[Samba] Group membership not resolved on file server (winbind+kerberos+nfs4)

Andreas Hauffe andreas.hauffe at tu-dresden.de
Wed Jan 20 18:20:03 UTC 2021

On 20.01.21 at 17:46, Rowland penny via samba wrote:
> On 20/01/2021 15:59, Andreas Hauffe wrote:
>>> Has the user logged in ?
>> Yes and no. The user has logged in on the client and tries to access 
>> the NFS-share, but he has not logged in on the server.
> I take it that you mean the user has logged into a Unix client and is 
> trying to access a share on another Samba server, if so, then the user 
> is getting authenticated on the other Samba server, or to put it 
> another way, the user is logged in on the other server.
>>> The group memberships didn't use to expand from trusted domains, but 
>>> from my understanding, this was supposed to have been fixed from 
>>> 4.9.0, see:
>>> https://bugzilla.samba.org/show_bug.cgi?id=13300
>> In case of a smb-share accessed from windows everything works fine.
> It is possible the bug wasn't fixed 😕

Here is the point where I don't know if it is a samba or an NFS problem 
or both. I tried "smbclient -k -L //ilrfs1/" from the Linux client and 
everything works fine. After the call, the fileserver has the correct 
groups from both domains in samLogon. But it is not working, when using 

At least this is a workaround. The user has to log in on the Linux 
client and call "smbclient -k -L //ilrfs1/". Then the samLogon entry on 
the file server is correct and I have to clear the wrong cache on the 
file server with "date -d tomorrow +%s > 
/proc/net/rpc/auth.unix.gid/flush". Afterwards the user can access all 
accessible directories.
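
The following is an added example, not part of the original message: it makes the flush step of the workaround conditional by comparing the group list the kernel has cached for a uid with the list NSS/winbind resolves now. It assumes the sibling file /proc/net/rpc/auth.unix.gid/content uses the "uid count: gid ..." line format after a '#' header; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: flush the NFS server's gid cache only when it is stale.
# Assumed content format (constructed sample):
#   #uid cnt: gids...
#   10001 2: 10001 10513
CONTENT=${CONTENT:-/proc/net/rpc/auth.unix.gid/content}
FLUSH=${FLUSH:-/proc/net/rpc/auth.unix.gid/flush}

# cached_gids UID [FILE]: sorted gids the kernel caches for UID ("" if none)
cached_gids() {
    awk -v uid="$1" '$1 == uid { for (i = 3; i <= NF; i++) print $i }' \
        "${2:-$CONTENT}" | sort -n -u | paste -sd ' ' -
}

# cache_is_stale UID "EXPECTED GIDS" [FILE]: exit 0 when an entry for UID
# exists in the cache and its gid list differs from the expected list.
cache_is_stale() {
    file=${3:-$CONTENT}
    # No cached entry means nothing wrong is cached yet: not stale.
    awk -v uid="$1" '$1 == uid { f = 1 } END { exit !f }' "$file" || return 1
    # $2 is deliberately unquoted so each gid becomes its own line.
    expected=$(printf '%s\n' $2 | sort -n -u | paste -sd ' ' -)
    [ "$(cached_gids "$1" "$file")" != "$expected" ]
}

# refresh_user USER: run as root on the file server once the user's samLogon
# entry is correct (after "smbclient -k -L //ilrfs1/" on the client).
refresh_user() {
    uid=$(id -u "$1") || return 2
    if cache_is_stale "$uid" "$(id -G "$1")"; then
        date -d tomorrow +%s > "$FLUSH"   # flush command from the message
        echo "flushed auth.unix.gid cache for $1 (uid $uid)"
    else
        echo "no stale entry for $1 (uid $uid)"
    fi
}
```

Source the file and call refresh_user with the affected account name; an account with no cached entry is left alone, so the cache is not flushed for every other user without need.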

