[Samba] group enumerations fails

Travis Sidelinger travis at ilive4code.net
Wed Jun 24 17:46:26 GMT 2009


The problem:
------------

  Samba will not enumerate Domain local groups in our Win2008 Active
Directory.

Our Setup:
----------

# cat /etc/SuSE-release
SUSE Linux Enterprise Server 10 (x86_64)
VERSION = 10
PATCHLEVEL = 2

# rpm -qa | grep -E '(samba3)|(smb)|(krb)|(wbclient)' | grep -v pam
krb5-32bit-1.4.3-19.35
libsmbclient-32bit-3.0.32-0.8
samba3-3.3.6-39.suse101
samba3-client-3.3.6-39.suse101
krb5-1.4.3-19.35
libsmbclient0-3.3.6-39.suse101
samba3-winbind-3.3.6-39.suse101
krb5-client-1.4.3-19.34
libwbclient0-3.3.6-39.suse101

# cat /etc/samba/smb.conf
[global]
    server string        = "Main Linux File Server"
    security             = ADS
    realm                = SOME.DOMAIN
    workgroup            = SOME
    encrypt passwords    = yes
    unix extensions      = yes
    log level            = 1 winbind:3
    username map         = /etc/samba/user-map

    winbind enum users         = Yes
    winbind enum groups        = Yes
    winbind use default domain = Yes
    winbind expand groups      = 4
    winbind nested groups      = Yes
    winbind separator          = \
    idmap uid                  = 10000-11000
    idmap gid                  = 10000-11000

[testing]
    path                 = /tmp/test
    write list           = @SOME\file1_shr_adm_f

# cat /etc/krb5.conf
[libdefaults]
        default_realm = SOME.DOMAIN
        clockskew = 300

[realms]
        ENT.CML.LIB.OH.US = {
                kdc = adserver.some.domain
        }

[domain_realm]
        .kerberos.server = SOME.DOMAIN

[logging]
        default = SYSLOG:NOTICE:DAEMON
        kdc = FILE:/var/log/kdc.log
        kadmind = FILE:/var/log/kadmind.log

[appdefaults]
        pam = {
                ticket_lifetime = 1d
                renew_lifetime = 1d
                forwardable = true
                proxiable = false
                retain_after_close = false
                minimum_uid = 0
                debug = false
        }

Ad Server: Windows 2008 server with up to date patches.

The problem explained:
----------------------

We put AD users into global groups, then global groups into domain local
groups.  Domain local groups are used for access control.  Samba will
not enumerate users in the groups.  It only works when the user account
is directly used in "write list".  The symptom is Windows clients return
"NT Access Denied".

wbinfo -g is able to list the groups.

Unrelated:
----------

I've also discovered AD user accounts cannot contain hyphens '-'s and
work with Samba.


Any help would be appreciated.  Thanks.

-Travis Sidelinger


More information about the samba mailing list