Hello all,

I am having some serious problems getting winbind to recognize secondary group memberships. I have a samba server version samba-3.0.0-14.3E running on RHES v.3.
This is running on a 2x Xeon 2.4 Ghz IBM Server with 2G Ram. nscd is not running.
See below for smb.conf.

cat /proc/version: Linux version 2.4.21-9.ELsmp (bhcompile@stripples.devel.redhat.com) (gcc version 3.2.3 20030502 (Red Hat Linux 3.2.3-26)) #1 SMP Thu Jan 8 17:08:56 EST 2004

I have joined the domain with: net rpc join -U administrator -r PDC
I successfully joined the domain. passdb backend = smbpasswd. wbinfo -u shows all the domain users and wbinfo -g shows all the domain groups. ls -l shows the correct domain user/group ownerships. Users can access shares owned by them or their PRIMARY domain group. But when they try to access a share owned by a secondary group that they belong to, it is access denied. The only way I can get a secondary group to resolve is by putting a local unix group in /etc/group and giving it the same GID as the corresponding domain group, then adding the users to the local unix group.

I have a RedHat 9 box with the same configuration that works the way it's supposed to - ie - honoring secondary group memberships from the domain (of course it is samba version samba-2.2.7a-8.9.0).

This is a very critical situation for us. Any help/suggestions would be greatly appreciated.

Below is a snip from the samba log file (shows 3 supplementary groups even though this user belongs to about 20 groups).

    [2004/01/20 19:17:44, 5] auth/auth_util.c:debug_unix_user_token(505)
      UNIX token of user 10504
      Primary group is 10013 and contains 3 supplementary groups
      Group[ 0]: 10013
      Group[ 1]: 10013
      Group[ 2]: 10029

    #Begin smb.conf
    passdb backend = smbpasswd
    #winbind configuration------>
    winbind separator = +
    winbind use default domain = yes
    template shell = /bin/false
    template homedir = /netarray/shares/home/%U
    idmap uid = 10000-20000
    idmap gid = 10000-20000
    #end winbind configuration----->
    security = domain
    password server = PDC BDC
    password level = 8
    username level = 8

    [Shared]
    available = yes
    browseable = yes
    comment =
    path = /netarray/shares/Shared
    public = no
    writable = yes
    valid users = @"Domain Users" @"Domain Admins" @"Global ITS" @d_users @d_admins @g_its
    invalid users = internet1 internet2 hrtest

Hello,

I have a similar problem with a RH9 using the kernel 2.4.20-20.9.1 with ACL patches. I have updated some source (/include/linux/limits.h and /include/asm/param.h) to increase the maximum number of groups value before compiling this kernel. My samba is the 3.0.1-2 (compiled with "--with-winbind --with-acl-support").

When the Windows domain users try to access (just the "net use") the samba share everything is OK ... In the ACL of this share we have some Linux equivalent to the classical Windows permissions "Everyone read" ...

But ... when a specific user tries to create/update/delete a file in this share he receives the "Access Denied" message! However this user is included in a Domain Global Group and this group is also included in the ACL!

Have you solved your first problem? If yes could you send me your solution? Any help for my problem would be greatly appreciated.

Best regards.

Christian PIGNOL
* (+33) 473 67 62 96
* (+33) 473 67 61 29
* christian_pignol@merck.com

-----Original Message-----
From: samba-bounces+christian_pignol=merck.com@lists.samba.org [mailto:samba-bounces+christian_pignol=merck.com@lists.samba.org] On Behalf Of asim_is@comcast.net
Sent: Wednesday, January 21, 2004 02:40
To: samba@lists.samba.org
Subject: [Samba] Samba winbind secondary group problem

This problem went away for me in Samba 3.0.1. A workaround in 3.0.0 is to set

    winbind use default domain = no

in the smb.conf.

Mike

> This problem went away for me in Samba 3.0.1. A workaround in 3.0.0 is
> to set
>
> winbind use default domain = no
>
> in the smb.conf.

This did in fact solve the group resolution problem on samba-3.0.0-14.3E. I have not tried 3.0.1 yet but will this week and will post the results. Thanks very much Mike!

This did fix my problem in samba-3.0.0-14.3E. Thanks Mike!!
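
Added example, not part of the original thread: a shell check that reads the `debug_unix_user_token` dump from a level-5 smbd log, such as the one quoted in the first message, and lists which expected GIDs are absent from the user's token. The function names and the expected GID list are assumptions made for illustration; the log sample is the excerpt from the thread, embedded so the script runs offline.

```shell
#!/bin/sh
# Sample input: the level-5 token dump quoted in the first message.
sample_log() {
cat <<'EOF'
[2004/01/20 19:17:44, 5] auth/auth_util.c:debug_unix_user_token(505)
  UNIX token of user 10504
  Primary group is 10013 and contains 3 supplementary groups
  Group[ 0]: 10013
  Group[ 1]: 10013
  Group[ 2]: 10029
EOF
}

# token_gids UID  (hypothetical helper; smbd log on stdin)
# Prints the unique GIDs, primary plus supplementary, of the last token
# logged for UID, one per line in numeric order. The dump above repeats
# 10013, so its "3 supplementary groups" are only two distinct GIDs.
token_gids() {
    awk -v uid="$1" '
        /^\[/                { active = 0; next }      # next log record begins
        /UNIX token of user/ { active = ($NF == uid)
                               if (active) split("", seen)  # reset for newer token
                               next }
        active && /Primary group is/ { seen[$4] = 1; next }
        active && /Group\[/          { seen[$NF] = 1 }
        END { for (g in seen) print g }
    ' | sort -n
}

# missing_gids UID GID...  (hypothetical helper; smbd log on stdin)
# Prints every expected GID that the token for UID does not contain.
missing_gids() {
    uid="$1"; shift
    have=$(token_gids "$uid")
    for gid in "$@"; do
        printf '%s\n' "$have" | grep -qx "$gid" || printf '%s\n' "$gid"
    done
}

# Constructed expectation: GIDs the domain says the user holds. On a live
# host this list could be taken from `wbinfo -r <user>`.
expected="10013 10029 10031 10040"
echo "token GIDs:   $(sample_log | token_gids 10504 | xargs)"
echo "missing GIDs: $(sample_log | missing_gids 10504 $expected | xargs)"
```

Run against a real log before and after changing `winbind use default domain` to see whether the token gains the groups that were missing.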