[Samba] Does Samba/Winbind not follow nested groups in AD?!?

Aaron Kincer kincera at gmail.com
Fri Dec 8 16:50:55 GMT 2006


Native mode, global groups.

Try the test server with a stock installation and adding ACLs and 
extended DOS attributes. If you do not have success with that, I can 
only conclude there is corruption in your AD forest. That isn't unheard 
of by the way.

If you upgraded from mixed mode to native mode, I'd wager a good chance 
that your corruption started there.

James A. Dinkel wrote:
>
> The tdb thing didn’t work. Are you running your Win 2000 domain in 
> mixed-mode or native-mode? (ours is native mode, so I’m wondering if 
> that is a problem for samba). Also what is the scope on your groups, 
> we have “global” for the scope on all our groups.
>
> **James Dinkel**
>
> Network Engineer
>
> Butler County of Kansas
>
> //There are 10 types of people in the world: those who understand 
> binary, and those who don't.//
>
> ------------------------------------------------------------------------
>
> *From:* Aaron Kincer [mailto:kincera at gmail.com]
> *Sent:* Thursday, December 07, 2006 5:43 PM
> *To:* James A. Dinkel
> *Cc:* samba at lists.samba.org
> *Subject:* Re: [Samba] Does Samba/Winbind not follow nested groups in 
> AD?!?
>
> I had some problems with authentication on a Red Hat server due to 
> corrupted .tdb files in /var/cache/samba and fixed it by deleting 
> them. You could give it a shot by stopping Samba and Winbind, backing 
> up those files to be safe, deleting them and restarting Samba and Winbind.
>
> If that doesn't work, I suspect there is a problem with your AD 
> forest. All the pieces should be there for you.
>
> On 12/7/06, James A. Dinkel <jdinkel at bucoks.com> wrote:
>
> Well, I think I'm giving up. I've tried following that guide. I've
> tried replacing my smb.conf to look just like yours. I've tried a bunch
> of other things that I thought might do something.
>
> For the life of me, I can not get nested groups to work on this server.
>
> James Dinkel
>
> > -----Original Message-----
> > From: Aaron Kincer
> >
> > James,
> >
> > You are correct--I don't have winbind nested groups = yes set in my
> > smb.conf. Yes, default 3.0.22. I followed the Ubuntu configuration
> > instructions to the letter found in the Ubuntu forums that I've posted
> > before with only the changes you've seen in my smb.conf. Here is the
> > link to the forum post:
> >
> > http://ubuntuforums.org/archive/index.php/t-91510.html
> >
> > If you have a machine you can throw together as a test machine, fire it
> > up as a stock install and follow these instructions to the letter (if
> > you didn't on your production box) and see if you have any success.
> >
> > Here's where the rubber meets the road. If your test machine correctly
> > nests permissions, then there is something wrong with your production
> > config. If it doesn't, then you have something going on in Active
> > Directory.
> >
> > One more thing--I'm using POSIX ACLs for permissions. Are you?
> >
> > James A. Dinkel wrote:
> > >> -----Original Message-----
> > >> From: Matt Skerritt
> > >>
> > >> There is an option in smb.conf called "winbind nested groups" ... and
> > >> the help text from swat says:
> > >>
> > >> "winbind nested groups (G)
> > >>
> > >> If set to yes, this parameter activates the support for nested
> > >> groups. Nested groups are also called local groups or aliases. They
> > >> work like their counterparts in Windows: Nested groups are defined
> > >> locally on any machine (they are shared between DC's through their
> > >> SAM) and can contain users and global groups from any trusted SAM. To
> > >> be able to use nested groups, you need to run nss_winbind.
> > >>
> > >> Please note that per 3.0.3 this is a new feature, so handle with
> > >> care.
> > >>
> > >> Default: winbind nested groups = no"
> > >>
> > >> So I'm guessing that you want to set winbind nested groups = yes in
> > >> your smb.conf.
> > >>
> > >> --
> > >> Matt Skerritt
> > >> matt.skerritt at agrav.net
> > >>
> > >
> > > I've put the "winbind nested groups = yes" in the global section of my
> > > samba.conf. (Sorry, I did go over the swat help text, I must have
> > > missed this). I went ahead and rebooted the server and tried it again,
> > > but it's still a no-go.
> > >
> > > Aaron, in the smb.conf you showed me, you did not have "winbind nested
> > > groups = yes" ?!? I don't remember if you've told me, but are you using
> > > the default Samba 3.0.22 that comes with Ubuntu 6.06?
> > >
> > > Could there be something wrong with my Winbind setup? Something that
> > > has to do with nss_winbind maybe? Is there any way I can test this from
> > > the Samba server, using wbinfo maybe?
> > >
> > >
>
>
>
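
The cache reset suggested in the thread (stop Samba and Winbind, back up the .tdb files in /var/cache/samba, delete them, restart), sketched as an added example that is not part of the original messages. Stopping and restarting the daemons is left to the operator because init script names vary; the function names and the backup location are hypothetical.

```shell
#!/bin/sh
# Added example, not from the thread. Function names and the backup
# location are hypothetical; the cache path is the one named above.

# Return 0 if any Samba daemon is still running (unsafe to touch the cache).
daemons_running() {
    for d in smbd nmbd winbindd; do
        if pgrep -x "$d" >/dev/null 2>&1; then
            return 0
        fi
    done
    return 1
}

# Copy every *.tdb in $1 to $2, verify each copy, then delete the original.
# Prints the number of files cleared; on a non-zero status nothing further
# was deleted after the failing file.
backup_and_clear_tdb() {
    cache_dir=$1
    backup_dir=$2
    [ -d "$cache_dir" ] || { echo "no such directory: $cache_dir" >&2; return 2; }
    mkdir -p "$backup_dir" || return 2
    chmod 700 "$backup_dir" || return 2    # keep the backup root-only
    count=0
    for f in "$cache_dir"/*.tdb; do
        [ -f "$f" ] || continue            # glob matched nothing
        copy="$backup_dir/$(basename "$f")"
        cp -p "$f" "$copy" || return 3
        cmp -s "$f" "$copy" || return 3    # never delete an unverified file
        rm -f "$f" || return 3
        count=$((count + 1))
    done
    echo "$count"
}

# Run only when asked, e.g.: sh reset-tdb.sh --run
if [ "${1:-}" = "--run" ]; then
    if daemons_running; then
        echo "stop Samba and Winbind first" >&2
        exit 1
    fi
    backup_and_clear_tdb /var/cache/samba "/root/samba-tdb-backup.$(date +%Y%m%d%H%M%S)"
fi
```

To roll back, stop the daemons again and copy the saved files back into the cache directory before restarting.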


