[Samba] Problem with Universal Groups

Trimble, Ronald D Ronald.Trimble at unisys.com
Fri Mar 3 14:30:30 GMT 2006


This is exactly what I am seeing.  I think this should be reopened as a
bug.  I could easily provide all of the diagnostics since I have it set
up like this right now.

The strange thing is, I can get it to work with Domain Global groups,
but not Universal groups, which show the SID properly.  Domain Local
doesn't work at all unless the user is in the same domain as the group.

How do we get this escalated?

-----Original Message-----
From: Don Meyer [mailto:dlmeyer at uiuc.edu] 
Sent: Thursday, March 02, 2006 6:06 PM
To: Trimble, Ronald D; samba at lists.samba.org
Subject: Re: [Samba] Problem with Universal Groups

Check your winbind group memberships -- I'm willing to bet that your 
winbind will only show group membership for users in the same domain 
as the group.   We are seeing the same mis-behavior here.   Group 
members from other domains are simply not being enumerated by winbind 
as a group member (getent group), even though the other-domain user 
itself is properly listed (getent passwd).

I tried to report this as a bug, but it was closed/reopened as a 
feature request.  Discussion was left that I had to prove that the 
other-domain user can successfully connect to a resource with 
permissions mapped directly to that other-domain user, but fails to 
connect to the same resource when permissions are mapped to a domain 
local group in the local server's domain that contains the 
other-domain user.    (I have yet to create this test-case because of 
unrelated time-constraints...)

Cheers,
-D


At 02:02 PM 3/2/2006, Trimble, Ronald D wrote:
>Everyone,
>         With many thanks to Jerry, my cross domain authentication is now
>working.  This leads to a new problem.  I cannot get samba to
>authenticate a remote domain user in a Universal group properly.
>         Here are the details:
>
>USTR-LINUX-1:~ # wbinfo --name-to-sid=NA\\USTR-LINUX-1-REDHAT-READ
>S-1-5-21-725345543-2052111302-527237240-349134 Domain Group (2)
>
>USTR-LINUX-1:~ # wbinfo --name-to-sid=EU\\inblr-auth1
>S-1-5-21-606747145-879983540-1177238915-173280 User (1)
>
>USTR-LINUX-1:~ # wbinfo
>--user-domgroups=S-1-5-21-606747145-879983540-1177238915-173280
>S-1-5-21-606747145-879983540-1177238915-513
>.
>.
>.
>S-1-5-21-606747145-879983540-1177238915-79634
>S-1-5-21-606747145-879983540-1177238915-79966
>S-1-5-21-725345543-2052111302-527237240-349134  **Here is the group!!**
>S-1-5-21-725345543-2052111302-527237240-177738
>S-1-5-21-725345543-2052111302-527237240-349185
>S-1-5-21-725345543-2052111302-527237240-307510
>S-1-5-21-725345543-2052111302-527237240-177742
>S-1-5-21-606747145-879983540-1177238915-90389
>S-1-5-21-606747145-879983540-1177238915-72164
>S-1-5-21-606747145-879983540-1177238915-91149
>S-1-5-21-606747145-879983540-1177238915-70785
>S-1-5-21-606747145-879983540-1177238915-91412
>
>However, when I try to set up a test web page to
>         require group "NA\USTR-LINUX-1-REDHAT-READ"
>
>And then attempt to access the page, I get the following error:
>error] [client 192.63.xxx.xxx] GROUP: EU\\inblr-auth1 not in required
>group(s).
>
>Does anyone else have something like this working?  What am I doing
>wrong?
>
>Thanks,
>Ron
>

Don Meyer                                           <dlmeyer at uiuc.edu>
Network Manager, ACES Academic Computing Facility
Technical System Manager, ACES TeleNet System
UIUC College of ACES, Information Technology and Communication Services

   "They that can give up essential liberty to obtain a little temporary safety,
         deserve neither liberty or safety."     -- Benjamin Franklin, 1759
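The mismatch the thread describes is between two views of the same group: the SID list winbind puts in the user's token (`wbinfo --user-domgroups`) and the member list NSS returns (`getent group`), which is what Apache's `require group` is resolved against. The following is an added diagnostic script, not code from the thread or from Samba; it parses constructed copies of both outputs (reusing the SIDs and names quoted above) and reports which of the two views knows about the user:

```shell
#!/bin/sh
# Added example: reconcile a user's winbind token with NSS group enumeration.
# Neither the helper names nor the sample data come from the thread or Samba.

# Succeeds if SID (arg 2) appears as a whole line in the
# `wbinfo --user-domgroups=<user SID>` output passed as arg 1.
sid_in_token() {
    printf '%s\n' "$1" | grep -qxF -- "$2"
}

# Succeeds if user (arg 2) is listed in the member field (field 4) of the
# `getent group <group>` line passed as arg 1.
user_in_nss_group() {
    printf '%s\n' "$1" | cut -d: -f4 | tr ',' '\n' | grep -qxF -- "$2"
}

# Print one verdict: consistent, token-only, nss-only or absent.
classify() {
    token="$1"; sid="$2"; group_line="$3"; user="$4"
    in_token=0; in_nss=0
    if sid_in_token "$token" "$sid"; then in_token=1; fi
    if user_in_nss_group "$group_line" "$user"; then in_nss=1; fi
    case "$in_token$in_nss" in
        11) echo consistent ;;
        10) echo token-only ;;   # token carries the SID, NSS omits the user
        01) echo nss-only ;;
        *)  echo absent ;;
    esac
}

# Constructed sample data (SIDs and names taken from the quoted output).
GROUP_SID='S-1-5-21-725345543-2052111302-527237240-349134'
USER_NAME='EU\inblr-auth1'
SAMPLE_TOKEN='S-1-5-21-606747145-879983540-1177238915-513
S-1-5-21-725345543-2052111302-527237240-349134
S-1-5-21-606747145-879983540-1177238915-90389'
# Constructed getent line: only a same-domain member is enumerated.
SAMPLE_GETENT='NA\USTR-LINUX-1-REDHAT-READ:x:10001:NA\someuser'

verdict=$(classify "$SAMPLE_TOKEN" "$GROUP_SID" "$SAMPLE_GETENT" "$USER_NAME")
echo "verdict: $verdict"   # prints "verdict: token-only"
```

On a live server, replace the sample strings with the real `wbinfo --user-domgroups` and `getent group` output; a `token-only` verdict reproduces the condition in which the SID is present but the Apache group check fails.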
