[Samba] AD users from different AD domains - update

Trimble, Ronald D Ronald.Trimble at unisys.com
Wed May 10 18:28:25 GMT 2006


Volker, 
	I know you and I have been over this in the past, but I have a
few questions based on this thread.  If winbind does correctly list the
groups, why does it not correctly tell you that the user is indeed a
member of that group?  Are you saying that if you were an admin in all
domains it would work?  What if the server was not merely a member
server?  Would it work then?
	I am not trying to be a pain, I am just looking for solutions to
a problem that lots of other Windows admins like myself see as a huge
issue.  

Sincerely,
Ron


-----Original Message-----
From: Volker Lendecke [mailto:vlendec at sernet.de] On Behalf Of Volker
Lendecke
Sent: Wednesday, May 10, 2006 11:17 AM
To: Trimble, Ronald D
Cc: samba at lists.samba.org
Subject: Re: [Samba] AD users from different AD domains - update

On Wed, May 10, 2006 at 11:00:44AM -0400, Trimble, Ronald D wrote:
> In other words, I would like to know if it is possible to
> check the membership of a user in a group of another AD
> domain?

No, it is not. The only operation regarding group membership
that is doable reliably is getting the list of groups a user
is a member of directly while this user is logging in.

Anything beyond that like asking the same question without
having logged in, getting a list of members of a group,
getting lists of users and groups and so on will sooner or
later fail if you are not administrator of all domains in
question. Winbind is not made for being admin in all
domains, and this is nothing that you _want_ winbind on a
member server to be.

Please look at the explanations in bug #3530. Don't wait for
this to be fixed.

Volker

