[Samba] AD returns only one group for all users
Nathan VanHoudnos
vanhoudn at uiuc.edu
Wed Dec 5 16:33:37 GMT 2007
Dear list,
I'm trying to get a Thumper (Sun Fire X4500) to play nice with AD so
that we can offer a nearline storage service. Since many of our users
will have multiple group memberships, it's imperative that samba be able
to recurse through the groups that a user is a member of to determine if
they have access to a resource.
What happens instead is that every user who authenticates is assigned
only one group, the "UIUC+domain users" group. Example:
# ls -l /export
total 72
d---rwx--- 2 root UIUC+domain users 8 Dec 4 14:12 arrakis
d---rwx---+ 3 UIUC+vanhoudn UIUC+wsg staff 3 Dec 3 16:49 wsg
# getent group UIUC+wsg\ staff
UIUC+wsg staff:x:10031:UIUC+cyliang,UIUC+vanhoudn,UIUC+cgoldsmi,UIUC+hougland,UIUC+johnshea,UIUC+jbooth,UIUC+mchesnut,UIUC+dbweber
# groups UIUC+vanhoudn
UIUC+domain users
# getent passwd UIUC+vanhoudn
UIUC+vanhoudn:*:10000:10004:vanhoudn:/home/samba/UIUC/vanhoudn:/usr/bin/false
So, even though UIUC+vanhoudn is listed as a member of "UIUC+wsg staff",
the groups command only sees that he is a member of "UIUC+domain
users".
I figured that maybe this had something to do with nested groups, so I
sat down with the docs. On page 256 of the Samba 3 howto, there is
mention of setting this up using
# net rpc group add ...
However, on my setup, it returns:
Could not connect to server 127.0.0.1
The username or password was not correct.
Connection failed: NT_STATUS_LOGON_FAILURE
I'm assuming that this is because I'm using AD, instead of RPC. For
example:
# net rpc testjoin
Unable to find a suitable server
Join to domain 'UIUC' is not valid
# net ads testjoin
Join is OK
Which demonstrates that AD is okay, and RPC is not.
Perhaps I'm barking up the wrong tree about nested groups. Any pointers
to documentation (or just out-and-out fixes!) would be appreciated.
Version information and my smb.conf file follow after my sig, in case
they are useful to you. Also, I mostly followed the howto here:
http://blogs.sun.com/jurasek/entry/ads_domain_member_server1
to initially set it up. (Just in case that helps.)
Cheers,
Nathan VanHoudnos
Kernel version:
# uname -a
SunOS shai-hulud.cites.uiuc.edu 5.10 Generic_127112-02 i86pc i386 i86pc
Samba version:
# /usr/sfw/smbd -V
Version 3.0.25c
/etc/sfw/smb.conf
[global]
realm = AD.UIUC.EDU
workgroup = UIUC
security = ADS
use kerberos keytab = true
encrypt passwords = yes
server string = Samba 3.0.x ADS
#Winbind configuration:
winbind separator = +
template homedir = /home/samba/%D/%U
# Make their shell fail, just in case
template shell = /usr/bin/false
idmap domains = UIUC
idmap config UIUC:default = yes
idmap config UIUC:backend = tdb
idmap config UIUC:range = 1000-200000
idmap alloc backend = tdb
idmap alloc config:range = 1000-200000
# Stuff to get all the users via winbind
winbind enum users = Yes
winbind enum groups = Yes
winbind nested groups = Yes
idmap uid = 1000-200000
idmap gid = 1000-200000
# Logging
log level = 5
debug level = 3
log file = /var/log/syslog/samba.log.%m
[arrakis]
path = "/export/arrakis"
comment = "Arraken Test share"
writeable = yes
user = @"UIUC+domain users"
vfs objects = zfsacl
nfs4: mode = special
[wsg]
path = "/export/wsg"
comment = "Only WSG should be able to access"
writeable = yes
valid users = @"UIUC+wsg staff"
vfs objects = zfsacl
nfs4: mode = special
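As an added diagnostic (not part of the original post or of Samba itself), the script below compares the groups whose member lists name a user, as `getent group` prints them, against what `groups`/`id` actually reports for that user; any group present in the first set but absent from the second is the symptom described above. The sample lines are constructed to mirror the post's output, and the '+' winbind separator and group names containing spaces are handled by splitting only on ':'.

```python
"""Cross-check winbind group resolution for one user: compare the groups whose
member lists name the user (getent group) with what NSS reports (groups/id).
A non-empty 'missing' list is the symptom described in the post."""
from typing import Dict, List, Set, Tuple

# Constructed sample data modelled on the post's output, not a live query.
# "UIUC+domain users" is the user's primary group (gid 10004 in passwd), so
# its member list is left empty here on purpose.
GETENT_GROUP_OUTPUT = """\
UIUC+domain users:x:10004:
UIUC+wsg staff:x:10031:UIUC+cyliang,UIUC+vanhoudn,UIUC+cgoldsmi,UIUC+hougland
"""
GETENT_PASSWD_OUTPUT = "UIUC+vanhoudn:*:10000:10004:vanhoudn:/home/samba/UIUC/vanhoudn:/usr/bin/false"
REPORTED_GROUPS = ["UIUC+domain users"]  # what `groups UIUC+vanhoudn` printed


def parse_group_db(text: str) -> Dict[str, Tuple[int, Set[str]]]:
    """Map group name -> (gid, members). Names may contain spaces
    ("UIUC+wsg staff"), so split on ':' only, never on whitespace."""
    groups: Dict[str, Tuple[int, Set[str]]] = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        name, _pw, gid, members = line.split(":", 3)
        groups[name] = (int(gid), {m for m in members.split(",") if m})
    return groups


def primary_gid(passwd_line: str) -> int:
    """Field 4 of a passwd entry is the primary gid."""
    return int(passwd_line.split(":")[3])


def expected_groups(user: str, text: str, passwd_line: str) -> Set[str]:
    """Primary group plus every group whose member list names the user."""
    gid = primary_gid(passwd_line)
    return {name for name, (g, members) in parse_group_db(text).items()
            if g == gid or user in members}


def missing_groups(user: str, text: str, passwd_line: str,
                   reported: List[str]) -> List[str]:
    """Groups the directory says the user is in but NSS did not report."""
    return sorted(expected_groups(user, text, passwd_line) - set(reported))


if __name__ == "__main__":
    print(missing_groups("UIUC+vanhoudn", GETENT_GROUP_OUTPUT,
                         GETENT_PASSWD_OUTPUT, REPORTED_GROUPS))
```

On a live host, feed it the real `getent group`, `getent passwd <user>` and `id -Gn <user>` output instead of the constructed strings.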