RE: Winbind doesnt enumerate more than one group from an AD domain
On Tue, 29 Oct 2002, James Braid wrote:

> > I had the same problem as well. I found it was due to the fact the groups
> > weren't 'Global' groups, only 'Local' groups. Apparently they need to be
> > Global or Universal to be shown by Winbind.
>
> I have tried using Global and Universal groups on the AD server and neither
> type seems to work. Local groups don't show up in wbinfo at all, and
> Global/Universal groups don't get enumerated by wbinfo -r $user, EXCEPT for
> the Domain Users group.

Domain local groups is my bug. On my plate to fix next week.

cheers, jerry
Re: Winbind doesnt enumerate more than one group from an AD domain
Yeah, it's not local group as in local machine domain groups, it's local as in AD groups. There are 3 types: Local, Global and Universal.

The most basic type of group suitable for networking is the global group, used to control access to resources that exist anywhere on the network. The primary limitation to global groups is that they can only contain members from a single domain. You'd use a global group for users within a single domain that need access to a common group of files or directories.

Domain local groups are essentially the opposite of global groups. Where a global group is limited to having members from a single domain, a domain local group can have members from every domain in your network. However, unlike global groups, domain local groups can only be applied to resources within a single domain, hence the name domain local group.

Universal groups, as the name implies, can contain members from any domain on the network and can control access to resources existing in any of the network's domains.

http://www.microsoft.com/technet/treeview/default.asp?url=/technet/prodtechnol/ad/windows2000/maintain/adusers.asp

Shaolin - IT Systems
WB Ltd.
.: http://www.security-forums.com :.

----- Original Message -----
From: Simo Sorce
To: Jean Francois Micouleau
Cc: Gerald (Jerry) Carter; Gareth Davies; James Braid; [EMAIL PROTECTED]
Sent: Friday, October 25, 2002 7:26 PM
Subject: Re: Winbind doesnt enumerate more than one group from an AD domain
RE: Winbind doesnt enumerate more than one group from an AD domain
> I had the same problem as well. I found it was due to the fact the groups
> weren't 'Global' groups, only 'Local' groups. Apparently they need to be
> Global or Universal to be shown by Winbind.

I have tried using Global and Universal groups on the AD server and neither type seems to work. Local groups don't show up in wbinfo at all, and Global/Universal groups don't get enumerated by wbinfo -r $user, EXCEPT for the Domain Users group.

Any ideas?

Cheers, James
Re: Winbind doesnt enumerate more than one group from an AD domain
On Fri, Oct 25, 2002 at 11:09:11PM +0200, Simo Sorce wrote:

> > Domain local groups existed under Windows NT 4.0. They were just
> > available among DC's of the domain. See my other post in response to JF.
>
> To my knowledge (derived from some doc on msdn) they are a different thing.
> local groups (same as NT) do exist in w2k and are different from domain
> local groups.
>
> I'm sorry I'm not able anymore to find the article on msdn :-(

Here's the article I found that explains the scoping rules for domain local groups:

http://support.microsoft.com/default.aspx?scid=KB;EN-US;Q259392;

Tim.
RE: Winbind doesnt enumerate more than one group from an AD domain
Sorry about this, but this email address seems to be a bit dodgy. Please reply to [EMAIL PROTECTED] Thanks, James
Re: Winbind doesnt enumerate more than one group from an AD domain
----- Original Message -----
From: James Braid
To: [EMAIL PROTECTED]
Sent: Friday, October 25, 2002 1:45 PM
Subject: Winbind doesnt enumerate more than one group from an AD domain

> Hi all,
>
> I have been having some problems with winbind not seeing all the groups that
> users on my AD domain are in. Upon further investigation, it seems that
> winbind only enumerates one group. Doing a 'wbinfo -r $AD_USER' only shows
> one group (even if the AD user belongs to many groups; it doesn't matter what
> type of AD groups they are either), but if I do a 'wbinfo -r $NT4_USER',
> winbind will show all the groups that the NT4 user is in, where $NT4_USER is
> a user on the NT4 domain and $AD_USER is a user on the AD domain.
>
> The odd thing is, the users show up in the groups fine if I do 'getent group'
> for example.
>
> I am running Debian unstable with Samba 2.999+3.0.alpha20-3.
>
> Why am I posting here? I logged a bug, but I was advised to post here for
> stuff to do with Samba 3.0...
>
> Any pointers or suggestions on how to debug this further and/or fix it would
> be greatly appreciated. Let me know if more details are needed.
>
> Thanks, James

I had the same problem as well. I found it was due to the fact the groups weren't 'Global' groups, only 'Local' groups. Apparently they need to be Global or Universal to be shown by Winbind.

I haven't tried 3 yet though, so I'm not really sure.

HTH

Shaolin - IT Systems
WB Ltd.
.: http://www.security-forums.com :.
Re: Winbind doesnt enumerate more than one group from an AD domain
On Fri, 25 Oct 2002, Gareth Davies wrote:

> Apparently they need to be Global or Universal to be shown by Winbind.

Local groups are supported by winbindd using rpc. The LDAP backends for winbindd need this support added (it's a no-op function right now). I'll have to work on it some more.

cheers, jerry

--
Hewlett-Packard - http://www.hp.com
SAMBA Team - http://www.samba.org
GnuPG Key - http://www.plainjoe.org/gpg_public.asc
ISBN 0-672-32269-2 - SAMS Teach Yourself Samba in 24 Hours 2ed
"I never saved anything for the swim back." - Ethan Hawk in Gattaca
Re: Winbind doesnt enumerate more than one group from an AD domain
On Fri, 25 Oct 2002, Jean Francois Micouleau wrote:

> you mean local groups within the S-1-5-32 sid sub tree or the local domain
> groups under the PDC SID ?
>
> If that's the first case, winbind shouldn't even read them, they have no
> meaning outside the machine they are defined.

In a Windows 2000 native mode domain, domain local groups are available for use by any domain member. These are the ones I thought we were referring to. Did I misread the original post?

cheers, jerry
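The two distinctions this thread turns on, the scope of an AD group (the global / domain local / universal summary in Shaolin's post above) and whether a group sits under S-1-5-32 or under the domain SID (JF's question, quoted above), can both be read off LDAP attributes rather than guessed from names. The Python below is an added example, not Samba or winbind code: it decodes the AD groupType attribute using Microsoft's documented flag bits, splits a SID into its domain part and RID, and filters a set of constructed, made-up group entries down to the ones a domain member would expect winbind to return. The domain SID, the group names, and the rule that distribution (non-security) groups are dropped are my assumptions, not anything the thread states.

```python
"""Classify AD groups by scope (groupType) and by SID subtree.

Added example for the winbind discussion; not Samba/winbind code.
"""
import re

# groupType flag bits as documented by Microsoft for the AD groupType attribute.
GROUP_TYPE_BUILTIN_LOCAL = 0x00000001  # built-in alias, lives under S-1-5-32
GROUP_TYPE_GLOBAL        = 0x00000002  # "account group": global scope
GROUP_TYPE_DOMAIN_LOCAL  = 0x00000004  # "resource group": domain local scope
GROUP_TYPE_UNIVERSAL     = 0x00000008  # universal scope
GROUP_TYPE_SECURITY      = 0x80000000  # security-enabled; unset = distribution group

SID_RE = re.compile(r"^S-1-\d+(-\d+)+$")


def decode_group_type(value):
    """Return (scope, is_security) for a groupType value.

    LDAP returns groupType as a signed 32-bit integer, so a security group
    comes back negative (e.g. -2147483646 for a global security group).
    Mask to 32 bits before testing the flag bits.
    """
    v = int(value) & 0xFFFFFFFF
    if v & GROUP_TYPE_BUILTIN_LOCAL:
        scope = "builtin local"
    elif v & GROUP_TYPE_GLOBAL:
        scope = "global"
    elif v & GROUP_TYPE_DOMAIN_LOCAL:
        scope = "domain local"
    elif v & GROUP_TYPE_UNIVERSAL:
        scope = "universal"
    else:
        scope = "unknown"
    return scope, bool(v & GROUP_TYPE_SECURITY)


def sid_domain(sid):
    """Split 'S-1-5-21-a-b-c-RID' into (domain/authority prefix, RID)."""
    if not SID_RE.match(sid):
        raise ValueError("malformed SID: %r" % sid)
    prefix, _, rid = sid.rpartition("-")
    return prefix, int(rid)


def classify_sid(sid, domain_sid):
    """'builtin' for S-1-5-32-* (the aliases JF says winbind should not read),
    'domain' for groups under our own domain SID, 'foreign' for anything else."""
    prefix, _ = sid_domain(sid)
    if prefix == "S-1-5-32":
        return "builtin"
    if prefix == domain_sid:
        return "domain"
    return "foreign"


def groups_winbind_should_return(entries, domain_sid):
    """Filter LDAP-style group entries down to what a domain member expects
    winbind to enumerate: security groups under the domain SID, of any scope.
    BUILTIN aliases are dropped, as are distribution groups (assumption:
    they carry no security meaning and do not appear in a token)."""
    keep = []
    for e in entries:
        scope, is_security = decode_group_type(e["groupType"])
        where = classify_sid(e["objectSid"], domain_sid)
        if is_security and where == "domain":
            keep.append((e["cn"], scope))
    return keep


# Constructed sample data: a made-up domain SID and a handful of group entries
# shaped like the attributes an LDAP search against AD would return.
DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"
SAMPLE_GROUPS = [
    {"cn": "Domain Users",   "groupType": -2147483646, "objectSid": DOMAIN_SID + "-513"},
    {"cn": "unix-admins",    "groupType": -2147483644, "objectSid": DOMAIN_SID + "-1105"},
    {"cn": "all-sites",      "groupType": -2147483640, "objectSid": DOMAIN_SID + "-1106"},
    {"cn": "newsletter",     "groupType": 2,           "objectSid": DOMAIN_SID + "-1107"},
    {"cn": "Administrators", "groupType": -2147483643, "objectSid": "S-1-5-32-544"},
]

if __name__ == "__main__":
    for name, scope in groups_winbind_should_return(SAMPLE_GROUPS, DOMAIN_SID):
        print("%-16s %s" % (name, scope))
```

Run against real data, the entries would come from an LDAP search for objectClass=group returning cn, groupType and objectSid; the point of masking to 32 bits is that the signed values LDAP hands back otherwise make the flag tests silently wrong for every security group.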
Re: Winbind doesnt enumerate more than one group from an AD domain
On 25 Oct 2002, Simo Sorce wrote:

> JF is totally right, winbind should never ask for the PDC's local groups.
> But there is a third option, MS has defined an obscure (to me) new type of
> group in w2k, the global local group, do you mean this one jerry?

Domain local groups existed under Windows NT 4.0. They were just available among DC's of the domain. See my other post in response to JF.

cheers, jerry
Re: Winbind doesnt enumerate more than one group from an AD domain
On Fri, 25 Oct 2002, Gerald (Jerry) Carter wrote:

> On Fri, 25 Oct 2002, Jean Francois Micouleau wrote:
>
> > you mean local groups within the S-1-5-32 sid sub tree or the local domain
> > groups under the PDC SID ?
> >
> > If that's the first case, winbind shouldn't even read them, they have no
> > meaning outside the machine they are defined.
>
> In a Windows 2000 native mode domain, domain local groups are available for
> use by any domain member. These are the ones I thought we were referring to.
> Did I misread the original post?

ok then it's still a problem of vocabulary :)

Can we settle on a definitive wording ? local groups, domain groups, domain local groups, universal groups.

J.F.
Re: Winbind doesnt enumerate more than one group from an AD domain
On Fri, 2002-10-25 at 21:55, Gerald (Jerry) Carter wrote:

> Domain local groups existed under Windows NT 4.0. They were just available
> among DC's of the domain. See my other post in response to JF.

To my knowledge (derived from some doc on msdn) they are a different thing. local groups (same as NT) do exist in w2k and are different from domain local groups.

I'm sorry I'm not able anymore to find the article on msdn :-(

Simo.

--
Simo Sorce - [EMAIL PROTECTED]
Xsec s.r.l.
via Durando 10 Ed. G - 20158 - Milano
tel. +39 02 2399 7130 - fax: +39 02 700 442 399
Re: Winbind doesnt enumerate more than one group from an AD domain
On Fri, 25 Oct 2002, Jean Francois Micouleau wrote:

> ok then it's still a problem of vocabulary :)
>
> Can we settle on a definitive wording ? local groups, domain groups, domain
> local groups, universal groups.

Fine by me :-)

cheers, jerry