[Samba] Winbind being flakey
Charles Bueche
charles at bueche.ch
Mon Aug 9 07:36:16 GMT 2004
Hi,
I think it's UNIX history, I guess the 16 users limit of NFS is probably
because it is coded in 4 bits somewhere, but this is just a guess, I
haven't looked at the source.
My tests were done on Solaris, where the limit can be rised to 32, but
still not enough, as some users are members of 80-100 groups.
I haven't investigated more, no time for now. Just waiting that someone
else scratch their own itch :-)
Charles
On Sun, 08 Aug 2004 00:19:36 -0400
Jim Ross <jktross at umd.umich.edu> wrote:
>
> Hey Charles, do you have any ideas where the 32 group limit comes
> from?
> I thought I had this pegged to NGROUPS_MAX being 32, but I seem to
> run into the same issue of Fedora Core too, where NGROUPS_MAX is over
> 64k. I'm at a loss on it, but have plenty of users in more than 32
> groups. I haven't seen anyone in the list mention it but you did, so
> I thought you might have an idea on this.
>
> Thanks,
> Jim Ross
>
>
>
> Charles Bueche wrote:
>
> > Hi,
> >
> > you max out the 32 group limit of your UNIX (02-33), and the group
> > you want is over 33. Check how many Windows groups you are in.
> >
> > Charles
> >
> > On Wed, 4 Aug 2004 07:46:22 -0500
> > "Ziller, James" <James.Ziller at qg.com> wrote:
> >
> >
> >>After some more screwing around with leaving and rejoining the ADS
> >>domain I was finally able to access a share with "valid users =" set
> >>to a domain group I was a member of. The _only_ change I made after
> >>this was to add yet another group to the valid users on the share
> >and>restart samba...after that I could no longer access the share.
> >I>removed the additional group, restarted samba and could still not
> >>access the share. I then tried adding my domain username to "valid
> >>users=" and it worked fine. So im back in the same boat again,
> >users>work, groups don't. Has anyone seen this problem before? Or
> >does>anyone have advice for tracking down the root of this problem.
> >I've>had this problem with samba 3.0.4 and samba 3.0.5, recently
> >upgraded>kerberos from 1.2.7 to 1.3.3 but see no difference. Running
> >winbindd>in debug doesn't seem to indicate any problem. Heres the
> >output of>winbindd anyway, with debug level 3 after a failed login
> >attempt from>windows:
> >>
> >>[ 2627]: getgrnam QG+TEST
> >>rpc: name_to_sid name=TEST
> >>name_to_sid [rpc] TEST for domain QG
> >>ads: dn_lookup
> >>ads: dn_lookup
> >>ads: dn_lookup
> >>ads: dn_lookup
> >>ads: dn_lookup
> >>ads lookup_groupmem for
> >>sid=S-1-5-21-842925246-1647877149-1417001333-57015
> >>[ 2627]: getgrnam QG+TEST
> >>[ 2627]: getgrnam QG+TEST
> >>[ 2629]: request interface version
> >>[ 2629]: request location of privileged pipe
> >>[ 2629]: domain_info [QG.COM]
> >>[ 2629]: getpwnam qg+jzillera
> >>rpc: name_to_sid name=jzillera
> >>name_to_sid [rpc] jzillera for domain QG
> >>ads: query_user
> >>ads query_user gave JZILLERA
> >>[ 2629]: getgroups QG+jzillera
> >>sid_to_name [rpc] S-1-5-21-842925246-1647877149-1417001333-29979 for
> >>domain QG
> >>sid_to_name [rpc] S-1-5-21-842925246-1647877149-1417001333-53735 for
> >>domain QG
> >>sid_to_name [rpc] S-1-5-21-842925246-1647877149-1417001333-29156 for
> >>domain QG
> >>sid_to_name [rpc] S-1-5-21-842925246-1647877149-1417001333-55130 for
> >>domain QG
> >>sid_to_name [rpc] S-1-5-21-842925246-1647877149-1417001333-20629 for
> >>domain QG
> >>[ 2629]: gid to sid 10002
> >>[ 2629]: gid to sid 10003
> >>[ 2629]: gid to sid 10004
> >>[ 2629]: gid to sid 10005
> >>[ 2629]: gid to sid 10006
> >>[ 2629]: gid to sid 10007
> >>[ 2629]: gid to sid 10008
> >>[ 2629]: gid to sid 10009
> >>[ 2629]: gid to sid 10010
> >>[ 2629]: gid to sid 10011
> >>[ 2629]: gid to sid 10012
> >>[ 2629]: gid to sid 10013
> >>[ 2629]: gid to sid 10014
> >>[ 2629]: gid to sid 10015
> >>[ 2629]: gid to sid 10016
> >>[ 2629]: gid to sid 10017
> >>[ 2629]: gid to sid 10018
> >>[ 2629]: gid to sid 10019
> >>[ 2629]: gid to sid 10020
> >>[ 2629]: gid to sid 10021
> >>[ 2629]: gid to sid 10022
> >>[ 2629]: gid to sid 10023
> >>[ 2629]: gid to sid 10024
> >>[ 2629]: gid to sid 10025
> >>[ 2629]: gid to sid 10026
> >>[ 2629]: gid to sid 10027
> >>[ 2629]: gid to sid 10028
> >>[ 2629]: gid to sid 10029
> >>[ 2629]: gid to sid 10030
> >>[ 2629]: gid to sid 10031
> >>[ 2629]: gid to sid 10032
> >>[ 2629]: gid to sid 10033
> >>[ 2629]: getpwnam QG+jzillera
> >>[ 2629]: getgrnam QG+TEST
> >>
> >>That's it.
