[Samba] Problem with Universal Groups
Don Meyer
dlmeyer at uiuc.edu
Thu Mar 2 23:06:02 GMT 2006
Check your winbind group memberships -- I'm willing to bet that your
winbind will only show group membership for users in the same domain
as the group. We are seeing the same misbehavior here. Group
members from other domains are simply not being enumerated by winbind
as a group member (getent group), even though the other-domain user
itself is properly listed (getent passwd).
I tried to report this as a bug, but it was closed/reopened as a
feature request. Discussion was left that I had to prove that the
other-domain user can successfully connect to a resource with
permissions mapped directly to that other-domain user, but fails to
connect to the same resource when permissions are mapped to a domain
local group in the local server's domain that contains the
other-domain user. (I have yet to create this test-case because of
unrelated time-constraints...)
Cheers,
-D
At 02:02 PM 3/2/2006, Trimble, Ronald D wrote:
>Everyone,
> With many thanks to Jerry, my cross domain authentication is now
>working. This leads to a new problem. I cannot get samba to
>authenticate a remote domain user in a Universal group
>properly.
> Here are the details:
>
>USTR-LINUX-1:~ # wbinfo --name-to-sid=NA\\USTR-LINUX-1-REDHAT-READ
>S-1-5-21-725345543-2052111302-527237240-349134 Domain Group (2)
>
>USTR-LINUX-1:~ # wbinfo --name-to-sid=EU\\inblr-auth1
>S-1-5-21-606747145-879983540-1177238915-173280 User (1)
>
>USTR-LINUX-1:~ # wbinfo
>--user-domgroups=S-1-5-21-606747145-879983540-1177238915-173280
>S-1-5-21-606747145-879983540-1177238915-513
>.
>.
>.
>S-1-5-21-606747145-879983540-1177238915-79634
>S-1-5-21-606747145-879983540-1177238915-79966
>S-1-5-21-725345543-2052111302-527237240-349134 **Here is the group!!**
>S-1-5-21-725345543-2052111302-527237240-177738
>S-1-5-21-725345543-2052111302-527237240-349185
>S-1-5-21-725345543-2052111302-527237240-307510
>S-1-5-21-725345543-2052111302-527237240-177742
>S-1-5-21-606747145-879983540-1177238915-90389
>S-1-5-21-606747145-879983540-1177238915-72164
>S-1-5-21-606747145-879983540-1177238915-91149
>S-1-5-21-606747145-879983540-1177238915-70785
>S-1-5-21-606747145-879983540-1177238915-91412
>
>However, when I try to set up a test web page to
> require group "NA\USTR-LINUX-1-REDHAT-READ"
>
>And then attempt to access the page, I get the following error:
>[error] [client 192.63.xxx.xxx] GROUP: EU\\inblr-auth1 not in required
>group(s).
>
>Does anyone else have something like this working? What am I doing
>wrong?
>
>Thanks,
>Ron
>
>--
>To unsubscribe from this list go to the following URL and read the
>instructions: https://lists.samba.org/mailman/listinfo/samba
Don Meyer <dlmeyer at uiuc.edu>
Network Manager, ACES Academic Computing Facility
Technical System Manager, ACES TeleNet System
UIUC College of ACES, Information Technology and Communication Services
"They that can give up essential liberty to obtain a little temporary safety,
deserve neither liberty or safety." -- Benjamin Franklin, 1759
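The comparison Don suggests above, written out as an added shell example (not code from the thread or from the Samba project): for a given user and group it asks two questions, "does the user's SID token from wbinfo --user-domgroups contain the group's SID?" and "does the NSS view from getent group list the user as a member?", and reports how the two answers line up. The case Ron posted, where the group SID is in the token but the user is absent from getent's member list, comes out as "token-only", which is exactly what a check that resolves membership through NSS (as Don suspects the require group check does) would refuse. The name_to_sid, user_token_sids and getent_group functions are stand-ins holding constructed sample data modelled on the SIDs in the thread (the NA\alice account, its SID and the unrelated group are invented for the example); on a live host you would replace their bodies with the real wbinfo and getent calls named in each comment.

```shell
#!/bin/sh
# Added example, not from the thread. All data below is constructed; the
# three "stand-in" functions mark where real wbinfo(1)/getent(1) calls go.
# printf is used instead of echo because dash's echo would mangle the
# backslashes in DOMAIN\name strings.

# Stand-in for: wbinfo --name-to-sid="$1"
name_to_sid() {
    case "$1" in
        'EU\inblr-auth1')              printf '%s\n' 'S-1-5-21-606747145-879983540-1177238915-173280' ;;
        'NA\alice')                    printf '%s\n' 'S-1-5-21-725345543-2052111302-527237240-400001' ;;  # constructed
        'NA\USTR-LINUX-1-REDHAT-READ') printf '%s\n' 'S-1-5-21-725345543-2052111302-527237240-349134' ;;
        'NA\ustr-unrelated-group')     printf '%s\n' 'S-1-5-21-725345543-2052111302-527237240-999999' ;;  # constructed
        *) return 1 ;;
    esac
}

# Stand-in for: wbinfo --user-domgroups="$1"   (the user's SID token)
user_token_sids() {
    case "$1" in
        S-1-5-21-606747145-879983540-1177238915-173280)   # EU\inblr-auth1, as in the thread
            printf '%s\n' \
                'S-1-5-21-606747145-879983540-1177238915-513' \
                'S-1-5-21-725345543-2052111302-527237240-349134' \
                'S-1-5-21-725345543-2052111302-527237240-177738' ;;
        S-1-5-21-725345543-2052111302-527237240-400001)   # NA\alice, constructed same-domain user
            printf '%s\n' \
                'S-1-5-21-725345543-2052111302-527237240-513' \
                'S-1-5-21-725345543-2052111302-527237240-349134' ;;
        *) return 1 ;;
    esac
}

# Stand-in for: getent group "$1"
# The cross-domain user EU\inblr-auth1 is deliberately missing from the
# member list: that is the winbind behaviour the thread describes.
getent_group() {
    case "$1" in
        'NA\USTR-LINUX-1-REDHAT-READ') printf '%s\n' 'NA\USTR-LINUX-1-REDHAT-READ:x:10349:NA\alice,NA\bob' ;;
        'NA\ustr-unrelated-group')     printf '%s\n' 'NA\ustr-unrelated-group:x:10999:NA\carol' ;;
        *) return 1 ;;
    esac
}

# What winbind knows: is the group's SID in the user's token?
token_has_group() {
    user_sid=$(name_to_sid "$1") || return 1
    group_sid=$(name_to_sid "$2") || return 1
    user_token_sids "$user_sid" | grep -Fqx "$group_sid"
}

# What NSS reports: does the group's member list name the user?
nss_has_member() {
    line=$(getent_group "$2") || return 1
    members=${line##*:}
    printf '%s\n' "$members" | tr ',' '\n' | grep -Fqx "$1"
}

# Prints one of: both | token-only | nss-only | none
# "token-only" is the symptom from the thread: the SID token carries the
# group, but an NSS-based membership check will still reject the user.
classify_membership() {
    t=0; n=0
    token_has_group "$1" "$2" && t=1
    nss_has_member "$1" "$2" && n=1
    case "$t$n" in
        11) printf '%s\n' both ;;
        10) printf '%s\n' token-only ;;
        01) printf '%s\n' nss-only ;;
        *)  printf '%s\n' none ;;
    esac
}

classify_membership 'EU\inblr-auth1' 'NA\USTR-LINUX-1-REDHAT-READ'   # token-only
classify_membership 'NA\alice'       'NA\USTR-LINUX-1-REDHAT-READ'   # both
classify_membership 'EU\inblr-auth1' 'NA\ustr-unrelated-group'       # none
```

Running the script against the constructed data prints token-only, both and none in that order. On a real server, replacing the stand-in bodies with the actual commands turns this into the reproduction Don was asked for: a user that comes back "token-only" for a group is one whose access will depend on whether the resource's permission check consults the SID token or the NSS member list.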