[Samba] AD returns only one group for all users

Nathan VanHoudnos vanhoudn at uiuc.edu
Wed Dec 5 16:33:37 GMT 2007


Dear list,

I'm trying to get a Thumper (Sun Fire X4500) to play nice with AD so
that we can offer a nearline storage service. Since many of our users
will have multiple group memberships, it's imperative that samba be able
to recurse through the groups that a user is a member of to determine if
they have access to a resource.

What happens instead is that every user who authenticates is assigned
only one group, the "UIUC+domain users" group. Example:

   # ls -l /export
   total 72
   d---rwx---   2 root     UIUC+domain users       8 Dec  4 14:12 arrakis
   d---rwx---+  3 UIUC+vanhoudn UIUC+wsg staff       3 Dec  3 16:49 wsg

   # getent group UIUC+wsg\ staff
   UIUC+wsg staff:x:10031:UIUC+cyliang,UIUC+vanhoudn,UIUC+cgoldsmi,UIUC+hougland,UIUC+johnshea,UIUC+jbooth,UIUC+mchesnut,UIUC+dbweber
 
   #groups UIUC+vanhoudn
   UIUC+domain users

   # getent passwd UIUC+vanhoudn
   UIUC+vanhoudn:*:10000:10004:vanhoudn:/home/samba/UIUC/vanhoudn:/usr/bin/false

So, even though UIUC+vanhoudn is listed as a member of "UIUC+wsg staff",
the groups command only sees that he is a member of "UIUC+domain
users". 

I figured that maybe this had something to do with nested groups, so I
sat down with the docs. On page 256 of the Samba 3 howto, there is
mention of setting this up using 
  # net rpc group add ...

However, on my setup, it returns:
  Could not connect to server 127.0.0.1
  The username or password was not correct.
  Connection failed: NT_STATUS_LOGON_FAILURE

I'm assuming that this is because I'm using AD, instead of RPC. For
example: 
  # net rpc testjoin
  Unable to find a suitable server
  Join to domain 'UIUC' is not valid
  # net ads testjoin
  Join is OK

Which demonstrates that AD is okay, and rpc is not.

Perhaps I'm barking up the wrong tree about nested groups. Any pointers
to documentation (or just out-and-out fixes!) would be appreciated.
Version information and my smb.conf file follow after my sig, in case
they are useful to you. Also, I mostly followed the howto here:
   http://blogs.sun.com/jurasek/entry/ads_domain_member_server1
to initially set it up. (Just in case that helps.)

Cheers,

Nathan VanHoudnos 

Kernel version:
# uname -a
SunOS shai-hulud.cites.uiuc.edu 5.10 Generic_127112-02 i86pc i386 i86pc

Samba version: 
# /usr/sfw/smbd -V
Version 3.0.25c

/etc/sfw/smb.conf
[global]
        realm = AD.UIUC.EDU
        workgroup = UIUC
        security = ADS
        use kerberos keytab = true

        encrypt passwords = yes
        server string = Samba 3.0.x ADS

# Winbind configuration:
        winbind separator = +
        template homedir = /home/samba/%D/%U
# Make their shell fail, just in case
        template shell = /usr/bin/false

        idmap domains = UIUC
        idmap config UIUC:default = yes
        idmap config UIUC:backend = tdb
        idmap config UIUC:range = 1000-200000

        idmap alloc backend = tdb
        idmap alloc config:range = 1000-200000

# Stuff to get all the users via winbind
        winbind enum users = Yes
        winbind enum groups = Yes
        winbind nested groups = Yes
        idmap uid = 1000-200000
        idmap gid = 1000-200000

        # Logging
        log level = 5
        debug level = 3
        log file = /var/log/syslog/samba.log.%m

[arrakis]
        path = "/export/arrakis"
        comment = "Arraken Test share"
        writeable = yes
        user = @"UIUC+domain users"
        vfs objects = zfsacl
        nfs4: mode = special

[wsg]
        path = "/export/wsg"
        comment = "Only WSG should be able to access"
        writeable = yes
        valid users = @"UIUC+wsg staff"
        vfs objects = zfsacl
        nfs4: mode = special

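Added diagnostic, not part of the original post or of Samba's own tooling: it cross-checks the membership lists that `getent group` reports against the groups winbind actually resolved for a user, and flags shares whose `valid users = @group` line cannot be satisfied by those resolved groups. Sample data is constructed from the output quoted in the post; the member-less "domain users" line and the trimmed member list are assumptions.

```python
import re

# Constructed sample of `getent group` output: the "wsg staff" line is
# trimmed from the post, the "domain users" line is assumed.
GETENT_GROUP = """\
UIUC+domain users:x:10004:
UIUC+wsg staff:x:10031:UIUC+cyliang,UIUC+vanhoudn,UIUC+cgoldsmi
"""
RESOLVED = ["UIUC+domain users"]  # what `groups UIUC+vanhoudn` printed in the post
# Constructed excerpt of the post's share definitions.
SMB_CONF = """\
[arrakis]
        user = @"UIUC+domain users"
[wsg]
        valid users = @"UIUC+wsg staff"
"""

def parse_getent_group(text: str) -> dict:
    """Map group name -> member set from `getent group` output."""
    groups = {}
    for line in text.splitlines():
        if line.strip():
            name, _pw, _gid, members = line.split(":", 3)
            groups[name] = {m for m in members.split(",") if m}
    return groups

def unresolved_memberships(getent: str, user: str, resolved: list) -> list:
    """Groups that list `user` as a member but are absent from the user's
    resolved group list: the mismatch the post describes."""
    listed = {g for g, ms in parse_getent_group(getent).items() if user in ms}
    return sorted(listed - set(resolved))

def valid_user_groups(conf: str) -> dict:
    """Map share -> group names referenced by its 'valid users = @...'."""
    shares, section = {}, None
    for line in conf.splitlines():
        m = re.match(r"\s*\[([^\]]+)\]", line)
        if m:
            section = m.group(1)
            continue
        m = re.match(r"\s*valid users\s*=\s*(.*)", line)
        if m and section:  # accept @"quoted name" and @unquoted forms
            found = re.findall(r'@"([^"]+)"|@(\S+)', m.group(1))
            shares[section] = {q or u for q, u in found}
    return shares

def denied_shares(conf: str, resolved: list) -> list:
    """Shares whose valid-users groups share nothing with `resolved`."""
    return sorted(s for s, gs in valid_user_groups(conf).items() if gs and gs.isdisjoint(resolved))
```

On the box itself, feed real output in with `getent group` and `groups <user>` (or `id -Gn <user>`) and the live smb.conf; a non-empty result from either function is the symptom described above, before any share-level ACL is even consulted.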