[Samba] Samba 3.0.8 on Solaris with AD group

Mark Clarkson Mark.Clarkson at ff.com
Sat Nov 20 00:53:26 GMT 2004

I have the following configuration:

Solaris 9 (patch 112960-10 applied)
Samba 3.0.8 (configure --with-ads --with-pam --with-winbind)
MIT Kerberos 1.3.5 (configure --enable-dns --enable-dns-for-kdc
--enable-dns-for-realm --without-tcl)

I am using Samba to share files to our Windows users via a Samba share,
security = ads.  All the shares work just fine.

Here is the relevant section of my smb.conf file:

            workgroup = FFFC
            realm = FFFC.COM
            server string = Fileshare
            security = ads
            password server = *
            log level = 2
            log file = /var/log/samba/%m.log
            min protocol = NT1
            time server = Yes
            change notify timeout = 300
            deadtime = 7
            socket options = TCP_NODELAY SO_RCVBUF=8192 IPTOS_LOWDELAY
            load printers = No
            os level = 99
            domain master = No
            ldap ssl = no
            idmap uid = 50000-59999
            idmap gid = 50000-59999
            winbind separator = +
            winbind cache time = 10
            winbind nested groups = Yes
            hide unreadable = Yes
            delete veto files = Yes
            inherit acls = Yes
            inherit permissions = Yes
            wins server =
            use spnego = Yes

            comment = Test share
            path = /export/smbfiles/exlist
            create mask = 0777
            directory mask = 0777
            security mask = 0777
            force group = root
            force user = root
            writeable = Yes
            read only = No
            valid users = FFFC+Citrix_Base
            write list = FFFC+Citrix_Base
            veto files =
            hide files = /Thumbs.db/.*/
            dos filetimes = Yes

The problem that I am having is that some groups can not be accessed by a
`getent group` command.

I can see the group with wbinfo:

  $ wbinfo -g | grep FFFC+Citrix_Base

  $ wbinfo -n FFFC+Citrix_Base
  S-1-5-21-393102617-441343358-1233803906-9715 Domain Group (2)

  $ wbinfo -Y S-1-5-21-393102617-441343358-1233803906-9715

  $ wbinfo -G 50308

As you can clearly see, FFFC+Citric_Base is a valid Active Directory group.
But when I use `getent`, I get different numbers of groups:

  $ wbinfo -g | wc -l
  $ getent group | awk -F: '{print $1}'|wc -l

Also, when I try to view the group with a `getent` command, winbindd seems
to hang.  

  $ getent group FFFC+Citrix_Base

I left it for three hours and it still did not return the group.

The group FFFC+Citrix_Base contains a lot of users (more than 500 for sure,
possibly more than 1000).

This is preventing me from using FFFC+Citrix_Base as a way to control access
to this share.

Does anyone have any insight or better yet, a solution to this problem?

I see that 3.0.9 has just been released.  I may try that but looking at the
release notes, it does not appear that this problem is addressed by 3.0.9.

Thank you in advance.


More information about the samba mailing list