Hello all,
I am having some serious problems getting winbind to recognize secondary group
memberships. I have a samba server version samba-3.0.0-14.3E running on RHES
v.3.
This is running on a 2x Xeon 2.4 Ghz IBM Server with 2G Ram. nscd is not
running.
See below for smb.conf.
cat /proc/version: Linux version 2.4.21-9.ELsmp
(bhcompile@stripples.devel.redhat.com) (gcc version 3.2.3 20030502 (Red Hat
Linux 3.2.3-26)) #1 SMP Thu Jan 8 17:08:56 EST 2004
I have joined the domain with: net rpc join -U administrator -r PDC
I successfully joined the domain. passdb backend = smbpasswd. wbinfo -u shows
all the domain users and wbinfo -g shows all the domain groups. ls -l shows the
correct domain user/group ownerships. Users can access shares owned by them or
their PRIMARY domain group. But when they try to access a share owned by a
secondary group that they belong to, it is access denied. The only way I can
get a secondary group to resolve is by putting a local unix group in /etc/group
and giving it the same GID as the corresponding domain group, then adding the
users to the local unix group.
I have a RedHat 9 box with the same configuration that works the way it's
supposed to - i.e. - honoring secondary group memberships from the domain (of
course it is samba version samba-2.2.7a-8.9.0).
This is a very critical situation for us. Any help/suggestions would be greatly
appreciated.
Below is a snip from the samba log file (shows 3 supplementary groups even though
this user belongs to about 20 groups).
[2004/01/20 19:17:44, 5] auth/auth_util.c:debug_unix_user_token(505)
UNIX token of user 10504
Primary group is 10013 and contains 3 supplementary groups
Group[ 0]: 10013
Group[ 1]: 10013
Group[ 2]: 10029
#Begin smb.conf
passdb backend = smbpasswd
#winbind configuration------>
winbind separator = +
winbind use default domain = yes
template shell = /bin/false
template homedir = /netarray/shares/home/%U
idmap uid = 10000-20000
idmap gid = 10000-20000
#end winbind configuration----->
security = domain
password server = PDC BDC
password level = 8
username level = 8
[Shared]
available = yes
browseable = yes
comment =
path = /netarray/shares/Shared
public = no
writable = yes
valid users = @"Domain Users" @"Domain Admins" @"Global ITS" @d_users @d_admins @g_its
invalid users = internet1 internet2 hrtest
Hello,
I have a similar problem with a RH9 using the kernel 2.4.20-20.9.1 with ACL
patches. I have updated some source (/include/linux/limits.h and
/include/asm/param.h) to increase the maximum number of groups value before
compiling this kernel.
My samba is the 3.0.1-2 (compiled with "--with-winbind --with-acl-support").
When the Windows domain users try to access (just the "net use") the samba
share, everything is OK ... In the ACL of this share we have some Linux
equivalent to the classical Windows permissions "Everyone read" ...
But ... when a specific user tries to create/update/delete a file in this share
he receives the "Access Denied" message!
However, this user is included in a Domain Global Group and this group is
also included in the ACL!
Have you solved your first problem? If yes, could you send me your
solution?
Any help for my problem would be greatly appreciated.
Best regards.
Christian PIGNOL
* (+33) 473 67 62 96
* (+33) 473 67 61 29
* christian_pignol@merck.com
-----Original Message-----
From: samba-bounces+christian_pignol=merck.com@lists.samba.org
[mailto:samba-bounces+christian_pignol=merck.com@lists.samba.org] On Behalf
Of asim_is@comcast.net
Sent: Wednesday, 21 January 2004 02:40
To: samba@lists.samba.org
Subject: [Samba] Samba winbind secondary group problem
Hello all,
I am having some serious problems getting winbind to recognize secondary
group memberships. I have a samba server version samba-3.0.0-14.3E running
on RHES v.3.
This is running on a 2x Xeon 2.4 Ghz IBM Server with 2G Ram. nscd is not
running.
See below for smb.conf.
cat /proc/version: Linux version 2.4.21-9.ELsmp
(bhcompile@stripples.devel.redhat.com) (gcc version 3.2.3 20030502 (Red Hat
Linux 3.2.3-26)) #1 SMP Thu Jan 8 17:08:56 EST 2004
I have joined the domain with: net rpc join -U administrator -r PDC
I successfully joined the domain. passdb backend = smbpasswd. wbinfo -u
shows all the domain users and wbinfo -g shows all the domain groups. ls -l
shows the correct domain user/group ownerships. Users can access shares
owned by them or their PRIMARY domain group. But when they try to access a
share owned by a secondary group that they belong to, it is access denied.
The only way I can get a secondary group to resolve is by putting a local
unix group in /etc/group and giving it the same GID as the corresponding
domain group, then adding the users to the local unix group.
I have a RedHat 9 box with the same configuration that works the way it's
supposed to - i.e. - honoring secondary group memberships from the domain (of
course it is samba version samba-2.2.7a-8.9.0).
This is a very critical situation for us. Any help/suggestions would be
greatly appreciated.
Below is a snip from the samba log file (shows 3 supplementary groups even
though this user belongs to about 20 groups).
[2004/01/20 19:17:44, 5] auth/auth_util.c:debug_unix_user_token(505)
UNIX token of user 10504
Primary group is 10013 and contains 3 supplementary groups
Group[ 0]: 10013
Group[ 1]: 10013
Group[ 2]: 10029
#Begin smb.conf
passdb backend = smbpasswd
#winbind configuration------>
winbind separator = +
winbind use default domain = yes
template shell = /bin/false
template homedir = /netarray/shares/home/%U
idmap uid = 10000-20000
idmap gid = 10000-20000
#end winbind configuration----->
security = domain
password server = PDC BDC
password level = 8
username level = 8
[Shared]
available = yes
browseable = yes
comment =
path = /netarray/shares/Shared
public = no
writable = yes
valid users = @"Domain Users" @"Domain Admins" @"Global ITS" @d_users @d_admins @g_its
invalid users = internet1 internet2 hrtest
This problem went away for me in Samba 3.0.1. A workaround in 3.0.0 is to set
    winbind use default domain = no
in the smb.conf.
Mike
> This problem went away for me in Samba 3.0.1. A workaround in 3.0.0 is
> to set
>
> winbind use default domain = no
>
> in the smb.conf.
This did in fact solve the group resolution problem on samba-3.0.0-14.3E. I
have not tried 3.0.1 yet but will this week and will post the results. Thanks
very much Mike!
This did fix my problem in samba-3.0.0-14.3E. Thanks Mike!!
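Added example, not part of the thread and not Samba project code: a Python check that parses the level-5 debug_unix_user_token dump quoted in the first message and compares the resulting UNIX token with the GIDs a user is expected to hold. The function names and the expected-GID set (including GID 10042) are assumptions made for illustration; the sample log is reconstructed from the excerpt in the thread, and the default range is the thread's idmap gid setting.

```python
import re

# Constructed sample: the level-5 smbd log excerpt quoted in the thread.
SAMPLE_LOG = """\
[2004/01/20 19:17:44, 5] auth/auth_util.c:debug_unix_user_token(505)
  UNIX token of user 10504
  Primary group is 10013 and contains 3 supplementary groups
  Group[ 0]: 10013
  Group[ 1]: 10013
  Group[ 2]: 10029
"""

TOKEN_RE = re.compile(
    r"UNIX token of user (\d+)\s+"
    r"Primary group is (\d+) and contains (\d+) supplementary groups")
GROUP_RE = re.compile(r"Group\[\s*\d+\]:\s*(\d+)")


def parse_tokens(log_text):
    """Return one dict per debug_unix_user_token dump found in log_text."""
    tokens = []
    matches = list(TOKEN_RE.finditer(log_text))
    for i, m in enumerate(matches):
        end = matches[i + 1].start() if i + 1 < len(matches) else len(log_text)
        gids = [int(g) for g in GROUP_RE.findall(log_text[m.end():end])]
        tokens.append({"uid": int(m.group(1)), "primary": int(m.group(2)),
                       "declared": int(m.group(3)), "gids": gids})
    return tokens


def audit_token(token, expected_gids, gid_range=(10000, 20000)):
    """Compare one token with the GIDs the user should hold (hypothetical input)."""
    held = set(token["gids"]) | {token["primary"]}
    findings = []
    if token["declared"] != len(token["gids"]):
        findings.append("declared count differs from listed groups")
    if len(set(token["gids"])) != len(token["gids"]):
        findings.append("duplicate GIDs inflate the supplementary count")
    missing = sorted(set(expected_gids) - held)
    if missing:
        findings.append("missing GIDs: %s" % missing)
    outside = sorted(g for g in held if not gid_range[0] <= g <= gid_range[1])
    if outside:
        findings.append("GIDs outside idmap gid range: %s" % outside)
    return findings


if __name__ == "__main__":
    for tok in parse_tokens(SAMPLE_LOG):
        print(tok["uid"], audit_token(tok, {10013, 10029, 10042}))  # 10042 is constructed
```

For the token in the thread, the three "supplementary groups" hold only two distinct GIDs, one of them the primary group, so a share restricted to any other domain group denies access even though the count looks plausible.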