Thanks for the reply. I installed MIT kerberos 1.3.1 and rejoined the domain. Still can't access the share based on domain groups. My nsswitch.conf file looks like:

passwd: files winbind ldap
shadow: files ldap
group: files winbind ldap

I have also tried swapping around the order.

-James

-----Original Message-----
From: Paul Gienger [mailto:[EMAIL PROTECTED]
Sent: Monday, August 02, 2004 4:13 PM
To: Ziller, James
Cc: [EMAIL PROTECTED]
Subject: Re: [Samba] Problems w/ winbind and AD group membership

What does your nsswitch.conf file look like?

Also, there's the issue of your krb libraries. I believe it's been stated that you need to be using MIT krb >= 1.3.

Ziller, James wrote:

>Hello friends,
>
>I am using samba to join a linux box to an active directory domain to
>use as a file server. I would like to be able to control access to
>shares based on AD domain groups. However, even though winbind seems
>to be seeing the groups fine, samba is not granting access to users who
>are members of the group. I am able to successfully join the system to
>the domain and granting access to shares based on Windows usernames
>works fine.
>
>getent group returns:
>QG+TEST:x:10029:QG+JZILLERA,QG+HPCHEUNGA,QG+FOLIVERA,QG+DDAWSONA,QG+PLY
>QG+N
>CHA
>
>However an id lookup of my windows username doesn't list me as a group
>member of QG+TEST.(shouldn't it?)
>
>[EMAIL PROTECTED] root]# id qg+jzillera
>uid=10002(QG+JZILLERA) gid=10000(QG+Domain Users)
>groups=10000(QG+Domain
>Users)
>
>System Details:
>Redhat 9
>samba-3.0.5-2
>krb5-libs-1.2.7-10
>krb5-devel-1.2.7-10
>krb5-workstation-1.2.7-10
>pam_krb5-1.60-1
>
>[EMAIL PROTECTED] root]# wbinfo -t
>checking the trust secret via RPC calls succeeded
>
>[EMAIL PROTECTED] root]# testparm
>Load smb config files from /etc/samba/smb.conf
>Processing section "[test]"
>Loaded services file OK.
>Server role: ROLE_DOMAIN_MEMBER
>Press enter to see a dump of your service definitions
>
># Global parameters
>[global]
>    workgroup = QG
>    realm = QG.COM
>    server string = Samba Server
>    security = ADS
>    obey pam restrictions = Yes
>    password server = wadc2
>    log file = /var/log/samba/log.%m
>    max log size = 50
>    load printers = No
>    printcap name = /etc/printcap
>    local master = No
>    domain master = No
>    dns proxy = No
>    wins support = Yes
>    idmap uid = 10000-30000
>    idmap gid = 10000-30000
>    winbind separator = + (tried with # and \ as well)
>    winbind use default domain = Yes (tried with No)
>
>[test]
>    comment = testing
>    path = /mnt/qdsfsl01/resources/testing
>    valid users = @QG+TEST
>    write list = @QG+TEST
>
>Winbind logs show nothing that indicates any error, even when run with
>debug level 3. I've been beating myself over the head with this problem
>for months...any help or suggestions would be greatly appreciated.
>
>Thanks!
>
>James Ziller
>Systems Administrator
>
>Quad/Graphics - Q/DS
>West Allis, Wisconsin
>[EMAIL PROTECTED]
>
>
>

--
Paul Gienger
Office: 701-281-1884
Applied Engineering Inc.
Information Systems Consultant
Fax: 701-281-1322
URL: www.ae-solutions.com
mailto: [EMAIL PROTECTED]

--
To unsubscribe from this list go to the following URL and read the instructions: http://lists.samba.org/mailman/listinfo/samba
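
The comparison made by hand in this thread (the group database lists the user, but `id` does not report the group) can be automated. The following is an added example, not part of the original messages or of Samba; the sample input is constructed from the output quoted above with the member list shortened, and the case-insensitive name matching is an assumption.

```python
import re

# Constructed sample input modelled on the thread (member list shortened).
SAMPLE_GROUP_DB = """\
QG+Domain Users:x:10000:
QG+TEST:x:10029:QG+JZILLERA,QG+HPCHEUNGA
"""
SAMPLE_ID = "uid=10002(QG+JZILLERA) gid=10000(QG+Domain Users) groups=10000(QG+Domain Users)"


def parse_group_db(text):
    """Parse group(5)-format lines (name:passwd:gid:members) into {name: members}."""
    groups = {}
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) != 4:
            continue  # blank, wrapped or otherwise malformed line
        name, _passwd, _gid, members = fields
        # Assumption: names are compared case-insensitively.
        groups[name] = {m.strip().lower() for m in members.split(",") if m.strip()}
    return groups


def parse_id(text):
    """Return (user, groups) from `id` output; names may contain spaces."""
    names = re.findall(r"\d+\(([^)]*)\)", text)
    if not names:
        raise ValueError("no uid=N(name) entry found in id output")
    # First entry is the uid's name, the rest are the primary and supplementary groups.
    return names[0].lower(), {n.lower() for n in names[1:]}


def missing_memberships(group_text, id_text):
    """Groups whose member list names the user but which `id` does not report."""
    user, id_groups = parse_id(id_text)
    return sorted(
        name
        for name, members in parse_group_db(group_text).items()
        if user in members and name.lower() not in id_groups
    )


if __name__ == "__main__":
    for name in missing_memberships(SAMPLE_GROUP_DB, SAMPLE_ID):
        print(f"listed as member of {name!r} but not in id output")
```

On a live host, pass the captured output of `getent group` and `id <user>` to `missing_memberships` instead of the sample strings.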