Re: [Samba] Problem using local groups when winbind is running

2009-09-28 Thread David Mitchell
Adam Nielsen wrote:
 Even after getting all such errors cleared though, I still can't access
 the shares which are using the 'valid users = @localgroup'
 configuration. I've tried changing that to 'valid users = +localgroup'
 which should only check NSS but that also fails.
 
 Since you're on a domain you might have to specify that the groups are
 local, e.g. @MACHINENAME\localgroup, as it might default to your domain
 if one is not given explicitly.
 
 I'm not sure how this works when winbind isn't running, but it should be
 okay.

I couldn't get that configuration syntax to work with or without winbindd.


I did do some more digging. This seems to be a symptom, not a cause, but
perhaps it helps identify the source of the problem.  When it works, i.e.,
without winbind, this produces reasonable output listing my correct unix
UID and group membership:

 [2009/09/28 12:09:32,  5] auth/token_util.c:debug_nt_user_token(470)
   NT user token of user S-1-22-1-1000
   contains 12 SIDs
   SID[  0]: S-1-22-1-1000
   SID[  1]: S-1-22-2-96
   SID[  2]: S-1-1-0
   SID[  3]: S-1-5-2
   SID[  4]: S-1-5-11
   SID[  5]: S-1-22-2-20
   SID[  6]: S-1-22-2-24
   SID[  7]: S-1-22-2-25
   SID[  8]: S-1-22-2-29
   SID[  9]: S-1-22-2-44
   SID[ 10]: S-1-22-2-46
   SID[ 11]: S-1-22-2-
   SE_PRIV  0x0 0x0 0x0 0x0
 [2009/09/28 12:09:32,  5] auth/token_util.c:debug_unix_user_token(490)
   UNIX token of user 1000
   Primary group is 96 and contains 8 supplementary groups
   Group[  0]: 96
   Group[  1]: 20
   Group[  2]: 24
   Group[  3]: 25
   Group[  4]: 29
   Group[  5]: 44
   Group[  6]: 46
   Group[  7]: 
 [2009/09/28 12:09:32,  5] smbd/uid.c:change_to_user(272)
   change_to_user uid=(0,1000) gid=(0,96)

But when it fails, I get the much more suspicious output for similar
debug calls. I haven't dug into when the user_token stuff is
initialized, but clearly it isn't happening properly when winbind is
running in my case.

 [2009/09/28 12:19:32,  5] auth/token_util.c:debug_nt_user_token(464)
   NT user token: (NULL)
 [2009/09/28 12:19:32,  5] auth/token_util.c:debug_unix_user_token(490)
   UNIX token of user 0
   Primary group is 0 and contains 0 supplementary groups
 [2009/09/28 12:19:32,  5] smbd/uid.c:change_to_root_user(287)
   change_to_root_user: now uid=(0,0) gid=(0,0)

Out of curiosity, I added 'root' to 'testgroup' in /etc/group but that
didn't help. It doesn't find the supplementary group for root.

-David

 
 Cheers,
 Adam.
 


-- 
-
| David Mitchell (mitch...@ucar.edu)   Network Engineer IV  |
| Tel: (303) 497-1845  National Center for  |
| FAX: (303) 497-1818  Atmospheric Research |
-
-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba
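
Added example, not part of the original thread or of Samba: a small parser for the level-5 token dumps quoted in the message above, which pairs each NT token dump with the UNIX token dump that follows it and reports the connections where smbd logged a NULL NT user token. The sample log is constructed from the excerpts in the message, and the function names are this example's own.

```python
import re
# Constructed sample, modelled on the two log excerpts in the message above.
SAMPLE_LOG = """\
[2009/09/28 12:09:32,  5] auth/token_util.c:debug_nt_user_token(470)
  NT user token of user S-1-22-1-1000
  contains 4 SIDs
  SID[  0]: S-1-22-1-1000
  SID[  1]: S-1-22-2-96
  SID[  2]: S-1-1-0
  SID[  3]: S-1-22-2-20
[2009/09/28 12:09:32,  5] auth/token_util.c:debug_unix_user_token(490)
  UNIX token of user 1000
  Primary group is 96 and contains 2 supplementary groups
  Group[  0]: 96
  Group[  1]: 20
[2009/09/28 12:19:32,  5] auth/token_util.c:debug_nt_user_token(464)
  NT user token: (NULL)
[2009/09/28 12:19:32,  5] auth/token_util.c:debug_unix_user_token(490)
  UNIX token of user 0
  Primary group is 0 and contains 0 supplementary groups
"""

HEADER = re.compile(r"^\s*\[(?P<ts>[^,\]]+),\s*\d+\]\s+\S+:(?P<func>\w+)\(\d+\)")

def token_dumps(log):
    """Pair each NT token dump with the UNIX token dump that follows it."""
    records = []                      # [function, timestamp, body text]
    for line in log.splitlines():
        m = HEADER.match(line)
        if m:
            records.append([m["func"], m["ts"], ""])
        elif records:
            records[-1][2] += line.strip() + "\n"
    out, nt = [], None
    for func, ts, body in records:
        if func == "debug_nt_user_token":
            # S-1-22-2-<gid> is the SID Samba gives a Unix group.
            sid_gids = {int(g) for g in re.findall(r"S-1-22-2-(\d+)$", body, re.M)}
            nt = {"ts": ts, "nt_null": "(NULL)" in body, "sid_gids": sid_gids}
        elif func == "debug_unix_user_token" and nt:
            uid = re.search(r"UNIX token of user (\d+)", body)
            gids = {int(g) for g in re.findall(r"Group\[\s*\d+\]: (\d+)", body)}
            out.append({**nt, "uid": int(uid.group(1)) if uid else None, "gids": gids})
            nt = None
    return out

def null_token_sessions(log):
    # Timestamps of dumps where smbd logged "NT user token: (NULL)".
    return [d["ts"] for d in token_dumps(log) if d["nt_null"]]
```

In a healthy dump the gids recovered from the `S-1-22-2-*` SIDs match the `Group[]` entries of the UNIX token; truncated entries such as a bare `S-1-22-2-` are skipped rather than guessed.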


Re: [Samba] Problem using local groups when winbind is running

2009-09-25 Thread David Mitchell



On Sep 24, 2009, at 4:34 PM, Adam Nielsen adam.niel...@uq.edu.au wrote:



My problem comes when I install the 'winbind' package in order to get
access to ntlm_auth. Once winbindd is running, my local group
authentication no longer works.


What does your /etc/nsswitch.conf say?  Mine says:

passwd:  compat winbind
shadow:  compat
group:   compat winbind


I just list compat. I have no reference to winbind in my nsswitch.conf.

-David Mitchell



And local groups can be interchanged with AD groups.  We don't have any
AD users or groups in /etc/passwd or /etc/group though.

Cheers,
Adam.


[Samba] Problem using local groups when winbind is running

2009-09-24 Thread David Mitchell
Greetings,

I'm running Samba on a Debian stable server and have run into a problem
I can't seem to get past. It's version 3.2.5. The basic setup is that it
authenticates users via 'security = ads' and controls access to
individual shares using local groups via 'valid users = @localgroup'.
All of the users have accounts in /etc/password and are added to the
groups in /etc/group. This has been working great for years.

My problem comes when I install the 'winbind' package in order to get
access to ntlm_auth. Once winbindd is running, my local group
authentication no longer works. I've tried just about every backend
provided via 'idmap backend tdb', or 'idmap backend nss', etc. Depending
on the configuration, I sometimes get various winbind errors such as
[2009/09/23 15:06:11,  2] auth/token_util.c:create_local_nt_token(385)
  WARNING: Failed to create BUILTIN\Administrators group!  Can Winbind
allocate gids?

Even after getting all such errors cleared though, I still can't access
the shares which are using the 'valid users = @localgroup'
configuration. I've tried changing that to 'valid users = +localgroup'
which should only check NSS but that also fails. Using the idbind nss
backend doesn't help either. I'm kind of at a loss as to what to try
next. Basically, I want things to work the same whether winbind is
running or not. Thanks in advance,

-David Mitchell




-- 
-
| David Mitchell (mitch...@ucar.edu)   Network Engineer IV  |
| Tel: (303) 497-1845  National Center for  |
| FAX: (303) 497-1818  Atmospheric Research |
-