Montenegro, Michael H (Michael)
2008-Aug-12 16:47 UTC
[Samba] ldap secondary/auxiliary groups not available
I have a Samba 3.0.20 installation that authenticates users using NTLM to a MS DC. The Samba installation was correctly able to authenticate users and map them to their Unix uids and gids without an issue. The Solaris box that Samba was running on was also using NIS for its naming services. I have recently migrated this machine that was using NIS for its naming services to LDAP, which is running on a separate server and running SUN DSEE 6.2 LDAP software.

I did not modify any lines in the smb.conf and all is working fine except that only the uid and primary gid are available to the Samba server. Users can no longer rely on their secondary Unix-assigned groups to access any shares that are restricted to secondary groups via their Unix group permissions. I expected the Samba software to be able to identify all of a user's groups, since the groups command accurately returns the correct listing of groups for a user.

I would like to maintain my authentication using NTLM to my MS DC but have Samba correctly identify all the groups a user belongs to. Is there a sample smb.conf available for this?

I saw the post http://lists.samba.org/archive/samba/2004-January/078106.html. It advised to make sure the nsswitch.conf uses ldap for groups, and I made sure mine is correct:

/etc/nsswitch.conf:
...
group: files ldap
...

Thanks,
Michael
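A small diagnostic helper for the situation described in this post (added here; it is not part of Michael's message or of Samba). It checks that the NSS "group" database lists ldap as a source and shows which secondary groups the group database actually returns for a user, so the NSS side can be compared against what Samba sees. The group database format and user name in the comments are assumptions.

```bash
#!/bin/sh
# Diagnostic helper (added example): verify that supplementary groups are
# resolvable through NSS before suspecting smb.conf.

# Print the sources configured for the "group" database in an nsswitch.conf
# read from stdin, e.g. "files ldap" (comments stripped).
nss_group_sources() {
    sed -n 's/^[[:space:]]*group:[[:space:]]*//p' | sed 's/#.*//'
}

# Return 0 if "ldap" is among the group sources, 1 otherwise.
# Solaris status tokens such as [NOTFOUND=return] are skipped harmlessly.
nss_group_uses_ldap() {
    for src in $(nss_group_sources); do
        [ "$src" = "ldap" ] && return 0
    done
    return 1
}

# Given a user name and a group database in getent(1) format on stdin
# (name:passwd:gid:member,member,...), print the names of the groups that
# list the user as a member, i.e. the secondary groups NSS exposes.
secondary_groups_for() {
    user=$1
    awk -F: -v u="$user" '
        {
            n = split($4, m, ",")
            for (i = 1; i <= n; i++) if (m[i] == u) { print $1; break }
        }'
}

# Live use on the Samba host (assumed user name "michael"):
#   nss_group_uses_ldap < /etc/nsswitch.conf && echo "group db includes ldap"
#   getent group | secondary_groups_for michael   # groups NSS returns
#   id michael                                    # groups the OS resolves
# If both lists match but the share still denies access, the gap is on the
# Samba side (how it builds the user's token), not in name-service setup.
```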
Montenegro, Michael H (Michael)
2008-Aug-13 19:47 UTC
[Samba] RE: ldap secondary/auxiliary groups not available
I believe there is a bug report on this issue. https://bugzilla.samba.org/show_bug.cgi?id=395

________________________________
From: Montenegro, Michael H (Michael)
Sent: Tuesday, August 12, 2008 11:30 AM
To: 'samba@lists.samba.org'
Subject: ldap secondary/auxiliary groups not available