[Samba] "id" and "id username" don't match up when using Winbind groups

Gerald (Jerry) Carter jerry at samba.org
Fri Jun 10 18:15:32 GMT 2005

Hash: SHA1

Graeme Humphries wrote:
| On Fri, 2005-06-10 at 12:54 -0500, Gerald (Jerry) Carter wrote:
|>Try this as root:  wbinfo -a 'domain\user%pw'
|>(filling in the approriate username and password.
|>Then su - 'domain\username' and run id.
| I'm using '+' as a delimiter, but in any case:
| # wbinfo -a 'DOMAIN+graemehu%password'
| plaintext password authentication succeeded
| challenge/response password authentication succeeded
| root at oberon:~ # su - 'DOMAIN+graemehu'
| graemehu at oberon:~$ id
| uid=10670(graemehu) gid=10047(maingroup)
| groups=10011(the_group_that_never_showed_up)
| Yay! And, connecting to the share controlled by that
| group, I can now get into it! HOORAY!
| So, my next question is, how do I force this to happen
| on a global level for all users, say, every 5 minutes. ;)

are you using security = domain or ads ?  If the latter
then stop winbindd and remove $(lockdir)/netsamlogon_cache.tdb.
If the former, then the cache should be updated every time
the user's logs in.

In technical terms, the cache is a copy of the NET_USER_INFO_3
structure in the samlogin() reply (used for NTLM authenication).
You're not the first one to be bitten by this.  It was more
useful in Samba 2.2.x installations.  We'll definitely fix
this somehow before the next stable release.

cheers, jerry
Version: GnuPG v1.4.0 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org


More information about the samba mailing list