[Samba] AD users from different AD domains - update

Don Meyer dlmeyer at uiuc.edu
Wed May 10 19:10:01 GMT 2006

Indeed!  It seems to me that if a member server of domain A can get 
the list of groups from DC in A, and can enumerate the users from 
both domains A & B, then it should be able to present the membership 
of a group in A, to the extent that the users belong to domain A or 
B. Right now, winbind can only present that membership for users 
that are in the same domain as the group -- in this example, only 
from domain A.

Quite frankly, I can understand why a Samba member server in domain A 
might not be able to fully present the group membership for a group 
from domain B -- but it really ought to be able to do it more fully 
when the group in question is from its own domain...

And especially when other tools in the suite can do it:

         net rpc group members {groupname} -S {domain-name} -U {username%pass}

Will get you a correct listing of group membership if username%pass 
is valid credentials on the specified domain.  (Does not have to be 
admin in my testing.)

Since winbind has access to the "auth-user" that can be set by 
"wbinfo --set-auth-user=...", and it knows which domain to query from 
the group list, winbind should be able to put 2 & 2 together to get a 
proper group listing from the home domain.

(Yes, assuming "wbinfo --set-auth-user=" has been used to set the 
auth-user credentials to use, and assuming that those credentials are 
for the server's home domain.)

It would sure be nice if Winbind would at least try to derive a 
full(er) group list, rather than simply not bothering to try because 
it won't always succeed...


At 01:28 PM 5/10/2006, Trimble, Ronald D wrote:
>         I know you and I have been over this in the past, but I have a
>few questions based on this thread.  If winbind does correctly list the
>groups, why does it not correctly tell you that the user is indeed a
>member of that group?  Are you saying that if you were an admin in all
>domains it would work?  What if the server was not merely a member
>server?  Would it work then?
>         I am not trying to be a pain, I am just looking for solutions to
>a problem that lots of other Windows admins like myself see as a huge
>-----Original Message-----
>From: Volker Lendecke [mailto:vlendec at sernet.de] On Behalf Of Volker
>Sent: Wednesday, May 10, 2006 11:17 AM
>To: Trimble, Ronald D
>Cc: samba at lists.samba.org
>Subject: Re: [Samba] AD users from different AD domains - update
>On Wed, May 10, 2006 at 11:00:44AM -0400, Trimble, Ronald D wrote:
> > In other words, i would like to know if it is possible to
> > check the membership of a user in a group of another AD
> > domain ?
>No, it is not. The only operation regarding group membership
>that is doable reliably is getting the list of groups a user
>is member of directly while this user is logging in.
>Anything beyond that like asking the same question without
>having logged in, getting a list of members of a group,
>getting lists of users and groups and so on will sooner or
>later fail if you are not administrator of all domains in
>question. Winbind is not made for being admin in all
>domains, and this is nothing that you _want_ winbind on a
>member server to be.
>Please look at the explanations in bug #3530. Don't wait for
>this to be fixed.
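As an added example (not code from this thread or from Samba), the following script shows how an admin can measure the gap Don describes: it compares the membership the DC reports through "net rpc group members" with what winbind exposes through "getent group", and lists the members winbind dropped. It assumes net rpc prints one "DOMAIN\user" per line and that winbind's domain separator is "\"; both source functions return constructed sample output so it runs offline.

```shell
#!/bin/sh
# Added example, not code from the thread. It compares the group listing
# the DC returns via "net rpc group members" with the membership winbind
# exposes through "getent group", and reports the members winbind dropped.
# Assumptions: net rpc prints one "DOMAIN\user" per line; winbind uses
# "\" as the domain separator, so getent members look the same. The two
# source functions return constructed sample output so the script runs
# offline; swap in the real commands (commented) to use it for real.

# Membership as the group's home DC reports it (constructed sample).
# Real command: net rpc group members "$GROUP" -S "$DC" -U "$USER%$PASS"
rpc_members() {
    printf '%s\n' 'A\alice' 'A\carol' 'B\bob'
}

# Membership as winbind presents it (constructed sample). Only the
# home-domain users appear, which is the behaviour discussed above.
# Real command: getent group "$GROUP"
winbind_group_entry() {
    printf '%s\n' 'A\shared:x:10001:A\alice,A\carol'
}

# Members reported by the DC that are absent from winbind's view,
# printed one per line.
missing_members() {
    winbind_list=$(winbind_group_entry | cut -d: -f4 | tr ',' '\n')
    rpc_members | while IFS= read -r member; do
        # Exact, fixed-string line match so "A\al" cannot match "A\alice".
        if ! printf '%s\n' "$winbind_list" | grep -Fxq -- "$member"; then
            printf '%s\n' "$member"
        fi
    done
}

# Number of dropped members, usable as a monitoring value.
missing_count() {
    missing_members | grep -c .
}

missing_members
```

With the sample data the script prints the one cross-domain member, B\bob, which is exactly the entry winbind omits.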

