Hi again,

I tested again, and I found that winbind returns Windows groups up to the OS limit (16 by default in Solaris 9). The group I wanted to check against was mapped as 22nd in the list, so the check failed.

One solution would be to raise the limit to 32 on Solaris (using "set ngroups_max = 32" in /etc/system), but that would only shift the problem until someone has 33 groups. This is a very basic problem: one would assume winbind is needed for large organizations. My customer is large (55'000 users), so people are usually in a lot of groups (I have found 30-60 is not unusual, one had 84 memberships). So we have a dead-lock: you should use winbind when you don't want to manage large user lists, but can't due to group limitations. And no, recompiling Solaris (or Linux) with a larger limit is not an option.

I'm now investigating another solution (calling it a kludge would be more appropriate):

- set "preexec check_ldap $u %S" on the share
- pass user and group as parameter
- check valid group membership using LDAP to AD
- return <true|false> so "preexec close" deny|allow access

If it works, I will post check_ldap here. I plan to use Perl and Net::LDAP for this job.

Charles

On Mon, 7 Jun 2004 20:26:18 +0200 Charles Bueche <[EMAIL PROTECTED]> wrote:

> Hi Steve,
>
> strange... so it just falls back to Win groups if it doesn't find local
> groups?
>
> I have studied the source, mainly lib/username.c and friends. I have
> seen that it tries to look up the name without the domain prefix, which
> fails (same effect as in wbinfo).
>
> I'm now away from this customer site, I will have to wait tomorrow to
> test again. I will report my results.
>
> Am I right to assume that I don't need pam for this? My goal is to
> use AD for Samba, but local passwd/groups for the logins.
>
> Charles
>
> On Mon, 07 Jun 2004 15:47:40 +0100
> Spaceboy <[EMAIL PROTECTED]> wrote:
>
> > Charles,
> > I've just done this here on Solaris 8.
> >
> > I have found slightly odd behaviour in that wbinfo -u and wbinfo -g
> > only return the actual usernames and groups rather than
> > "DOMAIN+Username" and "DOMAIN+Groupname".
> >
> > So in my smb.conf file I needed:-
> >
> >     valid users = @Groupname
> >
> > without the DOMAIN+ part.
> >
> > And yes I've set winbind separator = + as well.
> >
> > Just a thought.
> > Steve
> >
> > Charles Bueche wrote:
> >
> > > Hi,
> > >
> > > I have Samba 3.0.4 on Solaris 9, recent patches applied. Samba is
> > > integrated in domain (security = domain). I have compiled and
> > > configured winbind, but not pam and no ldap. Nscd is stopped.
> > >
> > > Winbind works OK, I can connect to share and users get mapped
> > > on-the-fly to UNIX uids and gids in the ranges specified in
> > > smb.conf. My config is included below with some tweaks to protect
> > > the innocent.
> > >
> > > ---
> > >
> > > My goal: I want to create a share and restrict its access based on
> > > the membership of a Windows group.
> > >
> > > I have successfully used:
> > >
> > >     valid users = DOM+user1 DOM+user2 DOM+user3
> > >
> > > but when I try:
> > >
> > >     valid users = @DOM+wingroup
> > >
> > > or:
> > >
> > >     valid users = +DOM+wingroup
> > >
> > > It refuses me access to the share, even if I'm member of the
> > > Windows group.
> > >
> > > What do I do wrong? How should I write the groupnames? Help
> > > wanted...
> >
> > --
> > To unsubscribe from this list go to the following URL and read the
> > instructions: http://lists.samba.org/mailman/listinfo/samba
>
> --
> Charles Bueche <[EMAIL PROTECTED]>
> sand, snow, wave, wind and net -surfer
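The check_ldap helper Charles outlines above, written out as an added example (it is not his script, which he said he would post later). It assumes Samba's %u/%S substitutions and "preexec close" semantics (non-zero exit closes the connection); the host name, DNs, secret file path and share-to-group table are placeholders.

```perl
#!/usr/bin/perl
# check_ldap: Samba preexec helper that gates a share on AD group membership.
# Usage: check_ldap <user> <share>; exit 0 = allow, non-zero = deny.
# Example smb.conf share section (run as root so the bind secret can stay 0600,
# since plain "preexec" runs as the connecting user):
#   [projects]
#       root preexec = /usr/local/bin/check_ldap %u %S
#       root preexec close = yes
use strict;
use warnings;
use Net::LDAP;
use Net::LDAP::Util qw(escape_filter_value);

# Site-specific settings: assumed values, not from the original thread.
my $LDAP_HOST = 'dc1.example.com';
my $BASE_DN   = 'DC=example,DC=com';
my $BIND_DN   = 'CN=samba-lookup,OU=Service Accounts,DC=example,DC=com';
my $SECRET    = '/etc/samba/check_ldap.secret';   # bind password, mode 0600
# Share name -> DN of the AD group allowed to use it.
my %SHARE_GROUP = (
    projects => 'CN=wingroup,OU=Groups,DC=example,DC=com',
);

my ($user, $share) = @ARGV;
exit 1 unless defined $user && defined $share;      # bad input: fail closed
my $group_dn = $SHARE_GROUP{lc $share} or exit 1;   # unknown share: deny
$user =~ s/^.*\+//;   # drop the "DOM+" prefix (winbind separator = +)

# Escape both values so neither can alter the filter (LDAP filter injection).
# memberOf only reflects direct membership; on newer AD the matching rule
# memberOf:1.2.840.113556.1.4.1941:= also follows nested groups.
my $filter = sprintf '(&(objectClass=user)(sAMAccountName=%s)(memberOf=%s))',
    escape_filter_value($user), escape_filter_value($group_dn);

open my $fh, '<', $SECRET or exit 1;
my $bind_pw = <$fh>;
close $fh;
chomp $bind_pw if defined $bind_pw;
exit 1 unless defined $bind_pw && length $bind_pw;  # empty = anonymous bind: deny

my $ldap = Net::LDAP->new($LDAP_HOST, timeout => 10) or exit 1;
my $mesg = $ldap->bind($BIND_DN, password => $bind_pw);
exit 1 if $mesg->code;                              # bind failed: deny
$mesg = $ldap->search(base => $BASE_DN, scope => 'sub',
                      filter => $filter, attrs => ['sAMAccountName']);
$ldap->unbind;
exit 1 if $mesg->code;                              # search error: deny, never allow
# Exactly one matching entry: the user is a member of the required group.
exit($mesg->count == 1 ? 0 : 1);
```

Because the check asks AD directly, it is not affected by the ngroups_max truncation of the winbind group list, and every error path denies rather than allows.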