samba - Sep 2011 - winbind: problems with group names

Hi,

I am running a 3.6.0 server as a member of a Samba4 domain controller
and am noticing some behaviour that I do not understand (the domain is
FB5, the domain member servers's name is tango)

It took me some time to get winbind showing domain users and groups
but finally with backend idmap_rid it is _nearly_ working.
`getent passwd' and `gentent group' list domain users and groups:

...
FB5+dg:*:1624:1013:dg:/home/FB5/dg:/bin/sh

...
FB5+allowed rodc password replication group:x:1071:
FB5+enterprise read-only domain controllers:x:998:
FB5+denied rodc password replication group:x:1072:FB5+krbtgt
FB5+read-only domain controllers:x:1021:
FB5+group policy creator owners:x:1020:FB5+administrator
FB5+ras and ias servers:x:1053:
FB5+domain controllers:x:1016:
FB5+enterprise admins:x:1019:FB5+administrator
FB5+domain computers:x:1015:
FB5+cert publishers:x:1017:
FB5+dnsupdateproxy:x:1603:
FB5+domain admins:x:1012:FB5+administrator
FB5+domain guests:x:1014:
FB5+schema admins:x:1018:FB5+administrator
FB5+domain users:x:1013:
FB5+dnsadmins:x:1602:

But when I use other programs that should display user and group names,
the group names are TANGO+none instead of FB5+something:

$ id FB5+dg
uid=1624(FB5+dg) gid=1013(TANGO+none) groups=1013(TANGO+none)

# ls -la /home/FB5/dg/
total 8
drwx------ 2 FB5+dg TANGO+none 4096 Sep 15 10:46 .
drwxr-xr-x 5 root   root       4096 Sep 15 11:28 ..

I tried to remove group_mapping.tdb and winbindd_cache.tdb but that
did not help.  From what I see if I run winbindd with -d (and from the
above output), it seems as if it tries to do a group mapping in the
domain TANGO (the name of the member server) which obviously fails but I
have no idea what I probably have misconfigured.

Thanks,

Dirk

Dirk Gouders <gouders at et.bocholt.fh-gelsenkirchen.de> writes:
> Hi,
>
> I am running a 3.6.0 server as a member of a Samba4 domain controller
> and am noticing some behaviour that I do not understand (the domain is
> FB5, the domain member servers's name is tango)
>
> It took me some time to get winbind showing domain users and groups
> but finally with backend idmap_rid it is _nearly_ working.
> `getent passwd' and `gentent group' list domain users and groups:
>
> ...
> FB5+dg:*:1624:1013:dg:/home/FB5/dg:/bin/sh
>
> ...
> FB5+allowed rodc password replication group:x:1071:
> FB5+enterprise read-only domain controllers:x:998:
> FB5+denied rodc password replication group:x:1072:FB5+krbtgt
> FB5+read-only domain controllers:x:1021:
> FB5+group policy creator owners:x:1020:FB5+administrator
> FB5+ras and ias servers:x:1053:
> FB5+domain controllers:x:1016:
> FB5+enterprise admins:x:1019:FB5+administrator
> FB5+domain computers:x:1015:
> FB5+cert publishers:x:1017:
> FB5+dnsupdateproxy:x:1603:
> FB5+domain admins:x:1012:FB5+administrator
> FB5+domain guests:x:1014:
> FB5+schema admins:x:1018:FB5+administrator
> FB5+domain users:x:1013:
> FB5+dnsadmins:x:1602:
>
> But when I use other programs that should display user and group names,
> the group names are TANGO+none instead of FB5+something:
>
> $ id FB5+dg
> uid=1624(FB5+dg) gid=1013(TANGO+none) groups=1013(TANGO+none)
>
> # ls -la /home/FB5/dg/
> total 8
> drwx------ 2 FB5+dg TANGO+none 4096 Sep 15 10:46 .
> drwxr-xr-x 5 root   root       4096 Sep 15 11:28 ..
>
> I tried to remove group_mapping.tdb and winbindd_cache.tdb but that
> did not help.  From what I see if I run winbindd with -d (and from the
> above output), it seems as if it tries to do a group mapping in the
> domain TANGO (the name of the member server) which obviously fails but I
> have no idea what I probably have misconfigured.
I solved this problem myself: I did a fresh start of samba-3.6.0
(removed every tdb and dat files), rejoined the domain and now the group
names are shown correctly.

Dirk