[Samba] RE: wbinfo - Missing Domain Groups

Ryan Frantz RyanFrantz at informed-llc.com
Tue Jun 22 20:17:34 GMT 2004


In delving deeper into my problem, I have found one common denominator
in all of the domain groups that are not presented when I run 'wbinfo
-g'.  Each of them is set up with a Global Scope of 'Domain Local'.  The
other options available for this configuration setting are 'Global'
(these groups show up!), and 'Universal' (don't have any of these).

I don't know much about this setting.  Any MCSEs out there that do?

I could recreate those groups, but I'm worried that it may impact my
current protections since a new SID will be created.

Anybody have any ideas?  Can winbind be configured to see these types of
groups as well?

See my original post below for more information.

TIA,

ry

-----Original Message-----
From: Ryan Frantz 
Sent: Thursday, June 17, 2004 6:26 PM
To: 'samba at lists.samba.org'
Subject: wbinfo - Missing Domain Groups

Has anybody found that the 'wbinfo' command does not list all groups in
a Windows domain?

Here's what's in my playground:

Windows 2000 Server SP4 PDC

RH 9 (2.4.20-6)
OpenSSL 3.8p1
MIT Kerberos 1.3.3
Samba 3.0.4

--begin 'smb.conf' snip-

   winbind separator = .
   idmap uid = 10000-20000
   idmap gid = 10000-20000
   winbind enum users = yes
   winbind enum groups = yes

   security = ads

   password server = *

;   passdb backend = tdbsam

--end 'smb.conf' snip-

As you can see, I have Samba (winbind, really) configured to enumerate
users and groups.  However, when I run 'wbinfo -g' the output does not
show all of my Windows groups.  Neither does 'getent group'.  I'm
looking for something in the Windows/domain configuration but haven't
found anything yet.

This is hindering me from deploying a Samba file server as some of those
'missing' groups own sensitive directories on our aging (Windows) file
server.

Anyone have any ideas?

ry

