[Samba] Winbind being flakey

Ziller, James James.Ziller at qg.com
Wed Aug 4 12:46:22 GMT 2004


After some more screwing around with leaving and rejoining the ADS
domain I was finally able to access a share with "valid users =" set to
a domain group I was a member of. The _only_ change I made after this
was to add yet another group to the valid users on the share and restart
samba...after that I could no longer access the share.   I removed the
additional group, restarted samba and could still not access the share.
I then tried adding my domain username to "valid users=" and it worked
fine.  So I'm back in the same boat again, users work, groups don't.  Has
anyone seen this problem before? Or does anyone have advice for tracking
down the root of this problem?  I've had this problem with samba 3.0.4
and samba 3.0.5, recently upgraded kerberos from 1.2.7 to 1.3.3 but see
no difference. Running winbindd in debug doesn't seem to indicate any
problem.  Here's the output of winbindd anyway, with debug level 3 after
a failed login attempt from windows:

[ 2627]: getgrnam QG+TEST
rpc: name_to_sid name=TEST
name_to_sid [rpc] TEST for domain QG
ads: dn_lookup
ads: dn_lookup
ads: dn_lookup
ads: dn_lookup
ads: dn_lookup
ads lookup_groupmem for sid=S-1-5-21-842925246-1647877149-1417001333-57015
[ 2627]: getgrnam QG+TEST
[ 2627]: getgrnam QG+TEST
[ 2629]: request interface version
[ 2629]: request location of privileged pipe
[ 2629]: domain_info [QG.COM]
[ 2629]: getpwnam qg+jzillera
rpc: name_to_sid name=jzillera
name_to_sid [rpc] jzillera for domain QG
ads: query_user
ads query_user gave JZILLERA
[ 2629]: getgroups QG+jzillera
sid_to_name [rpc] S-1-5-21-842925246-1647877149-1417001333-29979 for domain QG
sid_to_name [rpc] S-1-5-21-842925246-1647877149-1417001333-53735 for domain QG
sid_to_name [rpc] S-1-5-21-842925246-1647877149-1417001333-29156 for domain QG
sid_to_name [rpc] S-1-5-21-842925246-1647877149-1417001333-55130 for domain QG
sid_to_name [rpc] S-1-5-21-842925246-1647877149-1417001333-20629 for domain QG
[ 2629]: gid to sid 10002
[ 2629]: gid to sid 10003
[ 2629]: gid to sid 10004
[ 2629]: gid to sid 10005
[ 2629]: gid to sid 10006
[ 2629]: gid to sid 10007
[ 2629]: gid to sid 10008
[ 2629]: gid to sid 10009
[ 2629]: gid to sid 10010
[ 2629]: gid to sid 10011
[ 2629]: gid to sid 10012
[ 2629]: gid to sid 10013
[ 2629]: gid to sid 10014
[ 2629]: gid to sid 10015
[ 2629]: gid to sid 10016
[ 2629]: gid to sid 10017
[ 2629]: gid to sid 10018
[ 2629]: gid to sid 10019
[ 2629]: gid to sid 10020
[ 2629]: gid to sid 10021
[ 2629]: gid to sid 10022
[ 2629]: gid to sid 10023
[ 2629]: gid to sid 10024
[ 2629]: gid to sid 10025
[ 2629]: gid to sid 10026
[ 2629]: gid to sid 10027
[ 2629]: gid to sid 10028
[ 2629]: gid to sid 10029
[ 2629]: gid to sid 10030
[ 2629]: gid to sid 10031
[ 2629]: gid to sid 10032
[ 2629]: gid to sid 10033
[ 2629]: getpwnam QG+jzillera
[ 2629]: getgrnam QG+TEST

That's it.

Again, the output of 'getent group' shows my user as being a member of
QG+TEST:

QG+TEST:x:10000:QG+JZILLERA

	If you would like any more info please ask....thanks!

	-James

>  -----Original Message-----
> From: 	Ziller, James  
> Sent:	Monday, August 02, 2004 4:08 PM
> To:	'samba at lists.samba.org'
> Subject:	Problems w/ winbind and AD group membership
> 
> Hello friends,
> 
> I am using samba to join a linux box to an active directory domain to
> use as a file server.  I would like to be able to control access to
> shares based on AD domain groups.  However, even though winbind seems
> to be seeing the groups fine, samba is not granting access to users
> who are members of the group. I am able to successfully join the
> system to the domain and granting access to shares based on Windows
> usernames works fine.
> 
> getent group returns:
> QG+TEST:x:10029:QG+JZILLERA,QG+HPCHEUNGA,QG+FOLIVERA,QG+DDAWSONA,QG+PLYNCHA
> 
> However an id lookup of my windows username doesn't list me as a group
> member of QG+TEST. (Shouldn't it?)
> 
> [root at smbsrv root]# id qg+jzillera
> uid=10002(QG+JZILLERA) gid=10000(QG+Domain Users)
> groups=10000(QG+Domain Users)
> 
> System Details:
> Redhat 9
> samba-3.0.5-2
> krb5-libs-1.2.7-10
> krb5-devel-1.2.7-10
> krb5-workstation-1.2.7-10
> pam_krb5-1.60-1
> 
> [root at smbsrv root]# wbinfo -t
> checking the trust secret via RPC calls succeeded
> 
> [root at smbsrv root]# testparm
> Load smb config files from /etc/samba/smb.conf
> Processing section "[test]"
> Loaded services file OK.
> Server role: ROLE_DOMAIN_MEMBER
> Press enter to see a dump of your service definitions
>  
> # Global parameters
> [global]
>         workgroup = QG
>         realm = QG.COM
>         server string = Samba Server
>         security = ADS
>         obey pam restrictions = Yes
>         password server = wadc2
>         log file = /var/log/samba/log.%m
>         max log size = 50
>         load printers = No
>         printcap name = /etc/printcap
>         local master = No
>         domain master = No
>         dns proxy = No
>         wins support = Yes
>         idmap uid = 10000-30000
>         idmap gid = 10000-30000
>         winbind separator = +  (tried with # and \ as well)
>         winbind use default domain = Yes (tried with No)
>  
> [test]
>         comment = testing
>         path = /mnt/qdsfsl01/resources/testing
>         valid users = @QG+TEST
>         write list = @QG+TEST
> 
> Winbind logs show nothing that indicates any error, even when run with
> debug level 3.  I've been beating myself over the head with this
> problem for months...any help or suggestions would be greatly
> appreciated. 
> 
> Thanks!
> 
> James Ziller
> Systems Administrator
> 
> Quad/Graphics - Q/DS
> West Allis, Wisconsin
> james.ziller at qg.com
> 
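
The mismatch described in the thread, where `getent group` lists the user as a member but `id` does not report the group, can be checked mechanically. The script below is an added example, not part of the original post; the function names are hypothetical and the two sample lines are constructed from the outputs quoted above.

```shell
#!/bin/sh
# Added example: compare the two views of group membership quoted in the thread.
# Sample lines are constructed from the getent/id output in the post.
GETENT_LINE='QG+TEST:x:10029:QG+JZILLERA,QG+HPCHEUNGA,QG+FOLIVERA,QG+DDAWSONA,QG+PLYNCHA'
ID_LINE='uid=10002(QG+JZILLERA) gid=10000(QG+Domain Users) groups=10000(QG+Domain Users)'

# Compare case-insensitively (the log shows both qg+jzillera and QG+JZILLERA).
lower() { printf '%s' "$1" | tr '[:upper:]' '[:lower:]'; }

# in_getent_group USER GROUP LINE: true if LINE is GROUP's entry and field 4 lists USER.
in_getent_group() {
    name=$(printf '%s' "$3" | cut -d: -f1)
    [ "$(lower "$name")" = "$(lower "$2")" ] || return 1
    printf '%s\n' "$3" | cut -d: -f4 | tr ',' '\n' | tr '[:upper:]' '[:lower:]' |
        grep -Fxq -- "$(lower "$1")"
}

# in_id_groups GROUP LINE: true if the groups= list of an `id` line names GROUP.
in_id_groups() {
    list=${2#*groups=}
    printf '%s\n' "$list" | tr ',' '\n' | sed 's/^[0-9]*(\(.*\))$/\1/' |
        tr '[:upper:]' '[:lower:]' | grep -Fxq -- "$(lower "$1")"
}

# membership_status USER GROUP GETENT_LINE ID_LINE: print which views agree.
membership_status() {
    if in_getent_group "$1" "$2" "$3"; then g=yes; else g=no; fi
    if in_id_groups "$2" "$4"; then i=yes; else i=no; fi
    case "$g/$i" in
        yes/yes) echo consistent-member ;;
        no/no)   echo consistent-nonmember ;;
        yes/no)  echo mismatch-getent-only ;;
        no/yes)  echo mismatch-id-only ;;
    esac
}

membership_status 'qg+jzillera' 'QG+TEST' "$GETENT_LINE" "$ID_LINE"
```

On a live system, pass `"$(getent group 'QG+TEST')"` and `"$(id 'qg+jzillera')"` as the last two arguments instead of the sample lines.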

