Roger Prefontaine
2007-Feb-13 20:52 UTC
[Samba] Winbind missing secondary groups depending on case & distro
I've been at this on and off for a month, testing, searching, so please bear with me :) I think it's finally time to ask for help before I rip my hair out.

winbind is refusing to report a user's secondary groups depending on whether I request it in mixed case, in lower case, and with the domain name. Samba is also refusing to see the user's secondary groups. The username is mixed case on the NT4 PDC server (i.e. "David").

I've built Ubuntu 6.06LTS, and 7.04 servers with 3.0.22, and 3.0.24 respectively. Both these machines exhibit this problem. I've also built a CentOS 4.4 with 3.0.23d & 3.0.24, and it works *fine*, the problem is only on the Ubuntu machines. Considering they both run 3.0.24, this seems kind of bizarre.

On the Ubuntu server, "id DOMAINNAME+David", "id DOMAINNAME+david", and "id David" only list the primary group, and "id david" lists all groups. All of these combinations produce all groups on the CentOS server.

The NT4 PDC, and the Samba domain member servers have all been built from scratch from bare-bones installs for the sole purpose of figuring this all out (so the solution can be rolled into a production Ubuntu 6.06LTS server & NT4 PDC). They all run identical smb.conf and similar nsswitch.conf files.

wbinfo -u and -g list the correct users and groups, and getent passwd & group also list local and PDC users and groups as expected.

A link to a level 10 log of log.winbindd is here ==> http://www.petrolia.com/files/log.winbindd.txt

It is a clean log that only contains startup, and a request (id David) on the Ubuntu 7.04 server. The Ubuntu machine also does not list any BUILTIN groups like the CentOS machine.

The [global] section of smb.conf on all machines is:

    [global]
    workgroup = TOILETWARS
    server string = Samba Server
    security = DOMAIN
    log file = /var/log/samba/%m.log
    max log size = 50
    socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
    preferred master = No
    local master = No
    domain master = No
    dns proxy = No
    ldap ssl = no
    idmap uid = 16777216-33554431
    idmap gid = 16777216-33554431
    winbind separator = +
    winbind enum users = Yes
    winbind enum groups = Yes
    winbind use default domain = Yes
    cups options = raw

What on earth could be the difference between these platforms that is causing this?

Roger
Chris Smith
2007-Feb-13 23:32 UTC
[Samba] Winbind missing secondary groups depending on case & distro
On Tuesday 13 February 2007, Roger Prefontaine wrote:
> On the Ubuntu server, "id DOMAINNAME+David", "id DOMAINNAME+david", and "id
> David" only list the primary group, and "id david" lists all groups. All
> of these combinations produce all groups on the CentOS server.

> winbind use default domain = Yes

May not be much help but out of curiosity I tried the same test on a Samba server that is also a member of an NT4 domain. It is running 3.0.24 plus the 6 Vista patches on a Gentoo server.

I don't use the "winbind use default domain = Yes" in smb.conf, but I did test that way as well. Also I didn't change the default separator.

With the "normal" setup (winbind use default domain = No):
--------------------------------------
id DOMAINNAME\\username - shows all groups

id DOMAINNAME\\USERNAME (or any permutation with a cap in the username) - only primary groups

id username - returns "No such user"
--------------------------------------

If I set "winbind use default domain = Yes" then:
--------------------------------------
id DOMAINNAME\\username - only primary groups

id DOMAINNAME\\USERNAME (or any permutation with a cap in the username) - only primary groups

id username - shows all groups
--------------------------------------

Chris
Chris Smith
2007-Feb-13 23:32 UTC
[Samba] Winbind missing secondary groups depending on case & distro
On Tuesday 13 February 2007, Roger Prefontaine wrote:
> On the Ubuntu server, "id DOMAINNAME+David", "id DOMAINNAME+david", and "id
> David" only list the primary group, and "id david" lists all groups. All
> of these combinations produce all groups on the CentOS server.

> winbind use default domain = Yes

May not be much help but out of curiosity I tried the same test on a Samba server that is also a member of an NT4 domain. It is running 3.0.24 plus the 6 Vista patches on a Gentoo server.

I don't use the "winbind use default domain = Yes" in smb.conf, but I did test that way as well. Also I didn't change the default separator.

With the "normal" setup (winbind use default domain = No):
--------------------------------------
id DOMAINNAME\\username - shows all groups

id DOMAINNAME\\USERNAME (or any permutation with a cap in the username) - only primary group

id username - returns "No such user"

id USERNAME (or any permutation with a cap in the username) - returns "No such user"
--------------------------------------

If I set "winbind use default domain = Yes" then:
--------------------------------------
id DOMAINNAME\\username - only primary group

id DOMAINNAME\\USERNAME (or any permutation with a cap in the username) - only primary group

id username - shows all groups

id USERNAME (or any permutation with a cap in the username) - only primary group
--------------------------------------

Chris

EDITED to add the other cases (id USERNAME).
Chris Smith
2007-Feb-13 23:40 UTC
[Samba] Winbind missing secondary groups depending on case & distro
Possibly just a quirk with the "id" utility.

The version I tested with:
----------------------------------------
$ id --version
id (GNU coreutils) 6.7
Copyright (C) 2006 Free Software Foundation, Inc.
This is free software. You may redistribute copies of it under the terms of
the GNU General Public License <http://www.gnu.org/licenses/gpl.html>.
There is NO WARRANTY, to the extent permitted by law.

Written by Arnold Robbins and David MacKenzie.
----------------------------------------

Chris
yvan
2007-Feb-14 14:17 UTC
[Samba] Winbind missing secondary groups depending on case & distro
Please note that the result of the "id" command (or the "groups" command as well) is different if it is run by root or by the user.

As root :
# id david : gives only the primary groups membership

As regular user :
david@localhost$ id : gives the full membership of all "groups in groups" managed by winbind and A.D.

at least under Debian (Etch + Sarge).

But it seems that winbind on some occasions doesn't use the right credentials to resolve nested groups. I have to tweak security in Active Directory to give additional "Read Permission" rights in Active Directory in order to make it work, otherwise I only get primary groups. Or it may be our active directory that is broken.

Yvan Broccard

Chris Smith wrote:
> On Tuesday 13 February 2007, Roger Prefontaine wrote:
>
>> On the Ubuntu server, "id DOMAINNAME+David", "id DOMAINNAME+david", and "id
>> David" only list the primary group, and "id david" lists all groups. All
>> of these combinations produce all groups on the CentOS server.
>
>> winbind use default domain = Yes
>
> May not be much help but out of curiosity I tried the same test on a Samba
> server that is also a member of an NT4 domain. It is running 3.0.24 plus the
> 6 Vista patches on a Gentoo server.
>
> I don't use the "winbind use default domain = Yes" in smb.conf, but I did test
> that way as well. Also I didn't change the default separator.
>
> With the "normal" setup (winbind use default domain = No):
> --------------------------------------
> id DOMAINNAME\\username - shows all groups
>
> id DOMAINNAME\\USERNAME (or any permutation with a cap in the username) - only
> primary group
>
> id username - returns "No such user"
>
> id USERNAME (or any permutation with a cap in the username) - returns "No such
> user"
> --------------------------------------
>
> If I set "winbind use default domain = Yes" then:
> --------------------------------------
> id DOMAINNAME\\username - only primary group
>
> id DOMAINNAME\\USERNAME (or any permutation with a cap in the username) - only
> primary group
>
> id username - shows all groups
>
> id USERNAME (or any permutation with a cap in the username) - only primary
> group
> --------------------------------------
>
> Chris
>
> EDITED to add the other cases (id USERNAME).
Roger Prefontaine
2007-Feb-14 16:03 UTC
[Samba] Winbind missing secondary groups depending on case & distro
Yes, id looks like a red herring. The id in CentOS 4.4/RHEL is version 5.2.1 and works. The id in Ubuntu 7.04 is version 5.97 and does not work. I literally moved the id binary from the CentOS machine to the Ubuntu machine and it behaved properly.

Which means that my problems with Samba on my 6.06 LTS machine are just a coincidence and I need to return to it and re-troubleshoot my problem.

Roger

> Possibly just a quirk with the "id" utility.

> The version I tested with:
> ----------------------------------------
> $ id --version
> id (GNU coreutils) 6.7
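
Added example, not part of the thread or of Samba: a check that takes the id binary out of the picture by asking NSS directly (getpwnam plus getgrouplist) for each spelling of a user name, then reporting spellings that map to the same UID but receive fewer groups. The SAMPLE table, its UID/GID values and the function names are constructed for illustration; only the spellings and the TOILETWARS workgroup come from the posts above.

```python
import os
import pwd
import sys

# Constructed sample (not real data): the Ubuntu pattern reported in the thread.
# The UID/GIDs are made-up values inside the posted idmap range.
UID, PRIMARY, EXTRA = 16777216, 16777216, (16777217, 16777218)
SAMPLE = {
    "TOILETWARS+David": (UID, frozenset({PRIMARY})),
    "TOILETWARS+david": (UID, frozenset({PRIMARY})),
    "David": (UID, frozenset({PRIMARY})),
    "david": (UID, frozenset({PRIMARY, *EXTRA})),
}


def nss_resolve(name):
    """Resolve one spelling through NSS; return (uid, gids) or None."""
    try:
        pw = pwd.getpwnam(name)
    except KeyError:
        return None
    # getgrouplist(3) walks the nsswitch.conf "group" sources (winbind
    # included) without involving the id binary.
    return pw.pw_uid, frozenset(os.getgrouplist(name, pw.pw_gid))


def compare_spellings(names, resolve=nss_resolve):
    """Return (name, uid, missing_gids) for every spelling that maps to a
    UID but gets fewer groups than another spelling of the same UID."""
    by_uid = {}
    for name in names:
        result = resolve(name)
        if result is not None:
            uid, gids = result
            by_uid.setdefault(uid, {})[name] = gids
    findings = []
    for uid, seen in by_uid.items():
        full = frozenset().union(*seen.values())
        findings += [(n, uid, sorted(full - g)) for n, g in seen.items() if full - g]
    return sorted(findings)


if __name__ == "__main__":
    # With arguments: query the live NSS stack. Without: use the sample.
    names = sys.argv[1:]
    resolver = nss_resolve if names else SAMPLE.get
    for name, uid, missing in compare_spellings(names or SAMPLE, resolver):
        print(f"{name!r} (uid {uid}) is missing gids {missing}")
```

Run on a domain member with the spellings as arguments: an empty result while id still disagrees points at the id binary, and a non-empty result points at the NSS/winbind lookup.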