[Samba] winbind group membership

Volker Lendecke Volker.Lendecke at SerNet.DE
Sat Jan 28 02:03:28 MST 2012

On Fri, Jan 27, 2012 at 10:23:14PM +0600, Eugene M. Zheganin wrote:
> On 27.01.2012 14:48, Eugene M. Zheganin wrote:
> >Hi.
> >
> >FreeBSD 8.2
> >Samba 3.5.11 from ports
> >
> >I have an issue with group membership. id shows only small part of
> >the groups a user is member of. I'm aware about UNIX max group
> >issue, but this isn't related to it - for example for a user which
> >is member of the 6 groups id shows only 3. Although wbinfo -r
> >shows correct number of groups and wbinfo -G is able to
> >successfully translate UNIX group to a domain SID.
> >
> >
> I was able to localize the problem a bit more.
> First of all, winbind doesn't recognize at all the Universal domain
> groups. Since I have only one domain, I simply changed all the
> universal group I'm interested in to global ones (still wonder who
> and why created all these groups as universal).
> But this solved only a part of the problem. I still don't see all of
> the domain groups in 'id' output for the user.
> I compared the 'wbinfo -g' output and the 'getent group' output. In
> the 'getent group' some groups are missing !
> These are the same groups that are missing from 'id user'.
> So.... any ideas ?

"id user" can not work reliably without a successful
authentication using "wbinfo -a" before. There are just too
many group combinations to take care of, and certain trust
scenarios just can never work due to insufficient access to
the trusted domains.

If you have a problem with "id" after having successfully
logged in to the box, this is a problem that we will
definitely chase.

With best regards,

Volker Lendecke

SerNet GmbH, Bahnhofsallee 1b, 37081 Göttingen
phone: +49-551-370000-0, fax: +49-551-370000-9
AG Göttingen, HRB 2816, GF: Dr. Johannes Loxen
http://www.sernet.de, mailto:kontakt at sernet.de
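
The comparison discussed in this thread, as an added example that is not part of the original messages: it lists the GIDs that `wbinfo -r` reports for a user but `id -G` does not, and checks whether each one resolves through NSS. The function name `missing_gids`, the sample GIDs and the argument handling are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: compare winbind's view of a user's groups with the OS view.
# Group-based access decisions on the host follow what id/NSS returns,
# so a GID present only in "wbinfo -r" is a membership the host does not see.

# Constructed sample data (not from a real system): the "6 groups, id shows 3" case.
SAMPLE_WBINFO='10001
10002
10003
10004
10005
10006'
SAMPLE_ID='10001 10003 10005'

# missing_gids WBINFO_GIDS ID_GIDS
# Both arguments are whitespace- or newline-separated GID lists.
# Prints, one per line, each GID from the first list that is absent
# from the second, in the order of the first list.
missing_gids() {
    want=$(printf '%s' "$1" | tr -s ' \t\n' ' ')
    printf '%s\n' "$2" | tr -s ' \t' '\n' | awk -v want="$want" '
        { have[$1] = 1 }
        END {
            n = split(want, w, " ")
            for (i = 1; i <= n; i++)
                if (!(w[i] in have)) print w[i]
        }'
}

# Live check: only runs when a user name is given and wbinfo is installed.
if [ -n "${1:-}" ] && command -v wbinfo >/dev/null 2>&1; then
    user=$1
    wb=$(wbinfo -r "$user") || exit 1      # GIDs according to winbind
    os=$(id -G "$user") || exit 1          # GIDs according to the OS
    for gid in $(missing_gids "$wb" "$os"); do
        if getent group "$gid" >/dev/null 2>&1; then
            state="resolves via NSS"
        else
            state="does not resolve via NSS"
        fi
        echo "gid $gid: in wbinfo -r, missing from id ($state)"
    done
fi
```

Run it once before and once after a successful `wbinfo -a` for the same user to see whether the gap closes, as the reply above describes.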
