samba - Mar 2010 - nss_winbind.so delivers first group only on Solaris 10

Hello,


I'm trying to integrate some of our Solaris 10 10/09 hosts into Microsoft AD
running on 2003/2008 R2 servers.
After some compile trouble I finally managed to get the whole thing running
including winbind in nsswitch.conf
for users and groups and PAM for authentication.

The problem is that winbind only reports the primary group of an AD user.
'wbinfo -r aduser' only reports  the GID of
the primary group the user is in. When I do a 'su aduser' and then
'id -a' I also get just the primary group information.
But the user is a member of several AD groups. 

I run into this problem with samba 3.3.11, 3.4.4 and 3.4.6 but it works fine
with 3.0.37 and 3.2.15.

Can anybody help ?

My setup:
Solaris 10 10/09  X86 - latest patches installed.
 
I compiled kerberos 1.6.3 and openldap 2.4.21 on my own using the c-compiler
from SunStudio 12
(Sun C 5.10 SunOS_i386 Patch 142363-03 2009/12/03) - no problems so far. Then I
tried to compile
samba 3.4.6 with the following configure options / ENV variables set:

$ ./configure --prefix=/opt/uker/samba --enable-shared-libs --with-ads
--with-pam --with-acl-support \
--with-winbind --with-krb5=/opt/uker/krb5 --with-ldap=/opt/uker/ldap
--with-shared-modules=idmap_ad --disable-cups

CC=cc
LDFLAGS=-L/opt/uker/krb5/lib -L/opt/uker/ldap/lib -L/usr/sfw/lib -L/usr/lib
-R/opt/uker/krb5/lib:/opt/uker/ldap/lib:/usr/sfw/lib:/usr/lib:/opt/uker/samba/lib
CPPFLAGS=-I/opt/uker/krb5/include -I/opt/uker/ldap/include -I/usr/sfw/include
-I/usr/include

The build was successful but joining the domain failed with various errors. I
kicked the Sun c-compiler and turned to gcc 4.3.3 from CSW.
With only the CC=gcc changed I build samba 3.4.6 again and all seemed to be fine
now. Except the the fact thet I get no secondary group
information from AD.

My smb.conf:

[global]
        workgroup = XXXXXX
        realm = XXXXXX.YYYYYY.ZZ
        security = ADS
        map to guest = Bad User
        lanman auth = Yes
        client NTLMv2 auth = Yes
        kerberos method = system keytab
        log level = 3
        log file = /var/samba/log/%m
        socket options = SO_KEEPALIVE IPTOS_LOWDELAY TCP_NODELAY
        load printers = No
        domain master = No
        wins server = wins04.xxxxxx.yyyyyy.zz
        idmap uid = 600-100000
        idmap gid = 600-100000
        winbind enum users = Yes
        winbind enum groups = Yes
        winbind use default domain = Yes
        winbind nss info = rfc2307
        winbind refresh tickets = Yes
        idmap config XXXXXX : range = 10000-19000
        idmap config XXXXXX : backend = ad

Hello,


sometimes it's so easy ...

Having a look at the GIDs in their numeric form I saw that using the following
line in smb.conf

---
idmap config XXXXXX : range = 10000-19000
---

excluded all my groups I'm interested in. So I changed my smb.conf to

---
idmap config XXXXXX : range = 1000-19000
---

and I feel fine.

best regards,
Markus


-----Urspr?ngliche Nachricht-----
Von: samba-bounces at lists.samba.org [mailto:samba-bounces at lists.samba.org]
Im Auftrag von Preller, Markus
Gesendet: Montag, 8. M?rz 2010 12:54
An: samba at lists.samba.org
Betreff: [Samba] nss_winbind.so delivers first group only on Solaris 10

Hello,


I'm trying to integrate some of our Solaris 10 10/09 hosts into Microsoft AD
running on 2003/2008 R2 servers.
After some compile trouble I finally managed to get the whole thing running
including winbind in nsswitch.conf
for users and groups and PAM for authentication.

The problem is that winbind only reports the primary group of an AD user.
'wbinfo -r aduser' only reports  the GID of
the primary group the user is in. When I do a 'su aduser' and then
'id -a' I also get just the primary group information.
But the user is a member of several AD groups. 

I run into this problem with samba 3.3.11, 3.4.4 and 3.4.6 but it works fine
with 3.0.37 and 3.2.15.

Can anybody help ?

My setup:
Solaris 10 10/09  X86 - latest patches installed.
 
I compiled kerberos 1.6.3 and openldap 2.4.21 on my own using the c-compiler
from SunStudio 12
(Sun C 5.10 SunOS_i386 Patch 142363-03 2009/12/03) - no problems so far. Then I
tried to compile
samba 3.4.6 with the following configure options / ENV variables set:

$ ./configure --prefix=/opt/uker/samba --enable-shared-libs --with-ads
--with-pam --with-acl-support \
--with-winbind --with-krb5=/opt/uker/krb5 --with-ldap=/opt/uker/ldap
--with-shared-modules=idmap_ad --disable-cups

CC=cc
LDFLAGS=-L/opt/uker/krb5/lib -L/opt/uker/ldap/lib -L/usr/sfw/lib -L/usr/lib
-R/opt/uker/krb5/lib:/opt/uker/ldap/lib:/usr/sfw/lib:/usr/lib:/opt/uker/samba/lib
CPPFLAGS=-I/opt/uker/krb5/include -I/opt/uker/ldap/include -I/usr/sfw/include
-I/usr/include

The build was successful but joining the domain failed with various errors. I
kicked the Sun c-compiler and turned to gcc 4.3.3 from CSW.
With only the CC=gcc changed I build samba 3.4.6 again and all seemed to be fine
now. Except the the fact thet I get no secondary group
information from AD.

My smb.conf:

[global]
        workgroup = XXXXXX
        realm = XXXXXX.YYYYYY.ZZ
        security = ADS
        map to guest = Bad User
        lanman auth = Yes
        client NTLMv2 auth = Yes
        kerberos method = system keytab
        log level = 3
        log file = /var/samba/log/%m
        socket options = SO_KEEPALIVE IPTOS_LOWDELAY TCP_NODELAY
        load printers = No
        domain master = No
        wins server = wins04.xxxxxx.yyyyyy.zz
        idmap uid = 600-100000
        idmap gid = 600-100000
        winbind enum users = Yes
        winbind enum groups = Yes
        winbind use default domain = Yes
        winbind nss info = rfc2307
        winbind refresh tickets = Yes
        idmap config XXXXXX : range = 10000-19000
        idmap config XXXXXX : backend = ad

-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba