Ivo Karabojkov
2012-Mar-24 20:46 UTC
[Samba] winbindd not providing supplementary groups with server 2003 AD
I have a Windows Server 2003 AD controller and a Samba 3 (3.5.11 or 3.6.3) member server running on FreeBSD 8.2/9.0. I don't use MS Services for Unix and my setup relies on winbindd for idmapping. I can see all users / groups with wbinfo -g, wbinfo -u, getent group, getent passwd. I can see all of a user's groups with id <username>. I had to solve more complicated tasks including ACLs and granting rights to AD groups. I was surprised that only the primary groups of users were honored, but supplementary groups were not. I tested with a share on a filesystem without ACLs to exclude an error in the ACLs - same problem. Using debug level 10 I saw that somehow an incorrect list of supplementary groups appears. wbinfo -r username returns ONLY the primary group of the user.

smbserver:/var/log/samba# id AD-DOMAIN_user13
uid=10014(AD-DOMAIN_user13) gid=10013(AD-DOMAIN_domain users) groups=10013(AD-DOMAIN_domain users),10022(AD-DOMAIN_accounting)

(this is correct, the user is a member of these two groups only)

getent group shows (all IDMapped groups from AD):

AD-DOMAIN_helpservicesgroup:x:10002:AD-DOMAIN_support_388
AD-DOMAIN_telnetclients:x:10003
AD-DOMAIN_wins users:x:10004
AD-DOMAIN_dhcp users:x:10005
AD-DOMAIN_dhcp administrators:x:10006
AD-DOMAIN_domain computers:x:10007
AD-DOMAIN_domain controllers:x:10008
AD-DOMAIN_schema admins:x:10009:AD-DOMAIN_job_acc,AD-DOMAIN_marti,AD-DOMAIN_administrator
AD-DOMAIN_enterprise admins:x:10010:AD-DOMAIN_job_acc,AD-DOMAIN_marti,AD-DOMAIN_administrator
AD-DOMAIN_cert publishers:x:10011
AD-DOMAIN_domain admins:x:10012:AD-DOMAIN_atan,AD-DOMAIN_job_acc,AD-DOMAIN_administrator
AD-DOMAIN_domain users:x:10013:AD-DOMAIN_marti,AD-DOMAIN_interbase,AD-DOMAIN_iii,AD-DOMAIN_plll,AD-DOMAIN_lid,AD-DOMAIN_ita
AD-DOMAIN_domain guests:x:10014
AD-DOMAIN_group policy creator owners:x:10015:AD-DOMAIN_job_acc,AD-DOMAIN_marti,AD-DOMAIN_administrator
AD-DOMAIN_ras and ias servers:x:10016
AD-DOMAIN_dnsadmins:x:10017
AD-DOMAIN_dnsupdateproxy:x:10018
AD-DOMAIN_management:x:10019:AD-DOMAIN_iva,AD-DOMAIN_marti
AD-DOMAIN_manufacture:x:10020:AD-DOMAIN_poli,AD-DOMAIN_kanc,AD-DOMAIN_delc,AD-DOMAIN_kol,AD-DOMAIN_pash,AD-DOMAIN_nik
AD-DOMAIN_offices:x:10021:AD-DOMAIN_nesh,AD-DOMAIN_stef,AD-DOMAIN_jon,AD-DOMAIN_dimi
AD-DOMAIN_accounting:x:10022:AD-DOMAIN_user01,AD-DOMAIN_pet,AD-DOMAIN_user13,AD-DOMAIN_georg,AD-DOMAIN_acct1
AD-DOMAIN_stock_management:x:10023:AD-DOMAIN_stef,AD-DOMAIN_pash,AD-DOMAIN_nik
AD-DOMAIN_trz:x:10024:AD-DOMAIN_ivan,AD-DOMAIN_georg
AD-DOMAIN_backup:x:10025
AD-DOMAIN_test2:x:10026

As I try to access a shared folder with the following permissions:

(UIDs/GIDs)
drwxrwx---  2 10012  10022  512 Mar 23 18:14 accshart

(user and group names)
drwxrwx---  2 AD-DOMAIN_user01  AD-DOMAIN_accounting  512 Mar 23 18:14 accshart

with debug level 10 I see the following strange messages:

[2012/03/23 18:58:16.606992, 5] ../libcli/security/security_token.c:63(security_token_debug)
  Security token SIDs (10):
    SID[ 0]: S-1-5-21-1579055750-3724707312-788426950-1136
    SID[ 1]: S-1-5-21-1579055750-3724707312-788426950-513
    SID[ 2]: S-1-1-0
    SID[ 3]: S-1-5-2
    SID[ 4]: S-1-5-11
    SID[ 5]: S-1-22-1-10014
    SID[ 6]: S-1-22-2-10013
    SID[ 7]: S-1-22-2-10000
    SID[ 8]: S-1-22-2-10001
    SID[ 9]: S-1-22-2-10027
   Privileges (0x 0):
   Rights (0x 0):
[2012/03/23 18:58:16.607095, 5] auth/token_util.c:527(debug_unix_user_token)
  UNIX token of user 10014
  Primary group is 10013 and contains 4 supplementary groups
  Group[ 0]: 10013
  Group[ 1]: 10000
  Group[ 2]: 10001
  Group[ 3]: 10027
[2012/03/23 18:58:16.607157, 5] smbd/uid.c:317(change_to_user_internal)
  Impersonated user: uid=(0,10014), gid=(0,10013)
[2012/03/23 18:58:16.607176, 4] smbd/vfs.c:780(vfs_ChDir)
  vfs_ChDir to /usr/accshart
[2012/03/23 18:58:16.607202, 4] smbd/vfs.c:780(vfs_ChDir)
  vfs_ChDir to /usr/accshart
[2012/03/23 18:58:16.607223, 3] smbd/service.c:190(set_current_service)
  chdir (/usr/accshart) failed, reason: Permission denied
[2012/03/23 18:58:16.607270, 3] smbd/error.c:81(error_packet_set)
  error packet at smbd/process.c(1558) cmd=50 (SMBtrans2) NT_STATUS_ACCESS_DENIED

As you can see, only the primary group [0] is correct; supplementary groups [1], [2], [3] do not exist.

wbinfo -r AD-DOMAIN_user13 returns only the primary GID: 10013

This is the same with both versions of Samba available via FreeBSD ports: 3.5.11 and 3.6.3.

Here is my Samba config:

[global]
    workgroup = AD-DOMAIN
    realm = AD-DOMAIN.LOCAL
    server string = Samba Server
    interfaces = localhost, nfe0
    bind interfaces only = Yes
    security = ADS
    map untrusted to domain = Yes
    syslog = 0
    log file = /var/log/samba/log.%m
    max log size = 500
    template homedir = /var/spool/vacation/AD-DOMAIN
    template shell = /sbin/nologin
    winbind separator = _
    winbind enum users = Yes
    winbind enum groups = Yes
    winbind nested groups = No
    winbind refresh tickets = Yes
    idmap config AD-DOMAIN : range = 10000-2000000
    idmap config AD-DOMAIN : backend = tdb
    hosts allow = 192.168.1., 10.1.55., 127.0.0.1
    map acl inherit = Yes
    case sensitive = No
    veto files = /*.eml/*.nws/*.{*}/
    veto oplock files = /*.doc/*.xls/*.mdb/*.dbf/*.pst/*.ntx/*.idx/*.cdx/*.db/*.y??/*.xg?/*.mb/*.val/*.px/*.lck/

[pub]
    comment = Public
    path = /var/samba/pub
    write list = "@SIBI-BG_Domain Admins"

[bak]
    comment = Backup Storage
    path = /var/samba/bak
    valid users = "@AD-DOMAIN_Domain Admins", @AD-DOMAIN_backup
    read only = No

[account-sh]
    comment = Account dept. Shared
    path = /usr/accshart
    read only = No
    inherit permissions = Yes

Thanks in advance for your help!

With regards,
Ivo
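The comparison the post does by hand (GIDs in smbd's UNIX token versus the memberships getent reports) can be scripted. The following is an added diagnostic, not code from the original post or from the Samba project; the getent lines and the debug_unix_user_token block are constructed samples copied from the report, and the parsing of both formats is this script's own assumption about their layout.

```python
"""Cross-check the supplementary GIDs smbd put in a user's UNIX token against
the memberships 'getent group' reports. Added diagnostic, not code from the
original post; both inputs are constructed samples taken from the report."""
import re

# Constructed sample: subset of the 'getent group' output (names may contain spaces).
GETENT_GROUP = """\
AD-DOMAIN_domain admins:x:10012:AD-DOMAIN_atan,AD-DOMAIN_job_acc,AD-DOMAIN_administrator
AD-DOMAIN_domain users:x:10013:AD-DOMAIN_marti,AD-DOMAIN_interbase
AD-DOMAIN_accounting:x:10022:AD-DOMAIN_user01,AD-DOMAIN_pet,AD-DOMAIN_user13
AD-DOMAIN_backup:x:10025
"""

# Constructed sample: the debug_unix_user_token block from the debug level 10 log.
DEBUG_LOG = """\
[2012/03/23 18:58:16.607095, 5] auth/token_util.c:527(debug_unix_user_token)
  UNIX token of user 10014
  Primary group is 10013 and contains 4 supplementary groups
  Group[ 0]: 10013
  Group[ 1]: 10000
  Group[ 2]: 10001
  Group[ 3]: 10027
"""

def parse_getent_group(text):
    """Map GID -> (group name, set of member names); ':' separates fields, so
    group names with spaces are fine. A missing 4th field means no members."""
    groups = {}
    for line in text.splitlines():
        if line.strip():
            fields = line.split(":", 3)
            members = fields[3] if len(fields) > 3 else ""
            groups[int(fields[2])] = (fields[0], {m for m in members.split(",") if m})
    return groups

def parse_unix_token(text):
    """Return (primary gid, [gids listed in the token]) from a token dump."""
    primary = int(re.search(r"Primary group is (\d+)", text).group(1))
    listed = [int(g) for g in re.findall(r"Group\[\s*\d+\]:\s*(\d+)", text)]
    return primary, listed

def check_token(user, getent_text, log_text):
    """Report GIDs in the token that no getent group has, and groups getent
    says the user belongs to that never made it into the token."""
    groups = parse_getent_group(getent_text)
    primary, listed = parse_unix_token(log_text)
    expected = {gid for gid, (_, members) in groups.items() if user in members}
    return {"unknown_in_token": [g for g in listed if g not in groups],
            "missing_from_token": sorted(expected - set(listed) - {primary})}
```

On a real host, feed it the output of getent group and the debug_unix_user_token block from the smbd log; for the sample above it reports 10000, 10001 and 10027 as GIDs no group owns and 10022 (accounting) as the membership the token lacks.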