After a lot of scratching and searching it looks like I may be hitting
Solaris' max 16 groups limit. Arrgggg.
/James
> -----Original Message-----
> From: samba-bounces+jnord=ndsuk.com@lists.samba.org
> [mailto:samba-bounces+jnord=ndsuk.com@lists.samba.org] On
> Behalf Of Nord, James
> Sent: 16 January 2008 10:07
> To: samba@lists.samba.org
> Subject: [Samba] winbind: group membership issues.
>
> Hi all,
>
> I have a Solaris 10 (update 4) box (x86) that is joined to
> an active directory via samba/winbind (3.0.25c version
> included with Solaris including latest patches).
>
> The users are working fine however their group membership is not.
>
> Users that should be members of certain groups do not seem to
> be: in that if I run 'groups' and check the group membership
> for my domain account I am missing entry of some groups yet I
> can verify that I should be a member of the missing groups by
> running 'getent group "domain\\group name"' and seeing my
> domain username entered.
>
> winbind has the following parameters set
> winbind enum users = yes
> winbind enum groups = yes
> winbind nested groups = yes
>
> I am at a loss as to why it picks up some groups and not others.
>
> The name service cache daemon is not running.
>
> wbinfo -u, -g, and -t all report correctly
>
> Has anyone come across something similar or know how to solve
> this issue?
>
> -- smb.conf --
> [global]
> workgroup = NDS-UK
> realm = UK.NDS.COM
> server string = SCG NAS server
> security = ADS
> use kerberos keytab = true
> ;password server = ukdc2.uk.nds.com
> ;passdb backend = tdbsam
> encrypt passwords = true
>
> log file = /var/samba/log/log.%m
> max log size = 50
> load printers = No
> os level = 33
> domain master = No
> wins proxy = Yes
> wins server = 172.20.126.100, 172.18.253.100
> ldap ssl = no
>
> # winbind configuration:
>
> ;winbind separator = +
> winbind enum users = yes
> winbind enum groups = yes
> winbind nested groups = yes
> ;template homedir = /samba/pchome/%D/%U
> template shell = /usr/bin/bash
>
> idmap domains = NDS-UK
> idmap config NDS-UK:default = yes
> idmap config NDS-UK:backend = tdb
> idmap config NDS-UK:range = 10000-20000
>
> idmap alloc backend = tdb
> idmap alloc config:range = 10000-20000
>
>
> [printers]
> comment = All Printers
> path = /var/spool/samba
> printable = Yes
> browseable = No
>
> [TSFiles]
> comment = MPEG-2 transport streams
> path = /zfs/internal/streams
> writeable = true
> ;user = @"NDS-UK\\domain users"
> vfs objects = zfsacl
> nfs4: mode = special
> ;inherit permissions = true
> ; root preexec = /usr/bin/snapshot_date.sh /zfs/internal/streams
>
> -- end smb.conf --
>
>
> -- nsswitch.conf --
> passwd: files winbind
> group: files winbind
>
> # You must also set up the /etc/resolv.conf file for DNS name
> # server lookup. See resolv.conf(4).
> hosts: files dns
>
> # Note that IPv4 addresses are searched for in all of the ipnodes databases
> # before searching the hosts databases.
> ipnodes: files dns
>
> networks: files
> protocols: files
> rpc: files
> ethers: files
> netmasks: files
> bootparams: files
> publickey: files
> # At present there isn't a 'files' backend for netgroup; the system will
> # figure it out pretty quickly, and won't use netgroups at all.
> netgroup: files
> automount: files
> aliases: files
> services: files
> printers: user files
>
> auth_attr: files
> prof_attr: files
> project: files
>
> tnrhtp: files
> tnrhdb: files
> -- end nsswitch.conf --
>
> Regards,
>
> James
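The mismatch described in the thread (an account listed in more groups than a process can carry) can be checked for directly. The script below is an added example, not part of the original messages: it counts the groups whose member list names a user and compares that with the supplementary group limit. The function names, the sample group names and the case-insensitive name match are assumptions; the fallback limit of 16 is the figure quoted in the thread.

```shell
#!/bin/sh
# Added example (not from the original thread): flag accounts whose listed
# group memberships exceed the per-process supplementary group limit.

# Print the names of groups whose member field lists user $1.
# Input: group(4)-format lines on stdin, e.g. the output of `getent group`.
# The name is passed through the environment, not `awk -v`, because -v
# would treat the backslash in DOMAIN\user as an escape sequence.
groups_listing_user() {
    WANT="$1" awk -F: '
        BEGIN { want = tolower(ENVIRON["WANT"]) }  # assumption: names compare case-insensitively
        {
            n = split($4, member, ",")
            for (i = 1; i <= n; i++)
                if (tolower(member[i]) == want) { print $1; break }
        }' | sort -u
}

# check_group_limit USER [LIMIT] < group-db
# Returns 0 when the listed memberships fit within LIMIT, 1 when they do not.
# LIMIT defaults to the system NGROUPS_MAX, falling back to 16.
check_group_limit() {
    user=$1
    limit=${2:-$(getconf NGROUPS_MAX 2>/dev/null || echo 16)}
    count=$(groups_listing_user "$user" | awk 'END { print NR }')
    if [ "$count" -gt "$limit" ]; then
        echo "OVER: $user is listed in $count groups, limit is $limit"
        return 1
    fi
    echo "ok: $user is listed in $count groups, limit is $limit"
}

# Constructed sample data: 18 groups listing NDS-UK\jnord, one that does not.
sample_group_db() {
    i=1
    while [ "$i" -le 18 ]; do
        printf '%s\n' "NDS-UK\\proj$i:x:$((10000 + i)):NDS-UK\\asmith,NDS-UK\\jnord"
        i=$((i + 1))
    done
    printf '%s\n' 'NDS-UK\domain admins:x:10100:NDS-UK\asmith'
}

# Offline demo on the constructed data. On a live host:
#   getent group | check_group_limit 'DOMAIN\user'
sample_group_db | check_group_limit 'NDS-UK\jnord' 16 || true
```

Only groups that name the user in their member field are counted; the primary group from the passwd entry is not included.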