[Samba] Does Samba/Winbind not follow nested groups in AD?!?

Aaron Kincer kincera at gmail.com
Thu Dec 7 23:42:30 GMT 2006


I had some problems with authentication on a Red Hat server due to corrupted
.tdb files in /var/cache/samba and fixed it by deleting them. You could give
it a shot by stopping Samba and Winbind, backing up those files to be safe,
deleting them, and restarting Samba and Winbind.

If that doesn't work, I suspect there is a problem with your AD forest. All
the pieces should be there for you.

On 12/7/06, James A. Dinkel <jdinkel at bucoks.com> wrote:
>
> Well, I think I'm giving up.  I've tried following that guide.  I've
> tried replacing my smb.conf to look just like yours.  I've tried a bunch
> of other things that I thought might do something.
>
> For the life of me, I can not get nested groups to work on this server.
>
> James Dinkel
>
> > -----Original Message-----
> > From: Aaron Kincer
> >
> > James,
> >
> > You are correct--I don't have winbind nested groups = yes set in my
> > smb.conf. Yes, default 3.0.22. I followed the Ubuntu configuration
> > instructions to the letter found in the Ubuntu forums that I've posted
> > before with only the changes you've seen in my smb.conf. Here is the
> > link to the forum post:
> >
> > http://ubuntuforums.org/archive/index.php/t-91510.html
> >
> > If you have a machine you can throw together as a test machine, fire it
> > up as a stock install and follow these instructions to the letter (if
> > you didn't on your production box) and see if you have any success.
> >
> > Here's where the rubber meets the road. If your test machine correctly
> > nests permissions, then there is something wrong with your production
> > config. If it doesn't, then you have something going on in Active
> > Directory.
> >
> > One more thing--I'm using POSIX ACLs for permissions. Are you?
> >
> > James A. Dinkel wrote:
> > >> -----Original Message-----
> > >> From: Matt Skerritt
> > >>
> > >> There is an option in smb.conf called "winbind nested groups" ... and
> > >> the help text from swat says:
> > >>
> > >> "winbind nested groups (G)
> > >>
> > >>      If set to yes, this parameter activates the support for nested
> > >> groups. Nested groups are also called local groups or aliases. They
> > >> work like their counterparts in Windows: Nested groups are defined
> > >> locally on any machine (they are shared between DC's through their
> > >> SAM) and can contain users and global groups from any trusted SAM. To
> > >> be able to use nested groups, you need to run nss_winbind.
> > >>
> > >>      Please note that per 3.0.3 this is a new feature, so handle with
> > >> care.
> > >>
> > >>      Default: winbind nested groups = no"
> > >>
> > >> So I'm guessing that you want to set winbind nested groups = yes in
> > >> your smb.conf.
> > >>
> > >> --
> > >> Matt Skerritt
> > >> matt.skerritt at agrav.net
> > >>
> > >
> > > I've put the "winbind nested groups = yes" in the global section of my
> > > samba.conf.  (Sorry, I did go over the swat help text, I must have
> > > missed this).  I went ahead and rebooted the server and tried it again,
> > > but it's still a no-go.
> > >
> > > Aaron, in the smb.conf you showed me, you did not have "winbind nested
> > > groups = yes" ?!?  I don't remember if you've told me, but are you using
> > > the default Samba 3.0.22 that comes with Ubuntu 6.06?
> > >
> > > Could there be something wrong with my Winbind setup?  Something that
> > > has to do with nss_winbind maybe?  Is there any way I can test this from
> > > the Samba server, using wbinfo maybe?
> > >
> > >
>
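
The backup-then-delete step suggested at the top of this reply, as an added shell example that is not part of the original thread. The function name `clear_tdb_cache` and the backup path in the usage comment are assumptions; stop Samba and Winbind before calling it and restart them afterwards, since service names vary by distribution.

```shell
#!/bin/sh
# Added example (not from the thread): back up and clear *.tdb files.
# Assumption: Samba and Winbind are already stopped by the operator.
#
# Usage (backup path is a hypothetical choice):
#   clear_tdb_cache /var/cache/samba /root/samba-tdb-backup

# clear_tdb_cache CACHE_DIR BACKUP_DIR
# Copies every *.tdb in CACHE_DIR to BACKUP_DIR, verifies each copy byte for
# byte, and deletes the originals only after every copy has verified.
# Prints the number of files cleared. Other files in CACHE_DIR are untouched.
clear_tdb_cache() {
    cache_dir=$1
    backup_dir=$2

    [ -d "$cache_dir" ] || { echo "no such directory: $cache_dir" >&2; return 2; }
    mkdir -p "$backup_dir" || return 2
    # Cache databases can hold account data, so keep the backup private.
    chmod 700 "$backup_dir" || return 2

    count=0
    # Pass 1: copy and verify everything before deleting anything, so a
    # failed copy never leaves the cache half-deleted.
    for f in "$cache_dir"/*.tdb; do
        [ -f "$f" ] || continue        # glob matched nothing
        cp -p "$f" "$backup_dir/" || return 1
        if ! cmp -s "$f" "$backup_dir/$(basename "$f")"; then
            echo "backup mismatch, nothing deleted: $f" >&2
            return 1
        fi
        count=$((count + 1))
    done

    # Pass 2: remove the originals now that every backup is verified.
    for f in "$cache_dir"/*.tdb; do
        [ -f "$f" ] || continue
        rm -f -- "$f" || return 1
    done

    echo "$count"
}
```

If the problem persists after the restart, the verified copies in the backup directory can be put back with the services stopped again.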

