Hello all,

There is a FreeBSD 8.1 system with Samba 3.5.6. It is a member of an Active Directory domain (domain controllers are WinSrv2008R2 and WinSrv2008).
wbinfo correctly provides user and group lists, as well as group membership information. It is possible to use domain user and group names in commands like chown and chgrp.
However, the id command displays only the primary group for domain users. Furthermore, domain users are not able to access any files owned by their non-primary domain groups.

For example, running
$ id petert
results in the following output:
uid=10000(petert) gid=10009(domain users) groups=10009(domain users)

There is also an error message " failed: NT_STATUS_NO_MORE_ENTRIES" in the log.winbind file:

[2010/11/27 19:47:43.856773, 6] winbindd/winbindd.c:768(new_connection)
  accepted socket 29
[2010/11/27 19:47:43.856837, 3] winbindd/winbindd_getpwnam.c:55(winbindd_getpwnam_send)
  getpwnam petert
[2010/11/27 19:47:43.856966, 6] winbindd/winbindd.c:816(winbind_client_request_read)
  closing socket 28, client exited
[2010/11/27 19:47:43.859876, 3] winbindd/winbindd_getgrent.c:51(winbindd_getgrent_send)
  [69874]: getgrent
[2010/11/27 19:47:43.859904, 5] winbindd/winbindd_getgrent.c:149(winbindd_getgrent_recv)
  getgrent failed: NT_STATUS_NO_MORE_ENTRIES
[2010/11/27 19:47:43.860164, 3] winbindd/winbindd_getgrgid.c:50(winbindd_getgrgid_send)
  getgrgid 10009
[2010/11/27 19:47:43.872512, 3] winbindd/winbindd_getgrgid.c:50(winbindd_getgrgid_send)
  getgrgid 10009
[2010/11/27 19:47:43.872770, 6] winbindd/winbindd.c:816(winbind_client_request_read)
  closing socket 29, client exited

Please let me know how this can be fixed.

With best regards,
P. Trifonov
Does "getent group" show the "Windows" groups?

-----Original Message-----
From: samba-bounces at lists.samba.org [mailto:samba-bounces at lists.samba.org] On Behalf Of Peter Trifonov
Sent: Saturday, November 27, 2010 11:58 AM
To: samba at lists.samba.org
Subject: [Samba] Missing secondary groups
Hi,

> Does "getent group" show the "Windows" groups?

No, it does not.

> > However, the id command displays only the primary group for domain
> > users.
> > Furthermore, domain users are not able to access any files owned by their
> > non-primary domain groups.
> >
> > For example, running
> > $ id petert
> > results in the following output:
> > uid=10000(petert) gid=10009(domain users) groups=10009(domain users)

With best regards,
P. Trifonov
My configuration has Samba domain controllers, not Windows domain controllers, so my setup may not be applicable to you.

However, in order for unix to use windows groups I believe it needs to use "getent group" to pull the information from winbind. First of all, you need to make sure that winbind itself is showing users and/or groups from the Windows server

"wbinfo -u"
"wbinfo -g"

Then you need to make sure that /etc/nsswitch.conf has been updated for winbind, e.g.

passwd: files ldap winbind
group: files ldap winbind

nsswitch.conf is used by things like getent and id. If you are using pam_smb (I have not) the above information may not be relative.

On 11/29/2010 01:27 AM, Peter Trifonov wrote:
> Hi,
>
>> Does "getent group" show the "Windows" groups?
>
> No, it does not.
>
>>> However, the id command displays only the primary group for domain
>>> users.
>>> Furthermore, domain users are not able to access any files owned by their
>>> non-primary domain groups.
>>>
>>> For example, running
>>> $ id petert
>>> results in the following output:
>>> uid=10000(petert) gid=10009(domain users) groups=10009(domain users)
>
> With best regards,
> P. Trifonov
Hi,

> "getent group" to pull the information from winbind. First of all, you need
> to make sure that winbind itself is showing users and/or groups from the
> Windows server
>
> "wbinfo -u"
> "wbinfo -g"

wbinfo does provide the correct information.

> Then you need to make sure that /etc/nsswitch.conf has been updated for

My nsswitch.conf looks as follows:

group: files winbind
group_compat: nis
hosts: files dns
networks: files
passwd: files winbind
passwd_compat: nis
shells: files
services: compat
services_compat: nis
protocols: files
rpc: files

I have another FreeBSD server running Samba 3.4.5, which works correctly.

With best regards,
P. Trifonov
Hi, Peter!

Just a wild guess - could it be the result of moving lockdir in Samba3.5 port from /var/db/samba34 back to /var/db/samba ? Can you check, that, by renaming appropriate directory?

Regards,
Timur.

On Tue, Nov 30, 2010 at 12:54 PM, Peter Trifonov <petert at dcn.ftk.spbstu.ru> wrote:
> Hi,
>
>> idmapping does not work perfectly for me. idmap_ad backend means it
>> should use active directory info to determine the unix uid and gid. It may
>> bypass the issues with local tdb files.
>
> In my case Samba is able to allocate UID and GID itself.
> However, it seems not to be able to communicate it to the OS properly.
>
> I have the following:
>
> 1. "getent passwd" and "getent group" show only local users and groups.
> 2. getent recognizes domain users and groups, if their names or IDs are
> given explicitly. For example:
> heap# getent group "domain users"
> domain users:x:10009
> heap# getent group 10012
> wifi:x:10012
> heap# getent passwd petert
> petert:*:10000:10009:Peter V. Trifonov:/home/DOMAIN/petert:/usr/local/bin/bash
>
> It can be seen that UID and GID were allocated properly. However, all
> non-primary groups are lost:
> 3.
> heap# wbinfo -r petert
> 10009
> 10010
> 10011
> 10012
> 10013
> ....
Hi Timur,

> Just a wild guess - could it be the result of moving lockdir in
> Samba3.5 port from /var/db/samba34 back to /var/db/samba ? Can you
> check, that, by renaming appropriate directory?

I have created a symlink /var/db/samba34 pointing to /var/db/samba, but it still does not work.

With best regards,
P. Trifonov
Hi Timur,

> Just a wild guess - could it be the result of moving lockdir in
> Samba3.5 port from /var/db/samba34 back to /var/db/samba ? Can you
> check, that, by renaming appropriate directory?

I have installed Samba 3.4.9, and it started working immediately. So it seems that nss_winbind FreeBSD interface is broken somehow in version 3.5.6.

With best regards,
P. Trifonov
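
The symptom discussed in this thread (winbind lists secondary GIDs with "wbinfo -r" that "id" never reports, so group-based file access is denied) can be checked mechanically. The script below is an added example, not part of any message in the thread; the helper names missing_gids and check_user are hypothetical, and the sample lists are constructed from the values quoted above.

```shell
#!/bin/sh
# Added example: list GIDs that winbind resolves for a user but that the OS
# (via NSS, as used by id and by file permission checks) does not.

# missing_gids WINBIND_GIDS NSS_GIDS   (hypothetical helper name)
# Both arguments are whitespace-separated GID lists; prints, one per line,
# every GID found in the first list but not in the second.
missing_gids() {
    nss_list=" $(echo $2) "          # collapse newlines/tabs to single spaces
    for gid in $1; do
        case "$nss_list" in
            *" $gid "*) ;;           # whole-token match, so 1000 != 10009
            *) echo "$gid" ;;
        esac
    done
}

# check_user USER   (hypothetical helper name)
# Returns 0 if NSS sees every winbind group, 1 if some are lost,
# 2 if wbinfo or id could not resolve the user at all.
check_user() {
    wb=$(wbinfo -r "$1") || return 2
    nss=$(id -G "$1") || return 2
    lost=$(missing_gids "$wb" "$nss")
    if [ -n "$lost" ]; then
        echo "$1: winbind GIDs missing from NSS:" $lost
        return 1
    fi
    return 0
}

# Constructed sample mirroring the thread: the GIDs listed by
# "wbinfo -r petert" versus the single group that "id petert" reported.
SAMPLE_WBINFO="10009
10010
10011
10012
10013"
SAMPLE_ID="10009"

if [ $# -gt 0 ]; then
    check_user "$1"                  # live check: sh script.sh <user>
else
    missing_gids "$SAMPLE_WBINFO" "$SAMPLE_ID"
fi
```

Run without arguments it evaluates the constructed sample; run with a user name on a domain member it compares live "wbinfo -r" and "id -G" output, which is a useful regression check after a Samba upgrade.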