[Samba] Winbind missing secondary groups depending on case & distro
yvan
yvan at skywalker.is-a-chef.com
Wed Feb 14 09:18:37 GMT 2007
Please note that the result of the "id" command (or the "groups" command
as well) is different if it is run by root or by the user.
As root :
# id david : gives only the primary groups membership
As regular user :
david at localhost$ id : gives the full membership of all "groups in
groups" managed by winbind and A.D.
at least under Debian (Etch + Sarge).
But it seems that winbind on some occasions doesn't use the right
credentials to resolve nested groups. I have to tweak security in Active
Directory to give additional "Read Permission" rights in Active
Directory in order to make it work, otherwise I only get primary groups.
Or it may be our active directory that is broken.
Yvan Broccard
Chris Smith wrote:
> On Tuesday 13 February 2007, Roger Prefontaine wrote:
>
>> On the Ubuntu server, "id DOMAINNAME+David", "id DOMAINNAME+david", and "id
>> David" only list the primary group, and "id david" lists all groups. All
>> of these combinations produce all groups on the CentOS server.
>>
>
>
>> winbind use default domain = Yes
>>
>
> May not be much help but out of curiosity I tried the same test on a Samba
> server that is also a member of an NT4 domain. It is running 3.0.24 plus the
> 6 Vista patches on a Gentoo server.
>
> I don't use the "winbind use default domain = Yes" in smb.conf, but I did test
> that way as well. Also I didn't change the default separator.
>
> With the "normal" setup (winbind use default domain = No):
> --------------------------------------
> id DOMAINNAME\\username - shows all groups
>
> id DOMAINNAME\\USERNAME (or any permutation with a cap in the username) - only
> primary group
>
> id username - returns "No such user"
>
> id USERNAME (or any permutation with a cap in the username) - returns "No such
> user"
> --------------------------------------
>
> If I set "winbind use default domain = Yes" then:
> --------------------------------------
> id DOMAINNAME\\username - only primary group
>
> id DOMAINNAME\\USERNAME (or any permutation with a cap in the username) - only
> primary group
>
> id username - shows all groups
>
> id USERNAME (or any permutation with a cap in the username) - only primary
> group
> --------------------------------------
>
> Chris
>
> EDITED to add the other cases (id USERNAME).
>
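Added example, not part of the original thread: a small shell check that runs "id -G" for several spellings of one account and reports any spelling whose group set differs from the first, which matters wherever access is granted by supplementary group. The function names gid_set and check_spellings are hypothetical; numeric GIDs are compared because winbind group names can contain spaces.

```shell
#!/bin/sh
# Compare the group IDs that NSS/winbind returns for different spellings
# of the same account (case variants, with or without the domain prefix).

# Print the numeric GIDs for one spelling, sorted, on one line.
# Prints LOOKUP_FAILED when the name does not resolve ("No such user").
gid_set() {
    gids=$(id -G "$1" 2>/dev/null) || { echo "LOOKUP_FAILED"; return 0; }
    echo "$gids" | tr ' ' '\n' | sort -n | paste -s -d ' ' -
}

# Use the first spelling as the reference and compare the others to it.
# Returns 0 when every spelling yields the same group set, 1 otherwise.
check_spellings() {
    ref_name=$1
    ref=$(gid_set "$ref_name")
    rc=0
    printf '%-30s %s\n' "$ref_name" "$ref"
    shift
    for name in "$@"; do
        cur=$(gid_set "$name")
        printf '%-30s %s\n' "$name" "$cur"
        if [ "$cur" != "$ref" ]; then
            echo "MISMATCH: '$name' resolves differently from '$ref_name'" >&2
            rc=1
        fi
    done
    return $rc
}

# Run only when spellings are given on the command line, for example:
#   ./check_groups.sh david David 'DOMAINNAME\david' 'DOMAINNAME\David'
if [ "$#" -gt 0 ]; then
    check_spellings "$@"
fi
```

Run it once as root and once as the user concerned, since the thread reports different results for the two.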