>
>James Ziller
>Systems Administrator
>
>Quad/Graphics - Q/DS
>West Allis, Wisconsin
>james.ziller at qg.com
>
>  
>

-- 
Paul Gienger                     Office: 701-281-1884
Applied Engineering Inc.         
Information Systems Consultant   Fax:    701-281-1322
URL: www.ae-solutions.com        mailto: pgienger at ae-solutions.com
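
Added example, not part of the original thread: a small Python check for the symptom described above, where `getent group` lists a user as a group member but `id` for that user does not report the group. The function names are this example's own; the sample input is the output quoted in the post.

```python
import re
import subprocess
import sys

# Sample input: the group line and id output quoted in the post (the member
# whose name is broken across lines in the archive is left out).
SAMPLE_GROUPS = ["QG+TEST:x:10029:QG+JZILLERA,QG+HPCHEUNGA,QG+FOLIVERA,QG+DDAWSONA"]
SAMPLE_ID = ("uid=10002(QG+JZILLERA) gid=10000(QG+Domain Users) "
             "groups=10000(QG+Domain Users)")


def parse_group_line(line):
    """Split one `getent group` line into (name, gid, [members])."""
    name, _passwd, gid, members = line.strip().split(":", 3)
    return name, int(gid), [m for m in members.split(",") if m]


def parse_id_output(text):
    """Return (user, {gid: name}) from `id USER` output; names may hold spaces."""
    text = " ".join(text.split())  # undo mail-style line wrapping
    user = re.search(r"uid=\d+\(([^)]*)\)", text).group(1)
    groups = re.search(r"groups=(\S.*)", text)
    pairs = re.findall(r"(\d+)\(([^)]*)\)", groups.group(1)) if groups else []
    return user, {int(gid): name for gid, name in pairs}


def missing_memberships(group_lines, id_text):
    """Groups that list the user as a member but are absent from `id`."""
    user, resolved = parse_id_output(id_text)
    missing = []
    for line in filter(str.strip, group_lines):
        name, gid, members = parse_group_line(line)
        # Windows account names are case-insensitive, so compare folded.
        if user.casefold() in (m.casefold() for m in members) and gid not in resolved:
            missing.append((name, gid))
    return missing


def run(cmd):
    return subprocess.run(cmd, capture_output=True, text=True, check=True).stdout


if __name__ == "__main__":
    if len(sys.argv) > 1:  # live check: pass the user name as the argument
        groups, id_text = run(["getent", "group"]).splitlines(), run(["id", sys.argv[1]])
    else:
        groups, id_text = SAMPLE_GROUPS, SAMPLE_ID
    for name, gid in missing_memberships(groups, id_text):
        print(f"{name} (gid {gid}) lists the user but id does not report it")
```

Run without arguments it evaluates the sample from the post; with a user name it queries the local NSS configuration through `getent` and `id`.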



