[Samba] Samba 3.0.8 on Solaris with AD group
Mark Clarkson
Mark.Clarkson at ff.com
Sat Nov 20 00:53:26 GMT 2004
I have the following configuration:
Solaris 9 (patch 112960-10 applied)
Samba 3.0.8 (configure --with-ads --with-pam --with-winbind)
MIT Kerberos 1.3.5 (configure --enable-dns --enable-dns-for-kdc --enable-dns-for-realm --without-tcl)
I am using Samba to share files to our Windows users via a Samba share,
security = ads. All the shares work just fine.
Here is the relevant section of my smb.conf file:
[global]
workgroup = FFFC
realm = FFFC.COM
server string = Fileshare
security = ads
password server = *
log level = 2
log file = /var/log/samba/%m.log
min protocol = NT1
time server = Yes
change notify timeout = 300
deadtime = 7
socket options = TCP_NODELAY SO_RCVBUF=8192 IPTOS_LOWDELAY SO_RCVBUF=8192 SO_SNDBUF=8192
load printers = No
os level = 99
domain master = No
ldap ssl = no
idmap uid = 50000-59999
idmap gid = 50000-59999
winbind separator = +
winbind cache time = 10
winbind nested groups = Yes
hide unreadable = Yes
delete veto files = Yes
inherit acls = Yes
inherit permissions = Yes
wins server = 10.1.240.90 10.1.240.91
use spnego = Yes
[exlist$]
comment = Test share
path = /export/smbfiles/exlist
create mask = 0777
directory mask = 0777
security mask = 0777
force group = root
force user = root
writeable = Yes
read only = No
valid users = FFFC+Citrix_Base
write list = FFFC+Citrix_Base
veto files = /*.?pg/*.avi/favicon.ico/robots.txt/.htaccess/*.wm*/.rhosts/*.rm/*.mp?/*.asf/*.wav/*.?peg/*.midi/*.aif*/*.au/*.as?/*.wpl/
hide files = /Thumbs.db/.*/
dos filetimes = Yes
The problem that I am having is that some groups cannot be accessed by a
`getent group` command.
I can see the group with wbinfo:
$ wbinfo -g | grep FFFC+Citrix_Base
FFFC+Citrix_Base
$ wbinfo -n FFFC+Citrix_Base
S-1-5-21-393102617-441343358-1233803906-9715 Domain Group (2)
$ wbinfo -Y S-1-5-21-393102617-441343358-1233803906-9715
50308
$ wbinfo -G 50308
S-1-5-21-393102617-441343358-1233803906-9715
As you can clearly see, FFFC+Citrix_Base is a valid Active Directory group.
But when I use `getent`, I get different numbers of groups:
$ wbinfo -g | wc -l
327
$ getent group | awk -F: '{print $1}'|wc -l
315
Also, when I try to view the group with a `getent` command, winbindd seems
to hang.
$ getent group FFFC+Citrix_Base
I left it for three hours and it still did not return the group.
The group FFFC+Citrix_Base contains a lot of users (more than 500 for sure,
possibly more than 1000).
This is preventing me from using FFFC+Citrix_Base as a way to control access
to this share.
Does anyone have any insight or, better yet, a solution to this problem?
I see that 3.0.9 has just been released. I may try that, but looking at the
release notes, it does not appear that this problem is addressed by 3.0.9.
Thank you in advance.
Mark.
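
Added example, not part of the original post: a shell sketch that lists which groups `wbinfo -g` enumerates but `getent group` does not return, and probes a single group under a watchdog so a lookup that never returns cannot stall the check. The function names, the `LOOKUP` override and the sample groups other than FFFC+Citrix_Base are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the original post). Function names and LOOKUP are
# hypothetical; `wbinfo -g` and `getent group` are the commands from the post.

# Print groups listed by `wbinfo -g` (file $1, one name per line) that are
# absent from `getent group` output (file $2, name:passwd:gid:members).
missing_from_nss() {
    awk -F: 'FILENAME == ARGV[1] { seen[$1] = 1; next }
             $0 != "" && !($0 in seen) { print }' "$2" "$1" | sort
}

# Look up one group with a watchdog, so a lookup that hangs is killed
# after $2 seconds instead of blocking the run.
# Returns 0 = resolved, 1 = lookup failed, 124 = killed by the watchdog.
probe_group() {
    name=$1
    limit=${2:-10}
    ${LOOKUP:-getent group} "$name" >/dev/null 2>&1 &
    pid=$!
    ( sleep "$limit"; kill "$pid" ) >/dev/null 2>&1 &
    dog=$!
    wait "$pid" && rc=0 || rc=$?
    kill "$dog" 2>/dev/null || true
    wait "$dog" 2>/dev/null || true
    if [ "$rc" -gt 128 ]; then return 124; fi   # ended by a signal
    [ "$rc" -eq 0 ] || return 1
    return 0
}

# Constructed sample data standing in for saved command output:
#   wbinfo -g > wb ; getent group > nss
demo() {
    tmp=$(mktemp -d)
    printf '%s\n' 'FFFC+Citrix_Base' 'FFFC+Domain Users' 'FFFC+Helpdesk' \
        > "$tmp/wb"
    printf '%s\n' 'root::0:' 'FFFC+Domain Users:x:50001:' \
        'FFFC+Helpdesk:x:50002:FFFC+alice' > "$tmp/nss"
    missing_from_nss "$tmp/wb" "$tmp/nss"
    rm -rf "$tmp"
}

demo   # prints FFFC+Citrix_Base
```

On a live host, feed `missing_from_nss` the saved output of the two commands and pass each reported name to `probe_group` to separate groups that fail quickly from groups whose lookup hangs.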