[Samba] Winbind problem w/ ADS domain local group and other-domain members

2006-02-13 Thread Don Meyer
This one is probably going off into the esoteric side of things, but 
Samba/winbind doesn't seem to be working quite as expected in one 
particular area -- domain local groups having members from other 
trusted domains.   I've searched extensively (google and 
elsewhere...), and have found little/no mention of this particular 
problem:  domain local group members from other trusted domains are 
not showing up in group lists as enumerated via winbind.   Yet group 
members from the same domain as the domain local group are 
enumerated/listed properly.



In a rather complex ADS arrangement (described below), I have several 
RHEL4 systems with Samba/Winbind installed and 
configured.  Everything appears to be working properly thus far: 
users & groups from the default domain are properly enumerated and 
resource permissions are mapping correctly.  Users and groups from 
2-way trusted domains are also enumerated.   (This was evaluated with 
wbinfo -u|g & getent passwd|group.)


The domain structure & relationships are a bit hairy though, and need 
to be spelled out:

Three independent ADS domains in separate forests: A, B, C
A & B have an established 2-way trust.
A has a 1-way trust: trusting C
There is also a single NT4 domain: Z
A & Z have an established 2-way trust.

For simplicity, we will only deal with A & B here.  The RHEL4 
systems are member servers in domain A.  This is tested under Samba 
versions 3.0.10-1.4E2 & 3.0.21b-3.


I can see groups from domain B just fine in the output, and their 
membership of users from domain B -- these should be the 
global|universal groups from domain B.


Also, both A\g-wiz and B\j-bogus show up properly in output from:
wbinfo -u
getent passwd


The PROBLEM:

There are domain local groups defined in A that have members from 
these other domains.   (E.g. domain local group A\dl_grp is defined 
on the Win2K3 DCs as consisting of two users: A\g-wiz and B\j-bogus.)


On the linux systems, the command:
getent group
  shows a group membership for A\dl_grp of only one user: 
A\g-wiz.



Now, when I run the command:
net rpc group members dl_grp -S A -U:A\\admin%passwd

I receive the full and proper list of users:
A\g-wiz
B\j-bogus


Furthermore, testing user account group membership:
net ads user info g-wiz -S A -U:admin%passwd
   yields the single response:
dl_grp

net ads user info A\\g-wiz -S A -U:admin%passwd
   yields an empty list.

net ads user info B\\j-bogus -S A -U:admin%passwd
   yields an empty list.


Now, to get more interesting:
net rpc user info g-wiz -S A -U:admin%passwd
   yields the more complete response:
dl_grp
Domain Users

**NOTE the difference between ads & rpc methods...**

As above with ads, both of the following commands:
net rpc user info A\\g-wiz -S A -U:admin%passwd
net rpc user info B\\j-bogus -S A -U:admin%passwd
   ... still yield an empty list.



When I test group membership from a Windows-based member server, we 
get the proper list of both A\g-wiz & B\j-bogus.


I have tested these scenarios under both versions of Samba mentioned 
above, as well as with the option winbind use default domain both 
yes & no.   I've tested independently with the winbind separator 
set to \\ and to /.   Results were identical under all variations tested.



My suspicion is that winbind is somehow limiting its enumeration of 
group membership to users from the same domain to which the group 
belongs. I believe this to be incorrect behavior, given that a 
Windows server reports the full list, and that at least one command 
on the linux system can properly obtain the full list from the W2K3 
DCs.   (That said, I remain open to the thought that it might be a 
misconfiguration on my part - despite the apparent normal operation 
of all other aspects on the linux/samba system.)


I am more than willing to work in- or out-of-band to try to narrow 
down the problem/answer questions/test patches/etc.






smb.conf (testparm output) follows:

[global]
workgroup = ACES
realm = COLLEGE.ACESNET.UIUC.EDU
netbios name = X-ACES-LBE-2
server string = %L (Samba v%v)
security = ADS
password server = college.acesnet.uiuc.edu
username map = /etc/samba/smbusers
log file = /var/log/samba/%m.log
max log size = 50
name resolve order = host lmhosts wins bcast
deadtime = 15
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
local master = No
dns proxy = No
wins server = 128.###.#.#0, 128.###.#.#1
idmap uid = 1-1
idmap gid = 1-1
template homedir = /home/gaol
winbind separator = \
winbind 
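
As an added diagnostic (not part of the original post), a small shell helper that diffs winbind's view of a group (the `getent group` line) against what `net rpc group members` returns, listing the members winbind fails to show. The sample lines are constructed from the post's A\dl_grp case; `check_live_group` assumes `net` and `getent` are on PATH and the post's `\` winbind separator.

```shell
# Compare the members winbind enumerates for a group with the members
# the DC returns, and print the ones winbind is missing.
# Added diagnostic; not code from the original post.

# Members in winbind's view: 4th field of the getent line, comma-separated.
winbind_members() {
    # $1 = one "getent group" line, e.g. 'A\dl_grp:x:10005:A\g-wiz'
    printf '%s\n' "$1" | cut -d: -f4 | tr ',' '\n' | sed '/^$/d' | sort -u
}

# Members in the DC's view: one DOMAIN\user per line, as net rpc prints them.
dc_members() {
    printf '%s\n' "$1" | sed '/^$/d' | sort -u
}

# Print each DC member absent from winbind's list, one per line
# (grep -F -x matches the whole name literally, backslash included).
missing_members() {
    # $1 = getent group line, $2 = net rpc group members output
    dc_members "$2" | while IFS= read -r m; do
        winbind_members "$1" | grep -qxF -- "$m" || printf '%s\n' "$m"
    done
}

# Live check on a member server: run both tools for one group and report.
# Assumes net/getent on PATH and a '\' winbind separator (hypothetical helper).
check_live_group() {
    # $1 = group name, $2 = domain, $3 = credential as user%password
    _ge=$(getent group "$2\\$1") || { echo "winbind: no group $2\\$1" >&2; return 1; }
    _rpc=$(net rpc group members "$1" -S "$2" -U "$3") || return 1
    missing_members "$_ge" "$_rpc"
}

# Constructed sample mirroring the post: winbind lists only A\g-wiz,
# while the DC lists both A\g-wiz and B\j-bogus.
SAMPLE_GETENT='A\dl_grp:x:10005:A\g-wiz'
SAMPLE_RPC='A\g-wiz
B\j-bogus'

missing_members "$SAMPLE_GETENT" "$SAMPLE_RPC"   # prints B\j-bogus
```

Any name printed is a member the DC knows about that winbind's `getent group` view drops; in the post's case that is the cross-domain member B\j-bogus.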

[Samba] winbind problem in ADS Domain

2005-07-18 Thread alanza
Hi all,
I just installed a Suse Linux 9.2 with Samba 3.0.0923

I would like to make this new server a member server of my active directory
domain

I think I configured almost everything correctly: I successfully joined the
domain via LDAP with net ads join,
I can browse users and groups via wbinfo -u and wbinfo -g
I can browse users and groups via getent passwd and getent group

I can also give file permissions with chown

FRAMEWEB+MyName . -R

What I cannot do is use chgrp with the domain name. I always get
chgrp: invalid group name `frameweb+mygroup'

If I run the winbindd daemon with the -i (interactive) switch, I see

group mygroup in domain FRAMEWEB does not exist

moreover, a little while after I issued the successful chown command,
if I perform ls -la in that directory I am no longer able to see the username,
but only
the associated SID (generated internally in the UID range)


I did all the checks recommended (net ads info) (net ads status
-UAdministrator)
and everything seems ok
Could it be a bug in this release of Samba bundled with Suse Linux 9.2?

Could it be an idea to uninstall everything and download the last stable version
3.0.14 source code and install that?

I read the book
http://samba.org/samba/docs/man/Samba-Guide/unixclients.html

and it speaks a lot about Suse Linux...

thanks in advance for any help

Andrea


Anyone who receives this mail by mistake is kindly asked to delete it.

Visitate il sito http://www.frameweb.it
