[Samba] ID command does not show up correct group memberships on Winbind
James
james at mywisenet.com.sg
Tue Jun 2 21:52:23 MDT 2015
Hi,
I have the following configuration:
Active Directory 1 = DomainA.com
AD1 Primary Group = Domain Users
AD1 Group 1 = Linux (member: DomainB\ad2testuser1)
Server joined = linux1.DomainA.com (configured Kerberos and Winbind, Samba4 from sernet)
Active Directory 2 = DomainB.com
AD2 Primary Group = Domain Users (member: DomainB\ad2testuser1)
AD2 User 1 = ad2testuser1
Note:
(1) a one-way trust is configured from DomainA.com to DomainB.com
/etc/samba/smb.conf:
--------------------
workgroup = DOMAINA
password server = DC1.DOMAINA.COM
realm = DOMAINA.COM
security = ads
template homedir = /home/%U
template shell = /bin/bash
winbind use default domain = false
winbind offline logon = false
winbind refresh tickets = yes
idmap config * : range = 16777216-33554431
encrypt passwords = true
winbind expand groups = 10
--------------------
/etc/krb5.conf:
--------------------
[logging]
default = FILE:/var/log/krb5libs.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
default_realm = DOMAINA.COM
dns_lookup_realm = true
dns_lookup_kdc = true
ticket_lifetime = 24h
forwardable = yes
[realms]
DOMAINA.COM = {
kdc = DC1.DOMAINA.COM:88
kdc = DC2.DOMAINA.COM:88
kdc = DC1.DOMAINA.COM
admin_server = DC1.DOMAINA.COM:749
admin_server = DC2.DOMAINA.COM:749
default_domain = DOMAINA.COM
kdc = DC1.DOMAINA.COM
}
[domain_realm]
.domaina.com = DOMAINA.COM
domaina.com = DOMAINA.COM
[appdefaults]
pam = {
debug = false
ticket_lifetime = 36000
renew_lifetime = 36000
forwardable = true
krb4_convert = false
}
--------------------
/etc/nsswitch.conf:
--------------------
passwd: files winbind
shadow: files winbind
group: files winbind
--------------------
/etc/pam.d/system-auth-ac:
--------------------
auth sufficient pam_krb5.so use_first_pass
auth sufficient pam_winbind.so use_first_pass
account required pam_unix.so broken_shadow
account [default=bad success=ok user_unknown=ignore] pam_krb5.so
account [default=bad success=ok user_unknown=ignore] pam_winbind.so
password sufficient pam_winbind.so use_authtok
session required pam_unix.so
session optional pam_krb5.so
--------------------
Question:
On server linux1.DomainA.com, when I issue the "id" command shown below,
it returns the wrong group membership: the group Linux on DomainA is not visible.
$ id "DOMAINB\ad2testuser1"
uid=xxxxxxx(DOMAINB\ad2testuser1) gid=xxxxxxx(DOMAINB\domain users) groups=xxxxxxx(DOMAINB\domain users)
$ wbinfo --group-info "DomainA\linux"
DOMAINA\linux:x:xxxxxxxx:DOMAINB\ad2testuser1
I tried restarting the winbind service and running the id command again, but the result is still the same.
I would appreciate it if anyone could shed some light on:
(1) how to make the "id" command reflect the correct group membership;
(2) how to make Winbind reflect group membership changes automatically once changes have been made in Active Directory.
Thank you.
James
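A consistency check between the two lookups quoted in the post, as an added example (not code from the post or from Samba): it parses the `id` and `wbinfo --group-info` output formats shown above and reports groups whose winbind member list names the user but which `id` omits. The sample outputs and numeric ids are constructed to match the post's shape.

```python
"""Cross-check the groups `id` reports for a user against the member lists
winbind itself returns via `wbinfo --group-info`. A group that names the user
in winbind's view but is missing from `id` is exactly the symptom described
in the post (trusted-domain user, group in the joined domain).

Added example; outputs below are constructed from the formats in the post,
with placeholder numeric ids, not captured from a real system."""
import re
from typing import Dict, Iterable, List, Set

# Constructed `id DOMAINB\ad2testuser1` output, shaped like the post's.
ID_OUTPUT = ('uid=16777217(DOMAINB\\ad2testuser1) '
             'gid=16777218(DOMAINB\\domain users) '
             'groups=16777218(DOMAINB\\domain users)')

# Constructed `wbinfo --group-info <group>` lines (name:x:gid:member,member).
WBINFO_GROUPS = [
    'DOMAINA\\linux:x:16777300:DOMAINB\\ad2testuser1',
    'DOMAINB\\domain users:x:16777218:DOMAINB\\ad2testuser1',
]

# One id field: "groups=1(A\x),2(B\y z)". Names may contain spaces, so the
# entries are matched by their parentheses rather than by splitting on ' '.
_FIELD = re.compile(r'(uid|gid|groups)=((?:\d+\([^)]*\),?)+)')
_ENTRY = re.compile(r'(\d+)\(([^)]*)\)')


def parse_id(output: str) -> Dict[str, object]:
    """Return uid, lower-cased user name and lower-cased group-name set."""
    fields = {key: _ENTRY.findall(val) for key, val in _FIELD.findall(output)}
    uid, user = fields['uid'][0]
    groups: Set[str] = {name.lower() for _, name in fields['groups']}
    return {'uid': int(uid), 'user': user.lower(), 'groups': groups}


def parse_group_info(lines: Iterable[str]) -> Dict[str, Set[str]]:
    """Map lower-cased group name -> lower-cased member names."""
    groups: Dict[str, Set[str]] = {}
    for line in lines:
        name, _pw, _gid, members = line.rstrip('\n').split(':', 3)
        groups[name.lower()] = {m.lower() for m in members.split(',') if m}
    return groups


def missing_memberships(id_output: str, group_lines: Iterable[str]) -> List[str]:
    """Groups listing the user as a member that `id` does not show.
    Names are compared case-insensitively, as winbind output case varies."""
    ident = parse_id(id_output)
    expected = {g for g, members in parse_group_info(group_lines).items()
                if ident['user'] in members}
    return sorted(expected - ident['groups'])


if __name__ == '__main__':
    for group in missing_memberships(ID_OUTPUT, WBINFO_GROUPS):
        print(f'membership not reflected by id: {group}')
```

On a live host the same check can be fed the real output of `id` and `wbinfo --group-info` for each group of interest; the parsers do not depend on the placeholder ids.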