[Samba] Problems w/ winbind and AD group membership

Ziller, James James.Ziller at qg.com
Wed Aug 4 15:19:07 GMT 2004


I just checked...my user is only a member of 6 groups...so this doesn't
appear to be my problem.  I have also tried using the group "Domain
Users" with no luck.

-james

-----Original Message-----
From: Charles Bueche [mailto:charles at bueche.ch] 
Sent: Wednesday, August 04, 2004 7:57 AM
To: Ziller, James
Cc: samba at lists.samba.org
Subject: Re: [Samba] Problems w/ winbind and AD group membership


Hi,

I have the same problem when a user is member of more than 16 windows
groups, the list returned by winbind is greater than the max of 16 in
Solaris (can be brought to 32 when you accept to break NFS) (or 32 in
linux IIRC).

If the group you check is in the first 16, it works. In the place I made
this setup, users are members of 30-80 windows groups. I know it's dumb,
but I can't fix it.

I ended up using "preexec" and "preexec close" and check for group
membership using LDAP. Ugly, isn't it?

Charles

On Mon, 2 Aug 2004 16:08:28 -0500
"Ziller, James" <James.Ziller at qg.com> wrote:

> Hello friends,
> 
> I am using samba to join a linux box to an active directory domain to 
> use as a file server.  I would like to be able to control access to 
> shares based on AD domain groups.  However, even though winbind seems 
> to be seeing the groups fine, samba is not granting access to users 
> who are members of the group. I am able to successfully join the 
> system to the domain and granting access to shares based on Windows 
> usernames works fine.
> 
> getent group returns:
> QG+TEST:x:10029:QG+JZILLERA,QG+HPCHEUNGA,QG+FOLIVERA,QG+DDAWSONA,QG+P
> LYN CHA
> 
> However an id lookup of my windows username doesn't list me as a group
> member of QG+TEST. (Shouldn't it?)
> 
> [root@smbsrv root]# id qg+jzillera
> uid=10002(QG+JZILLERA) gid=10000(QG+Domain Users) 
> groups=10000(QG+Domain Users)
> 
> System Details:
> Redhat 9
> samba-3.0.5-2
> krb5-libs-1.2.7-10
> krb5-devel-1.2.7-10
> krb5-workstation-1.2.7-10
> pam_krb5-1.60-1
> 
> [root@smbsrv root]# wbinfo -t
> checking the trust secret via RPC calls succeeded
> 
> [root@smbsrv root]# testparm
> Load smb config files from /etc/samba/smb.conf
> Processing section "[test]"
> Loaded services file OK.
> Server role: ROLE_DOMAIN_MEMBER
> Press enter to see a dump of your service definitions
>  
> # Global parameters
> [global]
>         workgroup = QG
>         realm = QG.COM
>         server string = Samba Server
>         security = ADS
>         obey pam restrictions = Yes
>         password server = wadc2
>         log file = /var/log/samba/log.%m
>         max log size = 50
>         load printers = No
>         printcap name = /etc/printcap
>         local master = No
>         domain master = No
>         dns proxy = No
>         wins support = Yes
>         idmap uid = 10000-30000
>         idmap gid = 10000-30000
>         winbind separator = +  (tried with # and \ as well)
>         winbind use default domain = Yes (tried with No)
>  
> [test]
>         comment = testing
>         path = /mnt/qdsfsl01/resources/testing
>         valid users = @QG+TEST
>         write list = @QG+TEST
> 
> Winbind logs show nothing that indicates any error, even when run with
> debug level 3.  I've been beating myself over the head with this 
> problem for months...any help or suggestions would be greatly 
> appreciated.
> 
> Thanks!
> 
> James Ziller
> Systems Administrator
> 
> Quad/Graphics - Q/DS
> West Allis, Wisconsin
> james.ziller at qg.com
> 


-- 
Charles Bueche <charles at bueche.ch>
sand, snow, wave, wind and net -surfer
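
The two situations discussed in this thread (a group missing from `id` because the user is at the supplementary group limit, versus missing while far below it) can be told apart with a small check. This is an added example, not part of either poster's message; the function names are hypothetical, the sample strings are constructed from the output quoted in the post, and the limit is passed in as a parameter.

```shell
#!/bin/sh
# Added example. Inputs are strings so it runs offline; on a live host pass
# "$(getent group NAME)", "$(id USER)" and "$(getconf NGROUPS_MAX)".

# Constructed samples, abbreviated from the output quoted in the post.
SAMPLE_GROUP='QG+TEST:x:10029:QG+JZILLERA,QG+HPCHEUNGA,QG+FOLIVERA,QG+DDAWSONA'
SAMPLE_ID='uid=10002(QG+JZILLERA) gid=10000(QG+Domain Users) groups=10000(QG+Domain Users)'

# 0 if USER is in the member field (4th) of a getent group line, ignoring case.
in_member_list() {
    user_uc=$(printf '%s' "$2" | tr '[:lower:]' '[:upper:]')
    printf '%s\n' "$1" | cut -d: -f4 | tr ',' '\n' |
        tr '[:lower:]' '[:upper:]' | grep -Fqx -e "$user_uc"
}

# Print the numeric gids from the groups= list of id output, one per line.
id_gids() {
    printf '%s\n' "$1" | sed -n 's/.*groups=//p' | tr ',' '\n' | sed 's/(.*//'
}

# check_membership GROUP_LINE ID_OUTPUT USER LIMIT
# Prints one of: not-listed, ok, missing-at-limit, missing-below-limit.
check_membership() {
    gid=$(printf '%s\n' "$1" | cut -d: -f3)
    n=$(id_gids "$2" | grep -c . || true)
    if ! in_member_list "$1" "$3"; then
        echo "not-listed"            # group database does not name the user
    elif id_gids "$2" | grep -Fqx -e "$gid"; then
        echo "ok"                    # both views agree
    elif [ "$n" -ge "$4" ]; then
        echo "missing-at-limit"      # list is full: truncation is plausible
    else
        echo "missing-below-limit"   # truncation does not explain the gap
    fi
}

# The sample from the post: listed in QG+TEST, but id shows one group only.
check_membership "$SAMPLE_GROUP" "$SAMPLE_ID" qg+jzillera 16
```
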

