[Samba] Group permissions and recursion

Volker Lendecke Volker.Lendecke at SerNet.DE
Wed Jun 28 17:38:59 GMT 2006


On Tue, Jun 27, 2006 at 05:45:08PM -0700, Rob Tanner wrote:
> So, at this point, I'm not sure how to go about starting to debug why 
> winbind isn't showing my membership in the 'CATNET\adm' group as well. 
> I've followed the procedures in the official HOWTO, but if there's 
> something I missed that would cause just this particular problem, do you 
> know what that might be?

Using something like 'getent group | grep <whatever>' is
unreliable and will always be.

However, we are trying to get you access via SMB or after
having logged in via pam_winbind even on heavily nested
group memberships. It might be true that we are not there
yet, but it is achievable.

This getent group thing does not work reliably; there are
just too many games you can play with group membership in AD.
There is one thing that should *always* work however: When
presenting the correct username and password to a domain
controller, it's this DC's task to untangle the group
memberships for us and present the correct group list in the
reply to the query whether user Joe has typed in his
password correctly. This is a completely different query
from listing the groups and figuring out the memberships
yourself.

It might be possible that we don't yet make proper use of
the information the DC has figured out for us. If you have a
case where it fails against 3.0.23rc3, please file a bug
report at https://bugzilla.samba.org/ with debug level 10
logs of smbd and winbind. I know that there already is one
with a similar problem, I just did not yet get around to
really walking through that stuff.

Volker
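
An added example, not part of the original mail: a shell check that contrasts the two views discussed above, the groups found by scanning `getent group` output versus the group list a logged-in session actually carries. The sample data, the nested membership of `rob` in `CATNET\adm`, and the function names are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample in `getent group` format (name:passwd:gid:members).
# Enumeration lists direct members only; assume 'rob' reaches CATNET\adm
# through a nested group, so his name never appears on that line.
SAMPLE_ENUM='CATNET\domain users:x:10000:rob,joe
CATNET\staff:x:10001:rob
CATNET\adm:x:10002:joe'

# Constructed sample of the groups the session received at logon,
# one per line (the list the DC resolved during authentication).
SAMPLE_SESSION='CATNET\domain users
CATNET\staff
CATNET\adm'

# What `getent group | grep user` approximates, done with an exact match
# on the member field. Enumeration text on stdin, user name in $1.
# ENVIRON is used instead of `awk -v` so backslashes in names stay literal.
enum_groups_for() {
    WANT="$1" awk -F: '
        { n = split($4, m, ",")
          for (i = 1; i <= n; i++)
              if (m[i] == ENVIRON["WANT"]) { print $1; break } }' | LC_ALL=C sort
}

# Groups present in the session list ($2, one per line) that scanning the
# enumeration on stdin would never attribute to the user ($1).
hidden_groups() {
    WANT="$1" SESSION="$2" awk -F: '
        { n = split($4, m, ",")
          for (i = 1; i <= n; i++)
              if (m[i] == ENVIRON["WANT"]) seen[$1] = 1 }
        END { n = split(ENVIRON["SESSION"], g, "\n")
              for (i = 1; i <= n; i++)
                  if (g[i] != "" && !(g[i] in seen)) print g[i] }'
}

# Demo on the constructed data (printf, not echo, keeps "\a" literal).
printf '%s\n' "$SAMPLE_ENUM" | hidden_groups rob "$SAMPLE_SESSION"

# On a live host, inside the session opened via pam_winbind
# (-z is a GNU coreutils option):
#   getent group | hidden_groups "$(id -un)" "$(id -Gnz | tr '\0' '\n')"
```

Any group this prints is one the session holds but that a grep over the enumeration would have missed.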