[Samba] Problem with Universal Groups

Don Meyer dlmeyer at uiuc.edu
Fri Mar 3 19:56:27 GMT 2006


I can't speak for Domain Universal/Global groups -- our read of the 
MS documentation indicated that other-domain users were not valid 
within Universal/Global groups, but were in a Domain Local Group.

As far as trying to at least get Domain Local group handling fixed in 
winbind, I would suggest looking at Bug 3530 on 
bugzilla.samba.org.   The more people that can show similar failure 
cases, the more likely we can convince them that this is a bug that 
needs fixing, and not a "feature request".

Cheers,
-D


At 08:30 AM 3/3/2006, Trimble, Ronald D wrote:
>This is exactly what I am seeing.  I think this should be reopened as a
>bug.  I could easily provide all of the diagnostics since I have it set
>up like this right now.
>
>The strange thing is, I can get it to work with Domain Global groups,
>but not Universal groups which shows the SID properly.  Domain Local
>doesn't work at all unless the user is in the same domain as the group.
>
>How do we get this escalated?
>
>-----Original Message-----
>From: Don Meyer [mailto:dlmeyer at uiuc.edu]
>Sent: Thursday, March 02, 2006 6:06 PM
>To: Trimble, Ronald D; samba at lists.samba.org
>Subject: Re: [Samba] Problem with Universal Groups
>
>Check your winbind group memberships -- I'm willing to bet that your
>winbind will only show group membership for users in the same domain
>as the group.   We are seeing the same mis-behavior here.   Group
>members from other domains are simply not being enumerated by winbind
>as a group member (getent group), even though the other-domain user
>itself is properly listed (getent passwd).
>
>I tried to report this as a bug, but it was closed/reopened as a
>feature request.  Discussion was left that I had to prove that the
>other-domain user can successfully connect to a resource with
>permissions mapped directly to that other-domain user, but fails to
>connect to the same resource when permissions are mapped to a domain
>local group in the local server's domain that contains the
>other-domain user.    (I have yet to create this test-case because of
>unrelated time-constraints...)
>
>Cheers,
>-D
>
>
>At 02:02 PM 3/2/2006, Trimble, Ronald D wrote:
> >Everyone,
> >         With many thanks to Jerry, my cross domain authentication is now
> >working.  This leads to a new problem.  I cannot get samba to
> >authenticate a remote domain user in a Universal group to authenticate
> >properly.
> >         Here are the details:
> >
> >USTR-LINUX-1:~ # wbinfo --name-to-sid=NA\\USTR-LINUX-1-REDHAT-READ
> >S-1-5-21-725345543-2052111302-527237240-349134 Domain Group (2)
> >
> >USTR-LINUX-1:~ # wbinfo --name-to-sid=EU\\inblr-auth1
> >S-1-5-21-606747145-879983540-1177238915-173280 User (1)
> >
> >USTR-LINUX-1:~ # wbinfo
> >--user-domgroups=S-1-5-21-606747145-879983540-1177238915-173280
> >S-1-5-21-606747145-879983540-1177238915-513
> >.
> >.
> >.
> >S-1-5-21-606747145-879983540-1177238915-79634
> >S-1-5-21-606747145-879983540-1177238915-79966
> >S-1-5-21-725345543-2052111302-527237240-349134  **Here is the group!!**
> >S-1-5-21-725345543-2052111302-527237240-177738
> >S-1-5-21-725345543-2052111302-527237240-349185
> >S-1-5-21-725345543-2052111302-527237240-307510
> >S-1-5-21-725345543-2052111302-527237240-177742
> >S-1-5-21-606747145-879983540-1177238915-90389
> >S-1-5-21-606747145-879983540-1177238915-72164
> >S-1-5-21-606747145-879983540-1177238915-91149
> >S-1-5-21-606747145-879983540-1177238915-70785
> >S-1-5-21-606747145-879983540-1177238915-91412
> >
> >However, when I try to set up a test web page to
> >         require group "NA\USTR-LINUX-1-REDHAT-READ"
> >
> >And then attempt to access the page, I get the following error:
> >error] [client 192.63.xxx.xxx] GROUP: EU\\inblr-auth1 not in required
> >group(s).
> >
> >Does anyone else have something like this working?  What am I doing
> >wrong?
> >
> >Thanks,
> >Ron
> >
>
>Don Meyer                                           <dlmeyer at uiuc.edu>
>Network Manager, ACES Academic Computing Facility
>Technical System Manager, ACES TeleNet System
>UIUC College of ACES, Information Technology and Communication Services
>
>    "They that can give up essential liberty to obtain a little
>temporary safety,
>          deserve neither liberty or safety."     -- Benjamin Franklin,
>1759

Don Meyer                                           <dlmeyer at uiuc.edu>
Network Manager, ACES Academic Computing Facility
Technical System Manager, ACES TeleNet System
UIUC College of ACES, Information Technology and Communication Services

   "They that can give up essential liberty to obtain a little 
temporary safety,
         deserve neither liberty or safety."     -- Benjamin Franklin, 1759 
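A small diagnostic, added here and not part of the thread, that parses the two outputs the thread compares (`wbinfo --user-domgroups` and `getent group`) and flags the case Don describes: the group SID is in the user's token but the other-domain user is missing from the group's enumerated member list. The SIDs come from Ron's post; the `getent group` line, its gid and the member name are constructed sample data.

```python
from __future__ import annotations
import re

# A domain SID with four trailing sub-authorities, as in the wbinfo output above.
SID_RE = re.compile(r"^S-1-5-21(?:-\d+){4}$")


def parse_domgroups(output: str) -> set[str]:
    """Parse 'wbinfo --user-domgroups=<SID>' output: one SID per line.
    Skips '.' continuation lines and ignores trailing annotations."""
    sids: set[str] = set()
    for line in output.splitlines():
        parts = line.split()
        if parts and SID_RE.match(parts[0]):
            sids.add(parts[0])
    return sids


def parse_getent_group(line: str) -> tuple[str, set[str]]:
    """Parse one 'getent group' line: name:x:gid:member1,member2"""
    name, _pw, _gid, members = line.strip().split(":", 3)
    return name, {m for m in members.split(",") if m}


def diagnose(user: str, domgroups_out: str, group_sid: str, getent_line: str) -> str:
    """Compare the user's token (wbinfo) with the group's member list (getent)."""
    in_token = group_sid in parse_domgroups(domgroups_out)
    _name, members = parse_getent_group(getent_line)
    listed = user in members
    if in_token and not listed:
        return "winbind-enumeration-gap"   # the cross-domain symptom in this thread
    if in_token and listed:
        return "consistent"
    if listed:
        return "stale-group-listing"
    return "not-a-member"


# Constructed sample: abbreviated wbinfo output (SIDs from the thread) and a
# getent line whose gid and member name are made up for illustration.
SAMPLE_DOMGROUPS = """\
S-1-5-21-606747145-879983540-1177238915-513
.
S-1-5-21-725345543-2052111302-527237240-349134  **Here is the group!!**
"""
SAMPLE_GETENT = "NA\\USTR-LINUX-1-REDHAT-READ:x:10042:NA\\someuser"
GROUP_SID = "S-1-5-21-725345543-2052111302-527237240-349134"

if __name__ == "__main__":
    print(diagnose("EU\\inblr-auth1", SAMPLE_DOMGROUPS, GROUP_SID, SAMPLE_GETENT))
```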