[Samba] Winbind missing secondary groups depending on case & distro

Roger Prefontaine roger at interbaun.com
Tue Feb 13 20:45:32 GMT 2007

I've been at this on and off for a month, testing, searching, so please bear
with me :)  I think it's finally time to ask for help before I rip my hair

winbind is refusing to report a user's secondary groups depending on whether
I request it in mixed case, in lower case, and with the domain name.  Samba
is also refusing to see the user's secondary groups.  The username is mixed
case on the NT4 PDC server (i.e. "David")

I've built Ubuntu 6.06LTS, and 7.04 servers with 3.0.22, and 3.0.24
respectively.  Both these machines exhibit this problem.  I've also built a
CentOS 4.4 with 3.0.23d & 3.0.24, and it works *fine*, the problem is only
on the Ubuntu machines.  Considering they both run 3.0.24, this seems kind
of bizarre.

On the Ubuntu server, "id DOMAINNAME+David", "id DOMAINNAME+david", and "id
David" only list the primary group, and "id david" lists all groups.  All of
these combinations produce all groups on the CentOS server.

The NT4 PDC, and the Samba domain member servers have all been built from
scratch from bare-bones installs for the sole purpose of figuring this all
out (so the solution can be rolled into a production Ubuntu 6.06LTS server &
NT4 PDC).  They all run identical smb.conf and similar nsswitch.conf files.

wbinfo -u and -g list the correct users and groups, and getent passwd &
group also list local and PDC users and groups as expected.

A link to a level 10 log of log.winbindd is here ==>
It is a clean log that only contains startup, and a request (id David) on
the Ubuntu 7.04 server.

The Ubuntu machine also does not list any BUILTIN groups like the CentOS

The [global] section of smb.conf on all machines is:
	workgroup = TOILETWARS
	server string = Samba Server
	security = DOMAIN
	log file = /var/log/samba/%m.log
	max log size = 50
	socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
	preferred master = No
	local master = No
	domain master = No
	dns proxy = No
	ldap ssl = no
	idmap uid = 16777216-33554431
	idmap gid = 16777216-33554431
	winbind separator = +
	winbind enum users = Yes
	winbind enum groups = Yes
	winbind use default domain = Yes
	cups options = raw

What on earth could be the difference between these platforms that is
causing this?


More information about the samba mailing list