Hi Guys, First, thanks for all the hard work! You all rock.
I am running Samba 3.0.20a on RHEL 3 u5 x86. My configuration is working perfectly except for cvs commits for 3 users. We are using ADS, pam_winbind, and pam_require to authenticate CVS users against AD. Our CVS directories are mod 2775, and the group ownership of all dirs is the AD group "DEN-CVS-Users". Every valid user is a member of this group. But a few users, while they are able to authenticate and check out, cannot commit files to the depot. Their group membership is hosed up somehow. Everything is working perfectly except for these few troublemakers.

The users can log into CVS, so their group membership is seen by winbind and passed to pam_require, but when it comes to writing to a file with AD group ownership they are denied. It works for the rest of us though, so we're baffled. The files are all mod 664. This isn't a CVS issue, as I can log in to our CVS server as an affected AD user and replicate the problem. For me, I can write to the depot just fine.

My questions:

1. Is there a limit to the number of groups a user may be a member of (the most so far is 48 groups) that would cause winbind problems?
2. Are there any special characters within an AD group name that would break winbind?
3. Besides a user's SID and group membership, what could be different between users?
This is our setup:

smb.conf:

    [global]
    # workgroup = NT-Domain-Name or Workgroup-Name
    netbios name = CVS-DR
    workgroup = DEN
    realm = DEN.FOO.COM
    security = ADS
    password server = den-dc1.den.foo.com
    winbind use default domain = no
    winbind nested groups = yes
    winbind enum users = yes
    winbind enum groups = yes
    allow trusted domains = yes
    log level = 3
    idmap uid = 16777216-33554431
    idmap gid = 16777216-33554431
    template shell = /bin/bash
    template homedir = /cvsroot
    winbind cache time = 3600
    winbind separator = -

---------- RHEL 3 u5 pam config -----------

/etc/pam.d/cvs:

    #%PAM-1.0
    auth        required      pam_env.so
    auth        sufficient    pam_unix.so likeauth nullok
    auth        sufficient    pam_winbind.so use_first_pass
    auth        required      pam_deny.so
    account     required      pam_require.so @DEN-CVS-Admins @DEN-CVS-Users @NY-CVS-Users @NY-CVS-Admins cvs
    account     required      pam_unix.so broken_shadow
    account     [default=bad success=ok user_unknown=ignore] pam_winbind.so
    account     required      pam_permit.so
    password    sufficient    pam_winbind.so use_authtok
    password    sufficient    pam_unix.so nullok use_authtok md5 shadow
    password    required      pam_deny.so
    session     required      pam_unix.so

As always, any suggestions would be much appreciated.

Thanks,
Andrew Scrivner
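An added diagnostic sketch, not part of the original post or of Samba: it compares the group list NSS/winbind reports for a user with the supplementary groups the login session actually holds, and checks both against the group owner of a depot path. It assumes GNU `stat`, `id` and `getconf`; the function names and verdict strings are made up here, and owner bits and ACLs are ignored.

```sh
#!/bin/sh
# Usage (from the affected user's own login session): sh grpcheck.sh USER PATH

# has_gid GID "LIST": succeed if GID is in the space-separated LIST.
has_gid() {
    for g in $2; do
        [ "$g" = "$1" ] && return 0
    done
    return 1
}

# count_gids "LIST": print the number of gids in LIST.
count_gids() { set -- $1; echo $#; }

# diagnose FILE_GID GROUP_WRITE_BIT "NSS_GIDS" "PROCESS_GIDS" NGROUPS_LIMIT
# Prints one verdict explaining why a group write would or would not succeed.
diagnose() {
    file_gid=$1 gw=$2 nss=$3 proc=$4 limit=$5
    if [ "$gw" != 1 ]; then echo "no-group-write-bit"; return; fi
    # The kernel decides on the process's own group list, not on NSS lookups.
    if has_gid "$file_gid" "$proc"; then echo "ok"; return; fi
    if ! has_gid "$file_gid" "$nss"; then echo "not-a-member-per-nss"; return; fi
    # NSS knows the membership but the session lacks it: see whether the
    # user has more groups than one process is allowed to carry.
    if [ "$(count_gids "$nss")" -gt "$limit" ]; then
        echo "member-but-over-ngroups-limit"; return
    fi
    echo "member-but-missing-from-process"
}

# Live run: `id -G USER` asks NSS (winbind); bare `id -G` reads the
# credentials of the current session, fixed when the user logged in.
if [ "$#" -eq 2 ]; then
    mode=$(stat -c %a "$2")                      # e.g. 664 or 2775
    diagnose "$(stat -c %g "$2")" "$(( (0$mode >> 4) & 1 ))" \
        "$(id -G "$1")" "$(id -G)" "$(getconf NGROUPS_MAX)"
fi
```
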