[Samba] Problem with Universal Groups
Trimble, Ronald D
Ronald.Trimble at unisys.com
Fri Mar 3 14:30:30 GMT 2006
This is exactly what I am seeing. I think this should be reopened as a
bug. I could easily provide all of the diagnostics since I have it set
up like this right now.
The strange thing is, I can get it to work with Domain Global groups,
but not Universal groups which shows the SID properly. Domain Local
doesn't work at all unless the user is in the same domain as the group.
How do we get this escalated?
-----Original Message-----
From: Don Meyer [mailto:dlmeyer at uiuc.edu]
Sent: Thursday, March 02, 2006 6:06 PM
To: Trimble, Ronald D; samba at lists.samba.org
Subject: Re: [Samba] Problem with Universal Groups
Check your winbind group memberships -- I'm willing to bet that your
winbind will only show group membership for users in the same domain
as the group. We are seeing the same mis-behavior here. Group
members from other domains are simply not being enumerated by winbind
as a group member (getent group), even though the other-domain user
itself is properly listed (getent passwd).
I tried to report this as a bug, but it was closed/reopened as a
feature request. Discussion was left that I had to prove that the
other-domain user can successfully connect to a resource with
permissions mapped directly to that other-domain user, but fails to
connect to the same resource when permissions are mapped to a domain
local group in the local server's domain that contains the
other-domain user. (I have yet to create this test-case because of
unrelated time-constraints...)
Cheers,
-D
At 02:02 PM 3/2/2006, Trimble, Ronald D wrote:
>Everyone,
> With many thanks to Jerry, my cross domain authentication is now
>working. This leads to a new problem. I cannot get samba to
>authenticate a remote domain user in a Universal group properly.
> Here are the details:
>
>USTR-LINUX-1:~ # wbinfo --name-to-sid=NA\\USTR-LINUX-1-REDHAT-READ
>S-1-5-21-725345543-2052111302-527237240-349134 Domain Group (2)
>
>USTR-LINUX-1:~ # wbinfo --name-to-sid=EU\\inblr-auth1
>S-1-5-21-606747145-879983540-1177238915-173280 User (1)
>
>USTR-LINUX-1:~ # wbinfo --user-domgroups=S-1-5-21-606747145-879983540-1177238915-173280
>S-1-5-21-606747145-879983540-1177238915-513
>.
>.
>.
>S-1-5-21-606747145-879983540-1177238915-79634
>S-1-5-21-606747145-879983540-1177238915-79966
>S-1-5-21-725345543-2052111302-527237240-349134 **Here is the group!!**
>S-1-5-21-725345543-2052111302-527237240-177738
>S-1-5-21-725345543-2052111302-527237240-349185
>S-1-5-21-725345543-2052111302-527237240-307510
>S-1-5-21-725345543-2052111302-527237240-177742
>S-1-5-21-606747145-879983540-1177238915-90389
>S-1-5-21-606747145-879983540-1177238915-72164
>S-1-5-21-606747145-879983540-1177238915-91149
>S-1-5-21-606747145-879983540-1177238915-70785
>S-1-5-21-606747145-879983540-1177238915-91412
>
>However, when I try to set up a test web page to
> require group "NA\USTR-LINUX-1-REDHAT-READ"
>
>And then attempt to access the page, I get the following error:
>error] [client 192.63.xxx.xxx] GROUP: EU\\inblr-auth1 not in required
>group(s).
>
>Does anyone else have something like this working? What am I doing
>wrong?
>
>Thanks,
>Ron
>
Don Meyer <dlmeyer at uiuc.edu>
Network Manager, ACES Academic Computing Facility
Technical System Manager, ACES TeleNet System
UIUC College of ACES, Information Technology and Communication Services
"They that can give up essential liberty to obtain a little temporary safety,
deserve neither liberty or safety." -- Benjamin Franklin, 1759
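The test Don describes (a user who is a group member by SID but is not enumerated as a member of that group by winbind) can be checked mechanically before escalating. The script below is an added example, not code from the thread or from Samba: it parses captured `wbinfo --user-domgroups` and `getent group` output and reports every resolvable group the user belongs to by SID but is missing from winbind's member list. The SIDs and the group NA\USTR-LINUX-1-REDHAT-READ are taken from Ron's post; the SID-to-name mapping, the gids and the other member names are constructed sample data. The `live_check` helper assumes `wbinfo` and `getent` are on the path and that `wbinfo --sid-to-name` prints the name followed by a type number.

```python
"""Cross-check a user's SID-based group list against winbind's per-group
member enumeration (added diagnostic, not part of the original thread)."""
import re
import subprocess

# Domain SIDs have the shape S-1-5-21-<a>-<b>-<c>-<rid>.
SID_RE = re.compile(r"^S-1-5-21-\d+-\d+-\d+-\d+$")

# --- constructed sample data (SIDs and group name from the post) ---
USER = "EU\\inblr-auth1"
DOMGROUPS_OUT = """S-1-5-21-606747145-879983540-1177238915-513
S-1-5-21-725345543-2052111302-527237240-349134
S-1-5-21-606747145-879983540-1177238915-79634
"""
# Hypothetical mapping; in live use it comes from `wbinfo --sid-to-name`.
SID_TO_NAME = {
    "S-1-5-21-606747145-879983540-1177238915-513": "EU\\domain users",
    "S-1-5-21-725345543-2052111302-527237240-349134": "NA\\USTR-LINUX-1-REDHAT-READ",
}
# Constructed `getent group` lines: the cross-domain user is absent from the NA group.
GETENT_OUT = """NA\\USTR-LINUX-1-REDHAT-READ:x:10001:NA\\someuser
EU\\domain users:x:10002:EU\\inblr-auth1,EU\\otheruser
"""


def parse_domgroups(output):
    """Return the group SIDs from `wbinfo --user-domgroups=<SID>` output.
    Only the first token of each line is used, so trailing annotations
    (like the '**Here is the group!!**' marker in the post) are ignored."""
    sids = []
    for line in output.splitlines():
        line = line.strip()
        if not line:
            continue
        token = line.split()[0]
        if SID_RE.match(token):
            sids.append(token)
    return sids


def parse_getent_group(output):
    """Parse `getent group` lines (name:passwd:gid:members) into {name: set(members)}."""
    groups = {}
    for line in output.splitlines():
        parts = line.split(":")
        if len(parts) < 4:
            continue  # blank or malformed line
        groups[parts[0]] = {m for m in parts[3].split(",") if m}
    return groups


def find_unenumerated(user, group_sids, sid_to_name, getent_groups):
    """Return the names of groups the user belongs to by SID but is not
    listed in by winbind's member enumeration. SIDs that cannot be
    resolved to a name are skipped, since there is nothing to compare."""
    missing = []
    for sid in group_sids:
        name = sid_to_name.get(sid)
        if name is None:
            continue
        members = getent_groups.get(name)
        if members is None or user not in members:
            missing.append(name)
    return missing


def live_check(user_name, user_sid):
    """Run the same comparison against the local winbind (assumes wbinfo and
    getent are installed; not exercised by the embedded sample)."""
    run = lambda *cmd: subprocess.run(cmd, check=True, capture_output=True, text=True).stdout
    sids = parse_domgroups(run("wbinfo", "--user-domgroups=" + user_sid))
    sid_to_name = {}
    for sid in sids:
        out = run("wbinfo", "--sid-to-name=" + sid).split()
        if len(out) >= 2:
            sid_to_name[sid] = " ".join(out[:-1])  # assumed format: "<name> <type>"
    return find_unenumerated(user_name, sids, sid_to_name, parse_getent_group(run("getent", "group")))


if __name__ == "__main__":
    groups = parse_getent_group(GETENT_OUT)
    for name in find_unenumerated(USER, parse_domgroups(DOMGROUPS_OUT), SID_TO_NAME, groups):
        print("member by SID but not enumerated by winbind:", name)
```

With the sample data the script flags NA\USTR-LINUX-1-REDHAT-READ, which is exactly the condition that makes an Apache `require group` check deny the cross-domain user even though `wbinfo --user-domgroups` lists the group. Because the group check fails closed, the practical consequence is lost access rather than unauthorized access, but the output gives a concrete artifact to attach to a bug report.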