This problem went away for me in Samba 3.0.1. A workaround in 3.0.0 is to set

winbind use default domain = no

in the smb.conf.

Mike

[EMAIL PROTECTED] wrote:
Hello all,

I am having some serious problems getting winbind to recognize secondary group memberships. I have a samba server version samba-3.0.0-14.3E running on RHES v.3.
This is running on a 2x Xeon 2.4 GHz IBM Server with 2G RAM. nscd is not running. See below for smb.conf.

cat /proc/version: Linux version 2.4.21-9.ELsmp ([EMAIL PROTECTED]) (gcc version 3.2.3 20030502 (Red Hat Linux 3.2.3-26)) #1 SMP Thu Jan 8 17:08:56 EST 2004

I have joined the domain with: net rpc join -U administrator -r PDC
I successfully joined the domain. passdb backend = smbpasswd. wbinfo -u shows all the domain users and wbinfo -g shows all the domain groups. ls -l shows the correct domain user/group ownerships. Users can access shares owned by them or their PRIMARY domain group. But when they try to access a share owned by a secondary group that they belong to, it is access denied. The only way I can get a secondary group to resolve is by putting a local unix group in /etc/group and giving it the same GID as the corresponding domain group, then adding the users to the local unix group.

I have a RedHat 9 box with the same configuration that works the way it's supposed to, i.e. honoring secondary group memberships from the domain (of course it is samba version samba-2.2.7a-8.9.0).

This is a very critical situation for us. Any help/suggestions would be greatly appreciated.

Below is a snip from the samba log file (shows 3 supplementary groups even though this user belongs to about 20 groups).

[2004/01/20 19:17:44, 5] auth/auth_util.c:debug_unix_user_token(505)
  UNIX token of user 10504
  Primary group is 10013 and contains 3 supplementary groups
  Group[  0]: 10013
  Group[  1]: 10013
  Group[  2]: 10029

#Begin smb.conf
passdb backend = smbpasswd
#winbind configuration------>
winbind separator = +
winbind use default domain = yes
template shell = /bin/false
template homedir = /netarray/shares/home/%U
idmap uid = 10000-20000
idmap gid = 10000-20000
#end winbind configuration----->
security = domain
password server = PDC BDC
password level = 8
username level = 8

[Shared]
available = yes
browseable = yes
comment =
path = /netarray/shares/Shared
public = no
writable = yes
valid users = @"Domain Users" @"Domain Admins" @"Global ITS" @d_users @d_admins @g_its
invalid users = internet1 internet2 hrtest


