[Samba] Nested groups when using RFC2307

Andrew Bartlett abartlet at samba.org
Tue May 26 01:18:41 UTC 2020


On Tue, 2020-05-26 at 01:21 +0100, Sérgio Basto via samba wrote:
> On Mon, 2020-05-25 at 17:09 -0300, Marcio Merlone via samba wrote:
> > Hi,
> > 
> > Just noticed, I am unable to use nested groups when relying on
> > RFC2307 
> > for filesystem permissions, am I right? What have I missed?
> > 
> > (Samba 4.12 on Buster, 2008R2 domain level)
> > 
> > Any migration path to stop using RFC2307 and go to pure idmap
> > without 
> > losing all permissions on a 6T filesystem? Is that a solution?
> 
> have you checked the "winbind expand groups" option?
> 
> # Check depth of nested groups, ! slows down your samba, if too much
> group depth
> # Samba default is 0, I suggest a minimum of 2 in this setup, advice
> is 4.
> winbind expand groups = 4

This should only be needed if you are running non-samba things in a
very strange way.  Samba provides the initgroups() hook in nss_winbind,
and populates the full group list on the user token for non-Samba
tasks.

For Samba, we directly obtain the group list, flattened, from the
Kerberos PAC or SamLogon 'info3' response (for NTLM).

This option is only needed if you need to see the nested group members
in a group membership list with posix tools, eg getent group.

Andrew Bartlett

-- 
Andrew Bartlett                       https://samba.org/~abartlet/
Authentication Developer, Samba Team  https://samba.org
Samba Developer, Catalyst IT          
https://catalyst.net.nz/services/samba
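To illustrate the distinction drawn above (a fully flattened group token from the PAC or initgroups, versus the depth-limited member listing that "winbind expand groups" controls), here is an added Python model using constructed membership data; it is not Samba code and only approximates the option's effect on what `getent group` would show.

```python
"""Model of nested-group flattening with a depth limit.

Constructed data only: this models the visible effect of
'winbind expand groups = N' on group member listings, not Samba's code.
"""
from collections import deque

# Constructed AD-style membership: group -> direct members (users or groups).
MEMBERS = {
    "domain users": {"alice", "bob", "carol"},
    "finance": {"alice", "finance-leads"},
    "finance-leads": {"bob", "execs"},
    "execs": {"carol"},
}

def expand_members(group, depth, members=MEMBERS):
    """User members of `group`, following nested groups up to `depth` levels.

    depth=0 mirrors the Samba default: only direct user members are listed,
    nested group objects are not descended into at all.
    """
    users, seen = set(), {group}
    queue = deque([(group, 0)])
    while queue:
        g, level = queue.popleft()
        for m in members.get(g, ()):
            if m in members:                      # m is itself a group
                if level < depth and m not in seen:   # respect depth, avoid cycles
                    seen.add(m)
                    queue.append((m, level + 1))
            else:
                users.add(m)
    return users

def token_groups(user, members=MEMBERS):
    """Groups a user's flattened token carries (what the PAC/initgroups yield):
    every group reached by walking membership upward, with no depth limit."""
    parents = {}
    for g, ms in members.items():
        for m in ms:
            parents.setdefault(m, set()).add(g)
    result, stack = set(), [user]
    while stack:
        for p in parents.get(stack.pop(), ()):
            if p not in result:
                result.add(p)
                stack.append(p)
    return result

def hidden_memberships(user, depth, members=MEMBERS):
    """Groups in the user's token that a depth-limited listing would not show."""
    return {g for g in token_groups(user, members)
            if user not in expand_members(g, depth, members)}
```

With the constructed data, carol's token carries "finance" via two levels of nesting, so a listing at depth 0 or 1 omits her while the token (and therefore file access checks) still includes it.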