[Samba] Problem with Universal Groups

Don Meyer dlmeyer at uiuc.edu
Thu Mar 2 23:06:02 GMT 2006

Check your winbind group memberships -- I'm willing to bet that your 
winbind will only show group membership for users in the same domain 
as the group.   We are seeing the same mis-behavior here.   Group 
members from other domains are simply not being enumerated by winbind 
as a group member (getent group), even though the other-domain user 
itself is properly listed (getent passwd).

I tried to report this as a bug, but it was closed/reopened as a 
feature request.  Discussion was left that I had to prove that the 
other-domain user can successfully connect to a resource with 
permissions mapped directly to that other-domain user, but fails to 
connect to the same resource when permissions are mapped to a domain 
local group in the local server's domain that contains the 
other-domain user.    (I have yet to create this test-case because of 
unrelated time-constraints...)


At 02:02 PM 3/2/2006, Trimble, Ronald D wrote:
>         With many thank to Jerry, my cross domain authentication is now
>working.  This leads to a new problem.  I cannot get samba to
>authenticate a remote domain user in a Universal group to authenticate
>         Here are the details:
>USTR-LINUX-1:~ # wbinfo --name-to-sid=NA\\USTR-LINUX-1-REDHAT-READ
>S-1-5-21-725345543-2052111302-527237240-349134 Domain Group (2)
>USTR-LINUX-1:~ # wbinfo --name-to-sid=EU\\inblr-auth1
>S-1-5-21-606747145-879983540-1177238915-173280 User (1)
>USTR-LINUX-1:~ # wbinfo
>S-1-5-21-725345543-2052111302-527237240-349134  **Here is the group!!**
>However, when I try to set up a test web page to
>         require group "NA\USTR-LINUX-1-REDHAT-READ"
>And then attempt to access the page, I get the following error:
>error] [client 192.63.xxx.xxx] GROUP: EU\\inblr-auth1 not in required
>Does anyone else have something like this working?  What am I doing
>To unsubscribe from this list go to the following URL and read the
>instructions:  https://lists.samba.org/mailman/listinfo/samba

Don Meyer                                           <dlmeyer at uiuc.edu>
Network Manager, ACES Academic Computing Facility
Technical System Manager, ACES TeleNet System
UIUC College of ACES, Information Technology and Communication Services

   "They that can give up essential liberty to obtain a little 
temporary safety,
         deserve neither liberty or safety."     -- Benjamin Franklin, 1759 

More information about the samba mailing list