[Samba] nss_winbind.so delivers first group only on Solaris 10

Preller, Markus Markus.Preller at uk-erlangen.de
Mon Mar 8 04:53:50 MST 2010


I'm trying to integrate some of our Solaris 10 10/09 hosts into Microsoft AD running on 2003/2008 R2 servers.
After some compile trouble I finally managed to get the whole thing running including winbind in nsswitch.conf
for users and groups and PAM for authentication.

The problem is that winbind only reports the primary group of an AD user. 'wbinfo -r aduser' only reports the GID of
the primary group the user is in. When I do a 'su aduser' and then 'id -a' I also get just the primary group information.
But the user is a member of several AD groups.

I run into this problem with samba 3.3.11, 3.4.4 and 3.4.6 but it works fine with 3.0.37 and 3.2.15.

Can anybody help?

My setup:
Solaris 10 10/09  X86 - latest patches installed.
I compiled kerberos 1.6.3 and openldap 2.4.21 on my own using the c-compiler from SunStudio 12 
(Sun C 5.10 SunOS_i386 Patch 142363-03 2009/12/03) - no problems so far. Then I tried to compile
samba 3.4.6 with the following configure options / ENV variables set:

$ ./configure --prefix=/opt/uker/samba --enable-shared-libs --with-ads --with-pam --with-acl-support \
--with-winbind --with-krb5=/opt/uker/krb5 --with-ldap=/opt/uker/ldap --with-shared-modules=idmap_ad --disable-cups 

LDFLAGS=-L/opt/uker/krb5/lib -L/opt/uker/ldap/lib -L/usr/sfw/lib -L/usr/lib -R/opt/uker/krb5/lib:/opt/uker/ldap/lib:/usr/sfw/lib:/usr/lib:/opt/uker/samba/lib
CPPFLAGS=-I/opt/uker/krb5/include -I/opt/uker/ldap/include -I/usr/sfw/include -I/usr/include

The build was successful but joining the domain failed with various errors. I kicked the Sun C compiler and turned to gcc 4.3.3 from CSW.
With only the CC=gcc changed I built samba 3.4.6 again and all seemed to be fine now. Except the fact that I get no secondary group
information from AD.

My smb.conf:

        workgroup = XXXXXX
        realm = XXXXXX.YYYYYY.ZZ
        security = ADS
        map to guest = Bad User
        lanman auth = Yes
        client NTLMv2 auth = Yes
        kerberos method = system keytab
        log level = 3
        log file = /var/samba/log/%m
        load printers = No
        domain master = No
        wins server = wins04.xxxxxx.yyyyyy.zz
        idmap uid = 600-100000
        idmap gid = 600-100000
        winbind enum users = Yes
        winbind enum groups = Yes
        winbind use default domain = Yes
        winbind nss info = rfc2307
        winbind refresh tickets = Yes
        idmap config XXXXXX : range = 10000-19000
        idmap config XXXXXX : backend = ad
