[Samba] Winbind being flakey

Ziller, James James.Ziller at qg.com
Thu Aug 5 19:33:00 GMT 2004


I'm only in 6 Windows groups...:/

-----Original Message-----
From: Charles Bueche [mailto:charles at bueche.ch] 
Sent: Wednesday, August 04, 2004 2:11 PM
To: Ziller, James
Cc: samba at lists.samba.org
Subject: Re: [Samba] Winbind being flakey


Hi,

You max out the 32 group limit of your UNIX (02-33), and the group you
want is over 33. Check how many Windows groups you are in.

Charles

On Wed, 4 Aug 2004 07:46:22 -0500
"Ziller, James" <James.Ziller at qg.com> wrote:

> After some more screwing around with leaving and rejoining the ADS 
> domain I was finally able to access a share with "valid users =" set 
> to a domain group I was a member of. The _only_ change I made after 
> this was to add yet another group to the valid users on the share and
> restart samba...after that I could no longer access the share.   I
> removed the additional group, restarted samba and could still not 
> access the share. I then tried adding my domain username to "valid 
> users=" and it worked fine.  So I'm back in the same boat again, users 
> work, groups don't.  Has anyone seen this problem before? Or does 
> anyone have advice for tracking down the root of this problem?  I've 
> had this problem with samba 3.0.4 and samba 3.0.5, recently upgraded 
> kerberos from 1.2.7 to 1.3.3 but see no difference. Running winbindd 
> in debug doesn't seem to indicate any problem.  Here's the output of 
> winbindd anyway, with debug level 3 after a failed login attempt from
> windows:
> 
> [ 2627]: getgrnam QG+TEST
> rpc: name_to_sid name=TEST
> name_to_sid [rpc] TEST for domain QG
> ads: dn_lookup
> ads: dn_lookup
> ads: dn_lookup
> ads: dn_lookup
> ads: dn_lookup
> ads lookup_groupmem for sid=S-1-5-21-842925246-1647877149-1417001333-57015
> [ 2627]: getgrnam QG+TEST
> [ 2627]: getgrnam QG+TEST
> [ 2629]: request interface version
> [ 2629]: request location of privileged pipe
> [ 2629]: domain_info [QG.COM]
> [ 2629]: getpwnam qg+jzillera
> rpc: name_to_sid name=jzillera
> name_to_sid [rpc] jzillera for domain QG
> ads: query_user
> ads query_user gave JZILLERA
> [ 2629]: getgroups QG+jzillera
> sid_to_name [rpc] S-1-5-21-842925246-1647877149-1417001333-29979 for domain QG
> sid_to_name [rpc] S-1-5-21-842925246-1647877149-1417001333-53735 for domain QG
> sid_to_name [rpc] S-1-5-21-842925246-1647877149-1417001333-29156 for domain QG
> sid_to_name [rpc] S-1-5-21-842925246-1647877149-1417001333-55130 for domain QG
> sid_to_name [rpc] S-1-5-21-842925246-1647877149-1417001333-20629 for domain QG
> [ 2629]: gid to sid 10002
> [ 2629]: gid to sid 10003
> [ 2629]: gid to sid 10004
> [ 2629]: gid to sid 10005
> [ 2629]: gid to sid 10006
> [ 2629]: gid to sid 10007
> [ 2629]: gid to sid 10008
> [ 2629]: gid to sid 10009
> [ 2629]: gid to sid 10010
> [ 2629]: gid to sid 10011
> [ 2629]: gid to sid 10012
> [ 2629]: gid to sid 10013
> [ 2629]: gid to sid 10014
> [ 2629]: gid to sid 10015
> [ 2629]: gid to sid 10016
> [ 2629]: gid to sid 10017
> [ 2629]: gid to sid 10018
> [ 2629]: gid to sid 10019
> [ 2629]: gid to sid 10020
> [ 2629]: gid to sid 10021
> [ 2629]: gid to sid 10022
> [ 2629]: gid to sid 10023
> [ 2629]: gid to sid 10024
> [ 2629]: gid to sid 10025
> [ 2629]: gid to sid 10026
> [ 2629]: gid to sid 10027
> [ 2629]: gid to sid 10028
> [ 2629]: gid to sid 10029
> [ 2629]: gid to sid 10030
> [ 2629]: gid to sid 10031
> [ 2629]: gid to sid 10032
> [ 2629]: gid to sid 10033
> [ 2629]: getpwnam QG+jzillera
> [ 2629]: getgrnam QG+TEST
> 
> That's it.
> 
> Again, the output of 'getent group' shows my user as being a member of
> QG+TEST:
> 
> QG+TEST:x:10000:QG+JZILLERA
> 
> 	If you would like any more info please ask....thanks!
> 
> 	-James
> 
> >  -----Original Message-----
> > From: 	Ziller, James  
> > Sent:	Monday, August 02, 2004 4:08 PM
> > To:	'samba at lists.samba.org'
> > Subject:	Problems w/ winbind and AD group membership
> > 
> > Hello friends,
> > 
> > I am using samba to join a linux box to an active directory domain 
> > to use as a file server.  I would like to be able to control access 
> > to shares based on AD domain groups.  However, even though winbind 
> > seems to be seeing the groups fine, samba is not granting access to 
> > users who are members of the group. I am able to successfully join 
> > the system to the domain and granting access to shares based on 
> > Windows usernames works fine.
> > 
> > getent group returns:
> > QG+TEST:x:10029:QG+JZILLERA,QG+HPCHEUNGA,QG+FOLIVERA,QG+DDAWSONA,QG+PLYNCHA
> > 
> > However an id lookup of my windows username doesn't list me as a 
> > group member of QG+TEST.(shouldn't it?)
> > 
> > [root at smbsrv root]# id qg+jzillera
> > uid=10002(QG+JZILLERA) gid=10000(QG+Domain Users) groups=10000(QG+Domain Users)
> > 
> > System Details:
> > Redhat 9
> > samba-3.0.5-2
> > krb5-libs-1.2.7-10
> > krb5-devel-1.2.7-10
> > krb5-workstation-1.2.7-10
> > pam_krb5-1.60-1
> > 
> > [root at smbsrv root]# wbinfo -t
> > checking the trust secret via RPC calls succeeded
> > 
> > [root at smbsrv root]# testparm
> > Load smb config files from /etc/samba/smb.conf
> > Processing section "[test]"
> > Loaded services file OK.
> > Server role: ROLE_DOMAIN_MEMBER
> > Press enter to see a dump of your service definitions
> >  
> > # Global parameters
> > [global]
> >         workgroup = QG
> >         realm = QG.COM
> >         server string = Samba Server
> >         security = ADS
> >         obey pam restrictions = Yes
> >         password server = wadc2
> >         log file = /var/log/samba/log.%m
> >         max log size = 50
> >         load printers = No
> >         printcap name = /etc/printcap
> >         local master = No
> >         domain master = No
> >         dns proxy = No
> >         wins support = Yes
> >         idmap uid = 10000-30000
> >         idmap gid = 10000-30000
> >         winbind separator = +  (tried with # and \ as well)
> >         winbind use default domain = Yes (tried with No)
> >  
> > [test]
> >         comment = testing
> >         path = /mnt/qdsfsl01/resources/testing
> >         valid users = @QG+TEST
> >         write list = @QG+TEST
> > 
> > Winbind logs show nothing that indicates any error, even when run 
> > with debug level 3.  I've been beating myself over the head with this
> > problem for months...any help or suggestions would be greatly 
> > appreciated.
> > 
> > Thanks!
> > 
> > James Ziller
> > Systems Administrator
> > 
> > Quad/Graphics - Q/DS
> > West Allis, Wisconsin
> > james.ziller at qg.com
> > 


-- 
Charles Bueche <charles at bueche.ch>
sand, snow, wave, wind and net -surfer
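
Added example (not part of the original thread): a shell/awk helper that counts the distinct `gid to sid` lookups winbindd logs per request, then reports whether the count reaches the supplementary-group limit raised in the reply and whether a given gid was among them. The function names, the sample log and request 2700 are constructed; the default of 32 is taken from the reply, and `getconf NGROUPS_MAX` gives the local value.

```shell
#!/bin/sh
# Added example, not from the thread. Usage:
#   gid_lookup_summary TARGET_GID [LIMIT] < winbindd-debug-output
# LIMIT defaults to the local NGROUPS_MAX (32 if getconf is unavailable).
gid_lookup_summary() {
    target=$1
    limit=${2:-$(getconf NGROUPS_MAX 2>/dev/null || echo 32)}
    awk -v target="$target" -v limit="$limit" '
        # Matches "[ 2629]: gid to sid 10002", with or without ">" quoting.
        /gid to sid [0-9]+[ \t]*$/ {
            line = $0
            sub(/^[> \t]*/, "", line)                 # strip mail quoting
            pid = line
            sub(/^\[ */, "", pid); sub(/\].*/, "", pid)
            gid = line
            sub(/.*gid to sid /, "", gid); sub(/[ \t]*$/, "", gid)
            if (!((pid, gid) in seen)) {              # count each gid once
                seen[pid, gid] = 1
                count[pid]++
            }
            if (gid == target) hit[pid] = 1
        }
        END {
            for (pid in count)
                printf "pid=%s gids=%d at_limit=%s target_seen=%s\n",
                    pid, count[pid],
                    (count[pid] >= limit ? "yes" : "no"),
                    ((pid in hit) ? "yes" : "no")
        }' | sort
}

# Constructed sample in the format of the quoted log: request 2629 resolves
# gids 10002-10033; request 2700 is invented to show the other outcome.
sample_log() {
    echo '> [ 2629]: getgroups QG+jzillera'
    i=10002
    while [ "$i" -le 10033 ]; do
        echo "> [ 2629]: gid to sid $i"
        i=$((i + 1))
    done
    echo '[ 2700]: gid to sid 10000'
    echo '[ 2700]: gid to sid 10002'
}

sample_log | gid_lookup_summary 10000 32
```

Pass the gid that `getent group` shows for the group named in `valid users` as TARGET_GID, and feed the function the winbindd debug output captured during a failed connection.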

