Mark Cooke
2009-Jun-25 18:06 UTC
[Samba] samba 3.0.33 / AD / winbind / no users returned from nested groups
Hi all,

I've not found a search that addressed this problem I'm seeing with 3.0.33 (Centos 5.3 3.0.33-3.7.el5), and before I go further down the diagnostic process, I thought I'd check if what I am doing is supposed to work.

I have an install of Centos 5.3 connected to active directory, using winbind & idmap_rid (it is only serving files via samba).

[global]
        workgroup = ADF
        server string = Physics File Server 3
        netbios name = PHYNAS3
        interfaces = lo, eth0
        bind interfaces only = yes
        security = ads
        realm = ADF.BHAM.AC.UK
        passdb backend = tdbsam
        local master = no
        wins support = no
        dns proxy = yes
        load printers = no
        cups options = raw
        encrypt passwords = yes
        winbind enum users = yes
        winbind enum groups = yes
        winbind nested groups = yes
        winbind separator = +
        winbind use default domain = yes
        winbind cache time = 1800
        winbind offline logon = yes
        template shell = /bin/bash
        ;template primary group = "Domain users"
        idmap uid = 5000-1000000
        idmap gid = 5000-1000000
        idmap backend = idmap_rid:ADF=5000-1000000
        log level = 1 acls:3 winbind:10

# cat /etc/pam.d/samba
#%PAM-1.0
auth       required     pam_env.so
auth       sufficient   pam_unix.so try_first_pass nullok
auth       sufficient   pam_winbind.so use_first_pass
auth       requisite    pam_succeed_if.so uid >= 500 quiet
auth       required     pam_deny.so

account    required     pam_unix.so
account    sufficient   pam_succeed_if.so uid < 500 quiet
account    sufficient   pam_winbind.so use_first_pass
account    required     pam_permit.so

password   required     pam_cracklib.so try_first_pass retry=3
password   sufficient   pam_unix.so try_first_pass use_authtok nullok md5 shadow
password   sufficient   pam_winbind.so use_first_pass
password   required     pam_deny.so

session    optional     pam_keyinit.so revoke
session    required     pam_limits.so
session    [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session    required     pam_unix.so
session    required     pam_winbind.so use_first_pass

wbinfo -u / getent passwd / wbinfo -g work as expected.
'getent group' returns a list of groups, and users that are members of that immediate group. In a group-of-groups situation, no users are returned.

Example: gTop contains 3 subgroups gList1, gList2 and gList3. gList1, gList2 and gList3 contain users.

# getent group gTop
gTop:*:123456:

# wbinfo -t
checking the trust secret via RPC calls succeeded

The log implies that winbind is finding the 3 groups as members, but isn't doing a recursive evaluation:

[2009/06/25 18:03:28, 3] nsswitch/winbindd_group.c:winbindd_getgrnam(475)
  [12492]: getgrnam gTop
<snip>
[2009/06/25 18:03:28, 10] nsswitch/winbindd_group.c:fill_grent_mem(369)
  looked up 3 names
[2009/06/25 18:03:28, 10] nsswitch/winbindd_group.c:fill_grent_mem(389)
  processing name gList1
[2009/06/25 18:03:28, 3] nsswitch/winbindd_group.c:fill_grent_mem(398)
  name gList1 isn't a domain user (Domain Group)
[2009/06/25 18:03:28, 10] nsswitch/winbindd_group.c:fill_grent_mem(389)
  processing name gList2
[2009/06/25 18:03:28, 3] nsswitch/winbindd_group.c:fill_grent_mem(398)
  name gList2 isn't a domain user (Domain Group)
[2009/06/25 18:03:28, 10] nsswitch/winbindd_group.c:fill_grent_mem(389)
  processing name gList3
[2009/06/25 18:03:28, 3] nsswitch/winbindd_group.c:fill_grent_mem(398)
  name gList3 isn't a domain user (Domain Group)
[2009/06/25 18:03:28, 10] nsswitch/winbindd_group.c:fill_grent_mem(443)
  num_mem = 0, len = 0, mem = NULL
[2009/06/25 18:03:28, 10] nsswitch/winbindd_group.c:fill_grent_mem(450)
  fill_grent_mem returning 1

Can anyone confirm this is supposed to work, and if so, what version of Samba is being used?

Note: the directory contains 80K user objects so is very slow.

I'd initially tried this with winbind enum users/groups set to 'no' and nested groups=yes, but the behaviour is the same as above. I set everything back to 'yes', and restarted smb/winbind for testing.

Cheers,
Mark
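Added illustration, not part of Mark's post and not Samba code: the log above shows fill_grent_mem listing gTop's three members, classifying each as a "Domain Group" rather than a user, and dropping it, so the membership comes back empty. The script below does the recursive expansion a nested-group lookup needs: it parses `getent group` output lines, descends into any member that itself resolves as a group, and keeps a visited set so a membership cycle cannot loop forever. The SAMPLE_GROUPS table is constructed for offline use (gTop's gid 123456 comes from the post; the subgroup gids, the user names and the gList3 -> gTop cycle are invented). With no table given, expand_group() runs the real `getent group`, which makes it a quick way to compare what winbind returns with what full recursion would return on a host like the one described.

```python
"""Flatten nested group membership the way a recursive getent/winbind lookup should.

The data source is pluggable: a constructed table for offline runs, or the real
`getent group` command when no table is supplied.
"""
import subprocess
import sys

# Constructed sample (not real AD data): what `getent group NAME` would print for each
# group if the subgroups were listed as members. gTop's gid is from the post; the rest
# is invented. gList3 deliberately contains gTop again to exercise cycle protection.
SAMPLE_GROUPS = {
    "gTop":   "gTop:*:123456:gList1,gList2,gList3",
    "gList1": "gList1:*:123457:alice,bob",
    "gList2": "gList2:*:123458:carol",
    "gList3": "gList3:*:123459:dave,gTop",
}


def parse_group_line(line):
    """Parse a group(5)-style line 'name:pw:gid:m1,m2,...' into (name, gid, [members])."""
    name, _pw, gid, members = line.rstrip("\n").split(":", 3)
    return name, int(gid), [m for m in members.split(",") if m]


def lookup_with_getent(name):
    """Return the `getent group NAME` line, or None if NSS does not know the group."""
    proc = subprocess.run(["getent", "group", name], capture_output=True, text=True)
    if proc.returncode != 0 or not proc.stdout:
        return None
    return proc.stdout


def make_table_lookup(table):
    """Build a lookup function over a dict of name -> group line (for offline use)."""
    return lambda name: table.get(name)


def expand_group(name, lookup=lookup_with_getent, _seen=None):
    """Return the set of user names reachable from group `name`, recursing into nested groups.

    A member is treated as a group when `lookup` resolves it as one, and as a user
    otherwise. `_seen` records groups already expanded so A -> B -> A terminates.
    """
    if _seen is None:
        _seen = set()
    if name in _seen:          # already expanded: cycle or diamond, nothing new to add
        return set()
    _seen.add(name)
    line = lookup(name)
    if line is None:           # unknown group: contributes no users
        return set()
    _, _, members = parse_group_line(line)
    users = set()
    for member in members:
        if lookup(member) is not None:
            users |= expand_group(member, lookup, _seen)   # nested group: descend
        else:
            users.add(member)                              # leaf: a user account
    return users


if __name__ == "__main__":
    # Usage: python expand_group.py gTop   (queries the live NSS/winbind configuration)
    for group in sys.argv[1:]:
        print(group + ":", ",".join(sorted(expand_group(group))))
```

The group-or-user test is a heuristic: a member is taken to be a group when `getent group` resolves it, so a user account that shares its name with a group would be expanded as the group instead of listed as a user. On an idmap_rid/winbind host with `winbind use default domain = yes` the names come back unqualified, which is what this script expects; with a different separator or qualified names, adjust parse_group_line accordingly.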