ww m-pubsyssamba
2004-Mar-11 13:17 UTC
[Samba] AD user not honouring local group membership
Hello list,

Without going into details, I cannot currently use winbind for AD group data with Samba 3.0.x running on Solaris.

I would like to use winbindd for reading user accounts from AD and then have those AD accounts as members of local (LDAP eventually) groups.

I have taken a test user "UserAW6" which is visible to Solaris via winbind and added them to a group "PrnAdm" in /etc/group. I have mapped the UNIX group to a Windows group with "net groupmap" and then permissioned a directory to the NTGroup from a Windows client system.

From the UNIX command line I can "su" to UserAW6 and can access the folder as expected, but from my Windows client I cannot access the directory because I get an "access is denied" error!

My /etc/nsswitch.conf has the following entries for passwd and group:

    passwd files,winbind
    group files

The following winbind-related settings are in my smb.conf:

    winbind separator = +
    winbind cache time = 300
    winbind use default domain = Yes
    template shell = /bin/sh
    template homedir = /tmp
    idmap uid = 10000-600000
    idmap gid = 10000-600000
    winbind enum groups = no
    winbind enum users = yes
    allow trusted domains = no

Why does Samba ignore my AD account's membership of a local UNIX group? Is what I'm attempting possible/supported within Samba? Any suggestions?

I'm running Samba 3.0.2a on Solaris 8.

Thanks in advance,
Andy.
Gerald (Jerry) Carter
2004-Mar-11 14:46 UTC
[Samba] AD user not honouring local group membership
ww m-pubsyssamba wrote:
| hello list,
|
| Without going into details I cannot currently use winbind
| for AD group data with Samba 3.0.x running on Solaris.
|
| I Would like to use winbindd for reading user accounts
| from AD and then have those AD accounts as members
| of local (LDAP eventually) groups.

This isn't supported currently since smbd takes some shortcuts to get user groups when using winbindd. Your only alternative is to replicate the user and group accounts into /etc/passwd and /etc/group and manage them like standard UNIX accounts.

It would not be impossible to support mixing winbind users and /etc/groups. But it is non-trivial and any solution would require a fair amount of testing to ensure that it did not introduce regressions from some of the other necessary behavior.

cheers, jerry

----------------------------------------------------------------------
Hewlett-Packard ------------------------- http://www.hp.com
SAMBA Team ---------------------- http://www.samba.org
GnuPG Key ---- http://www.plainjoe.org/gpg_public.asc
"If we're adding to the noise, turn off this song" --Switchfoot (2003)
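An added example, not part of the original thread: a small audit that lists local /etc/group memberships held by winbind-mapped accounts, which per the reply above smbd does not take into account on this Samba version. It assumes that a UID inside the "idmap uid" range from the question identifies a winbind-mapped account; the passwd and group data are constructed samples, and the function names are hypothetical.

```python
# Added example: find /etc/group memberships that belong to winbind-mapped users.
# Assumption: a UID inside the smb.conf "idmap uid" range was allocated by winbind.

IDMAP_UID_RANGE = (10000, 600000)  # "idmap uid = 10000-600000" from the question

# Constructed sample of `getent passwd` output (local and winbind accounts mixed).
SAMPLE_PASSWD = """\
root:x:0:0:Super-User:/:/sbin/sh
lpadmin:x:71:8:Local print admin:/usr/spool/lp:/bin/sh
UserAW6:x:10004:10000:UserAW6:/tmp:/bin/sh
"""

# Constructed sample of /etc/group with the PrnAdm group from the question.
SAMPLE_GROUP = """\
root::0:root
PrnAdm::500:lpadmin,UserAW6
staff::10:
"""

def winbind_users(passwd_text, uid_range=IDMAP_UID_RANGE):
    """Return the account names whose UID lies inside the idmap range."""
    low, high = uid_range
    names = set()
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if line.startswith("#") or len(fields) < 7:
            continue  # skip comments and malformed entries
        try:
            uid = int(fields[2])
        except ValueError:
            continue  # non-numeric UID field, e.g. a "+" compat entry
        if low <= uid <= high:
            names.add(fields[0])
    return names

def at_risk_memberships(group_text, passwd_text, uid_range=IDMAP_UID_RANGE):
    """Return (group, user) pairs where a local group lists a winbind user."""
    mapped = winbind_users(passwd_text, uid_range)
    findings = []
    for line in group_text.splitlines():
        fields = line.split(":")
        if line.startswith("#") or len(fields) != 4:
            continue
        for member in (m.strip() for m in fields[3].split(",")):
            if member in mapped:
                findings.append((fields[0], member))
    return findings

if __name__ == "__main__":
    for group, user in at_risk_memberships(SAMPLE_GROUP, SAMPLE_PASSWD):
        print(f"{user}: membership of local group {group} may not apply over SMB")
```

Each reported pair is a place where shell access and share access can disagree for the same account, as in the "su" versus Windows client result described in the question.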