[Samba] winbindd 4.1.7 resolves group memberships for all but primary group

steve steve at steve-ss.com
Tue Jun 3 07:39:51 MDT 2014


On Tue, 2014-06-03 at 15:11 +0200, Sven Schwedas wrote:
> I don't know where exactly the problem was, even with debug 5 I was only
> able to see that idmap failed… somewhere (STATUS_SOME_UNMAPPED).
> "Solved" by adding gids/uids to every single AD group and user.

Hi
Glad it's solved but the solution confuses us. Are you saying that (the
command) groups does not return group membership without the posix
memberUid? I ask, since you are already a member of Domain Users by
primaryGroupID.

We do not use memberUid, but the member and primaryGroupID attributes
are mapped correctly:
getent passwd steve2
steve2:*:3000021:20513:steve2:/home/users/steve2:/bin/bash

groups steve2
steve2 : Domain Users staff2

getent group Domain\ Users
Domain Users:*:20513:

Not sure if memberUid is necessary.

But this is with winbind running with sssd. Maybe winbind alone needs
it?

Would like to know the official answer on memberUid.
Cheers,
Steve


> 
> On 2014-05-28 12:12, Sven Schwedas wrote:
> > We're using a bunch of AD groups – all users/groups are created and
> > managed with ADUC. Domain Users is the primary group for all users, plus
> > a few for our departments (and Domain Admins). All groups have their
> > posixGroup attributes filled out.
> > 
> > wbinfo --group-info and getent group show the correct membership for all
> > groups except Domain Users.
> > 
> > smb.conf: http://pastebin.com/ymrXZJ5u
> > Already tried with winbind nss info = sfu, no improvement.
> > 
> > LDAP excerpt (members pruned) for Domain Users:
> > http://pastebin.com/3ysX0S7C
> > 
> > LDAP excerpt for Domain Admins:
> > http://pastebin.com/vYTu70dV
> > 
> > The only difference I can see is the member field. ADUC apparently
> > doesn't explicitly set it for the primary group (and doesn't allow me to
> > set it manually), it only sets memberUid and msSFU30PosixMember (which
> > are both ignored by winbindd). Is there some way I can make winbindd use
> > the correct field, or is there a configuration problem somewhere else?
> > 
> > 
> > 
> 
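Added example, not part of the original thread or of Samba's code: in Active Directory a user's primary group is recorded on the user object as primaryGroupID (the RID of the group), not in the group's member attribute, so a membership listing built from member alone comes back empty for Domain Users, as in the getent output above. The sketch below merges both sources over constructed sample entries; the domain SID, base DN, the RID for staff2 and the account alice are placeholders.

```python
# Added illustration; all directory entries below are constructed sample data.
DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"  # placeholder SID
BASE = "CN=Users,DC=example,DC=com"                        # placeholder base DN

GROUPS = {
    # Domain Users has the well-known RID 513 and no 'member' values.
    "Domain Users": {"objectSid": f"{DOMAIN_SID}-513", "member": []},
    "staff2": {"objectSid": f"{DOMAIN_SID}-1105",
               "member": [f"CN=steve2,{BASE}"]},
}
USERS = {
    f"CN=steve2,{BASE}": {"sAMAccountName": "steve2", "primaryGroupID": 513},
    f"CN=alice,{BASE}": {"sAMAccountName": "alice", "primaryGroupID": 513},
}

def rid(sid):
    """Return the relative identifier, the last sub-authority of a SID."""
    return int(sid.rsplit("-", 1)[1])

def explicit_members(group):
    """Accounts listed in the group's own 'member' attribute."""
    return {USERS[dn]["sAMAccountName"] for dn in GROUPS[group]["member"]}

def primary_members(group):
    """Accounts whose primaryGroupID equals the group's RID."""
    group_rid = rid(GROUPS[group]["objectSid"])
    return {u["sAMAccountName"] for u in USERS.values()
            if u["primaryGroupID"] == group_rid}

def effective_members(group):
    return explicit_members(group) | primary_members(group)

def groups_of(account):
    """What `groups <account>` should report once both sources are merged."""
    return sorted(g for g in GROUPS if account in effective_members(g))

def under_reported():
    """Groups where reading 'member' alone misses accounts."""
    gaps = {g: sorted(primary_members(g) - explicit_members(g)) for g in GROUPS}
    return {g: missing for g, missing in gaps.items() if missing}

if __name__ == "__main__":
    print(groups_of("steve2"))
    print(under_reported())
```

An access review that enumerates only member would report Domain Users as empty here, which is the gap under_reported() makes visible.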



