[Samba] Group membership not resolved on file server (winbind+kerberos+nfs4)

Andreas Hauffe andreas.hauffe at tu-dresden.de
Wed Jan 20 14:17:24 UTC 2021


Hi,

of course.

clients:

   OS: OpenSUSE Leap 15.1 & 15.2
   Samba version: 4.11.14

file server:

   OS: Debian 10 (Buster)
   Samba version: 4.13.3 (build after https://wiki.samba.org/index.php/Build_Samba_from_Source)
   Subdomain: ilrw.ing.dom.tu-dresden.de
   Domain: dom.tu-dresden.de

smb.conf (server):

------

# Global parameters
[global]
         bind interfaces only = Yes
         dedicated keytab file = /etc/krb5.keytab
         interfaces = lo enp1s0f0
         kerberos method = secrets and keytab
         realm = ILRW.ING.DOM.TU-DRESDEN.DE
         security = ADS
         server min protocol = SMB3_00
         template homedir = /home/users/linux/%U
         template shell = /bin/bash
         winbind refresh tickets = Yes
         winbind separator = +
         workgroup = ILRW
         idmap config * : range = 2000-2999
         idmap config ilrw : backend = rid
         idmap config ilrw : range = 3000-9999 # UID from RID for POOL
         idmap config dom : backend = rid
         idmap config dom : range = 10000-9999999 # UID from RID for DOM
         idmap config * : backend = tdb

------

krb5.conf (server + clients):
------

[libdefaults]
     default_realm = ILRW.ING.DOM.TU-DRESDEN.DE
     dns_lookup_realm = true
     dns_lookup_realm = false
     dns_lookup_kdc = true
     ticket_lifetime = 24h
     renew_lifetime = 7d
     forwardable = true
     proxiable = true

[realms]
     ILRW.ING.DOM.TU-DRESDEN.DE = {
         auth_to_local = RULE:[1:$0@$1](ILRW\.ING\.DOM\.TU-DRESDEN\.DE@.*)s/\.ING\.DOM\.TU-DRESDEN\.DE@/+/
         auth_to_local = RULE:[1:$0@$1](DOM\.TU-DRESDEN\.DE@.*)s/\.TU-DRESDEN\.DE@/+/
         auth_to_local = DEFAULT
     }

------

Andreas
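The two auth_to_local RULE lines above rewrite a Kerberos principal into the DOMAIN+user form that matches "winbind separator = +" in the smb.conf. As an added example, not code from the original post, from Samba or from MIT krb5, here is a small Python evaluator for that rule syntax that shows which local name each principal ends up with; it assumes MIT semantics (whole-string regex match, first matching rule wins, DEFAULT only for one-component principals in the default realm), the function names are mine, and escaped '@' or '/' inside principal names is not handled.

```python
import re

# The two RULE lines and DEFAULT from the krb5.conf [realms] block above
# (the list archive renders '@' as ' at '; restored here).
AUTH_TO_LOCAL_RULES = [
    r"RULE:[1:$0@$1](ILRW\.ING\.DOM\.TU-DRESDEN\.DE@.*)s/\.ING\.DOM\.TU-DRESDEN\.DE@/+/",
    r"RULE:[1:$0@$1](DOM\.TU-DRESDEN\.DE@.*)s/\.TU-DRESDEN\.DE@/+/",
    "DEFAULT",
]
DEFAULT_REALM = "ILRW.ING.DOM.TU-DRESDEN.DE"

# MIT syntax: RULE:[n:format](regex)s/pattern/replacement/[g]
RULE_RE = re.compile(
    r"RULE:\[(\d+):([^\]]*)\]\(([^)]*)\)s/((?:[^/\\]|\\.)*)/((?:[^/\\]|\\.)*)/(g?)"
)


def split_principal(principal):
    """'comp1/comp2@REALM' -> (components, realm); escaped '@' or '/' not handled."""
    name, realm = principal.rsplit("@", 1)
    return name.split("/"), realm


def apply_rule(rule, principal):
    """Local name produced by one rule, or None when the rule does not apply."""
    comps, realm = split_principal(principal)
    if rule == "DEFAULT":
        # DEFAULT: one-component principal in the default realm -> that component
        return comps[0] if realm == DEFAULT_REALM and len(comps) == 1 else None
    m = RULE_RE.fullmatch(rule)
    if m is None:
        raise ValueError("unparseable auth_to_local rule: " + rule)
    n, fmt, regex, pattern, repl, gflag = m.groups()
    if len(comps) != int(n):  # the rule only fires for n-component principals
        return None
    s = fmt.replace("$0", realm)  # $0 = realm, $1..$n = principal components
    for i in range(len(comps), 0, -1):
        s = s.replace("$%d" % i, comps[i - 1])
    if re.fullmatch(regex, s) is None:  # whole formatted string must match
        return None
    return re.sub(pattern, repl, s, count=0 if gflag else 1)


def auth_to_local(principal, rules=AUTH_TO_LOCAL_RULES):
    """First rule that yields a name wins, as krb5 does; None means no mapping."""
    for rule in rules:
        local = apply_rule(rule, principal)
        if local is not None:
            return local
    return None
```

With these rules a user in the subdomain realm maps to ILRW+user and one in the parent realm to DOM+user, while a two-component service principal such as nfs/host@REALM gets no mapping at all.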


Am 20.01.21 um 14:13 schrieb Rowland penny via samba:
> On 20/01/2021 12:58, Andreas Hauffe via samba wrote:
>> Hi,
>>
>> I have a question, but I do not know if it is a real Samba issue. I 
>> just want to ask if there is a hint.
>>
>> When using wbinfo -K dom\\username first and then wbinfo 
>> --user-groups on the fileserver, the correct groups from dom and 
>> subdom are listed. It seems to me that the user credentials to get 
>> the groups from the other domain are not transferred to the file 
>> server by NFS.
>>
>> Is there a way to get this working?
>>
>
> Can you give us a bit more info:
>
> What OS are you using on the 'fileserver' ?
>
> What version of Samba ?
>
> What is smb.conf ?
>
> Rowland
>
>
>

