Jonathan C. Detert
2006-Feb-08 20:45 UTC
[Samba] winbind can see some groups but not others
Hello,

I followed the steps at http://www.enterprisenetworkingplanet.com/netos/article.php/3487081 for adding a v3.0.21a samba and winbindd server to a MsAD domain and configuring nsswitch.conf to find passwd and group info from winbind.

This seems to have worked out fine, except that I can't 'see' or 'recognize' certain groups via getent or via wbinfo -g.

E.g. I can see the 'ccsd-staff' group via getent and wbinfo -g, but I don't see the 'ccsd-dept-www' group via either.

Within the MsAD domain of concern, those two groups are basically the same, except the one that getent finds is in ou=people,dc=msoe,dc=edu and the one that it doesn't find is in ou=unixgroups,dc=msoe,dc=edu

This makes me think there's an ldap basedn problem, but then, there's no ldap config needed or used by winbind, as far as I can tell.

Anyone know what's wrong or have an idea of how to debug? Thanks

--
Happy Landings,
Jon Detert
IT Systems Administrator, Milwaukee School of Engineering
1025 N. Broadway, Milwaukee, Wisconsin 53202, U.S.A.
Jonathan C. Detert
2006-Feb-10 21:02 UTC
[Samba] Re: winbind can see some groups but not others
* detertj <detertj> [060208 14:45]:
> Hello,
>
> I followed the steps at
> http://www.enterprisenetworkingplanet.com/netos/article.php/3487081
> for adding a v3.0.21a samba and winbindd server to a MsAD domain and
> configuring nsswitch.conf to find passwd and group info from winbind.
>
> This seems to have worked out fine, except that I can't 'see' or
> 'recognize' certain groups via getent or via wbinfo -g.
>
> E.g. I can see the 'ccsd-staff' group via getent and wbinfo -g, but I
> don't see the 'ccsd-dept-www' group via either.

-- snip --

> Anyone know what's wrong or have an idea of how to debug? Thanks

I just stumbled on the explanation and solution:

'wbinfo -g' and 'getent group' use the samaccountname attribute of the group object, but for my 'missing' groups, the samaccountname attrib value was not the same as the 'cn' and 'name' attribs value. Once I set the samAccountName value to be the same as the cn, the 'missing' groups were no longer missing from 'wbinfo -g' or 'getent group'.

The 'missing' groups had been created by me via a script using ldap. At the time I created them, I didn't know that I needed to also set the 'samaccountname' attribute, so it was getting automagically set with a seemingly arbitrary value. The MsAD-U&G app never gave any indication that the 2 weren't in synch.

--
Happy Landings,
Jon Detert
IT Systems Administrator, Milwaukee School of Engineering
1025 N. Broadway, Milwaukee, Wisconsin 53202, U.S.A.
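An added example, not part of the original posts or of Samba: a check for the condition described in the reply above, run over an LDIF export of AD group objects that includes the cn and sAMAccountName attributes. The function names and the sample LDIF (including the placeholder sAMAccountName value) are constructed for illustration.

```python
import base64
import re

# Constructed sample of an LDIF export of group objects. Group names and OUs
# are from the post; the second sAMAccountName value is a made-up placeholder.
SAMPLE_LDIF = """\
dn: CN=ccsd-staff,OU=people,DC=msoe,DC=edu
objectClass: group
cn: ccsd-staff
sAMAccountName: ccsd-staff

dn: CN=ccsd-dept-www,OU=unixgroups,DC=msoe,DC=edu
objectClass: group
cn: ccsd-dept-www
sAMAccountName: $CONSTRUCTED-
 PLACEHOLDER-0001
"""

def parse_ldif(text):
    """Yield one {lowercased attribute: [values]} dict per LDIF entry."""
    text = re.sub(r"\r?\n ", "", text)        # unfold RFC 2849 continuation lines
    entry = {}
    for line in text.splitlines() + [""]:     # trailing "" flushes the last entry
        if not line.strip():
            if entry:
                yield entry
            entry = {}
            continue
        attr, sep, rest = line.partition(":")
        if line.startswith("#") or not sep:
            continue
        if rest.startswith(":"):              # "attr:: value" means base64
            rest = base64.b64decode(rest[1:].strip()).decode("utf-8", "replace")
        entry.setdefault(attr.lower(), []).append(rest.strip())

def mismatched_groups(ldif_text):
    """Return (dn, cn, sAMAccountName) for groups where the two names differ."""
    found = []
    for e in parse_ldif(ldif_text):
        if "group" not in [v.lower() for v in e.get("objectclass", [])]:
            continue
        cn, sam = e.get("cn", [""])[0], e.get("samaccountname", [""])[0]
        if cn.casefold() != sam.casefold():   # AD matches both case-insensitively
            found.append((e.get("dn", ["?"])[0], cn, sam))
    return found

if __name__ == "__main__":
    for dn, cn, sam in mismatched_groups(SAMPLE_LDIF):
        print(f"{dn}: cn={cn!r} sAMAccountName={sam!r}")
```

Groups reported here are the ones that will appear in 'wbinfo -g' and 'getent group' under a name other than their cn.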