[Samba] Samba winbind secondary group problem

PIGNOL, Christian christian_pignol at merck.com
Thu Jan 22 15:54:09 GMT 2004


I have a similar problem with a RH9 using the kernel 2.4.20-20.9.1 with ACL
patches. I have updated some source (/include/linux/limits.h and
/include/asm/param.h) to increase the maximum number of groups value before
compiling this kernel.

My Samba is 3.0.1-2 (compiled with "--with-winbind --with-acl-support").

When the Windows domain users try to access (just the "net use") the Samba
share everything is OK... In the ACL of this share we have some Linux
equivalent to the classical Windows permissions "Everyone read"...

But... when a specific user tries to create/update/delete a file in this share
he receives the "Access Denied" message!
However this user is included in a Domain Global Group and this group is
also included in the ACL!

Have you solved your first problem? If yes, could you send me your
solution?

Any help for my problem would be greatly appreciated.

Best regards.

Christian PIGNOL
* (+33) 473 67 62 96
* (+33) 473 67 61 29
* christian_pignol at merck.com

-----Original Message-----
From: samba-bounces+christian_pignol=merck.com at lists.samba.org
[mailto:samba-bounces+christian_pignol=merck.com at lists.samba.org] On Behalf
Of asim_is at comcast.net
Sent: Wednesday 21 January 2004 02:40
To: samba at lists.samba.org
Subject: [Samba] Samba winbind secondary group problem

Hello all,

I am having some serious problems getting winbind to recognize secondary
group memberships.  I have a Samba server version samba-3.0.0-14.3E running
on RHES v.3.
This is running on a 2x Xeon 2.4 GHz IBM Server with 2G RAM.  nscd is not
See below for smb.conf.

cat /proc/version:  Linux version 2.4.21-9.ELsmp
(bhcompile at stripples.devel.redhat.com) (gcc version 3.2.3 20030502 (Red Hat
Linux 3.2.3-26)) #1 SMP Thu Jan 8 17:08:56 EST 2004

I have joined the domain with: net rpc join -U administrator -r PDC
I successfully joined the domain. passdb backend = smbpasswd. wbinfo -u
shows all the domain users and wbinfo -g shows all the domain groups.  ls -l
shows the correct domain user/group ownerships.  Users can access shares
owned by them or their PRIMARY domain group.  But when they try to access a
share owned by a secondary group that they belong to, it is access denied.
The only way I can get a secondary group to resolve is by putting a local
Unix group in /etc/group and giving it the same GID as the corresponding
domain group, then adding the users to the local Unix group.

I have a RedHat 9 box with the same configuration that works the way it's
supposed to, i.e. honoring secondary group memberships from the domain (of
course it is Samba version samba-2.2.7a-8.9.0).

This is a very critical situation for us.  Any help/suggestions would be
greatly appreciated.

Below is a snip from the Samba log file (it shows 3 supplementary groups even
though this user belongs to about 20 groups).

[2004/01/20 19:17:44, 5] auth/auth_util.c:debug_unix_user_token(505)
  UNIX token of user 10504
  Primary group is 10013 and contains 3 supplementary groups
  Group[  0]: 10013
  Group[  1]: 10013
  Group[  2]: 10029

#Begin smb.conf
passdb backend = smbpasswd
#winbind configuration------>
    winbind separator = +
    winbind use default domain = yes
    template shell = /bin/false
    template homedir = /netarray/shares/home/%U
    idmap uid = 10000-20000
    idmap gid = 10000-20000
#end winbind configuration----->
    security = domain
    password server = PDC BDC
    password level = 8
    username level = 8

    available = yes
    browseable = yes
    comment =
    path = /netarray/shares/Shared
    public = no
    writable = yes
    valid users = @"Domain Users" @"Domain Admins" @"Global ITS" @d_users @d_admins @g_its
    invalid users = internet1 internet2 hrtest
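A consistency check for the symptom described above, added here as an example (it is not code from either poster): it parses the debug_unix_user_token dump that smbd writes at log level 5, in the same format as the excerpt in the post, and lists the GIDs that winbind reports for the user (assumed to come from `wbinfo -r USER`, one GID per line) but that never made it into the process token, which is what the share permissions are actually evaluated against. The log excerpt and the GID list below are constructed sample data, and `ngroups_max` reports the per-process group limit that a patched limits.h changes.

```shell
#!/bin/sh
# Constructed sample: smbd debug-level-5 token dump, same layout as the post.
TOKEN_LOG='[2004/01/20 19:17:44, 5] auth/auth_util.c:debug_unix_user_token(505)
  UNIX token of user 10504
  Primary group is 10013 and contains 3 supplementary groups
  Group[  0]: 10013
  Group[  1]: 10013
  Group[  2]: 10029'

# Constructed sample: GIDs winbind resolves for the same user (assumed to be
# captured with `wbinfo -r USER`, which prints one GID per line).
WINBIND_GIDS='10013
10029
10041
10057'

# Print the distinct GIDs present in a token dump, one per line.
token_gids() {
    printf '%s\n' "$1" \
        | sed -n 's/^ *Group\[ *[0-9]*\]: *\([0-9][0-9]*\).*/\1/p' \
        | sort -u
}

# Print the GIDs winbind reports that are absent from the token.
# $1 = token dump text, $2 = winbind GID list (one per line)
missing_gids() {
    _tok=$(token_gids "$1")
    printf '%s\n' "$2" | sort -u | while IFS= read -r gid; do
        [ -n "$gid" ] || continue
        printf '%s\n' "$_tok" | grep -qx "$gid" || printf '%s\n' "$gid"
    done
}

# Per-process supplementary group limit of this host (NGROUPS_MAX); a short
# token on a user with many groups is worth comparing against this value.
ngroups_max() {
    getconf NGROUPS_MAX 2>/dev/null || echo unknown
}

# Stand-alone usage: report GIDs winbind knows but the token lacks.
missing_gids "$TOKEN_LOG" "$WINBIND_GIDS"
```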
