Hello friends,

I am using samba to join a linux box to an active directory domain to use as a file server. I would like to be able to control access to shares based on AD domain groups. However, even though winbind seems to be seeing the groups fine, samba is not granting access to users who are members of the group. I am able to successfully join the system to the domain and granting access to shares based on Windows usernames works fine.

getent group returns:
QG+TEST:x:10029:QG+JZILLERA,QG+HPCHEUNGA,QG+FOLIVERA,QG+DDAWSONA,QG+PLYNCHA

However an id lookup of my windows username doesn't list me as a group member of QG+TEST. (Shouldn't it?)

[root@smbsrv root]# id qg+jzillera
uid=10002(QG+JZILLERA) gid=10000(QG+Domain Users) groups=10000(QG+Domain Users)

System Details:
Redhat 9
samba-3.0.5-2
krb5-libs-1.2.7-10
krb5-devel-1.2.7-10
krb5-workstation-1.2.7-10
pam_krb5-1.60-1

[root@smbsrv root]# wbinfo -t
checking the trust secret via RPC calls succeeded

[root@smbsrv root]# testparm
Load smb config files from /etc/samba/smb.conf
Processing section "[test]"
Loaded services file OK.
Server role: ROLE_DOMAIN_MEMBER
Press enter to see a dump of your service definitions

# Global parameters
[global]
        workgroup = QG
        realm = QG.COM
        server string = Samba Server
        security = ADS
        obey pam restrictions = Yes
        password server = wadc2
        log file = /var/log/samba/log.%m
        max log size = 50
        load printers = No
        printcap name = /etc/printcap
        local master = No
        domain master = No
        dns proxy = No
        wins support = Yes
        idmap uid = 10000-30000
        idmap gid = 10000-30000
        winbind separator = +                (tried with # and \ as well)
        winbind use default domain = Yes     (tried with No)

[test]
        comment = testing
        path = /mnt/qdsfsl01/resources/testing
        valid users = @QG+TEST
        write list = @QG+TEST

Winbind logs show nothing that indicates any error, even when run with debug level 3. I've been beating myself over the head with this problem for months... any help or suggestions would be greatly appreciated.

Thanks!
James Ziller
Systems Administrator

Quad/Graphics - Q/DS
West Allis, Wisconsin
james.ziller@qg.com
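As an added example, not code from the thread or from the Samba project: a POSIX shell script that cross-checks the two views of group membership the post compares. smbd decides "valid users = @GROUP" from the user's own token (the groups= field of id), not from the member list that getent group prints, so a user who shows up in the second but not the first is denied even though winbind "sees" the group. The getent and id sample lines are constructed from the values quoted above (with the line-wrapped member name joined as QG+PLYNCHA); the function and variable names are the example's own.

```shell
#!/bin/sh
# Added example (not from the thread): compare the two views of AD group
# membership that matter for "valid users = @GROUP" in smb.conf.
#   1. the group's member list as NSS returns it   (getent group GROUP)
#   2. the supplementary groups in the user's token (id USER)
# smbd builds the user's token from view 2, so a user present only in
# view 1 is denied even though "getent group" looks fine.

# Member field of a "getent group" line (name:passwd:gid:m1,m2,...), one per line.
group_members() {
    printf '%s\n' "$1" | cut -d: -f4 | tr ',' '\n'
}

# Numeric gid field of a "getent group" line.
group_gid() {
    printf '%s\n' "$1" | cut -d: -f3
}

# Exit 0 if USER is in the member list of GROUP_LINE. The comparison is
# case-insensitive because winbind may return names in a different case
# than the one the user typed (QG+JZILLERA vs qg+jzillera above).
group_lists_user() {
    group_line=$1; user=$2
    group_members "$group_line" | tr 'A-Z' 'a-z' \
      | grep -qxF "$(printf '%s' "$user" | tr 'A-Z' 'a-z')"
}

# Exit 0 if the "groups=" field of an "id" output line contains GID.
# Each entry looks like 10000(QG+Domain Users); the name part is dropped.
token_has_gid() {
    id_line=$1; gid=$2
    printf '%s\n' "$id_line" \
      | sed -n 's/.*groups=\(.*\)$/\1/p' \
      | tr ',' '\n' \
      | sed 's/(.*//' \
      | grep -qxF "$gid"
}

# One-word verdict for a user/group pair:
#   ok        gid is in the user's token; @GROUP in "valid users" can match
#   nss-only  group lists the user, but the token lacks the gid (the
#             situation in the original post)
#   no        user is not a member in either view
check_share_group() {
    group_line=$1; id_line=$2; user=$3
    gid=$(group_gid "$group_line")
    if token_has_gid "$id_line" "$gid"; then
        echo ok
    elif group_lists_user "$group_line" "$user"; then
        echo nss-only
    else
        echo no
    fi
}

# Constructed sample input, copied from the values the original post quotes.
SAMPLE_GROUP='QG+TEST:x:10029:QG+JZILLERA,QG+HPCHEUNGA,QG+FOLIVERA,QG+DDAWSONA,QG+PLYNCHA'
SAMPLE_ID='uid=10002(QG+JZILLERA) gid=10000(QG+Domain Users) groups=10000(QG+Domain Users)'

# On a live member server you would feed the real commands instead:
#   check_share_group "$(getent group 'QG+TEST')" "$(id 'qg+jzillera')" 'qg+jzillera'
check_share_group "$SAMPLE_GROUP" "$SAMPLE_ID" 'qg+jzillera'
```

A result of nss-only is the signature of the problem in this thread: the group lookup path (getent group) and the user-token path (id, which is what smbd uses) disagree, so the share ACL cannot match no matter how "valid users" is spelled. The script only reads the two lines; it does not change anything on the system.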
What does your nsswitch.conf file look like? Also, there's the issue of your krb libraries. I believe it's been stated that you need to be using MIT krb >= 1.3.

Ziller, James wrote:
> Hello friends,
>
> I am using samba to join a linux box to an active directory domain to
> use as a file server. I would like to be able to control access to
> shares based on AD domain groups. However, even though winbind seems to
> be seeing the groups fine, samba is not granting access to users who are
> members of the group. I am able to successfully join the system to the
> domain and granting access to shares based on Windows usernames works
> fine.
> [...]

--
Paul Gienger                      Office: 701-281-1884
Applied Engineering Inc.
Information Systems Consultant    Fax: 701-281-1322
URL: www.ae-solutions.com
mailto: pgienger@ae-solutions.com
Thanks for the reply. I installed MIT kerberos 1.3.1 and rejoined the domain. Still can't access the share based on domain groups. My nsswitch.conf file looks like:

passwd: files winbind ldap
shadow: files ldap
group:  files winbind ldap

I have also tried swapping around the order.

-James

-----Original Message-----
From: Paul Gienger [mailto:pgienger@ae-solutions.com]
Sent: Monday, August 02, 2004 4:13 PM
To: Ziller, James
Cc: samba@lists.samba.org
Subject: Re: [Samba] Problems w/ winbind and AD group membership

What does your nsswitch.conf file look like? Also, there's the issue of your krb libraries. I believe it's been stated that you need to be using MIT krb >= 1.3.

Ziller, James wrote:
> Hello friends,
> [...]
Are you able to access the shares when you add your windows username to "valid users =" in smb.conf? That part works fine for me, it's only when I use groups in "valid users =" that it doesn't work. I've gone through the docs dozens of times already rechecking everything and cannot get this to work. Btw, I'm using redhat 9. I've also tried "security = domain" but have the same problem.

-James

-----Original Message-----
From: Mat Allgood [mailto:mallgood@gmail.com]
Sent: Tuesday, August 03, 2004 10:09 AM
To: Ziller, James
Subject: Re: [Samba] Problems w/ winbind and AD group membership

From what I can scrape together, you really need to be using MIT libkrb >= 1.3.3. I'm working on the same thing and am running into the same problem. Access Denied on access to the shares. What distro are you using? I'm using debian stable and unfortunately there is no libkrb 1.3.3, so I will have to compile from scratch. In the meantime the way I'm working around it is to set security = domain. I know this isn't perfect but it does get me access till I can get a few minutes to compile up libkrb 1.3.3.

On Tue, 3 Aug 2004 08:49:35 -0500, Ziller, James <james.ziller@qg.com> wrote:
> Thanks for the reply. I installed MIT kerberos 1.3.1 and rejoined
> the domain. Still can't access the share based on domain groups. My
> nsswitch.conf file looks like:
>
> passwd: files winbind ldap
> shadow: files ldap
> group:  files winbind ldap
>
> I have also tried swapping around the order.
>
> -James
Hi,

I have the same problem when a user is a member of more than 16 windows groups: the list returned by winbind is greater than the max of 16 in Solaris (can be brought to 32 when you accept to break NFS) (or 32 in linux IIRC). If the group you check is in the first 16, it works. In the place I made this setup, users are members of 30-80 windows groups. I know it's dumb, but I can't fix it. I ended up using "preexec" and "preexec close" and check for group membership using LDAP. Ugly, isn't it?

Charles

On Mon, 2 Aug 2004 16:08:28 -0500
"Ziller, James" <James.Ziller@qg.com> wrote:
> Hello friends,
>
> I am using samba to join a linux box to an active directory domain to
> use as a file server. I would like to be able to control access to
> shares based on AD domain groups. However, even though winbind seems
> to be seeing the groups fine, samba is not granting access to users
> who are members of the group. I am able to successfully join the
> system to the domain and granting access to shares based on Windows
> usernames works fine.
> [...]

--
Charles Bueche <charles@bueche.ch>
sand, snow, wave, wind and net -surfer
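As an added example, not code from the thread or from Samba: a POSIX shell script for the failure mode Charles describes, where only the first N supplementary groups of a user's token are usable and a group that sits further down the list never matches. It reports where a gid sits in the groups= field of an id(1) line and whether that position falls inside a given limit. The 20-group sample token and its group names are constructed for the example, and the cut-off of 16 is passed in as a parameter rather than asserted by the script; the figure is Charles's, from the thread.

```shell
#!/bin/sh
# Added example (not from the thread): locate a gid in a user's token and
# check it against a "first N groups are usable" limit, the failure mode
# described above for users in many Windows groups. N is a parameter.

# Number of entries in the "groups=" field of an "id" output line.
token_group_count() {
    printf '%s\n' "$1" | sed -n 's/.*groups=\(.*\)$/\1/p' | tr ',' '\n' | grep -c .
}

# 1-based position of GID in the "groups=" field, or 0 when it is absent.
# Entries look like 20001(QG+grp1); the parenthesised name is dropped.
token_group_position() {
    id_line=$1; gid=$2
    printf '%s\n' "$id_line" \
      | sed -n 's/.*groups=\(.*\)$/\1/p' \
      | tr ',' '\n' \
      | sed 's/(.*//' \
      | awk -v g="$gid" '$0 == g { print NR; found = 1; exit } END { if (!found) print 0 }'
}

# Verdict for GID against a usable-group limit:
#   usable   present at a position <= LIMIT
#   beyond   present, but after the first LIMIT groups (would not match)
#   absent   not in the token at all
group_usable() {
    id_line=$1; gid=$2; limit=$3
    pos=$(token_group_position "$id_line" "$gid")
    if [ "$pos" -eq 0 ]; then
        echo absent
    elif [ "$pos" -le "$limit" ]; then
        echo usable
    else
        echo beyond
    fi
}

# Constructed sample: an id(1) line for a user in N domain groups with gids
# 20001..N (names QG+grp1.. are invented for the example). The order of the
# list is what decides which groups fall inside the limit.
make_sample_id() {
    n=$1; list=''; i=1
    while [ "$i" -le "$n" ]; do
        gid=$((20000 + i))
        entry="${gid}(QG+grp${i})"
        if [ -z "$list" ]; then list=$entry; else list="${list},${entry}"; fi
        i=$((i + 1))
    done
    printf 'uid=10002(QG+JZILLERA) gid=10000(QG+Domain Users) groups=%s\n' "$list"
}

SAMPLE_ID=$(make_sample_id 20)

# On a live system: group_usable "$(id 'qg+jzillera')" "$(getent group 'QG+TEST' | cut -d: -f3)" 16
# Prints: 20 19 beyond
echo "$(token_group_count "$SAMPLE_ID") $(token_group_position "$SAMPLE_ID" 20019) $(group_usable "$SAMPLE_ID" 20019 16)"
```

When the verdict is beyond, adding the group to "valid users" cannot help on a platform with that limit; either the user's group count has to come down or, as Charles did, the check has to move out of the token into a preexec hook that asks the directory directly.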
I just checked... my user is only a member of 6 groups... so this doesn't appear to be my problem. I have also tried using the group "Domain Users" with no luck.

-james

-----Original Message-----
From: Charles Bueche [mailto:charles@bueche.ch]
Sent: Wednesday, August 04, 2004 7:57 AM
To: Ziller, James
Cc: samba@lists.samba.org
Subject: Re: [Samba] Problems w/ winbind and AD group membership

Hi,

I have the same problem when a user is a member of more than 16 windows groups: the list returned by winbind is greater than the max of 16 in Solaris (can be brought to 32 when you accept to break NFS) (or 32 in linux IIRC). If the group you check is in the first 16, it works.
[...]

Charles