[Samba] Winbind nested groups not working

Joshua Penix jpenix at binarytribe.com
Mon Jan 15 17:27:22 GMT 2007

Is the "winbind nested groups" functionality not currently working in  
Samba 3.0.23d?  The readme files seem to indicate it should be (since  
3.0.3), but then this message by Jerry to the list...


...seems to indicate that there's some patch waiting for 3.0.24.   
Unfortunately he's not specific as to what it solves.

I've actually tried it with the 3.0.10 that comes with RHEL4, 3.0.23d  
straight from Samba.org, and 3.0.22 from Ubuntu on three different  
servers.  I have no trouble getting winbind talking to AD on any of  
them, but all of them absolutely refuse to resolve membership of  
anything nested in a local group.

My smb.conf is as follows:

         workgroup = DOM1
         realm = DOM1.DOMAIN.COM
         security = ADS
         password server =
         log file = /var/log/samba/%m.log
         max log size = 50
         socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
         dns proxy = No
         ldap ssl = no
         idmap uid = 10000-20000
         idmap gid = 10000-20000
         winbind separator = +
         winbind nested groups = yes
         winbind enum groups = yes
         winbind enum users = yes
         winbind use default domain = no
         allow trusted domains = yes

The goal is to create a local group on DOM1 that contains a global  
group of users from DOM1 as well as a global group from trusted  
domain DOM2.  I'd like to assign rights to the local group, and  
therefore allow anyone in either of the global groups access.

Am I just missing something?

Joshua Penix                                http://www.binarytribe.com
Binary Tribe           Linux Integration Services & Network Consulting
