Rowland penny
2021-Jan-20 16:46 UTC
[Samba] Group membership not resolved on file server (winbind+kerberos+nfs4)
On 20/01/2021 15:59, Andreas Hauffe wrote:
>>
>> Has the user logged in ?
> Yes and no. The user has logged in on the client and tries to access
> the NFS-share, but he has not logged in on the server.

I take it that you mean the user has logged into a Unix client and is trying to access a share on another Samba server, if so, then the user is getting authenticated on the other Samba server, or to put it another way, the user is logged in on the other server.

>>
>> The group memberships didn't use to expand from trusted domains, but
>> from my understanding, this was supposed to have been fixed from
>> 4.9.0, see:
>>
>> https://bugzilla.samba.org/show_bug.cgi?id=13300
> In case of a smb-share accessed from windows everything works fine.

It is possible the bug wasn't fixed ?

Andreas Hauffe
2021-Jan-20 18:20 UTC
[Samba] Group membership not resolved on file server (winbind+kerberos+nfs4)
On 20.01.21 at 17:46, Rowland penny via samba wrote:
> On 20/01/2021 15:59, Andreas Hauffe wrote:
>>>
>>> Has the user logged in ?
>> Yes and no. The user has logged in on the client and tries to access
>> the NFS-share, but he has not logged in on the server.
> I take it that you mean the user has logged into a Unix client and is
> trying to access a share on another Samba server, if so, then the user
> is getting authenticated on the other Samba server, or to put it
> another way, the user is logged in on the other server.
>>>
>>> The group memberships didn't use to expand from trusted domains, but
>>> from my understanding, this was supposed to have been fixed from
>>> 4.9.0, see:
>>>
>>> https://bugzilla.samba.org/show_bug.cgi?id=13300
>> In case of a smb-share accessed from windows everything works fine.
>
> It is possible the bug wasn't fixed ?

Here is the point where I don't know if it is a Samba or an NFS problem or both. I tried "smbclient -k -L //ilrfs1/" from the Linux client and everything works fine. After the call, the fileserver has the correct groups from both domains in samLogon. But it is not working when using NFSv4.

At least this is a workaround. The user has to log in on the Linux client and call "smbclient -k -L //ilrfs1/". Then the samLogon entry on the file server is correct and I have to clear the wrong cache on the file server with "date -d tomorrow +%s > /proc/net/rpc/auth.unix.gid/flush". Afterwards the user can access all accessible directories.

Regards,
Andreas
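
Added example (not part of the thread and not Samba or NFS project code): a check to run as root on the file server that flushes the auth.unix.gid cache only when its entry for a user lacks groups that NSS/winbind resolves now. It assumes the cache's "content" file, next to the "flush" file named above, lists entries as "<uid> <count>: <gid> ..."; the function names are made up for this example.

```shell
#!/bin/sh
# Added example: compare the NFS server's cached gid list for a user with
# the groups NSS/winbind resolves now; flush the cache when they differ.
# Assumption: the content file has lines "<uid> <count>: <gid> <gid> ...".
# Both paths can be overridden, e.g. to test against a constructed file.
GID_CACHE=${GID_CACHE:-/proc/net/rpc/auth.unix.gid/content}
GID_FLUSH=${GID_FLUSH:-/proc/net/rpc/auth.unix.gid/flush}

# Print the gids cached for uid $1, one per line (nothing if no entry).
cached_gids() {
    awk -v uid="$1" '$1 == uid { for (i = 3; i <= NF; i++) print $i }' "$GID_CACHE"
}

# Print each gid given after uid $1 that the cached entry does not contain.
missing_gids() {
    uid=$1; shift
    cached=$(cached_gids "$uid")
    for gid in "$@"; do
        printf '%s\n' "$cached" | grep -qx "$gid" || printf '%s\n' "$gid"
    done
}

# Same effect as the thread's "date -d tomorrow +%s > .../flush": write a
# timestamp 24 hours ahead so every cached entry counts as expired.
flush_gid_cache() {
    echo $(( $(date +%s) + 86400 )) > "$GID_FLUSH"
}

# check_user <name>: report groups the cache lacks, then flush.
check_user() {
    uid=$(id -u "$1") || return 2
    # Word splitting of the "id -G" output into separate gids is intended.
    missing=$(missing_gids "$uid" $(id -G "$1"))
    [ -z "$missing" ] && return 0
    echo "uid $uid: cached entry lacks gids:" $missing >&2
    flush_gid_cache
}

# Stand-alone use: ./check_gid_cache.sh <username>
if [ "$#" -gt 0 ]; then
    check_user "$1"
fi
```

If the groups are still missing after the flush, winbind on the server is not resolving them yet, which is the state the thread's smbclient call corrects.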