[Samba] Winbind problem w/ ADS domain local group and other-domain members

Don Meyer dlmeyer at uiuc.edu
Tue Feb 14 04:12:46 GMT 2006


This one is probably going off into the esoteric side of things, but 
Samba/winbind doesn't seem to be working quite as expected in one 
particular area -- domain local groups having members from other 
trusted domains.   I've searched extensively (google and 
elsewhere...), and have found little/no mention of this particular 
problem:  "domain local group" members from other trusted domains are 
not showing up in group lists as enumerated via winbind.   Yet group 
members from the same domain as the domain local group are 
enumerated/listed properly.


In a rather complex ADS arrangement (described below), I have several 
RHEL4 systems with Samba/Winbind installed and 
configured.  Everything appears to be working properly thus far: 
users & groups from the default domain are properly enumerated and 
resource permissions are mapping correctly.  Users and groups from 
2-way trusted domains are also enumerated.   (This was evaluated with 
"wbinfo -u|g" & "getent passwd|group".)

The domain structure & relationships are a bit hairy though, and need 
to be spelled out:
         Three independent ADS domains in separate forests:    "A","B","C"
                 "A" & "B" have an established 2-way trust.
                 "A" has a 1-way trust: trusting "C"
         There is also a single NT4 domain:   "Z"
                 "A" & "Z" have an established 2-way trust.

For simplicity, we will only deal with "A" & "B" here.  The RHEL4 
systems are member servers in domain "A".  This is tested under Samba 
versions 3.0.10-1.4E2 & 3.0.21b-3.

I can see groups from domain "B" just fine in the output, and their 
membership of users from domain "B" -- these should be the 
global|universal groups from domain "B".

Also, both "A\g-wiz" and "B\j-bogus" show up properly in output from:
         wbinfo -u
         getent passwd


The PROBLEM:

There are domain local groups defined in "A" that have members from 
these other domains.   (E.g. domain local group "A\dl_grp" is defined 
on the Win2K3 DCs as consisting of two users: "A\g-wiz" and "B\j-bogus".)

On the Linux systems, the command:
         getent group
           shows a group membership for "A\dl_grp" of only one user: 
"A\g-wiz".


Now, when I run the command:
         net rpc group members dl_grp -S "A" -U:A\\admin%passwd

I receive the full and proper list of users:
         A\g-wiz
         B\j-bogus


Furthermore, testing user account group membership:
         net ads user info g-wiz -S "A" -U:admin%passwd
            yields the single response:
         "dl_grp"

         net ads user info A\\g-wiz -S "A" -U:admin%passwd
            yields an empty list.

         net ads user info B\\j-bogus -S "A" -U:admin%passwd
            yields an empty list.


Now, to get more interesting:
         net rpc user info g-wiz -S "A" -U:admin%passwd
            yields the more complete response:
         "dl_grp"
         "Domain Users"

**NOTE the difference between "ads" & "rpc" methods...**

As above with ads, both of the following commands:
         net rpc user info A\\g-wiz -S "A" -U:admin%passwd
         net rpc user info B\\j-bogus -S "A" -U:admin%passwd
    ... still yield an empty list.



When I test group membership from a Windows-based member server, we 
get the proper list of both "A\g-wiz" & "B\j-bogus".

I have tested these scenarios under both versions of Samba mentioned 
above, as well as with the option "winbind use default domain" both 
yes & no.   I've tested independently with the "winbind separator" 
set to "\\" and to "/".   Results were identical under all variations tested.


My suspicion is that winbind is somehow limiting its enumeration of 
group membership to users from the same domain to which the group 
belongs.    I believe this to be incorrect behavior, given that a 
Windows server reports the full list, and that at least one command 
on the Linux system can properly obtain the full list from the W2K3 
DCs.   (That said, I remain open to the thought that it might be a 
misconfiguration on my part - despite the apparent normal operation 
of all other aspects on the Linux/Samba system.)

I am more than willing to work in- or out-of-band to try to narrow 
down the problem/answer questions/test patches/etc.





smb.conf (testparm output) follows:
--------------------------------------------------------------------------------------------
[global]
         workgroup = ACES
         realm = COLLEGE.ACESNET.UIUC.EDU
         netbios name = X-ACES-LBE-2
         server string = %L (Samba v%v)
         security = ADS
         password server = college.acesnet.uiuc.edu
         username map = /etc/samba/smbusers
         log file = /var/log/samba/%m.log
         max log size = 50
         name resolve order = host lmhosts wins bcast
         deadtime = 15
         socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
         local master = No
         dns proxy = No
         wins server = 128.###.#.#0, 128.###.#.#1
         idmap uid = 10000-100000000
         idmap gid = 10000-100000000
         template homedir = /home/gaol
         winbind separator = \
         winbind cache time = 10
         hosts allow = 127., 128.###.###.0/255.255.254.0, 128.###.###.0/255.255.254.0, 130.###., 128.###.##.
         case sensitive = No
#       include = /etc/samba/smb.conf.lbe-2

[dev-W]
         path = /export/dev/W
         valid users = "@ITCS CSS Team", "@Domain Admins", IUSR_ACESWEB
         admin users = "@Domain Admins"
         read only = No
         create mask = 0664
         directory mask = 02770
         inherit permissions = Yes
         veto oplock files = /*.TTF/*.XLS/*.DOC/

[prod-W]
         path = /export/prod/W
         valid users = "@ITCS CSS Team", "@Domain Admins", IUSR_ACESWEB
         admin users = "@Domain Admins"
         read only = No
         create mask = 0664
         directory mask = 02770
         inherit permissions = Yes
         veto oplock files = /*.TTF/*.XLS/*.DOC/

[tmp]
         comment = Temporary file space
         path = /tmp
         valid users = "@ITCS CSS Team", "@Domain Admins"
         admin users = "@Domain Admins"
         read only = No
         create mask = 0664
         directory mask = 02770
         dos filetime resolution = Yes
--------------------------------------------------------------------------------------------


Don Meyer                                           <dlmeyer at uiuc.edu>
Network Manager, ACES Academic Computing Facility
Technical System Manager, ACES TeleNet System
UIUC College of ACES, Information Technology and Communication Services

   "They that can give up essential liberty to obtain a little temporary safety,
         deserve neither liberty or safety."     -- Benjamin Franklin, 1759 
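The following script is an added example and is not part of the original post or of Samba itself. It automates the cross-check the post performs by hand: the membership of a domain local group as winbind enumerates it (`getent group`) is compared against what the DC reports over RPC (`net rpc group members`), and any member the DC lists but winbind omits is printed. The discrepancy matters for access control because share restrictions such as `valid users = "@group"` are evaluated from winbind's view of the group, so a silently dropped trusted-domain member produces unexpected deny (or, after an idmap change, unexpected allow) decisions. Assumptions: the winbind separator is `\` as in the post's smb.conf, `net rpc group members` prints one `DOMAIN\user` per line, and the sample data embedded below is constructed to mirror the post's "A\dl_grp" case rather than captured from a real server.

```shell
#!/bin/sh
# Added example, not from the original post: detect members of a domain
# local group that the DC reports but winbind does not enumerate.

# missing_members GETENT_LINE RPC_MEMBERS
#   GETENT_LINE : one line of `getent group` output, e.g. "A\dl_grp:x:10005:A\g-wiz"
#   RPC_MEMBERS : newline-separated `net rpc group members` output
# Prints each member present in RPC_MEMBERS but absent from the getent line.
missing_members() {
    getent_line=$1
    rpc_members=$2
    # The fourth colon-separated field of a group entry is the
    # comma-separated member list; split it one member per line.
    winbind_members=$(printf '%s\n' "$getent_line" | cut -d: -f4 | tr ',' '\n')
    printf '%s\n' "$rpc_members" | while IFS= read -r m; do
        [ -n "$m" ] || continue
        # -F: fixed string (backslashes stay literal), -x: whole line must match
        if ! printf '%s\n' "$winbind_members" | grep -Fxq -- "$m"; then
            printf '%s\n' "$m"
        fi
    done
}

# check_live GROUP DOMAIN CREDENTIALS
#   Runs the two queries on a joined member server and diffs them.
#   CREDENTIALS is passed to `net -U`, e.g. 'admin%passwd' (assumed usage).
check_live() {
    group=$1
    domain=$2
    creds=$3
    line=$(getent group "$domain\\$group")
    rpc=$(net rpc group members "$group" -S "$domain" -U "$creds")
    missing_members "$line" "$rpc"
}

# Constructed sample data mirroring the post: winbind shows only the
# same-domain member, while the DC reports both members.
SAMPLE_GETENT='A\dl_grp:x:10005:A\g-wiz'
SAMPLE_RPC='A\g-wiz
B\j-bogus'

if [ "$#" -ge 3 ]; then
    check_live "$@"
else
    # Offline demonstration on the constructed sample; prints "B\j-bogus".
    missing_members "$SAMPLE_GETENT" "$SAMPLE_RPC"
fi
```

Run it with no arguments to see the constructed case, or as `sh check_group.sh dl_grp A 'admin%passwd'` on a member server to compare live results; an empty result means winbind and the DC agree on the group's membership.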


