Is the "winbind nested groups" functionality not currently working in
Samba 3.0.23d? The readme files seem to indicate it should be (since
3.0.3), but then this message by Jerry to the list...
http://groups.google.com/group/linux.samba/msg/5ecc575f70af3c8c
...seems to indicate that there's some patch waiting for 3.0.24.
Unfortunately he's not specific as to what it solves.
I've actually tried it with the 3.0.10 that comes with RHEL4, 3.0.23d
straight from Samba.org, and 3.0.22 from Ubuntu on three different
servers. I have no trouble getting winbind talking to AD on any of
them, but all of them absolutely refuse to resolve membership of
anything nested in a local group.
My smb.conf is as follows:

[global]
    workgroup = DOM1
    realm = DOM1.DOMAIN.COM
    security = ADS
    password server = 192.168.1.37 192.168.1.33
    log file = /var/log/samba/%m.log
    max log size = 50
    socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
    dns proxy = No
    ldap ssl = no
    idmap uid = 10000-20000
    idmap gid = 10000-20000
    winbind separator = +
    winbind nested groups = yes
    winbind enum groups = yes
    winbind enum users = yes
    winbind use default domain = no
    allow trusted domains = yes

The goal is to create a local group on DOM1 that contains a global
group of users from DOM1 as well as a global group from trusted
domain DOM2. I'd like to assign rights to the local group, and
therefore allow anyone in either of the global groups access.
Am I just missing something?
--
Joshua Penix http://www.binarytribe.com
Binary Tribe Linux Integration Services & Network Consulting

Joshua Penix wrote:
> Is the "winbind nested groups" functionality not currently working in
> Samba 3.0.23d? The readme files seem to indicate it should be (since
> 3.0.3), but then this message by Jerry to the list...
>
> http://groups.google.com/group/linux.samba/msg/5ecc575f70af3c8c
>
> ...seems to indicate that there's some patch waiting for 3.0.24.
> Unfortunately he's not specific as to what it solves.

...

> The goal is to create a local group on DOM1 that contains a global group
> of users from DOM1 as well as a global group from trusted domain DOM2.
> I'd like to assign rights to the local group, and therefore allow anyone
> in either of the global groups access.

The nested group functionality is for a local BUILTIN\Administrators or
MACHINE\localgrp type of group. The patch in question I was referring
to was to expand local group membership in getgrnam(). These are
different things. Not sure which one you are looking for if either.

cheers, jerry
=====================================================================
Samba    ------- http://www.samba.org
Centeris ----------- http://www.centeris.com
"What man is a man who does not make the world better?" --Balian
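
The reply above distinguishes nested-group handling from expansion of local group membership in getgrnam(). The C program below is an added example, not part of the thread and not Samba code: it reports, for one group and one user, whether getgrnam() enumerates the user as a member and whether getgrouplist() places the group's gid in the user's group list. Treating these two NSS views as the ones to compare is an assumption, and the helper names are hypothetical.

```c
/* Added example: compare two NSS views of group membership. */
#define _DEFAULT_SOURCE
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* 1 if name is in the NULL-terminated list, else 0. */
int name_in_list(char *const *list, const char *name) {
    for (; list && *list; list++)
        if (strcmp(*list, name) == 0) return 1;
    return 0;
}

/* View 1: is user enumerated in getgrnam(group)->gr_mem?
 * Returns 1/0, or -1 if the group does not resolve. */
int listed_by_getgrnam(const char *group, const char *user) {
    struct group *gr = getgrnam(group);
    return gr ? name_in_list(gr->gr_mem, user) : -1;
}

/* View 2: is the group's gid in the list getgrouplist() builds for user?
 * Returns 1/0, or -1 if the user or group does not resolve. */
int in_user_grouplist(const char *user, const char *group) {
    struct passwd *pw = getpwnam(user);
    if (!pw) return -1;
    gid_t primary = pw->pw_gid;          /* copy: pw is a static buffer */
    struct group *gr = getgrnam(group);
    if (!gr) return -1;
    gid_t target = gr->gr_gid;
    int n = 32, found = 0;
    gid_t *gids = malloc(n * sizeof *gids);
    if (!gids) return -1;
    if (getgrouplist(user, primary, gids, &n) == -1) {  /* n now holds the needed size */
        gid_t *bigger = realloc(gids, n * sizeof *gids);
        if (!bigger) { free(gids); return -1; }
        gids = bigger;
        if (getgrouplist(user, primary, gids, &n) == -1) { free(gids); return -1; }
    }
    for (int i = 0; i < n; i++)
        if (gids[i] == target) found = 1;
    free(gids);
    return found;
}

int main(int argc, char **argv) {
    if (argc != 3) { fprintf(stderr, "usage: %s GROUP USER\n", argv[0]); return 2; }
    printf("getgrnam() lists member: %d\n", listed_by_getgrnam(argv[1], argv[2]));
    printf("getgrouplist() has gid:  %d\n", in_user_grouplist(argv[2], argv[1]));
    return 0;
}
```

With the separator from the smb.conf above, winbind names take the form DOM1+name, so both arguments are passed in that form; a 1 from one view and a 0 from the other shows which lookup path is not expanding the membership.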