[Samba] Group membership not resolved on file server (winbind+kerberos+nfs4)
Andreas Hauffe
andreas.hauffe at tu-dresden.de
Wed Jan 20 12:58:49 UTC 2021
Hi,
I have a question, but do not know whether it is a real Samba issue. I
just want to ask if there is a hint.
We have a Windows domain (dom.example.de) and a subdomain of this domain
(subdom.dom.example.de). Almost all accounts are from dom.example.de,
and the file server and all clients live in subdom.dom.example.de. Some
groups are defined in dom.example.de and others as domain local groups
in subdom.dom.example.de. The file server exports SMB shares and
kerberized NFSv4 shares to the clients, depending on the OS (Windows/Linux).
When a user with an account from dom or subdom logs on to a Linux
client, wbinfo --user-groups shows all groups (from dom and
subdom). This also works for Windows clients. When trying to get the
groups for an account on the file server (wbinfo --user-groups), only
the groups of the account's domain are listed (dom -> dom groups, subdom ->
subdom groups). This seems to be correct, since the user credentials
(account tokens) are missing.
My problem is that the file server, which is a simple domain member, is
never able to get the correct groups from subdom for a dom account.
When logging on to a Linux client, the client shows all groups, but the file
server refuses access to directories of the NFSv4 shares, since the file
server itself is not able to get the full list of all groups. On the
Windows/SMB side this is working. When a user is using a Windows client
at first, winbind gets the correct groups, which are cached in samLogon
and /proc/net/rpc/auth.unix.gid/content. Then the user is also able to
access the NFSv4 shares. But if the user only uses Linux, it is not
working.
When using wbinfo -K dom\\username first and then wbinfo --user-groups
on the file server, the correct groups from dom and subdom are listed. It
seems to me that the user credentials to get the groups from the other
domain are not transferred to the file server by NFS.
Is there a way to get this working?
Regards,
Andreas
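A check a file-server administrator can script for the symptom described in the post above (winbind resolves groups for the user that nfsd's cached gid list for that uid lacks), written here as an added example that is not part of the original message or of Samba. It assumes that `id -G` on the file server is backed by winbind, and that `/proc/net/rpc/auth.unix.gid/content` uses the kernel's `uid count: gid gid ...` line format; all uids, gids and the cache content below are constructed sample data.

```shell
#!/bin/sh
# Added example, not from the original post. Compares the gid list winbind
# resolves for a user with the gid list nfsd has cached for that user's uid
# (the auth.unix.gid cache), and reports gids winbind knows but nfsd does not.

# Constructed sample of /proc/net/rpc/auth.unix.gid/content (ids are made up).
# Format assumed: a "#uid cnt: gids..." header, then "uid count: gid gid ...".
SAMPLE_AUTH_GID='#uid cnt: gids...
10001 3: 10001 10513 10600
20002 2: 20002 20513'

# Constructed sample of what `id -G <user>` returned on the file server
# after the user was fully resolved by winbind (two extra subdom gids).
SAMPLE_WINBIND_GIDS='10001 10513 10600 20700 20701'

# nfsd_cached_gids UID CONTENT
# Prints the space-separated gids nfsd has cached for UID, or nothing if
# the uid is not in the cache at all.
nfsd_cached_gids() {
    printf '%s\n' "$2" | awk -v uid="$1" '
        /^#/ { next }                         # skip the header line
        $1 == uid { sub(/^[0-9]+ [0-9]+: */, ""); print; exit }'
}

# missing_gids UID WINBIND_GIDS CONTENT
# Prints the gids from WINBIND_GIDS that are absent from nfsd's cache entry
# for UID; an empty result means nfsd and winbind agree for that user.
missing_gids() {
    cached=" $(nfsd_cached_gids "$1" "$3") "
    out=""
    for g in $2; do
        case "$cached" in
            *" $g "*) ;;                      # gid present in nfsd's cache
            *) out="$out $g" ;;               # gid known to winbind only
        esac
    done
    echo "${out# }"
}

# Run against the constructed samples when executed directly.
missing_gids 10001 "$SAMPLE_WINBIND_GIDS" "$SAMPLE_AUTH_GID"
```

On a live file server the same functions would be fed real data, for example `missing_gids "$(id -u "$user")" "$(id -G "$user")" "$(cat /proc/net/rpc/auth.unix.gid/content)"`; a non-empty result after the user has only ever logged on from Linux, and an empty one after the `wbinfo -K` step from the post, would confirm that nfsd's cached group list is the stale piece rather than winbind's resolution.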