[Samba] Win2003 ADS group membership: * varying * delay getting access to shares
Kel Way
kpwspam-samba at yahoo.com
Wed Dec 15 22:09:23 GMT 2004
User A is a member of Global Group Public in Windows 2003 Active Directory. Global Group
Maintenance is a member of Domain Local Group Maintenance. Domain Local Group Maintenance is
afforded access to Linux directory /home/maint with this smb.conf share definition:
[maintenance]
comment = Maintenance Share
valid users = "MYDOMAIN+Pulaski - Maintenance - DLoc" "MYDOMAIN+shawnadm"
path = /home/maint
writeable = yes
create mode = 0660
directory mode = 0770
the directory:
[root at pulaski-fs-001 home]# ll | grep maint
drwxrwx--- 2 root MYDOMAIN+Domain Users 4096 Dec 15 13:11 maint
getent group from the Samba box shows that user MYDOMAIN+bwatkins, for instance, IS a member of
the following Maintenance groups:
[root at pulaski-fs-001 proc]# getent group | grep Maint
MYDOMAIN+Pulaski - Maintenance -Glo:x:10541:MYDOMAIN+tnewton,MYDOMAIN+jwillia1,MYDOMAIN+bwatkins,MYDOMAIN+rwilliam,MYDOMAIN+dkermicl,MYDOMAIN+jburress
MYDOMAIN+Pulaski - Maintenance - DLoc:x:10524:
Note group #'s 10541 and 10524. The logs for the IP address of the machine that bwatkins logs in
from show the following. Note that supplementary groups 10541 and 10524 are not present. Because
of this, access is denied to the share defined above.
[2004/12/15 14:28:20, 5] auth/auth_util.c:debug_unix_user_token(505)
UNIX token of user 10002
Primary group is 10000 and contains 8 supplementary groups
Group[ 0]: 10000
Group[ 1]: 10020
Group[ 2]: 10035
Group[ 3]: 10037
Group[ 4]: 10039
Group[ 5]: 10042
Group[ 6]: 10507
Group[ 7]: 10508
We've noticed that after some time - and it certainly seems to vary - access is granted. Until
then, the user is denied access and is challenged for credentials. *** Is there some GID cache
that I'm not aware of? ***
Relevant System Info:
Fedora Core 2: Linux version 2.6.5-1.358
[root at pulaski-fs-001 home]# rpm -qa | grep samba
samba-common-3.0.9-1.fc2
samba-client-3.0.9-1.fc2
samba-3.0.9-1.fc2
smb.conf global section:
[global]
unix charset = LOCALE
workgroup = MYDOMAIN
realm = MYDOMAIN.ORG
server string = PULASKI-FS-001
security = ADS
username map = /etc/samba/smbusers
log level = 9
syslog = 0
log file = /var/log/samba/%M
max log size = 50
printcap name = CUPS
ldap ssl = no
idmap uid = 10000-20000
idmap gid = 10000-20000
template primary group = "Domain Users"
template shell = /bin/bash
winbind separator = +
winbind cache time = 10
printing = cups
client use spnego = yes
invalid users = root bin daemon adm sync shutdown halt mail news uucp operator
printer admin = "MYDOMAIN+Americas Zone Admins" "MYDOMAIN+shawnadm"
# commented out 12-15-04 by Kel: encrypt password = yes
oplocks = no
level2 oplocks = no
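The comparison the post does by hand (read the GIDs out of smbd's `debug_unix_user_token` dump, look the user up in `getent group`, see which expected GIDs the token lacks) is easy to automate and is the first thing to run each time the delay is observed. The script below is an added example, not code from the original post or from the Samba project. Its sample log and `getent` lines are constructed from what the post quotes; the `Domain Users` line and its GID 10000 are an assumption, since the post shows only the group name. It also evaluates an smb.conf `valid users` list against the token using the rule documented in smb.conf(5): an entry is treated as a group only when it begins with `@`, `+` or `&`, and otherwise as a user name. The share definition quoted above lists the DLoc group without such a prefix, so under that rule it is compared as a user name; the example shows both spellings.

```python
"""Cross-check an smbd UNIX token against getent group and a valid users list.

Added example (not from the original post or from Samba). Sample data below is
constructed from the lines quoted in the thread; GID 10000 for Domain Users is
an assumption.
"""
import re
import shlex

# Constructed sample: the level-5 token dump quoted in the post.
SAMPLE_LOG = """\
[2004/12/15 14:28:20, 5] auth/auth_util.c:debug_unix_user_token(505)
  UNIX token of user 10002
  Primary group is 10000 and contains 8 supplementary groups
    Group[ 0]: 10000
    Group[ 1]: 10020
    Group[ 2]: 10035
    Group[ 3]: 10037
    Group[ 4]: 10039
    Group[ 5]: 10042
    Group[ 6]: 10507
    Group[ 7]: 10508
"""

# Constructed sample: the two getent lines from the post plus an assumed
# Domain Users line (GID 10000 is an assumption, matching the token's primary group).
SAMPLE_GETENT = """\
MYDOMAIN+Domain Users:x:10000:
MYDOMAIN+Pulaski - Maintenance -Glo:x:10541:MYDOMAIN+tnewton,MYDOMAIN+jwillia1,MYDOMAIN+bwatkins,MYDOMAIN+rwilliam,MYDOMAIN+dkermicl,MYDOMAIN+jburress
MYDOMAIN+Pulaski - Maintenance - DLoc:x:10524:
"""

# The share's valid users list exactly as quoted in the post (no @ prefix).
SHARE_VALID_USERS = '"MYDOMAIN+Pulaski - Maintenance - DLoc" "MYDOMAIN+shawnadm"'


def parse_token(log_text):
    """Return (uid, primary_gid, [supplementary gids]) from a debug_unix_user_token dump."""
    uid = int(re.search(r"UNIX token of user (\d+)", log_text).group(1))
    primary = int(re.search(r"Primary group is (\d+)", log_text).group(1))
    supp = [int(g) for g in re.findall(r"Group\[\s*\d+\]:\s*(\d+)", log_text)]
    return uid, primary, supp


def parse_getent_group(text):
    """Return {gid: (name, set_of_members)} from `getent group` output.

    Winbind group names contain spaces and the '+' separator, so split the
    name:x:gid:members record from the right to keep the name intact.
    """
    groups = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        name, _pw, gid, members = line.rsplit(":", 3)
        groups[int(gid)] = (name, {m for m in members.split(",") if m})
    return groups


def missing_gids(user, log_text, getent_text):
    """GIDs that list `user` as a direct member in getent but are absent from the token.

    Nested membership (a global group inside a domain local group) is not
    visible in getent's flat member list, so only direct memberships are expected.
    """
    _uid, primary, supp = parse_token(log_text)
    groups = parse_getent_group(getent_text)
    expected = {gid for gid, (_n, members) in groups.items() if user in members}
    present = set(supp) | {primary}
    return sorted(expected - present)


def valid_users_allow(valid_users, user, token_gids, groups):
    """Apply the smb.conf(5) rule: '@', '+' or '&' prefix means a group, else a user name."""
    gid_by_name = {name: gid for gid, (name, _m) in groups.items()}
    for entry in shlex.split(valid_users):
        if entry and entry[0] in "@+&":
            if gid_by_name.get(entry[1:]) in token_gids:
                return True
        elif entry == user:
            return True
    return False


if __name__ == "__main__":
    user = "MYDOMAIN+bwatkins"
    _uid, primary, supp = parse_token(SAMPLE_LOG)
    groups = parse_getent_group(SAMPLE_GETENT)
    token = set(supp) | {primary}
    print("GIDs expected from getent but missing from token:",
          missing_gids(user, SAMPLE_LOG, SAMPLE_GETENT))
    print("valid users as written allows", user, ":",
          valid_users_allow(SHARE_VALID_USERS, user, token, groups))
    print("with @ prefix and GID 10524 in token:",
          valid_users_allow('"@MYDOMAIN+Pulaski - Maintenance - DLoc"',
                            user, token | {10524}, groups))
```

Feed it the real `log file = /var/log/samba/%M` output and `getent group` dump for a session that was denied, then again for one that was later granted; if the missing list shrinks between the two while `getent` is unchanged, the stale data is in the token built at session setup rather than in winbind's group lookup.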