[Samba] Winbind being flakey
Ziller, James
James.Ziller at qg.com
Thu Aug 5 19:33:00 GMT 2004
I'm only in 6 Windows groups... :/
-----Original Message-----
From: Charles Bueche [mailto:charles at bueche.ch]
Sent: Wednesday, August 04, 2004 2:11 PM
To: Ziller, James
Cc: samba at lists.samba.org
Subject: Re: [Samba] Winbind being flakey
Hi,
you max out the 32 group limit of your UNIX (02-33), and the group you
want is over 33. Check how many Windows groups you are in.
Charles
On Wed, 4 Aug 2004 07:46:22 -0500
"Ziller, James" <James.Ziller at qg.com> wrote:
> After some more screwing around with leaving and rejoining the ADS
> domain I was finally able to access a share with "valid users =" set
> to a domain group I was a member of. The _only_ change I made after
> this was to add yet another group to the valid users on the share and
> restart samba...after that I could no longer access the share. I
> removed the additional group, restarted samba and could still not
> access the share. I then tried adding my domain username to "valid
> users=" and it worked fine. So I'm back in the same boat again, users
> work, groups don't. Has anyone seen this problem before? Or does
> anyone have advice for tracking down the root of this problem. I've
> had this problem with samba 3.0.4 and samba 3.0.5, recently upgraded
> kerberos from 1.2.7 to 1.3.3 but see no difference. Running winbindd
> in debug doesn't seem to indicate any problem. Here's the output of
> winbindd anyway, with debug level 3 after a failed login attempt from
> windows:
>
> [ 2627]: getgrnam QG+TEST
> rpc: name_to_sid name=TEST
> name_to_sid [rpc] TEST for domain QG
> ads: dn_lookup
> ads: dn_lookup
> ads: dn_lookup
> ads: dn_lookup
> ads: dn_lookup
> ads lookup_groupmem for
> sid=S-1-5-21-842925246-1647877149-1417001333-57015
> [ 2627]: getgrnam QG+TEST
> [ 2627]: getgrnam QG+TEST
> [ 2629]: request interface version
> [ 2629]: request location of privileged pipe
> [ 2629]: domain_info [QG.COM]
> [ 2629]: getpwnam qg+jzillera
> rpc: name_to_sid name=jzillera
> name_to_sid [rpc] jzillera for domain QG
> ads: query_user
> ads query_user gave JZILLERA
> [ 2629]: getgroups QG+jzillera
> sid_to_name [rpc] S-1-5-21-842925246-1647877149-1417001333-29979 for
> domain QG
> sid_to_name [rpc] S-1-5-21-842925246-1647877149-1417001333-53735 for
> domain QG
> sid_to_name [rpc] S-1-5-21-842925246-1647877149-1417001333-29156 for
> domain QG
> sid_to_name [rpc] S-1-5-21-842925246-1647877149-1417001333-55130 for
> domain QG
> sid_to_name [rpc] S-1-5-21-842925246-1647877149-1417001333-20629 for
> domain QG
> [ 2629]: gid to sid 10002
> [ 2629]: gid to sid 10003
> [ 2629]: gid to sid 10004
> [ 2629]: gid to sid 10005
> [ 2629]: gid to sid 10006
> [ 2629]: gid to sid 10007
> [ 2629]: gid to sid 10008
> [ 2629]: gid to sid 10009
> [ 2629]: gid to sid 10010
> [ 2629]: gid to sid 10011
> [ 2629]: gid to sid 10012
> [ 2629]: gid to sid 10013
> [ 2629]: gid to sid 10014
> [ 2629]: gid to sid 10015
> [ 2629]: gid to sid 10016
> [ 2629]: gid to sid 10017
> [ 2629]: gid to sid 10018
> [ 2629]: gid to sid 10019
> [ 2629]: gid to sid 10020
> [ 2629]: gid to sid 10021
> [ 2629]: gid to sid 10022
> [ 2629]: gid to sid 10023
> [ 2629]: gid to sid 10024
> [ 2629]: gid to sid 10025
> [ 2629]: gid to sid 10026
> [ 2629]: gid to sid 10027
> [ 2629]: gid to sid 10028
> [ 2629]: gid to sid 10029
> [ 2629]: gid to sid 10030
> [ 2629]: gid to sid 10031
> [ 2629]: gid to sid 10032
> [ 2629]: gid to sid 10033
> [ 2629]: getpwnam QG+jzillera
> [ 2629]: getgrnam QG+TEST
>
> That's it.
>
> Again, the output of 'getent group' shows my user as being a member of
> QG+TEST:
>
> QG+TEST:x:10000:QG+JZILLERA
>
> If you would like any more info please ask....thanks!
>
> -James
>
> > -----Original Message-----
> > From: Ziller, James
> > Sent: Monday, August 02, 2004 4:08 PM
> > To: 'samba at lists.samba.org'
> > Subject: Problems w/ winbind and AD group membership
> >
> > Hello friends,
> >
> > I am using samba to join a linux box to an active directory domain
> > to use as a file server. I would like to be able to control access
> > to shares based on AD domain groups. However, even though winbind
> > seems to be seeing the groups fine, samba is not granting access to
> > users who are members of the group. I am able to successfully join
> > the system to the domain and granting access to shares based on
> > Windows usernames works fine.
> >
> > getent group returns:
> > QG+TEST:x:10029:QG+JZILLERA,QG+HPCHEUNGA,QG+FOLIVERA,QG+DDAWSONA,QG
> > +PL YNCHA
> >
> > However an id lookup of my windows username doesn't list me as a
> > group member of QG+TEST.(shouldn't it?)
> >
> > [root at smbsrv root]# id qg+jzillera
> > uid=10002(QG+JZILLERA) gid=10000(QG+Domain Users)
> > groups=10000(QG+Domain Users)
> >
> > System Details:
> > Redhat 9
> > samba-3.0.5-2
> > krb5-libs-1.2.7-10
> > krb5-devel-1.2.7-10
> > krb5-workstation-1.2.7-10
> > pam_krb5-1.60-1
> >
> > [root at smbsrv root]# wbinfo -t
> > checking the trust secret via RPC calls succeeded
> >
> > [root at smbsrv root]# testparm
> > Load smb config files from /etc/samba/smb.conf
> > Processing section "[test]"
> > Loaded services file OK.
> > Server role: ROLE_DOMAIN_MEMBER
> > Press enter to see a dump of your service definitions
> >
> > # Global parameters
> > [global]
> > workgroup = QG
> > realm = QG.COM
> > server string = Samba Server
> > security = ADS
> > obey pam restrictions = Yes
> > password server = wadc2
> > log file = /var/log/samba/log.%m
> > max log size = 50
> > load printers = No
> > printcap name = /etc/printcap
> > local master = No
> > domain master = No
> > dns proxy = No
> > wins support = Yes
> > idmap uid = 10000-30000
> > idmap gid = 10000-30000
> > winbind separator = + (tried with # and \ as well)
> > winbind use default domain = Yes (tried with No)
> >
> > [test]
> > comment = testing
> > path = /mnt/qdsfsl01/resources/testing
> > valid users = @QG+TEST
> > write list = @QG+TEST
> >
> > Winbind logs show nothing that indicates any error, even when run
> > with debug level 3. I've been beating myself over the head with this
> > problem for months...any help or suggestions would be greatly
> > appreciated.
> >
> > Thanks!
> >
> > James Ziller
> > Systems Administrator
> >
> > Quad/Graphics - Q/DS
> > West Allis, Wisconsin
> > james.ziller at qg.com
> >
--
Charles Bueche <charles at bueche.ch>
sand, snow, wave, wind and net -surfer
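
The check suggested in the reply quoted above can be run against the winbindd debug output directly. This is an added example, not part of the original thread: it counts the distinct `gid to sid` lookups per winbindd process and reports whether the list has reached the group limit without containing the gid of the group named in `valid users`. The function names are hypothetical, the sample log is constructed in the format quoted in the thread, and the limit of 32 is the figure given in the reply, not a value read from the system.

```python
import re
from collections import defaultdict

# Constructed sample in the format of the winbindd debug-level-3 output quoted
# in the thread: one process looks up 32 consecutive gids (10002-10033).
SAMPLE_LOG = "\n".join(
    ["[ 2629]: getgroups QG+jzillera"]
    + [f"[ 2629]: gid to sid {gid}" for gid in range(10002, 10034)]
    + ["[ 2629]: getpwnam QG+jzillera", "[ 2629]: getgrnam QG+TEST"]
)

# Accepts raw log lines and lines carrying mail quote markers ("> ").
GID_LOOKUP = re.compile(r"^\s*(?:>\s*)*\[\s*(\d+)\]:\s+gid to sid\s+(\d+)\s*$")


def gid_lookups_by_pid(log_text):
    """Return {pid: [gid, ...]} for every 'gid to sid' line, in log order."""
    lookups = defaultdict(list)
    for line in log_text.splitlines():
        match = GID_LOOKUP.match(line)
        if match:
            lookups[int(match.group(1))].append(int(match.group(2)))
    return dict(lookups)


def check_group_limit(log_text, wanted_gid, limit=32):
    """Per winbindd pid: is the gid list full, and does it contain wanted_gid?

    limit=32 is the figure given in the reply (an assumption about the host).
    """
    report = {}
    for pid, gids in gid_lookups_by_pid(log_text).items():
        distinct = sorted(set(gids))
        report[pid] = {
            "count": len(distinct),
            "at_limit": len(distinct) >= limit,
            "wanted_gid_present": wanted_gid in distinct,
            "range": (distinct[0], distinct[-1]),
        }
    return report


if __name__ == "__main__":
    # 10000 is the gid that 'getent group' reports for QG+TEST in the thread.
    for pid, info in check_group_limit(SAMPLE_LOG, wanted_gid=10000).items():
        print(pid, info)
```

A process that shows `at_limit` true and `wanted_gid_present` false matches the situation the reply describes; on a live host, compare the result with `id` and `getent group` for the same user.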