[Samba] winbind and group permissions - Partially Solved

Wed Jan 5 11:18:29 MST 2011

> If you look at the man page for wbinfo, you will see there is an
>  option to allocate uid's and gid's, and to manually set a uid-to-sid
>  or gid-to-sid mapping.     You may want to manually try creating a 
> gid-to-sid mapping for one group and seeing if that group shows up in
>  "getent group."  It is not really a solution but it may provide some
>  additional insight.

While this wasn't the solution exactly, it led me to it.  
In trying to figure this stuff out, it occurred to me to try and reset
the entire idmap and start it over.  I did that by renaming the
secrets.tdb, winbind_idmap.tdb and group_mapping.ldb files.  I also
moved the two cache files idmap_cache.tdb and winbindd_cache.tdb files
out of the way.  I then restarted smbd/nmbd/winbind, which created all
those files again.  This totally destroyed group permissions for all
user accounts.  From there I tried allocating a new gid and making a new
map to it, but like my previous situation, it seemed like it was
working, but only in certain directions.
By fluke, I discovered that using net sam, I could get all the info
about the groups, so I tried `net same mapunixgroup`, and things started
working as expected.  So I wiped all the files again, started with a
blank group slate, used net sam mapunixgroup to export all my groups,
and now wbinfo -g and getent group work.  There were some other steps in
there (it sounds so much easier than it was), but that is the gist,
anyway.  The only down side is that user groups are not carried over,
but there is no place where I use those groups, so I do not see this as
a concern.

However, I am not completely out of the woods yet.  I expected that once
groups started resolving that permissions on my ubuntu workstations
would also resolve.  this has not proved to be the case.

On the ubuntu workstation, I can run getent group and wbinfo -g, both
return me the expected domain listing.  The groups and id commands
return expected results (except I am listed in a group called DOM\none).
however when I list the shares, all permissions list like so:

DOM\bob.miller at test5:~/Departments$ ls -aln
d---rws--- 14 15000 15000    0 2010-12-29 13:22 Finance
d---rws---  9 15000 15000    0 2011-01-04 23:10 IT

DOM\bob.miller at test5:~/Departments$ i=$(wbinfo -G 15000); wbinfo -s $i
DOM\None 2

What is that 2, anyway?  I looked in the manpage and searched google,
but I dont' find anything about it...

Seems the function of group permissions is not being passed to the file
system.  Mayhaps this is a function of pam_mount, or perhaps this is
because I do not have the same idmap on both server and workstation.  

Either way, thank you very much for helping resolve the wbinfo -g thing,
I am at least a step closer than I was :)

Bob Miller
334-7117/660-5315
http://computerisms.ca
bob at computerisms.ca
Network, Internet, Server,
and Open Source Solutions