James A. Dinkel
2006-Dec-05 16:47 UTC
[Samba] Does Samba/Winbind not follow nested groups in AD?!?
Here's the situation: We have users who are members of groups and those groups are sometimes members of a 2nd level of groups. If a folder has permissions assigned to a 2nd level group, then the user can not access the share. Doing a "getent group | grep user | grep 2nd_level_group" also returns nothing. Samba seems to not be recognizing that a user is a member of a group under another group.

Is there any way to enable Samba, or Winbind, to follow down the group hierarchy?

James Dinkel
Aaron Kincer
2006-Dec-05 20:50 UTC
[Samba] Does Samba/Winbind not follow nested groups in AD?!?
I just simulated your scenario and I have no problems.

1) User testing member of: group1
2) group1 member of group2
3) group2 has rights to folderA
4) User testing can successfully open folderA.
5) Removing group2 rights from folderA results in access denied.

James A. Dinkel wrote:
> Here's the situation: We have users who are members of groups and those
> groups are sometimes members of a 2nd level of groups. If a folder has
> permissions assigned to a 2nd level group, then the user can not access
> the share. Doing a "getent group | grep user | grep 2nd_level_group"
> also returns nothing. Samba seems to not be recognizing that a user is
> a member of a group under another group.
>
> Is there any way to enable Samba, or Winbind, to follow down the group
> hierarchy?
>
> James Dinkel
Matt Skerritt
2006-Dec-05 23:08 UTC
[Samba] Does Samba/Winbind not follow nested groups in AD?!?
On 06/12/2006, at 3:46 AM, James A. Dinkel wrote:
> Here's the situation: We have users who are members of groups and those
> groups are sometimes members of a 2nd level of groups. If a folder has
> permissions assigned to a 2nd level group, then the user can not access
> the share. Doing a "getent group | grep user | grep 2nd_level_group"
> also returns nothing. Samba seems to not be recognizing that a user is
> a member of a group under another group.
>
> Is there any way to enable Samba, or Winbind, to follow down the group
> hierarchy?

There is an option in smb.conf called "winbind nested groups" ... and the help text from swat says:

"winbind nested groups (G)

If set to yes, this parameter activates the support for nested groups. Nested groups are also called local groups or aliases. They work like their counterparts in Windows: Nested groups are defined locally on any machine (they are shared between DC's through their SAM) and can contain users and global groups from any trusted SAM. To be able to use nested groups, you need to run nss_winbind.

Please note that per 3.0.3 this is a new feature, so handle with care.

Default: winbind nested groups = no"

So I'm guessing that you want to set winbind nested groups = yes in your smb.conf.

--
Matt Skerritt
matt.skerritt@agrav.net
James A. Dinkel
2006-Dec-06 06:17 UTC
[Samba] Does Samba/Winbind not follow nested groups in AD?!?
> -----Original Message-----
> From: Matt Skerritt
>
> There is an option in smb.conf called "winbind nested groups" ... and
> the help text from swat says:
>
> "winbind nested groups (G)
>
> If set to yes, this parameter activates the support for nested
> groups. Nested groups are also called local groups or aliases. They
> work like their counterparts in Windows: Nested groups are defined
> locally on any machine (they are shared between DC's through their
> SAM) and can contain users and global groups from any trusted SAM. To
> be able to use nested groups, you need to run nss_winbind.
>
> Please note that per 3.0.3 this is a new feature, so handle with
> care.
>
> Default: winbind nested groups = no"
>
> So I'm guessing that you want to set winbind nested groups = yes in
> your smb.conf.
>
> --
> Matt Skerritt
> matt.skerritt@agrav.net

I've put the "winbind nested groups = yes" in the global section of my samba.conf. (Sorry, I did go over the swat help text, I must have missed this.) I went ahead and rebooted the server and tried it again, but it's still a no-go.

Aaron, in the smb.conf you showed me, you did not have "winbind nested groups = yes"?!? I don't remember if you've told me, but are you using the default Samba 3.0.22 that comes with Ubuntu 6.06?

Could there be something wrong with my Winbind setup? Something that has to do with nss_winbind maybe? Is there any way I can test this from the Samba server, using wbinfo maybe?
James A. Dinkel
2006-Dec-06 14:58 UTC
[Samba] Does Samba/Winbind not follow nested groups in AD?!?
> -----Original Message-----
> From: Aaron Kincer
>
> James,
>
> You are correct--I don't have winbind nested groups = yes set in my
> smb.conf. Yes, default 3.0.22. I followed the Ubuntu configuration
> instructions to the letter found in the Ubuntu forums that I've posted
> before with only the changes you've seen in my smb.conf. Here is the
> link to the forum post:
>
> http://ubuntuforums.org/archive/index.php/t-91510.html
>
> If you have a machine you can throw together as a test machine, fire it
> up as a stock install and follow these instructions to the letter (if
> you didn't on your production box) and see if you have any success.
>
> Here's where the rubber meets the road. If your test machine correctly
> nests permissions, then there is something wrong with your production
> config. If it doesn't, then you have something going on in Active
> Directory.
>
> One more thing--I'm using POSIX ACLs for permissions. Are you?

Yeah, I'm using POSIX ACLs. I did not follow that Ubuntu guide; I used some generic instructions from a couple different places. The biggest difference I see at first glance is the krb5.conf (mine is blank, it gets domain info from DNS) and a lot of the PAM configuration. I'll try another machine with that Ubuntu guide and see what happens.

James Dinkel
James A. Dinkel
2006-Dec-06 15:15 UTC
[Samba] Does Samba/Winbind not follow nested groups in AD?!?
> http://ubuntuforums.org/archive/index.php/t-91510.html

That guide also does not say anything about adding acl and user_xattr to the mount options of the partition containing the share.
Aaron Kincer
2006-Dec-06 15:25 UTC
[Samba] Does Samba/Winbind not follow nested groups in AD?!?
Right. That guide gets you in the door. The additional acl and extended dos attributes stuff is separate.

James A. Dinkel wrote:
>> http://ubuntuforums.org/archive/index.php/t-91510.html
>
> That guide also does not say anything about adding acl and user_xattr to
> the mount options of the partition containing the share.
James A. Dinkel
2006-Dec-07 23:23 UTC
[Samba] Does Samba/Winbind not follow nested groups in AD?!?
Well, I think I'm giving up. I've tried following that guide. I've tried replacing my smb.conf to look just like yours. I've tried a bunch of other things that I thought might do something.

For the life of me, I can not get nested groups to work on this server.

James Dinkel

> -----Original Message-----
> From: Aaron Kincer
>
> James,
>
> You are correct--I don't have winbind nested groups = yes set in my
> smb.conf. Yes, default 3.0.22. I followed the Ubuntu configuration
> instructions to the letter found in the Ubuntu forums that I've posted
> before with only the changes you've seen in my smb.conf. Here is the
> link to the forum post:
>
> http://ubuntuforums.org/archive/index.php/t-91510.html
>
> If you have a machine you can throw together as a test machine, fire it
> up as a stock install and follow these instructions to the letter (if
> you didn't on your production box) and see if you have any success.
>
> Here's where the rubber meets the road. If your test machine correctly
> nests permissions, then there is something wrong with your production
> config. If it doesn't, then you have something going on in Active
> Directory.
>
> One more thing--I'm using POSIX ACLs for permissions. Are you?
>
> James A. Dinkel wrote:
> >> -----Original Message-----
> >> From: Matt Skerritt
> >>
> >> There is an option in smb.conf called "winbind nested groups" ... and
> >> the help text from swat says:
> >>
> >> "winbind nested groups (G)
> >>
> >> If set to yes, this parameter activates the support for nested
> >> groups. Nested groups are also called local groups or aliases. They
> >> work like their counterparts in Windows: Nested groups are defined
> >> locally on any machine (they are shared between DC's through their
> >> SAM) and can contain users and global groups from any trusted SAM. To
> >> be able to use nested groups, you need to run nss_winbind.
> >>
> >> Please note that per 3.0.3 this is a new feature, so handle with
> >> care.
> >>
> >> Default: winbind nested groups = no"
> >>
> >> So I'm guessing that you want to set winbind nested groups = yes in
> >> your smb.conf.
> >>
> >> --
> >> Matt Skerritt
> >> matt.skerritt@agrav.net
> >
> > I've put the "winbind nested groups = yes" in the global section of my
> > samba.conf. (Sorry, I did go over the swat help text, I must have
> > missed this.) I went ahead and rebooted the server and tried it again,
> > but it's still a no-go.
> >
> > Aaron, in the smb.conf you showed me, you did not have "winbind nested
> > groups = yes"?!? I don't remember if you've told me, but are you using
> > the default Samba 3.0.22 that comes with Ubuntu 6.06?
> >
> > Could there be something wrong with my Winbind setup? Something that
> > has to do with nss_winbind maybe? Is there any way I can test this from
> > the Samba server, using wbinfo maybe?
Aaron Kincer
2006-Dec-08 16:51 UTC
[Samba] Does Samba/Winbind not follow nested groups in AD?!?
Native mode, global groups. Try the test server with a stock installation and adding ACLs and extended DOS attributes. If you do not have success with that, I can only conclude there is corruption in your AD forest. That isn't unheard of by the way. If you upgraded from mixed mode to native mode, I'd wager a good chance that your corruption started there.

James A. Dinkel wrote:
> The tdb thing didn't work. Are you running your Win 2000 domain in
> mixed-mode or native-mode? (ours is native mode, so I'm wondering if
> that is a problem for samba). Also what is the scope on your groups,
> we have 'global' for the scope on all our groups.
>
> James Dinkel
> Network Engineer
> Butler County of Kansas
>
> There are 10 types of people in the world: those who understand
> binary, and those who don't.
>
> ------------------------------------------------------------------------
>
> From: Aaron Kincer [mailto:kincera@gmail.com]
> Sent: Thursday, December 07, 2006 5:43 PM
> To: James A. Dinkel
> Cc: samba@lists.samba.org
> Subject: Re: [Samba] Does Samba/Winbind not follow nested groups in AD?!?
>
> I had some problems with authentication on a Red Hat server due to
> corrupted .tdb files in /var/cache/samba and fixed it by deleting
> them. You could give it a shot by stopping Samba and Winbind, backing
> up those files to be safe, delete them and restart Samba and Winbind.
>
> If that doesn't work, I suspect there is a problem with your AD
> forest. All the pieces should be there for you.
>
> On 12/7/06, James A. Dinkel <jdinkel@bucoks.com> wrote:
>
> Well, I think I'm giving up. I've tried following that guide. I've
> tried replacing my smb.conf to look just like yours. I've tried a bunch
> of other things that I thought might do something.
>
> For the life of me, I can not get nested groups to work on this server.
>
> James Dinkel
>
> > -----Original Message-----
> > From: Aaron Kincer
> >
> > James,
> >
> > You are correct--I don't have winbind nested groups = yes set in my
> > smb.conf. Yes, default 3.0.22. I followed the Ubuntu configuration
> > instructions to the letter found in the Ubuntu forums that I've posted
> > before with only the changes you've seen in my smb.conf. Here is the
> > link to the forum post:
> >
> > http://ubuntuforums.org/archive/index.php/t-91510.html
> >
> > If you have a machine you can throw together as a test machine, fire it
> > up as a stock install and follow these instructions to the letter (if
> > you didn't on your production box) and see if you have any success.
> >
> > Here's where the rubber meets the road. If your test machine correctly
> > nests permissions, then there is something wrong with your production
> > config. If it doesn't, then you have something going on in Active
> > Directory.
> >
> > One more thing--I'm using POSIX ACLs for permissions. Are you?
> >
> > James A. Dinkel wrote:
> > >> -----Original Message-----
> > >> From: Matt Skerritt
> > >>
> > >> There is an option in smb.conf called "winbind nested groups" ... and
> > >> the help text from swat says:
> > >>
> > >> "winbind nested groups (G)
> > >>
> > >> If set to yes, this parameter activates the support for nested
> > >> groups. Nested groups are also called local groups or aliases. They
> > >> work like their counterparts in Windows: Nested groups are defined
> > >> locally on any machine (they are shared between DC's through their
> > >> SAM) and can contain users and global groups from any trusted SAM. To
> > >> be able to use nested groups, you need to run nss_winbind.
> > >>
> > >> Please note that per 3.0.3 this is a new feature, so handle with
> > >> care.
> > >>
> > >> Default: winbind nested groups = no"
> > >>
> > >> So I'm guessing that you want to set winbind nested groups = yes in
> > >> your smb.conf.
> > >>
> > >> --
> > >> Matt Skerritt
> > >> matt.skerritt@agrav.net
> > >
> > > I've put the "winbind nested groups = yes" in the global section of my
> > > samba.conf. (Sorry, I did go over the swat help text, I must have
> > > missed this.) I went ahead and rebooted the server and tried it again,
> > > but it's still a no-go.
> > >
> > > Aaron, in the smb.conf you showed me, you did not have "winbind nested
> > > groups = yes"?!? I don't remember if you've told me, but are you using
> > > the default Samba 3.0.22 that comes with Ubuntu 6.06?
> > >
> > > Could there be something wrong with my Winbind setup? Something that
> > > has to do with nss_winbind maybe? Is there any way I can test this from
> > > the Samba server, using wbinfo maybe?
James A. Dinkel
2006-Dec-08 17:45 UTC
[Samba] Does Samba/Winbind not follow nested groups in AD?!?
Just a little update. I've found out about the 'id' command and the 'wbinfo -r' command. Both of those commands do NOT return any domain groups that are parents over domain groups for the user. I don't know if this gives any ideas or means anything to anybody. James Dinkel
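The check James is doing by hand above, comparing what `id` and `wbinfo -r` report against the groups the user should hold through nesting, can be made mechanical. The following is an added example and not code from the thread, Samba or winbind: it models a small constructed directory (the user, group and share names are made up), computes the transitive group closure an AD-aware resolver has to produce, including a group cycle which AD permits and which a naive walk would loop on, and reports which groups a flat resolver leaves out. In practice the `reported` argument would be filled from the names printed by `id -Gn user`, or from `wbinfo -r user` after mapping SIDs to names with `wbinfo -s`.

```python
"""Nested (transitive) group expansion for diagnosing a resolver that only
reports direct memberships.  Added illustration; not Samba/winbind code."""

from collections import deque

# Constructed sample directory: group -> set of direct members.  A member may
# itself be a group.  All names here are made up for the example.
SAMPLE_DIRECTORY = {
    "engineering":     {"jdinkel", "akincer"},
    "helpdesk":        {"mskerritt"},
    "it-staff":        {"engineering", "helpdesk"},   # second-level group
    "fileshare-rw":    {"it-staff"},                  # third-level group
    "fileshare-ro":    {"fileshare-rw", "everyone-nested"},
    "everyone-nested": {"fileshare-ro"},              # deliberate cycle
}


def reverse_index(directory):
    """Map each member (user or group) to the set of groups it is directly in,
    i.e. the memberOf view of the same data."""
    parents = {}
    for group, members in directory.items():
        for member in members:
            parents.setdefault(member, set()).add(group)
    return parents


def direct_groups(directory, user):
    """What a resolver that ignores nesting reports: direct memberships only."""
    return set(reverse_index(directory).get(user, ()))


def effective_groups(directory, user):
    """Breadth-first walk up the memberOf graph.  The `seen` set is what makes
    the walk terminate when groups contain each other in a cycle."""
    parents = reverse_index(directory)
    seen = set()
    queue = deque(parents.get(user, ()))
    while queue:
        group = queue.popleft()
        if group in seen:
            continue
        seen.add(group)
        queue.extend(parents.get(group, ()))
    return seen


def missing_nested_groups(directory, user, reported):
    """Groups the user holds through nesting that the resolver did not report.
    `reported` is the list of group names obtained from the host, e.g. `id -Gn`.
    An empty result means nested expansion is working for this user."""
    return effective_groups(directory, user) - set(reported)


if __name__ == "__main__":
    user = "jdinkel"
    flat = direct_groups(SAMPLE_DIRECTORY, user)
    print("direct:   ", sorted(flat))
    print("effective:", sorted(effective_groups(SAMPLE_DIRECTORY, user)))
    print("missing if the resolver is flat:",
          sorted(missing_nested_groups(SAMPLE_DIRECTORY, user, flat)))
```

For `jdinkel` the flat view is only `engineering`, while the effective set also contains `it-staff`, `fileshare-rw`, `fileshare-ro` and `everyone-nested`; a share whose ACL names `fileshare-rw` will therefore deny the user on a host whose winbind returns the flat view, which is exactly the symptom in this thread.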
James A. Dinkel
2006-Dec-08 19:36 UTC
[Samba] Does Samba/Winbind not follow nested groups in AD?!?
Updating to 3.0.23c fixed it!! I didn't even change my config. I just uninstalled the Ubuntu packages with "apt-get remove samba-common samba winbind", added Samba.com's Debian Sarge repository and did "apt-get update && apt-get install samba samba-common winbind" and it installed the newer packages from the Sarge repo. This fixed my nested domain groups problem, hopefully it didn't introduce any new ones. I've only done this on my test server. After a little more QA I'll do this on my semi-production server. James Dinkel
Gerald (Jerry) Carter
2006-Dec-13 18:19 UTC
[Samba] Does Samba/Winbind not follow nested groups in AD?!?
James A. Dinkel wrote:
> Here's the situation: We have users who are members of groups and those
> groups are sometimes members of a 2nd level of groups. If a folder has
> permissions assigned to a 2nd level group, then the user can not access
> the share. Doing a "getent group | grep user | grep 2nd_level_group"
> also returns nothing. Samba seems to not be recognizing that a user is
> a member of a group under another group.
>
> Is there any way to enable Samba, or Winbind, to follow down the group
> hierarchy?

We (centeris) have a patch that will be merged upstream shortly. Either myself or Danilo (it's his code) need to break it out and submit it for review on samba-technical. Look for this in 3.0.24.

cheers, jerry

====================================================================
Samba ------- http://www.samba.org
Centeris ----------- http://www.centeris.com
"What man is a man who does not make the world better?" --Balian