[Samba] Samba winbind secondary group problem

Mike Dawson mdawson at totton.ac.uk
Fri Jan 23 10:01:40 GMT 2004


This problem went away for me in Samba 3.0.1.  A workaround in 3.0.0 is 
to set

winbind use default domain = no

in the smb.conf.

Mike

asim_is at comcast.net wrote:
> Hello all,
> 
> I am having some serious problems getting winbind to recognize secondary group memberships.  I have a samba server version samba-3.0.0-14.3E running on RHES v.3.
> This is running on a 2x Xeon 2.4 GHz IBM Server with 2G RAM.  nscd is not running.  
> See below for smb.conf.
> 
> cat /proc/version:  Linux version 2.4.21-9.ELsmp (bhcompile at stripples.devel.redhat.com) (gcc version 3.2.3 20030502 (Red Hat Linux 3.2.3-26)) #1 SMP Thu Jan 8 17:08:56 EST 2004
> 
> I have joined the domain with: net rpc join -U administrator -r PDC
> I successfully joined the domain. passdb backend = smbpasswd. wbinfo -u shows all the domain users and wbinfo -g shows all the domain groups.  ls -l shows the correct domain user/group ownerships.  Users can access shares owned by them or their PRIMARY domain group.  But when they try to access a share owned by a secondary group that they belong to, it is access denied.  The only way I can get a secondary group to resolve is by putting a local unix group in /etc/group and giving it the same GID as the corresponding domain group, then adding the users to the local unix group.  
> 
> I have a RedHat 9 box with the same configuration that works the way it's supposed to - i.e. - honoring secondary group memberships from the domain (of course it is samba version samba-2.2.7a-8.9.0).  
> 
> This is a very critical situation for us.  Any help/suggestions would be greatly appreciated.
> 
> Below is a snip from the samba log file (shows 3 supplementary groups even though this user belongs to about 20 groups).
> 
> [2004/01/20 19:17:44, 5] auth/auth_util.c:debug_unix_user_token(505)
>   UNIX token of user 10504
>   Primary group is 10013 and contains 3 supplementary groups
>   Group[  0]: 10013
>   Group[  1]: 10013
>   Group[  2]: 10029
> 
> #Begin smb.conf
> passdb backend = smbpasswd
> #winbind configuration------>
>         winbind separator = +
>         winbind use default domain =  yes 
>         template shell  = /bin/false
>         template homedir = /netarray/shares/home/%U
>         idmap uid = 10000-20000
>         idmap gid = 10000-20000
> #end winbind configuration----->
>    security = domain 
>    password server = PDC BDC
>    password level = 8
>    username level = 8
> 
> [Shared]
>  available = yes
>  browseable = yes
>  comment = 
>  path = /netarray/shares/Shared
>  public = no
>  writable = yes
>  valid users = @"Domain Users" @"Domain Admins" @"Global ITS" @d_users @d_admins @g_its
>  invalid users = internet1 internet2 hrtest
> 
> 
> 
>   
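
Added example, not part of the original thread and not Samba's own code: a small parser for the level 5 debug_unix_user_token dump quoted above, which reports duplicate entries and the GIDs a user should hold but that are absent from the token. The function names and the EXPECTED_GIDS list are assumptions constructed for illustration; in practice the expected list would come from the domain's group membership for that user.

```python
import re

# Log excerpt taken from the post above (log level 5 token dump).
SAMPLE_LOG = """\
[2004/01/20 19:17:44, 5] auth/auth_util.c:debug_unix_user_token(505)
  UNIX token of user 10504
  Primary group is 10013 and contains 3 supplementary groups
  Group[  0]: 10013
  Group[  1]: 10013
  Group[  2]: 10029
"""
# Constructed sample: GIDs the user is expected to hold (not from the post).
EXPECTED_GIDS = [10013, 10029, 10041, 10057]

USER_RE = re.compile(r"UNIX token of user (\d+)")
PRIMARY_RE = re.compile(r"Primary group is (\d+) and contains (\d+) supplementary groups")
GROUP_RE = re.compile(r"Group\[\s*(\d+)\]:\s*(\d+)")

def parse_tokens(log_text):
    """Return one dict per debug_unix_user_token dump found in log_text."""
    tokens, current = [], None
    for line in log_text.splitlines():
        line = line.lstrip("> ").strip()  # tolerate mail-quoted log lines
        if m := USER_RE.search(line):
            current = {"uid": int(m.group(1)), "primary": None, "declared": 0, "groups": []}
            tokens.append(current)
        elif current is None:
            continue  # ignore anything before the first token header
        elif m := PRIMARY_RE.search(line):
            current["primary"], current["declared"] = int(m.group(1)), int(m.group(2))
        elif m := GROUP_RE.search(line):
            current["groups"].append(int(m.group(2)))
    return tokens

def audit_token(token, expected_gids):
    """Compare a parsed token with the GIDs the user should hold."""
    groups = token["groups"]
    effective = set(groups) | ({token["primary"]} - {None})
    return {
        "uid": token["uid"],
        "effective": sorted(effective),
        "duplicates": sorted({g for g in groups if groups.count(g) > 1}),
        "count_mismatch": token["declared"] != len(groups),
        "missing": sorted(set(expected_gids) - effective),
    }

if __name__ == "__main__":
    for tok in parse_tokens(SAMPLE_LOG):
        print(audit_token(tok, EXPECTED_GIDS))
```

For the dump in the post, the three listed entries collapse to two distinct GIDs, so every other expected GID is reported as missing.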