Sven Schwedas
2014-May-28 10:12 UTC
[Samba] winbindd 4.1.7 resolves group memberships for all but primary group
We're using a bunch of AD groups – all users/groups are created and managed with ADUC. Domain Users is the primary group for all users, plus a few for our departments (and Domain Admins). All groups have their posixGroup attributes filled out.

wbinfo --group-info and getent group show the correct membership for all groups except Domain Users.

smb.conf: http://pastebin.com/ymrXZJ5u
Already tried with winbind nss info = sfu, no improvement.

LDAP excerpt (members pruned) for Domain Users:
http://pastebin.com/3ysX0S7C

LDAP excerpt for Domain Admins:
http://pastebin.com/vYTu70dV

The only difference I can see is the member field. ADUC apparently doesn't explicitly set it for the primary group (and doesn't allow me to set it manually), it only sets memberUid and msSFU30PosixMember (which are both ignored by winbindd). Is there some way I can make winbindd use the correct field, or is there a configuration problem somewhere else?

--
Mit freundlichen Grüßen, / Best Regards,
Sven Schwedas
Systemadministrator
TAO Beratungs- und Management GmbH | Lendplatz 45 | A - 8020 Graz
Mail/XMPP: sven.schwedas at tao.at | +43 (0)680 301 7167
http://software.tao.at
Sven Schwedas
2014-Jun-03 13:11 UTC
[Samba] winbindd 4.1.7 resolves group memberships for all but primary group
I don't know where exactly the problem was, even with debug 5 I was only able to see that idmap failed… somewhere (STATUS_SOME_UNMAPPED).

"Solved" by adding gids/uids to every single AD group and user.

On 2014-05-28 12:12, Sven Schwedas wrote:
> We're using a bunch of AD groups – all users/groups are created and
> managed with ADUC. Domain Users is the primary group for all users, plus
> a few for our departments (and Domain Admins). All groups have their
> posixGroup attributes filled out.
>
> wbinfo --group-info and getent group show the correct membership for all
> groups except Domain Users.
>
> smb.conf: http://pastebin.com/ymrXZJ5u
> Already tried with winbind nss info = sfu, no improvement.
>
> LDAP excerpt (members pruned) for Domain Users:
> http://pastebin.com/3ysX0S7C
>
> LDAP excerpt for Domain Admins:
> http://pastebin.com/vYTu70dV
>
> The only difference I can see is the member field. ADUC apparently
> doesn't explicitly set it for the primary group (and doesn't allow me to
> set it manually), it only sets memberUid and msSFU30PosixMember (which
> are both ignored by winbindd). Is there some way I can make winbindd use
> the correct field, or is there a configuration problem somewhere else?

--
Mit freundlichen Grüßen, / Best Regards,
Sven Schwedas
Systemadministrator
TAO Beratungs- und Management GmbH | Lendplatz 45 | A - 8020 Graz
Mail/XMPP: sven.schwedas at tao.at | +43 (0)680 301 7167
http://software.tao.at
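The workaround reported above was to give every AD user and group a uid/gid. The following added example (not part of the original posts, and not Samba code) audits an LDIF export for user and group objects that still lack `uidNumber` or `gidNumber`. The sample LDIF, the `example.com` names and the function names are constructed, and treating a user without either attribute as a finding is an assumption.

```python
import base64

# Constructed sample export (e.g. ldapsearch output); not data from the thread.
SAMPLE_LDIF = """\
dn: CN=Domain Users,CN=Users,DC=example,DC=com
objectClass: group
sAMAccountName: Domain Users
gidNumber: 10000

dn: CN=Sales,OU=Groups,DC=example,DC=com
objectClass: group
sAMAccountName: Sales

dn: CN=alice,CN=Users,DC=example,DC=com
objectClass: user
uidNumber: 10001
gidNumber: 10000

dn: CN=bob,CN=Users,DC=example,DC=com
objectClass: user
sAMAccountName:: Ym9i
"""

def parse_ldif(text):
    """Yield one dict (lower-cased attr -> list of values) per LDIF entry."""
    unfolded = text.replace("\n ", "")  # undo RFC 2849 line folding
    for block in unfolded.split("\n\n"):
        entry = {}
        for line in block.splitlines():
            if not line or line.startswith("#"):
                continue
            name, _, value = line.partition(":")
            if value.startswith(":"):  # "attr:: <base64 value>"
                value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
            entry.setdefault(name.lower(), []).append(value.strip())
        if entry:
            yield entry

def missing_posix_ids(text):
    """Return sorted (kind, name, missing attribute) tuples for users and groups."""
    findings = []
    for e in parse_ldif(text):
        classes = {c.lower() for c in e.get("objectclass", [])}
        name = e.get("samaccountname", e.get("dn", ["?"]))[0]
        if "group" in classes and "gidnumber" not in e:
            findings.append(("group", name, "gidNumber"))
        elif "user" in classes and "computer" not in classes:  # skip machine accounts
            findings += [("user", name, a) for a in ("uidNumber", "gidNumber") if a.lower() not in e]
    return sorted(findings)
```
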