[Samba] winbind / trust questions and issues

Eric A. Hall ehall at ntrg.com
Wed Dec 15 14:19:03 MST 2010

I have two domains, one called CORP (which is 2003 AD) and the other is
called LABS (which is running Samba 3.5.4-5.1.2). I have established
bi-directional trust between them and most of the basic tests show
apparent success. However there are a couple of issues left that I am
trying to chase down.

First issue is that I would like to filter out the local (LABS) users and
groups in winbind if possible. I am using LDAP for Posix/Samba accounts,
and adding winbind to nsswitch.conf results in PAM calling LDAP for users
and groups then calling winbind which in turn goes back and searches LDAP
all over again. This results in local users and groups appearing in both
channels but having different characteristics based on the lookup path
(different capitalization for group names, etc). The best fix I can see
here is to prevent Winbind from querying for the local domain, but I can't
find anything in the smb.conf to do this.

One big problem that has me stumped is that remote users do not seem to
be inheriting the correct filesystem permissions from Samba. For example,
I have the built-in NT Users group mapped to the POSIX Users group in
LDAP, and all of the local user accounts are also direct members of that
group through Posix and NT. So when I assign rw permissions for that group
to a directory, the local users can create and/or modify files and folders
as expected from either Samba or Posix just the same, since the ACLs are
essentially the same for both sides. However if I add CORP\fred from the
remote domain to the local Users group (using the NT User Manager tool),
that account is not able to modify files or folders that other members of
the same group can modify. In fact, if I add CORP.fred (via winbind) to
the Posix Users group, then he is able to manipulate the files just fine,
so I know the local filesystem permissions are correct. What doesn't work
is adding the CORP\user to the NT Users group--the user does not inherit
the NT filesystem ACLs.

Another problem that may possibly be related to the above is that the
remote domain does not always show up in the Samba tools. For example, I
can add CORP\fred to a group but when I use "net sam listmem Users" to
dump the user list for the group, the user shows up as "\user" and the
domain element is missing. Is this correct behavior or is something
misconfigured (I can see how inability to reverse-map the principal would
correlate with broken ACL inheritance, so maybe this is related to the
above problem?).

Any help appreciated.

Eric A. Hall                                  http://www.eric-a-hall.com/
Network Technology Research Group                    http://www.ntrg.com/
Internet Core Protocols          http://www.oreilly.com/catalog/coreprot/
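The two symptoms reported above (a local group showing up once per NSS path with different capitalization, and a group member listed without its domain element) can both be spotted mechanically from command output. The script below is an added example, not part of the original message; the `getent group` and `net sam listmem` samples embedded in it are constructed, simplified stand-ins for real output, and the functions only look at group-name case and at the leading backslash of each member line.

```sh
#!/bin/sh
# Added diagnostic example (not from the original post). Checks two things:
#  1. group names that appear more than once ignoring case, which is what a
#     double lookup (ldap, then winbind going back to the same LDAP) produces;
#  2. members printed without a DOMAIN\ prefix, i.e. "\user" instead of
#     "CORP\user".

# Constructed sample of `getent group` on a host whose nsswitch.conf lists
# both ldap and winbind: the Users group is returned by both paths with
# different capitalization and different membership.
SAMPLE_GETENT='users:x:100:alice,bob
Users:x:100:alice,bob,CORP\fred
labs-admins:x:1001:alice
CORP\domain users:x:10001:'

# Constructed, simplified sample of `net sam listmem Users` output where one
# member has lost its domain element.
SAMPLE_LISTMEM='LABS\alice
LABS\bob
\fred'

# Print, in lowercase, each group name that occurs more than once when
# compared case-insensitively. Argument: getent-style text.
find_case_duplicates() {
    printf '%s\n' "$1" \
      | cut -d: -f1 \
      | tr 'A-Z' 'a-z' \
      | sort \
      | uniq -d
}

# Print every line whose group name matches the given name ignoring case,
# so the two lookup paths can be compared side by side.
# Arguments: getent-style text, group name.
show_variants() {
    printf '%s\n' "$1" | grep -i "^$2:"
}

# Print members whose line starts with a backslash, i.e. whose domain
# element is missing. Argument: listmem-style text.
find_unqualified_members() {
    printf '%s\n' "$1" | grep -E '^\\'
}

# Stand-alone run over the constructed samples.
echo "Groups seen more than once with differing case:"
find_case_duplicates "$SAMPLE_GETENT" | while read -r g; do
    show_variants "$SAMPLE_GETENT" "$g"
done
echo "Members listed without a domain element:"
find_unqualified_members "$SAMPLE_LISTMEM"
```

On a real host, replace the two samples with the output of `getent group` and `net sam listmem Users`; the functions are written for POSIX sh so they run on the Samba server itself. For the first symptom, Samba 3 has the smb.conf parameter `winbind trusted domains only = yes`, which makes winbind leave accounts in the host's own domain to the local UNIX account sources (here LDAP) instead of serving them itself; that is the usual way to stop the second lookup the first paragraph describes.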
