I tried searching through the archives, but was unable to find anything about this.

Everything regarding winbind and AD membership is working perfectly with one exception. Here's an example of what I'm experiencing:

A group called "department_users" contains two groups "department_faculty" and "department_staff". These two groups, "department_faculty" and "department_staff", contain users.

'getent group department_faculty' returns:

    department_faculty:x:9315:user1,user2,user3

'getent group department_staff' returns:

    department_staff:x:9316:user4,user5,user6

'getent group department_users' returns:

    department_users:x:9317:

which contains no users instead of user1 through user6.

Is this nesting, recursion, whatever the correct term for it is, supported by samba?

I'm greatly oversimplifying the situation I have here with this example. I'm in an educational environment with over 50000 groups, most of which are automatically populated based on course registration. The answer to the above should let me know if what I want to do is possible.

Thanks in advance,
Charles
Charles J Gruener wrote:
> I tried searching through the archives, but was unable to find anything
> about this.
>
> Everything regarding winbind and AD membership is working perfectly with
> one exception. Here's an example of what I'm experiencing:
>
> A group called "department_users" contains two groups "department_faculty"
> and "department_staff". These two groups, "department_faculty" and
> "department_staff" contain users.
>
> 'getent group department_faculty' returns:
> department_faculty:x:9315:user1,user2,user3
>
> 'getent group department_staff' returns:
> department_staff:x:9316:user4,user5,user6
>
> 'getent group department_users' returns:
> department_users:x:9317:

Eek, we had been planning on deploying AD-integration, but desperately need the "groups of groups" feature to work as expected. Please keep the group (here) informed when/if you learn anything.

-- Rex
Gerald (Jerry) Carter
2006-Nov-10 18:17 UTC
[Samba] Winbind and AD groups containing groups
Charles J Gruener wrote:
> I tried searching through the archives, but was unable to find anything
> about this.
>
> Everything regarding winbind and AD membership is working perfectly with
> one exception. Here's an example of what I'm experiencing:
>
> A group called "department_users" contains two groups "department_faculty"
> and "department_staff". These two groups, "department_faculty" and
> "department_staff" contain users.
>
> 'getent group department_faculty' returns:
>
> department_faculty:x:9315:user1,user2,user3
>
> 'getent group department_staff' returns:
>
> department_staff:x:9316:user4,user5,user6
>
> 'getent group department_users' returns:
>
> department_users:x:9317:

Charles,

This is a known issue at the moment. If we did a limited amount of nested group expansion (one level, for example), would that be ok?

cheers, jerry
> Michael Schurter wrote:
>> On Fri, 2006-11-10 at 12:34 -0600, Rex Dieter wrote:
>>> Gerald (Jerry) Carter wrote:
>>>> Charles, This is a known issue at the moment. If we did
>>>> a limited amount of nested group expansion (one level for
>>>> example, would that be ok)?
>>> For our deployment use case, we'd need an absolute minimum of 3 levels of
>>> expansion, depending on the definition of level. For us we have:
>>
>> Could the level of recursion be a configuration parameter and just
>> default to 0? That would seem ideal as it would keep backwards
>> compatibility and offer the greatest level of control.
>
> Possibility. Myself and another dev here at Centeris
> are looking into this.

I know that in my case, I'd need a large level of recursion, say about 5 or 7 groups deep.

What I don't understand is that "wbinfo -r username" correctly returns all the groups the user belongs to. Couldn't this information somehow be used to solve this issue?

Charles
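The thread's last message points out that the per-user view (`wbinfo -r USER`) already reflects nested membership even though the per-group view (`getent group`) does not. The script below, added here as an illustration and not code from the Samba project or any of the posters, inverts that per-user view to recover the effective membership of each group and flags groups that `getent` reports as empty but that users actually belong to. Such groups are the ones on which file permissions or `valid users` style access rules silently fail to apply. It assumes `wbinfo -r` prints one numeric GID per line; the `getent` lines and the per-user outputs are constructed sample data mirroring the department_* groups in the thread, and the function names are this example's own.

```python
"""Invert per-user group listings into per-group membership (added example).

Assumes two inputs described in the thread: the `getent group` lines
(direct members only) and, per user, the output of `wbinfo -r USER`
(assumed to be one numeric GID per line, including nested groups).
"""
from collections import defaultdict

# Constructed sample: what `getent group` shows for the three groups.
GETENT_LINES = [
    "department_faculty:x:9315:user1,user2,user3",
    "department_staff:x:9316:user4,user5,user6",
    "department_users:x:9317:",  # nested-only group: no direct users
]

# Constructed sample: what `wbinfo -r <user>` would print for each user.
WBINFO_R = {
    "user1": "9315\n9317\n",
    "user2": "9315\n9317\n",
    "user3": "9315\n9317\n",
    "user4": "9316\n9317\n",
    "user5": "9316\n9317\n",
    "user6": "9316\n9317\n",
}


def parse_getent(lines):
    """Return {gid: (group name, set of direct members)} from getent output."""
    groups = {}
    for line in lines:
        name, _pw, gid, members = line.split(":", 3)
        direct = {m for m in members.split(",") if m}
        groups[int(gid)] = (name, direct)
    return groups


def parse_wbinfo_r(output):
    """Return the set of GIDs from `wbinfo -r` output (one integer per line)."""
    return {int(tok) for tok in output.split() if tok.isdigit()}


def expand_membership(getent_lines, wbinfo_r_by_user):
    """Invert per-user GID lists into {group name: sorted effective members}."""
    groups = parse_getent(getent_lines)
    effective = defaultdict(set)
    for user, output in wbinfo_r_by_user.items():
        for gid in parse_wbinfo_r(output):
            if gid in groups:  # ignore GIDs that getent does not know about
                effective[groups[gid][0]].add(user)
    # Keep direct members as well, so a user missing from the per-user
    # sample (e.g. a disabled account) is not dropped from the group.
    for _gid, (name, direct) in groups.items():
        effective[name] |= direct
    return {name: sorted(members) for name, members in effective.items()}


def nested_only_groups(getent_lines, wbinfo_r_by_user):
    """Groups that getent lists as empty but that users reach through nesting."""
    direct = {name: d for _gid, (name, d) in parse_getent(getent_lines).items()}
    expanded = expand_membership(getent_lines, wbinfo_r_by_user)
    return sorted(n for n, m in expanded.items() if m and not direct.get(n))


if __name__ == "__main__":
    for name, members in sorted(expand_membership(GETENT_LINES, WBINFO_R).items()):
        print(f"{name}: {','.join(members)}")
    print("empty under getent but populated via wbinfo -r:",
          nested_only_groups(GETENT_LINES, WBINFO_R))
```

On a real member server the two inputs would come from running `getent group` once and `wbinfo -r` once per user of interest; the inversion is only as complete as the set of users you query, which is why the direct members from `getent` are merged back in.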