[Samba] Samba winbind secondary group problem

asim_is at comcast.net asim_is at comcast.net
Mon Jan 26 14:22:03 GMT 2004


> This problem went away for me in Samba 3.0.1.  A workaround in 3.0.0 is 
> to set
> 
> winbind use default domain = no
> 
> in the smb.conf.
This did in fact solve the group resolution problem on samba-3.0.0-14.3E.
I have not tried 3.0.1 yet but will this week and will post the results.

Thanks very much Mike!  
> This problem went away for me in Samba 3.0.1.  A workaround in 3.0.0 is 
> to set
> 
> winbind use default domain = no
> 
> in the smb.conf.
> 
> Mike
> 
> asim_is at comcast.net wrote:
> > Hello all,
> > 
> > I am having some serious problems getting winbind to recognize secondary group
> > memberships.  I have a samba server version samba-3.0.0-14.3E running on RHES
> > v.3.
> > This is running on a 2x Xeon 2.4 GHz IBM Server with 2G RAM.  nscd is not
> > running.
> > See below for smb.conf.
> > 
> > cat /proc/version:  Linux version 2.4.21-9.ELsmp
> > (bhcompile at stripples.devel.redhat.com) (gcc version 3.2.3 20030502 (Red Hat
> > Linux 3.2.3-26)) #1 SMP Thu Jan 8 17:08:56 EST 2004
> > 
> > I have joined the domain with: net rpc join -U administrator -r PDC
> > I successfully joined the domain. passdb backend = smbpasswd. wbinfo -u shows
> > all the domain users and wbinfo -g shows all the domain groups.  ls -l shows the
> > correct domain user/group ownerships.  Users can access shares owned by them or
> > their PRIMARY domain group.  But when they try to access a share owned by a
> > secondary group that they belong to, it is access denied.  The only way I can
> > get a secondary group to resolve is by putting a local unix group in /etc/group
> > and giving it the same GID as the corresponding domain group, then adding the
> > users to the local unix group.
> > 
> > I have a RedHat 9 box with the same configuration that works the way it's
> > supposed to, i.e. honoring secondary group memberships from the domain (of
> > course it is samba version samba-2.2.7a-8.9.0).
> > 
> > This is a very critical situation for us.  Any help/suggestions would be
> > greatly appreciated.
> > 
> > Below is a snip from the samba log file (shows 3 supplementary groups even
> > though this user belongs to about 20 groups).
> > 
> > [2004/01/20 19:17:44, 5] auth/auth_util.c:debug_unix_user_token(505)
> >   UNIX token of user 10504
> >   Primary group is 10013 and contains 3 supplementary groups
> >   Group[  0]: 10013
> >   Group[  1]: 10013
> >   Group[  2]: 10029
> > 
> > #Begin smb.conf
> > passdb backend = smbpasswd
> > #winbind configuration------>
> >         winbind separator = +
> >         winbind use default domain =  yes 
> >         template shell  = /bin/false
> >         template homedir = /netarray/shares/home/%U
> >         idmap uid = 10000-20000
> >         idmap gid = 10000-20000
> > #end winbind configuration----->
> >    security = domain 
> >    password server = PDC BDC
> >    password level = 8
> >    username level = 8
> > 
> > [Shared]
> >  available = yes
> >  browseable = yes
> >  comment = 
> >  path = /netarray/shares/Shared
> >  public = no
> >  writable = yes
> >  valid users = @"Domain Users" @"Domain Admins" @"Global ITS" @d_users @d_admins @g_its
> >  invalid users = internet1 internet2 hrtest
> > 
> > 
> > 
> >   

