[Samba] Group membership not resolved on file server (winbind+kerberos+nfs4)

[Andreas Hauffe]

Is there a way to allow winbind on a file server, which has restricted 
access anyway, a general permission to get the user groups without a 
logged in user? At least that would workaround my problem for now.

Andreas

Am 20.01.21 um 19:20 schrieb Andreas Hauffe via samba:
>
> Am 20.01.21 um 17:46 schrieb Rowland penny via samba:
>> On 20/01/2021 15:59, Andreas Hauffe wrote:
>>>>
>>>> Has the user logged in ?
>>> Yes and no. The user has logged in on the client and tries to access 
>>> the NFS-share, but he has not logged in on the server.
>> I take it that you mean the user has logged into a Unix client and is 
>> trying to access a share on another Samba server, if so, then the 
>> user is getting authenticated on the other Samba server, or to put it 
>> another way, the user is logged in on the other server.
>>>>
>>>> The group memberships didn't use to expand from trusted domains, 
>>>> but from my understanding, this was supposed to have been fixed 
>>>> from 4.9.0, see:
>>>>
>>>> https://bugzilla.samba.org/show_bug.cgi?id=13300
>>> In case of a smb-share accessed from windows everthing works fine.
>>
>> It is possible the bug wasn't fixed 😕
>
> Here is the point where I don't know, if it is a samba or an NFS 
> problem or both. I tried "smbclient -k -L //ilrfs1/" from the Linux 
> client and everything works fine. After the call, the fileserver has 
> the correct groups from both domains in samLogon. But it is not 
> working, when using NFSv4.
>
> At least this is a workaround. The user have to login on the Linux 
> client and call "smbclient -k -L //ilrfs1/". Then the samLogon entry 
> on the file server is correct and I have to clear the wrong cache on 
> the file server with "date -d tomorrow +%s > 
> /proc/net/rpc/auth.unix.gid/flush". Afterwards the user can access all 
> accessible directories.
>
> Regards,
> Andreas
>
>
>
>