[Samba] Group membership not resolved on file server (winbind+kerberos+nfs4)
Andreas Hauffe
andreas.hauffe at tu-dresden.de
Thu Jan 21 15:25:22 UTC 2021
Is there a way to allow winbind on a file server, which has restricted
access anyway, a general permission to get the user groups without a
logged in user? At least that would workaround my problem for now.
Andreas
Am 20.01.21 um 19:20 schrieb Andreas Hauffe via samba:
>
> Am 20.01.21 um 17:46 schrieb Rowland penny via samba:
>> On 20/01/2021 15:59, Andreas Hauffe wrote:
>>>>
>>>> Has the user logged in ?
>>> Yes and no. The user has logged in on the client and tries to access
>>> the NFS-share, but he has not logged in on the server.
>> I take it that you mean the user has logged into a Unix client and is
>> trying to access a share on another Samba server, if so, then the
>> user is getting authenticated on the other Samba server, or to put it
>> another way, the user is logged in on the other server.
>>>>
>>>> The group memberships didn't use to expand from trusted domains,
>>>> but from my understanding, this was supposed to have been fixed
>>>> from 4.9.0, see:
>>>>
>>>> https://bugzilla.samba.org/show_bug.cgi?id=13300
>>> In case of a smb-share accessed from windows everthing works fine.
>>
>> It is possible the bug wasn't fixed 😕
>
> Here is the point where I don't know, if it is a samba or an NFS
> problem or both. I tried "smbclient -k -L //ilrfs1/" from the Linux
> client and everything works fine. After the call, the fileserver has
> the correct groups from both domains in samLogon. But it is not
> working, when using NFSv4.
>
> At least this is a workaround. The user have to login on the Linux
> client and call "smbclient -k -L //ilrfs1/". Then the samLogon entry
> on the file server is correct and I have to clear the wrong cache on
> the file server with "date -d tomorrow +%s >
> /proc/net/rpc/auth.unix.gid/flush". Afterwards the user can access all
> accessible directories.
>
> Regards,
> Andreas
>
>
>
>
More information about the samba
mailing list