[Samba] Problem with Universal Groups

Don Meyer dlmeyer at uiuc.edu
Thu Mar 2 23:06:02 GMT 2006


Check your winbind group memberships -- I'm willing to bet that your 
winbind will only show group membership for users in the same domain 
as the group.   We are seeing the same mis-behavior here.   Group 
members from other domains are simply not being enumerated by winbind 
as a group member (getent group), even though the other-domain user 
itself is properly listed (getent passwd).

I tried to report this as a bug, but it was closed/reopened as a 
feature request.  Discussion was left that I had to prove that the 
other-domain user can successfully connect to a resource with 
permissions mapped directly to that other-domain user, but fails to 
connect to the same resource when permissions are mapped to a domain 
local group in the local server's domain that contains the 
other-domain user.    (I have yet to create this test-case because of 
unrelated time-constraints...)

Cheers,
-D


At 02:02 PM 3/2/2006, Trimble, Ronald D wrote:
>Everyone,
>         With many thank to Jerry, my cross domain authentication is now
>working.  This leads to a new problem.  I cannot get samba to
>authenticate a remote domain user in a Universal group to authenticate
>properly.
>         Here are the details:
>
>USTR-LINUX-1:~ # wbinfo --name-to-sid=NA\\USTR-LINUX-1-REDHAT-READ
>S-1-5-21-725345543-2052111302-527237240-349134 Domain Group (2)
>
>USTR-LINUX-1:~ # wbinfo --name-to-sid=EU\\inblr-auth1
>S-1-5-21-606747145-879983540-1177238915-173280 User (1)
>
>USTR-LINUX-1:~ # wbinfo
>--user-domgroups=S-1-5-21-606747145-879983540-1177238915-173280
>S-1-5-21-606747145-879983540-1177238915-513
>.
>.
>.
>S-1-5-21-606747145-879983540-1177238915-79634
>S-1-5-21-606747145-879983540-1177238915-79966
>S-1-5-21-725345543-2052111302-527237240-349134  **Here is the group!!**
>S-1-5-21-725345543-2052111302-527237240-177738
>S-1-5-21-725345543-2052111302-527237240-349185
>S-1-5-21-725345543-2052111302-527237240-307510
>S-1-5-21-725345543-2052111302-527237240-177742
>S-1-5-21-606747145-879983540-1177238915-90389
>S-1-5-21-606747145-879983540-1177238915-72164
>S-1-5-21-606747145-879983540-1177238915-91149
>S-1-5-21-606747145-879983540-1177238915-70785
>S-1-5-21-606747145-879983540-1177238915-91412
>
>However, when I try to set up a test web page to
>         require group "NA\USTR-LINUX-1-REDHAT-READ"
>
>And then attempt to access the page, I get the following error:
>error] [client 192.63.xxx.xxx] GROUP: EU\\inblr-auth1 not in required
>group(s).
>
>Does anyone else have something like this working?  What am I doing
>wrong?
>
>Thanks,
>Ron
>
>--
>To unsubscribe from this list go to the following URL and read the
>instructions:  https://lists.samba.org/mailman/listinfo/samba

Don Meyer                                           <dlmeyer at uiuc.edu>
Network Manager, ACES Academic Computing Facility
Technical System Manager, ACES TeleNet System
UIUC College of ACES, Information Technology and Communication Services

   "They that can give up essential liberty to obtain a little 
temporary safety,
         deserve neither liberty or safety."     -- Benjamin Franklin, 1759 



More information about the samba mailing list