Fabian Hugelshofer
2011-Dec-07 15:22 UTC
[Samba] wbinfo -r not listing domain local groups
Hi,

Between Samba 3.4.15 and 3.5.11 there was a change in how 'wbinfo -r' gathers the groups of which a given user is a member.

Assume there is a Windows 2003 domain called DOMA. This domain has a child domain DOMB. On DOMA there is a security group G-DL-DOMA which has domain local scope. On DOMB there is a security group G-U-DOMB which has universal scope. Group G-U-DOMB is a member of group G-DL-DOMA. Due to the domain local scope of G-DL-DOMA, this membership is only known to DOMA. Group G-U-DOMB has a user john from DOMB as a member.

    DOMA  G-DL-DOMA
              |
    DOMB  G-U-DOMB
              |
    DOMB  john

A Linux system that is running winbind is joined into DOMA. On this system "wbinfo -r DOMB+john" is run to get the Unix GIDs of the groups of which the user from DOMB is a member. With Samba 3.4.15 (and 3.3.13) the GID of group G-DL-DOMA is shown, with Samba 3.5.11 (and 3.5.12) it is missing.

This probably has to do with which DC the Samba host is asking about membership of group G-U-DOMB. A DC from DOMB does not know that this group is a member of G-DL-DOMA because the latter is from another domain and has domain local scope. Only a DC in DOMA will know that the group from DOMB is a member of the domain local group of DOMA.

Does the behaviour of Samba 3.5 have to be considered a bug? Does anyone know what caused this change of behaviour? Was this intentional? Are there any plans to change the behaviour back to how it was in Samba 3.3 and 3.4?

Regards,
Fabian

smb.conf from host running 'wbinfo -r':

    [global]
    netbios name = PHI
    server string = phi
    workgroup = DOMA
    realm = doma.com
    security = ads
    winbind separator = +
    winbind cache time = 1800
    winbind offline logon = true
    winbind use default domain = yes
    name resolve order = host wins
    encrypt passwords = yes
    template shell = /bin/false
    template homedir = /home/%D/%U
    syslog only = yes
    log file = /dev/null
    idmap uid = 10000-999999
    idmap gid = 10000-999999
    idmap cache time = 3600
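
The scenario from the post as a small model, added here as an illustration; it is not part of the original message and is not Samba's code. It assumes the visibility rule the post describes (members of a domain local group are known only to DCs of the owning domain), and the function names are hypothetical.

```python
# Toy model with constructed data; group and user names are taken from the post.
from dataclasses import dataclass


@dataclass(frozen=True)
class Group:
    name: str          # written with the '+' winbind separator, e.g. "DOMA+G-DL-DOMA"
    domain: str        # domain that owns the group
    scope: str         # "domain_local" or "universal"
    members: frozenset


GROUPS = [
    Group("DOMA+G-DL-DOMA", "DOMA", "domain_local", frozenset({"DOMB+G-U-DOMB"})),
    Group("DOMB+G-U-DOMB", "DOMB", "universal", frozenset({"DOMB+john"})),
]


def visible_to(dc_domain, group):
    """Assumption: a DC knows the members of a domain local group only if the
    group belongs to its own domain; universal groups are known forest-wide."""
    if group.scope == "domain_local":
        return group.domain == dc_domain
    return True


def groups_seen_by(dc_domain, principal, groups=GROUPS):
    """Transitively expand the groups of `principal` as a DC in `dc_domain`
    would see them. The `seen` set also stops the walk on membership cycles."""
    seen = set()
    todo = [principal]
    while todo:
        current = todo.pop()
        for g in groups:
            if g.name in seen or current not in g.members:
                continue
            if visible_to(dc_domain, g):
                seen.add(g.name)
                todo.append(g.name)   # nested membership: expand this group too
    return seen


def lost_groups(user, user_domain, joined_domain, groups=GROUPS):
    """Groups that drop out when only a DC of the user's own domain is asked."""
    return groups_seen_by(joined_domain, user, groups) - groups_seen_by(user_domain, user, groups)


if __name__ == "__main__":
    print("asked DOMB:", sorted(groups_seen_by("DOMB", "DOMB+john")))
    print("asked DOMA:", sorted(groups_seen_by("DOMA", "DOMB+john")))
    print("lost      :", sorted(lost_groups("DOMB+john", "DOMB", "DOMA")))
```

Any group that `lost_groups` reports is one whose GID would be absent from the user's group list on the member server, which matters wherever file or share permissions are granted or denied through that group.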