After some more screwing around with leaving and rejoining the ADS
domain I was finally able to access a share with "valid users =" set
to a domain group I was a member of. The _only_ change I made after
this was to add yet another group to the valid users on the share and
restart samba...after that I could no longer access the share. I
removed the additional group, restarted samba and could still not
access the share. I then tried adding my domain username to "valid
users=" and it worked fine. So I'm back in the same boat again, users
work, groups don't. Has anyone seen this problem before? Or does
anyone have advice for tracking down the root of this problem. I've
had this problem with samba 3.0.4 and samba 3.0.5, recently upgraded
kerberos from 1.2.7 to 1.3.3 but see no difference. Running winbindd
in debug doesn't seem to indicate any problem. Here's the output of
winbindd anyway, with debug level 3 after a failed login attempt from
windows:

[ 2627]: getgrnam QG+TEST
rpc: name_to_sid name=TEST
name_to_sid [rpc] TEST for domain QG
ads: dn_lookup
ads: dn_lookup
ads: dn_lookup
ads: dn_lookup
ads: dn_lookup
ads lookup_groupmem for sid=S-1-5-21-842925246-1647877149-1417001333-57015
[ 2627]: getgrnam QG+TEST
[ 2627]: getgrnam QG+TEST
[ 2629]: request interface version
[ 2629]: request location of privileged pipe
[ 2629]: domain_info [QG.COM]
[ 2629]: getpwnam qg+jzillera
rpc: name_to_sid name=jzillera
name_to_sid [rpc] jzillera for domain QG
ads: query_user
ads query_user gave JZILLERA
[ 2629]: getgroups QG+jzillera
sid_to_name [rpc] S-1-5-21-842925246-1647877149-1417001333-29979 for domain QG
sid_to_name [rpc] S-1-5-21-842925246-1647877149-1417001333-53735 for domain QG
sid_to_name [rpc] S-1-5-21-842925246-1647877149-1417001333-29156 for domain QG
sid_to_name [rpc] S-1-5-21-842925246-1647877149-1417001333-55130 for domain QG
sid_to_name [rpc] S-1-5-21-842925246-1647877149-1417001333-20629 for domain QG
[ 2629]: gid to sid 10002
[ 2629]: gid to sid 10003
[ 2629]: gid to sid 10004
[ 2629]: gid to sid 10005
[ 2629]: gid to sid 10006
[ 2629]: gid to sid 10007
[ 2629]: gid to sid 10008
[ 2629]: gid to sid 10009
[ 2629]: gid to sid 10010
[ 2629]: gid to sid 10011
[ 2629]: gid to sid 10012
[ 2629]: gid to sid 10013
[ 2629]: gid to sid 10014
[ 2629]: gid to sid 10015
[ 2629]: gid to sid 10016
[ 2629]: gid to sid 10017
[ 2629]: gid to sid 10018
[ 2629]: gid to sid 10019
[ 2629]: gid to sid 10020
[ 2629]: gid to sid 10021
[ 2629]: gid to sid 10022
[ 2629]: gid to sid 10023
[ 2629]: gid to sid 10024
[ 2629]: gid to sid 10025
[ 2629]: gid to sid 10026
[ 2629]: gid to sid 10027
[ 2629]: gid to sid 10028
[ 2629]: gid to sid 10029
[ 2629]: gid to sid 10030
[ 2629]: gid to sid 10031
[ 2629]: gid to sid 10032
[ 2629]: gid to sid 10033
[ 2629]: getpwnam QG+jzillera
[ 2629]: getgrnam QG+TEST

That's it.

Again, the output of 'getent group' shows my user as being a member of
QG+TEST:

QG+TEST:x:10000:QG+JZILLERA

If you would like any more info please ask....thanks!

-James

> -----Original Message-----
> From: Ziller, James
> Sent: Monday, August 02, 2004 4:08 PM
> To: 'samba@lists.samba.org'
> Subject: Problems w/ winbind and AD group membership
>
> Hello friends,
>
> I am using samba to join a linux box to an active directory domain to
> use as a file server. I would like to be able to control access to
> shares based on AD domain groups. However, even though winbind seems
> to be seeing the groups fine, samba is not granting access to users
> who are members of the group. I am able to successfully join the
> system to the domain and granting access to shares based on Windows
> usernames works fine.
>
> getent group returns:
> QG+TEST:x:10029:QG+JZILLERA,QG+HPCHEUNGA,QG+FOLIVERA,QG+DDAWSONA,QG+PLYNCHA
>
> However an id lookup of my windows username doesn't list me as a group
> member of QG+TEST. (shouldn't it?)
>
> [root@smbsrv root]# id qg+jzillera
> uid=10002(QG+JZILLERA) gid=10000(QG+Domain Users)
> groups=10000(QG+Domain Users)
>
> System Details:
> Redhat 9
> samba-3.0.5-2
> krb5-libs-1.2.7-10
> krb5-devel-1.2.7-10
> krb5-workstation-1.2.7-10
> pam_krb5-1.60-1
>
> [root@smbsrv root]# wbinfo -t
> checking the trust secret via RPC calls succeeded
>
> [root@smbsrv root]# testparm
> Load smb config files from /etc/samba/smb.conf
> Processing section "[test]"
> Loaded services file OK.
> Server role: ROLE_DOMAIN_MEMBER
> Press enter to see a dump of your service definitions
>
> # Global parameters
> [global]
>     workgroup = QG
>     realm = QG.COM
>     server string = Samba Server
>     security = ADS
>     obey pam restrictions = Yes
>     password server = wadc2
>     log file = /var/log/samba/log.%m
>     max log size = 50
>     load printers = No
>     printcap name = /etc/printcap
>     local master = No
>     domain master = No
>     dns proxy = No
>     wins support = Yes
>     idmap uid = 10000-30000
>     idmap gid = 10000-30000
>     winbind separator = + (tried with # and \ as well)
>     winbind use default domain = Yes (tried with No)
>
> [test]
>     comment = testing
>     path = /mnt/qdsfsl01/resources/testing
>     valid users = @QG+TEST
>     write list = @QG+TEST
>
> Winbind logs show nothing that indicates any error, even when run with
> debug level 3. I've been beating myself over the head with this
> problem for months...any help or suggestions would be greatly
> appreciated.
>
> Thanks!
>
> James Ziller
> Systems Administrator
>
> Quad/Graphics - Q/DS
> West Allis, Wisconsin
> james.ziller@qg.com

Hi,

you max out the 32 group limit of your UNIX (02-33), and the group you
want is over 33. Check how many Windows groups you are in.

Charles

On Wed, 4 Aug 2004 07:46:22 -0500
"Ziller, James" <James.Ziller@qg.com> wrote:

> After some more screwing around with leaving and rejoining the ADS
> domain I was finally able to access a share with "valid users =" set
> to a domain group I was a member of. The _only_ change I made after
> this was to add yet another group to the valid users on the share and
> restart samba...after that I could no longer access the share. I
> removed the additional group, restarted samba and could still not
> access the share. I then tried adding my domain username to "valid
> users=" and it worked fine. So I'm back in the same boat again, users
> work, groups don't. Has anyone seen this problem before? Or does
> anyone have advice for tracking down the root of this problem. I've
> had this problem with samba 3.0.4 and samba 3.0.5, recently upgraded
> kerberos from 1.2.7 to 1.3.3 but see no difference. Running winbindd
> in debug doesn't seem to indicate any problem.
--
Charles Bueche <charles@bueche.ch>
sand, snow, wave, wind and net -surfer

I'm only in 6 windows groups...:/

-----Original Message-----
From: Charles Bueche [mailto:charles@bueche.ch]
Sent: Wednesday, August 04, 2004 2:11 PM
To: Ziller, James
Cc: samba@lists.samba.org
Subject: Re: [Samba] Winbind being flakey

Hi,

you max out the 32 group limit of your UNIX (02-33), and the group you
want is over 33. Check how many Windows groups you are in.

Charles

On Wed, 4 Aug 2004 07:46:22 -0500
"Ziller, James" <James.Ziller@qg.com> wrote:

> After some more screwing around with leaving and rejoining the ADS
> domain I was finally able to access a share with "valid users =" set
> to a domain group I was a member of. The _only_ change I made after
> this was to add yet another group to the valid users on the share and
> restart samba...after that I could no longer access the share. I
> removed the additional group, restarted samba and could still not
> access the share. I then tried adding my domain username to "valid
> users=" and it worked fine. So I'm back in the same boat again, users
> work, groups don't. Has anyone seen this problem before? Or does
> anyone have advice for tracking down the root of this problem. I've
> had this problem with samba 3.0.4 and samba 3.0.5, recently upgraded
> kerberos from 1.2.7 to 1.3.3 but see no difference. Running winbindd
> in debug doesn't seem to indicate any problem.

Hi,

I think it's UNIX history, I guess the 16 users limit of NFS is
probably because it is coded in 4 bits somewhere, but this is just a
guess, I haven't looked at the source.

My tests were done on Solaris, where the limit can be raised to 32, but
still not enough, as some users are members of 80-100 groups.

I haven't investigated more, no time for now. Just waiting for someone
else to scratch their own itch :-)

Charles

On Sun, 08 Aug 2004 00:19:36 -0400
Jim Ross <jktross@umd.umich.edu> wrote:

> Hey Charles, do you have any ideas where the 32 group limit comes
> from?
> I thought I had this pegged to NGROUPS_MAX being 32, but I seem to
> run into the same issue on Fedora Core too, where NGROUPS_MAX is over
> 64k. I'm at a loss on it, but have plenty of users in more than 32
> groups. I haven't seen anyone in the list mention it but you did, so
> I thought you might have an idea on this.
>
> Thanks,
> Jim Ross
>
> Charles Bueche wrote:
>
> > Hi,
> >
> > you max out the 32 group limit of your UNIX (02-33), and the group
> > you want is over 33. Check how many Windows groups you are in.
> >
> > Charles
> >
> > On Wed, 4 Aug 2004 07:46:22 -0500
> > "Ziller, James" <James.Ziller@qg.com> wrote:
> >
> >> After some more screwing around with leaving and rejoining the ADS
> >> domain I was finally able to access a share with "valid users =" set
> >> to a domain group I was a member of. The _only_ change I made after
> >> this was to add yet another group to the valid users on the share
> >> and restart samba...after that I could no longer access the share.
> >> I removed the additional group, restarted samba and could still not
> >> access the share. I then tried adding my domain username to "valid
> >> users=" and it worked fine. So I'm back in the same boat again,
> >> users work, groups don't. Has anyone seen this problem before? Or
> >> does anyone have advice for tracking down the root of this problem.
--
Charles Bueche <charles@bueche.ch>
sand, snow, wave, wind and net -surfer
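
Added example, not part of any message in this thread and not Samba code: one way to check the point Charles raises against a winbindd debug log in the format James posted, by counting the domain SIDs resolved and the "gid to sid" lookups that follow a getgroups request, then testing whether the share's group gid is among them. The domain EXAMPLE, user alice, pid, SIDs and sample log are constructed; the function names are hypothetical and the limit of 32 is the figure from Charles's message.

```python
import os
import re

GROUP_LIMIT = 32  # figure cited in the thread; adjust for the platform (assumption)

REQUEST = re.compile(r"^\[\s*(\d+)\]:\s+(.*)$")      # "[ 2629]: getgroups QG+jzillera"
GID_TO_SID = re.compile(r"^gid to sid (\d+)$")
SID_TO_NAME = re.compile(r"^sid_to_name \[rpc\] (S-[\d-]+)")


def analyse(log_text):
    """Map each user of a getgroups request to the SIDs and gids logged after it."""
    results, user, pid = {}, None, None
    for raw in log_text.splitlines():
        line = raw.strip()
        req = REQUEST.match(line)
        if req:
            req_pid, request = req.groups()
            gid = GID_TO_SID.match(request)
            if request.startswith("getgroups "):
                user, pid = request.split(None, 1)[1], req_pid
                results[user] = {"sids": [], "gids": []}
            elif gid and user and req_pid == pid:
                results[user]["gids"].append(int(gid.group(1)))
            else:
                user = None  # any other request ends the getgroups context
            continue
        sid = SID_TO_NAME.match(line)
        if sid and user:
            results[user]["sids"].append(sid.group(1))
    return results


def diagnose(entry, target_gid, limit=GROUP_LIMIT):
    """Summarise one getgroups entry against the share group's gid."""
    gids = entry["gids"]
    return {
        "domain_sids": len(entry["sids"]),
        "gid_lookups": len(gids),
        "gid_range": (min(gids), max(gids)) if gids else None,
        "at_limit": len(gids) >= limit,    # a list exactly at the limit is suspect
        "target_seen": target_gid in gids,
    }


def platform_ngroups_max():
    """NGROUPS_MAX as reported by this host, or None if unavailable."""
    try:
        return os.sysconf("SC_NGROUPS_MAX")
    except (ValueError, OSError):
        return None


# Constructed sample in the same line format as the log posted in the thread.
_SID = "S-1-5-21-1111111111-2222222222-3333333333"
SAMPLE_LOG = "\n".join(
    ["[ 2629]: getpwnam example+alice", "[ 2629]: getgroups EXAMPLE+alice"]
    + [f"sid_to_name [rpc] {_SID}-{rid} for domain EXAMPLE" for rid in range(1101, 1106)]
    + [f"[ 2629]: gid to sid {gid}" for gid in range(10002, 10034)]
    + ["[ 2629]: getpwnam EXAMPLE+alice", "[ 2629]: getgrnam EXAMPLE+TEST"]
)

if __name__ == "__main__":
    entry = analyse(SAMPLE_LOG)["EXAMPLE+alice"]
    print("NGROUPS_MAX on this host:", platform_ngroups_max())
    print(diagnose(entry, target_gid=10040))  # 10040 is a constructed gid
```

A handful of domain SIDs followed by exactly 32 gid lookups covering the first 32 gids of the idmap range, as in the posted log, is the pattern to look for; comparing `target_seen` with the gid shown by `getent group` tells you whether the share's group was among the gids logged for that request.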