> >>
> >>Again, the output of 'getent group' shows my user as being a member
> >of>QG+TEST:
> >>
> >>QG+TEST:x:10000:QG+JZILLERA
> >>
> >> If you would like anymore info please ask....thanks!
> >>
> >> -James
> >>
> >>
> >>> -----Original Message-----
> >>>From: Ziller, James
> >>>Sent: Monday, August 02, 2004 4:08 PM
> >>>To: 'samba at lists.samba.org'
> >>>Subject: Problems w/ winbind and AD group membership
> >>>
> >>>Hello friends,
> >>>
> >>>I am using samba to join a linux box to an active directory domain
> >>>to use as a file server. I would like to be able to control access
> >>>to shares based on AD domain groups. However, even though winbind
> >>>seems to be seeing the groups fine, samba is not granting access to
> >>>users who are members of the group. I am able to successfully join
> >>>the system to the domain and granting access to shares based on
> >>>Windows usernames works fine.
> >>>
> >>>getent group returns:
> >>>QG+TEST:x:10029:QG+JZILLERA,QG+HPCHEUNGA,QG+FOLIVERA,QG+DDAWSONA,QG
> >>>+PL YNCHA
> >>>
> >>>However an id lookup of my windows username doesn't list me as a
> >>>group member of QG+TEST.(shouldn't it?)
> >>>
> >>>[root at smbsrv root]# id qg+jzillera
> >>>uid=10002(QG+JZILLERA) gid=10000(QG+Domain Users)
> >>>groups=10000(QG+Domain Users)
> >>>
> >>>System Details:
> >>>Redhat 9
> >>>samba-3.0.5-2
> >>>krb5-libs-1.2.7-10
> >>>krb5-devel-1.2.7-10
> >>>krb5-workstation-1.2.7-10
> >>>pam_krb5-1.60-1
> >>>
> >>>[root at smbsrv root]# wbinfo -t
> >>>checking the trust secret via RPC calls succeeded
> >>>
> >>>[root at smbsrv root]# testparm
> >>>Load smb config files from /etc/samba/smb.conf
> >>>Processing section "[test]"
> >>>Loaded services file OK.
> >>>Server role: ROLE_DOMAIN_MEMBER
> >>>Press enter to see a dump of your service definitions
> >>>
> >>># Global parameters
> >>>[global]
> >>> workgroup = QG
> >>> realm = QG.COM
> >>> server string = Samba Server
> >>> security = ADS
> >>> obey pam restrictions = Yes
> >>> password server = wadc2
> >>> log file = /var/log/samba/log.%m
> >>> max log size = 50
> >>> load printers = No
> >>> printcap name = /etc/printcap
> >>> local master = No
> >>> domain master = No
> >>> dns proxy = No
> >>> wins support = Yes
> >>> idmap uid = 10000-30000
> >>> idmap gid = 10000-30000
> >>> winbind separator = + (tried with # and \ as well)
> >>> winbind use default domain = Yes (tried with No)
> >>>
> >>>[test]
> >>> comment = testing
> >>> path = /mnt/qdsfsl01/resources/testing
> >>> valid users = @QG+TEST
> >>> write list = @QG+TEST
> >>>
> >>>Winbind logs show nothing that indicates any error, even when run
> >>>with debug level 3. Ive been beating myself over the head with
> >this>>problem for months...any help or suggestions would be greatly
> >>>appreciated.
> >>>
> >>>Thanks!
> >>>
> >>>James Ziller
> >>>Systems Administrator
> >>>
> >>>Quad/Graphics - Q/DS
> >>>West Allis, Wisconsin
> >>>james.ziller at qg.com
> >>>
> >>
> >>--
> >>To unsubscribe from this list go to the following URL and read the
> >>instructions: http://lists.samba.org/mailman/listinfo/samba
> >
> >
> >
--
Charles Bueche <charles at bueche.ch>
sand, snow, wave, wind and net -surfer
More information about the samba
mailing list