Hi,

Between Samba 3.4.15 and 3.5.11 there was a change in how 'wbinfo -r' gathers the groups of which a given user is a member.

Assume there is a Windows 2003 domain called DOMA. This domain has a child domain DOMB. On DOMA there is a security group G-DL-DOMA which has domain local scope. On DOMB there is a security group G-U-DOMB which has universal scope. Group G-U-DOMB is a member of group G-DL-DOMA. Due to the domain local scope of G-DL-DOMA, this membership is only known to DOMA. Group G-U-DOMB has a user john from DOMB as a member.

DOMA G-DL-DOMA
    |
DOMB G-U-DOMB
    |
DOMB john

A Linux system that is running winbind is joined into DOMA. On this system "wbinfo -r DOMB+john" is run to get the Unix GIDs of the groups of which the user from DOMB is a member. With Samba 3.4.15 (and 3.3.13) the GID of group G-DL-DOMA is shown, with Samba 3.5.11 (and 3.5.12) it is missing.

This probably has to do with which DC the Samba host is asking about membership of group G-U-DOMB. A DC from DOMB does not know that this group is a member of G-DL-DOMA because the latter is from another domain and has domain local scope. Only a DC in DOMA will know that the group from DOMB is a member of the domain local group of DOMA.

Does the behaviour of Samba 3.5 have to be considered a bug? Does anyone know what caused this change of behaviour? Was this intentional? Are there any plans to change the behaviour back to how it was in Samba 3.3 and 3.4?

Regards,

Fabian


smb.conf from host running 'wbinfo -r':
[global]
  netbios name = PHI
  server string = phi
  workgroup = DOMA
  realm = doma.com
  security = ads
  winbind separator = +
  winbind cache time = 1800
  winbind offline logon = true
  winbind use default domain = yes
  name resolve order = host wins
  encrypt passwords = yes
  template shell = /bin/false
  template homedir = /home/%D/%U
  syslog only = yes
  log file = /dev/null
  idmap uid = 10000-999999
  idmap gid = 10000-999999
  idmap cache time = 3600
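
A check that can be run on the winbind host to observe the difference described in the post, as an added example that is not part of the original message: it resolves each expected group to its Unix GID with `wbinfo -n` and `wbinfo -Y` and reports whether that GID appears in the `wbinfo -r` output for the user. The function names and the script name `check-groups.sh` are hypothetical; the group and user names follow the post's scenario and its `+` separator, and it is assumed that `wbinfo -n` can resolve the qualified group names.

```shell
#!/bin/sh
# Added example (not from the original post): verify that the GIDs winbind
# returns for a user include the GIDs of the groups the user should be in.

# group_gid NAME: print the Unix GID that winbind maps the group to.
group_gid() {
    # 'wbinfo -n' prints "<SID> <type>"; keep only the SID.
    sid=$(wbinfo -n "$1" 2>/dev/null | awk 'NR==1 {print $1}')
    [ -n "$sid" ] || return 1
    wbinfo -Y "$sid"          # SID -> GID
}

# check_membership USER GROUP...
# Prints one line per group. Returns 0 if every group GID is in 'wbinfo -r',
# 1 if at least one is missing, 2 if a lookup failed.
check_membership() {
    user=$1; shift
    gids=$(wbinfo -r "$user") || return 2
    rc=0
    for grp in "$@"; do
        if ! gid=$(group_gid "$grp"); then
            echo "$grp: cannot resolve"
            rc=2
            continue
        fi
        if printf '%s\n' "$gids" | grep -qxF "$gid"; then
            echo "$grp ($gid): present"
        else
            echo "$grp ($gid): MISSING"
            if [ "$rc" -eq 0 ]; then rc=1; fi
        fi
    done
    return "$rc"
}

# Stand-alone use, e.g.:
#   sh check-groups.sh 'DOMB+john' 'DOMA+G-DL-DOMA' 'DOMB+G-U-DOMB'
if [ "$#" -ge 2 ]; then
    check_membership "$@"
fi
```

Running the same command on a 3.4 host and a 3.5 host shows whether the domain local group's GID is the only one that drops out; any share or PAM rule keyed on that group is affected in the same way.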