[Samba] ID command does not show up correct group memberships on Winbind

James james at mywisenet.com.sg
Tue Jun 2 21:52:23 MDT 2015


Hi,

I have the following configuration:

Active Directory 1 = DomainA.com
  AD1 Primary Group = Domain Users
  AD1 Group 1 = Linux (member: DomainB\ad2testuser1)
  Server joined = linux1.DomainA.com (configured Kerberos and Winbind, Samba4 from sernet)

Active Directory 2 = DomainB.com
  AD2 Primary Group = Domain Users (member: DomainB\ad2testuser1)
  AD2 User 1 = ad2testuser1

Note:
  (1) configured a one-way trust from DomainA.com to DomainB.com

/etc/samba/smb.conf:
--------------------
   workgroup = DOMAINA
   password server = DC1.DOMAINA.COM
   realm = DOMAINA.COM
   security = ads
   template homedir = /home/%U
   template shell = /bin/bash
   winbind use default domain = false
   winbind offline logon = false
   winbind refresh tickets = yes
   idmap config * : range = 16777216-33554431
   encrypt passwords = true
   winbind expand groups = 10
--------------------

/etc/krb5.conf:
--------------------
[logging]
 default = FILE:/var/log/krb5libs.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = DOMAINA.COM
 dns_lookup_realm = true
 dns_lookup_kdc = true
 ticket_lifetime = 24h
 forwardable = yes

[realms]
 DOMAINA.COM = {
  kdc = DC1.DOMAINA.COM:88
  kdc = DC2.DOMAINA.COM:88
  admin_server = DC1.DOMAINA.COM:749
  admin_server = DC2.DOMAINA.COM:749
  default_domain = DOMAINA.COM
 }

[domain_realm]
 .domaina.com = DOMAINA.COM
 domaina.com = DOMAINA.COM

[appdefaults]
 pam = {
  debug = false
  ticket_lifetime = 36000
  renew_lifetime = 36000
  forwardable = true
  krb4_convert = false
 }
--------------------

/etc/nsswitch.conf:
--------------------
   passwd: files winbind
   shadow: files winbind
   group: files winbind
--------------------

/etc/pam.d/system-auth-ac:
--------------------
      auth        sufficient    pam_krb5.so use_first_pass
      auth        sufficient    pam_winbind.so use_first_pass
      account     required      pam_unix.so broken_shadow

      account     [default=bad success=ok user_unknown=ignore] pam_krb5.so
      account     [default=bad success=ok user_unknown=ignore] pam_winbind.so
      password    sufficient    pam_winbind.so use_authtok

      session     required      pam_unix.so
      session     optional      pam_krb5.so
--------------------


Question:

On server linux1.DomainA.com, when I issue the "id" command shown below,
it returns the wrong group membership: the group Linux on DomainA is not
visible.

$ id "DOMAINB\ad2testuser1"
uid=xxxxxxx(DOMAINB\ad2testuser1) gid=xxxxxxx(DOMAINB\domain users) groups=xxxxxxx(DOMAINB\domain users)

$ wbinfo --group-info "DomainA\linux"
DOMAINA\linux:x:xxxxxxxx:DOMAINB\ad2testuser1

I tried restarting the winbind service and running the id command again,
but the result is still the same.

I would appreciate it if anyone could shed some light on:

(1) how to make the "id" command reflect the correct group membership.

(2) how I can make Winbind reflect group membership changes automatically
once they have been made in Active Directory.


Thank you.
James
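
The following script is an added example, not part of James's post and not
Samba's own code. It cross-checks the group list NSS hands to `id` (which
is the view that sshd's AllowGroups, sudo and pam_winbind's
require_membership_of actually act on, so a group missing there is
effectively not granted) against winbind's own member list from
`wbinfo --group-info`, and reports a group that winbind says the user
belongs to but NSS does not return. The live check first sends winbindd a
SIGHUP, which per winbindd(8) reloads smb.conf and clears cached user and
group information; otherwise entries in winbindd_cache.tdb are served for
`winbind cache time` seconds (300 by default) and a stale entry is what
gets compared. The user and group names, the uid/gid numbers and the
sample `id` and `wbinfo` lines embedded below are constructed to mirror
the post and are assumptions.

```shell
#!/bin/sh
# Added example (not from the post): compare what NSS reports for a user
# with what winbind itself reports for a group, with a cache-clearing live
# check. All names and numbers below are constructed (assumptions).

# nss_groups ID_LINE: print the group names from one line of `id` output,
# one per line, taken from the "groups=gid(NAME),gid(NAME)" part.
nss_groups() {
    printf '%s\n' "$1" | sed -n 's/.*groups=//p' | tr ',' '\n' \
        | sed -n 's/.*(\(.*\))/\1/p'
}

# wb_members GROUPINFO_LINE: print the members from one line of
# `wbinfo --group-info` output (GROUP:x:GID:member1,member2), one per line.
wb_members() {
    printf '%s\n' "$1" | cut -d: -f4 | tr ',' '\n'
}

# check_group_visible GROUPINFO_LINE ID_LINE USER
#   ok            winbind lists USER in the group and `id` shows the group
#   missing       winbind lists USER in the group but `id` does not show it
#   not-a-member  winbind does not list USER in the group at all
# Names are compared case-insensitively because NSS lowercases them.
check_group_visible() {
    group=$(printf '%s\n' "$1" | cut -d: -f1)
    if ! wb_members "$1" | grep -Fqxi -- "$3"; then
        echo not-a-member
    elif nss_groups "$2" | grep -Fqxi -- "$group"; then
        echo ok
    else
        echo missing
    fi
}

# live_check USER GROUP: the same comparison against the real tools.
# winbindd(8): SIGHUP reloads smb.conf and clears cached user/group info,
# so the comparison is not made against an entry that is up to
# `winbind cache time` seconds (default 300) old.
live_check() {
    command -v wbinfo >/dev/null 2>&1 || { echo "wbinfo not found" >&2; return 2; }
    pkill -HUP winbindd 2>/dev/null && sleep 1
    check_group_visible "$(wbinfo --group-info "$2")" "$(id "$1")" "$1"
}

# Constructed sample lines mirroring the post (xxxxxxx replaced by made-up
# ids inside the post's idmap range).
SAMPLE_ID='uid=16777217(DOMAINB\ad2testuser1) gid=16777218(DOMAINB\domain users) groups=16777218(DOMAINB\domain users)'
SAMPLE_GROUP='DOMAINA\linux:x:16777300:DOMAINB\ad2testuser1'

if [ "$#" -eq 2 ]; then
    live_check "$1" "$2"   # e.g. sh check.sh 'DOMAINB\ad2testuser1' 'DOMAINA\linux'
else
    check_group_visible "$SAMPLE_GROUP" "$SAMPLE_ID" 'DOMAINB\ad2testuser1'   # prints: missing
fi
```

Run with no arguments it evaluates the constructed sample and prints
"missing", which is exactly the situation in the post; run with a user and
a group it repeats the comparison against the live winbind. A "missing"
result after the SIGHUP means the gap is not the cache, and the next thing
to look at is how winbind builds the user's group list rather than the
cache settings.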

