I have the following configuration:

Solaris 9 (patch 112960-10 applied)
Samba 3.0.8 (configure --with-ads --with-pam --with-winbind)
MIT Kerberos 1.3.5 (configure --enable-dns --enable-dns-for-kdc --enable-dns-for-realm --without-tcl)

I am using Samba to share files to our Windows users via a Samba share,
security = ads.  All the shares work just fine.

Here is the relevant section of my smb.conf file:

  [global]
            workgroup = FFFC
            realm = FFFC.COM
            server string = Fileshare
            security = ads
            password server = *
            log level = 2
            log file = /var/log/samba/%m.log
            min protocol = NT1
            time server = Yes
            change notify timeout = 300
            deadtime = 7
            socket options = TCP_NODELAY SO_RCVBUF=8192 IPTOS_LOWDELAY SO_RCVBUF=8192 SO_SNDBUF=8192
            load printers = No
            os level = 99
            domain master = No
            ldap ssl = no
            idmap uid = 50000-59999
            idmap gid = 50000-59999
            winbind separator = +
            winbind cache time = 10
            winbind nested groups = Yes
            hide unreadable = Yes
            delete veto files = Yes
            inherit acls = Yes
            inherit permissions = Yes
            wins server = 10.1.240.90 10.1.240.91
            use spnego = Yes

  [exlist$]
            comment = Test share
            path = /export/smbfiles/exlist
            create mask = 0777
            directory mask = 0777
            security mask = 0777
            force group = root
            force user = root
            writeable = Yes
            read only = No
            valid users = FFFC+Citrix_Base
            write list = FFFC+Citrix_Base
            veto files = /*.?pg/*.avi/favicon.ico/robots.txt/.htaccess/*.wm*/.rhosts/*.rm/*.mp?/*.asf/*.wav/*.?peg/*.midi/*.aif*/*.au/*.as?/*.wpl/
            hide files = /Thumbs.db/.*/
            dos filetimes = Yes

The problem that I am having is that some groups cannot be accessed by a
`getent group` command.

I can see the group with wbinfo:

  $ wbinfo -g | grep FFFC+Citrix_Base
  FFFC+Citrix_Base

  $ wbinfo -n FFFC+Citrix_Base
  S-1-5-21-393102617-441343358-1233803906-9715 Domain Group (2)

  $ wbinfo -Y S-1-5-21-393102617-441343358-1233803906-9715
  50308

  $ wbinfo -G 50308
  S-1-5-21-393102617-441343358-1233803906-9715

As you can clearly see, FFFC+Citrix_Base is a valid Active Directory group.
But when I use `getent`, I get different numbers of groups:

  $ wbinfo -g | wc -l
     327
  $ getent group | awk -F: '{print $1}'|wc -l
     315

Also, when I try to view the group with a `getent` command, winbindd seems
to hang.  

  $ getent group FFFC+Citrix_Base

I left it for three hours and it still did not return the group.

The group FFFC+Citrix_Base contains a lot of users (more than 500 for sure,
possibly more than 1000).

This is preventing me from using FFFC+Citrix_Base as a way to control access
to this share.

Does anyone have any insight or, better yet, a solution to this problem?

I see that 3.0.9 has just been released.  I may try that but looking at the
release notes, it does not appear that this problem is addressed by 3.0.9.

Thank you in advance.

Mark. 
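
One way to narrow down the symptom described in the message above, as an added example that is not part of the original post: it lists the groups that `wbinfo -g` enumerates but `getent group` does not return, and probes a single lookup with a deadline so a hung winbindd cannot block the check. The function names, the sample group names other than FFFC+Citrix_Base, the gids and the 30-second deadline are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the original post). Real use, on saved output:
#   wbinfo -g > w.txt; getent group > g.txt
#   missing_groups w.txt g.txt | while read -r g; do
#       echo "$g: $(lookup_status 30 getent group "$g")"
#   done

# missing_groups WBINFO_LIST GETENT_LIST
# Prints each name in WBINFO_LIST (saved `wbinfo -g` output) that has no
# entry in GETENT_LIST (saved `getent group` output).
missing_groups() {
    awk 'FILENAME == ARGV[1] { split($0, f, ":"); seen[f[1]] = 1; next }
         !($0 in seen)' "$2" "$1"
}

# lookup_status SECS CMD [ARG...]
# Runs CMD with a deadline and prints "ok", "fail" (non-zero exit) or
# "hung" (still running after SECS seconds, so it was killed).
lookup_status() {
    secs=$1; shift
    "$@" >/dev/null 2>&1 &
    pid=$!
    # Watchdog sleeps in 1-second steps so killing it leaves no long sleep behind.
    ( i=0
      while [ "$i" -lt "$secs" ]; do sleep 1; i=$((i + 1)); done
      kill -9 "$pid" ) >/dev/null 2>&1 &
    dog=$!
    rc=0
    wait "$pid" 2>/dev/null || rc=$?
    kill "$dog" 2>/dev/null || :
    if [ "$rc" -eq 0 ]; then echo ok
    elif [ "$rc" -gt 128 ]; then echo hung   # terminated by the watchdog's signal
    else echo fail
    fi
}

# Constructed sample data standing in for the two saved command outputs.
demo() {
    dir=${TMPDIR:-/tmp}/nsscheck.$$
    mkdir "$dir" || return 1
    printf '%s\n' 'FFFC+Domain Users' 'FFFC+Citrix_Base' 'FFFC+Helpdesk' > "$dir/w.txt"
    printf '%s\n' 'root::0:' 'FFFC+Domain Users:x:50001:' \
        'FFFC+Helpdesk:x:50002:' > "$dir/g.txt"
    missing_groups "$dir/w.txt" "$dir/g.txt"
    rm -rf "$dir"
}
demo
```

A group reported as "hung" or "fail" here will not be resolved through NSS either, so it is worth confirming before relying on that group in `valid users` or `write list`.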

