Everyone,

With many thanks to Jerry, my cross domain authentication is now working. This leads to a new problem. I cannot get samba to authenticate a remote domain user in a Universal group properly.

Here are the details:

USTR-LINUX-1:~ # wbinfo --name-to-sid=NA\\USTR-LINUX-1-REDHAT-READ
S-1-5-21-725345543-2052111302-527237240-349134 Domain Group (2)

USTR-LINUX-1:~ # wbinfo --name-to-sid=EU\\inblr-auth1
S-1-5-21-606747145-879983540-1177238915-173280 User (1)

USTR-LINUX-1:~ # wbinfo --user-domgroups=S-1-5-21-606747145-879983540-1177238915-173280
S-1-5-21-606747145-879983540-1177238915-513
.
.
.
S-1-5-21-606747145-879983540-1177238915-79634
S-1-5-21-606747145-879983540-1177238915-79966
S-1-5-21-725345543-2052111302-527237240-349134   **Here is the group!!**
S-1-5-21-725345543-2052111302-527237240-177738
S-1-5-21-725345543-2052111302-527237240-349185
S-1-5-21-725345543-2052111302-527237240-307510
S-1-5-21-725345543-2052111302-527237240-177742
S-1-5-21-606747145-879983540-1177238915-90389
S-1-5-21-606747145-879983540-1177238915-72164
S-1-5-21-606747145-879983540-1177238915-91149
S-1-5-21-606747145-879983540-1177238915-70785
S-1-5-21-606747145-879983540-1177238915-91412

However, when I try to set up a test web page to
  require group "NA\USTR-LINUX-1-REDHAT-READ"

and then attempt to access the page, I get the following error:
error] [client 192.63.xxx.xxx] GROUP: EU\\inblr-auth1 not in required group(s).

Does anyone else have something like this working? What am I doing wrong?

Thanks,
Ron
Check your winbind group memberships -- I'm willing to bet that your winbind will only show group membership for users in the same domain as the group.

We are seeing the same mis-behavior here. Group members from other domains are simply not being enumerated by winbind as a group member (getent group), even though the other-domain user itself is properly listed (getent passwd).

I tried to report this as a bug, but it was closed/reopened as a feature request. Discussion was left that I had to prove that the other-domain user can successfully connect to a resource with permissions mapped directly to that other-domain user, but fails to connect to the same resource when permissions are mapped to a domain local group in the local server's domain that contains the other-domain user. (I have yet to create this test-case because of unrelated time-constraints...)

Cheers,
-D

At 02:02 PM 3/2/2006, Trimble, Ronald D wrote:
>Everyone,
> With many thanks to Jerry, my cross domain authentication is now
>working. This leads to a new problem. I cannot get samba to
>authenticate a remote domain user in a Universal group
>properly.
> Here are the details:
>
>USTR-LINUX-1:~ # wbinfo --name-to-sid=NA\\USTR-LINUX-1-REDHAT-READ
>S-1-5-21-725345543-2052111302-527237240-349134 Domain Group (2)
>
>USTR-LINUX-1:~ # wbinfo --name-to-sid=EU\\inblr-auth1
>S-1-5-21-606747145-879983540-1177238915-173280 User (1)
>
>USTR-LINUX-1:~ # wbinfo
>--user-domgroups=S-1-5-21-606747145-879983540-1177238915-173280
>S-1-5-21-606747145-879983540-1177238915-513
>.
>.
>.
>S-1-5-21-606747145-879983540-1177238915-79634
>S-1-5-21-606747145-879983540-1177238915-79966
>S-1-5-21-725345543-2052111302-527237240-349134   **Here is the group!!**
>S-1-5-21-725345543-2052111302-527237240-177738
>S-1-5-21-725345543-2052111302-527237240-349185
>S-1-5-21-725345543-2052111302-527237240-307510
>S-1-5-21-725345543-2052111302-527237240-177742
>S-1-5-21-606747145-879983540-1177238915-90389
>S-1-5-21-606747145-879983540-1177238915-72164
>S-1-5-21-606747145-879983540-1177238915-91149
>S-1-5-21-606747145-879983540-1177238915-70785
>S-1-5-21-606747145-879983540-1177238915-91412
>
>However, when I try to set up a test web page to
> require group "NA\USTR-LINUX-1-REDHAT-READ"
>
>And then attempt to access the page, I get the following error:
>error] [client 192.63.xxx.xxx] GROUP: EU\\inblr-auth1 not in required
>group(s).
>
>Does anyone else have something like this working? What am I doing
>wrong?
>
>Thanks,
>Ron
>
>--
>To unsubscribe from this list go to the following URL and read the
>instructions: https://lists.samba.org/mailman/listinfo/samba

Don Meyer <dlmeyer@uiuc.edu>
Network Manager, ACES Academic Computing Facility
Technical System Manager, ACES TeleNet System
UIUC College of ACES, Information Technology and Communication Services

"They that can give up essential liberty to obtain a little temporary safety, deserve neither liberty or safety." -- Benjamin Franklin, 1759
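The two views of membership that Don's reply compares (the SID list winbind returns for the user via `wbinfo --user-domgroups`, versus the member field of `getent group`) can be checked side by side with the script below. It is an added example, not code from the thread or from Samba. It assumes `wbinfo` and `getent` are on the path and that winbind presents names as `DOMAIN\user` with a backslash separator, as in the thread; the parsing functions are exercised on constructed sample output in which the group SID and user name are the ones from Ron's post, and the `SAMPLE_GROUP_LINE` member list is made up.

```shell
#!/bin/sh
# Added diagnostic, not from the thread or Samba: compare the SID-based and the
# name-based views winbind gives of a user's group membership. The live calls to
# wbinfo/getent are isolated in compare_views so the parsing can be tested on
# captured output.

# Constructed sample data (SIDs and names taken from Ron's post; the member list
# in SAMPLE_GROUP_LINE is made up). Single quotes keep the backslashes literal.
SAMPLE_GROUP_SID='S-1-5-21-725345543-2052111302-527237240-349134'
SAMPLE_SIDS='S-1-5-21-606747145-879983540-1177238915-513
S-1-5-21-725345543-2052111302-527237240-349134
S-1-5-21-606747145-879983540-1177238915-90389'
SAMPLE_GROUP_LINE='NA\USTR-LINUX-1-REDHAT-READ:x:10234:NA\someuser'

# Is the group SID ($1) present, as a whole line, in the SID list read on stdin?
# -F avoids regex interpretation, -x forces a full-line match.
sid_in_list() {
    grep -qxF -- "$1"
}

# Is user name ($2, DOMAIN\user) one of the comma-separated members in the
# fourth field of a getent group line ($1, "name:x:gid:m1,m2,...")?
user_in_group_line() {
    members=$(printf '%s\n' "$1" | cut -d: -f4)
    printf '%s\n' "$members" | tr ',' '\n' | grep -qxF -- "$2"
}

# Live comparison against winbind (needs wbinfo/getent and a joined host):
#   compare_views 'NA\USTR-LINUX-1-REDHAT-READ' 'EU\inblr-auth1'
# wbinfo --name-to-sid prints "SID type (n)", so the first field is the SID.
compare_views() {
    group=$1
    user=$2
    group_sid=$(wbinfo --name-to-sid="$group" | awk '{print $1}')
    user_sid=$(wbinfo --name-to-sid="$user" | awk '{print $1}')
    # printf rather than echo: dash's echo would interpret the backslashes.
    if wbinfo --user-domgroups="$user_sid" | sid_in_list "$group_sid"; then
        printf 'SID view:    %s is in %s\n' "$user" "$group"
    else
        printf 'SID view:    %s is NOT in %s\n' "$user" "$group"
    fi
    if user_in_group_line "$(getent group "$group")" "$user"; then
        printf 'getent view: %s listed as member of %s\n' "$user" "$group"
    else
        printf 'getent view: %s NOT listed in %s (cross-domain member?)\n' "$user" "$group"
    fi
}

# Demo on the constructed sample: the SID view finds the group, the name view
# does not list the cross-domain user, which is the disagreement the thread describes.
printf '%s\n' "$SAMPLE_SIDS" | sid_in_list "$SAMPLE_GROUP_SID" && printf 'sample: SID view finds the group\n'
user_in_group_line "$SAMPLE_GROUP_LINE" 'EU\inblr-auth1' || printf 'sample: getent view does not list EU\\inblr-auth1\n'
```

When the two views disagree for a real user, the SID view is the one the domain controller actually asserts, so the Apache-side `require group` failure is a lookup problem on the Samba host rather than a missing membership in AD; that is the distinction the bug report Don mentions was asked to prove.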
This is exactly what I am seeing. I think this should be reopened as a bug. I could easily provide all of the diagnostics since I have it set up like this right now. The strange thing is, I can get it to work with Domain Global groups, but not Universal groups, which shows the SID properly. Domain Local doesn't work at all unless the user is in the same domain as the group.

How do we get this escalated?

-----Original Message-----
From: Don Meyer [mailto:dlmeyer@uiuc.edu]
Sent: Thursday, March 02, 2006 6:06 PM
To: Trimble, Ronald D; samba@lists.samba.org
Subject: Re: [Samba] Problem with Universal Groups

Check your winbind group memberships -- I'm willing to bet that your winbind will only show group membership for users in the same domain as the group.

We are seeing the same mis-behavior here. Group members from other domains are simply not being enumerated by winbind as a group member (getent group), even though the other-domain user itself is properly listed (getent passwd).

I tried to report this as a bug, but it was closed/reopened as a feature request. Discussion was left that I had to prove that the other-domain user can successfully connect to a resource with permissions mapped directly to that other-domain user, but fails to connect to the same resource when permissions are mapped to a domain local group in the local server's domain that contains the other-domain user. (I have yet to create this test-case because of unrelated time-constraints...)

Cheers,
-D

At 02:02 PM 3/2/2006, Trimble, Ronald D wrote:
>Everyone,
> With many thanks to Jerry, my cross domain authentication is now
>working. This leads to a new problem. I cannot get samba to
>authenticate a remote domain user in a Universal group
>properly.
> Here are the details:
>
>USTR-LINUX-1:~ # wbinfo --name-to-sid=NA\\USTR-LINUX-1-REDHAT-READ
>S-1-5-21-725345543-2052111302-527237240-349134 Domain Group (2)
>
>USTR-LINUX-1:~ # wbinfo --name-to-sid=EU\\inblr-auth1
>S-1-5-21-606747145-879983540-1177238915-173280 User (1)
>
>USTR-LINUX-1:~ # wbinfo
>--user-domgroups=S-1-5-21-606747145-879983540-1177238915-173280
>S-1-5-21-606747145-879983540-1177238915-513
>.
>.
>.
>S-1-5-21-606747145-879983540-1177238915-79634
>S-1-5-21-606747145-879983540-1177238915-79966
>S-1-5-21-725345543-2052111302-527237240-349134   **Here is the group!!**
>S-1-5-21-725345543-2052111302-527237240-177738
>S-1-5-21-725345543-2052111302-527237240-349185
>S-1-5-21-725345543-2052111302-527237240-307510
>S-1-5-21-725345543-2052111302-527237240-177742
>S-1-5-21-606747145-879983540-1177238915-90389
>S-1-5-21-606747145-879983540-1177238915-72164
>S-1-5-21-606747145-879983540-1177238915-91149
>S-1-5-21-606747145-879983540-1177238915-70785
>S-1-5-21-606747145-879983540-1177238915-91412
>
>However, when I try to set up a test web page to
> require group "NA\USTR-LINUX-1-REDHAT-READ"
>
>And then attempt to access the page, I get the following error:
>error] [client 192.63.xxx.xxx] GROUP: EU\\inblr-auth1 not in required
>group(s).
>
>Does anyone else have something like this working? What am I doing
>wrong?
>
>Thanks,
>Ron
>
>--
>To unsubscribe from this list go to the following URL and read the
>instructions: https://lists.samba.org/mailman/listinfo/samba

Don Meyer <dlmeyer@uiuc.edu>
Network Manager, ACES Academic Computing Facility
Technical System Manager, ACES TeleNet System
UIUC College of ACES, Information Technology and Communication Services

"They that can give up essential liberty to obtain a little temporary safety, deserve neither liberty or safety." -- Benjamin Franklin, 1759