Andreas Hauffe
2021-Jan-20 12:58 UTC
[Samba] Group membership not resolved on file server (winbind+kerberos+nfs4)
Hi,

I have a question, but do not know if it is a real Samba issue. I just want to ask if there is a hint.

We have a Windows domain (dom.example.de) and a subdomain of this domain (subdom.dom.example.de). Almost all accounts are from dom.example.de, and the fileserver and all clients live in subdom.dom.example.de. Some groups are defined in dom.example.de and others as domain local groups in subdom.dom.example.de. The fileserver exports SMB shares and kerberized NFSv4 shares to the clients, depending on the OS (Windows/Linux).

When a user with an account from dom or subdom logs on to a Linux client, wbinfo --user-groups shows all groups (from dom and subdom). This also works for Windows clients. When trying to get the groups for an account on the file server (wbinfo --user-groups), only the groups of the account domain are listed (dom -> dom groups, subdom -> subdom groups). This seems to be correct, since the user credentials (account tokens) are missing.

My problem is that the file server, which is a simple domain member, is never able to get the correct groups from subdom for a dom account. When logging on to a Linux client, the client shows all groups, but the file server refuses access to directories of the NFSv4 shares, since the file server itself is not able to get the full list of all groups.

On the Windows/SMB side this is working. When a user uses a Windows client first, winbind gets the correct groups, which are cached in samLogon and /proc/net/rpc/auth.unix.gid/content. Then the user is also able to access the NFSv4 shares. But if the user only uses Linux, it is not working.

When using wbinfo -K dom\\username first and then wbinfo --user-groups on the fileserver, the correct groups from dom and subdom are listed. It seems to me that the user credentials to get the groups from the other domain are not transferred to the file server by NFS.

Is there a way to get this working?

Regards,
Andreas
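Added example (not part of the original thread and not Samba code): a small check for the symptom described above, comparing the gids the kernel NFS server holds in /proc/net/rpc/auth.unix.gid/content with the gids printed by wbinfo --user-groups, to show which groups the file server lacks for a user. The uid and gid values and both sample inputs are constructed; the function names are hypothetical.

```python
# Compare the kernel NFS server's gid cache with winbind's group list.
# All sample data below is constructed; uids and gids are hypothetical.

CACHE_PATH = "/proc/net/rpc/auth.unix.gid/content"  # read this on the file server

# Constructed sample of the cache file: header, then "uid count: gid gid ..."
SAMPLE_CACHE = """#uid cnt: gids...
11001 2: 10513 10520
11002 0:
"""

# Constructed sample of `wbinfo --user-groups` output taken after `wbinfo -K`
# (one gid per line), i.e. the full list including the subdom groups.
SAMPLE_WBINFO = """10513
10520
20744
"""


def parse_gid_cache(text):
    """Return {uid: set(gids)} from auth.unix.gid/content text."""
    cache = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue  # skip blank lines and the "#uid cnt: gids..." header
        head, _, rest = line.partition(":")
        uid, count = head.split()
        gids = rest.split()
        if len(gids) != int(count):
            raise ValueError(f"gid count mismatch for uid {uid}")
        cache[int(uid)] = {int(g) for g in gids}
    return cache


def parse_wbinfo_gids(text):
    """Return the set of gids printed by `wbinfo --user-groups`."""
    return {int(tok) for tok in text.split() if tok.isdigit()}


def missing_in_cache(cache, uid, expected):
    """Gids winbind reports that the NFS cache lacks; None if uid is not cached."""
    if uid not in cache:
        return None
    return expected - cache[uid]


if __name__ == "__main__":
    cache = parse_gid_cache(SAMPLE_CACHE)
    print(sorted(missing_in_cache(cache, 11001, parse_wbinfo_gids(SAMPLE_WBINFO))))
```

On a real server, pass the contents of CACHE_PATH and the captured wbinfo output instead of the samples; a non-empty result for a uid names the groups the NFS server will not honour for that user.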
Rowland Penny
2021-Jan-20 13:13 UTC
[Samba] Group membership not resolved on file server (winbind+kerberos+nfs4)
On 20/01/2021 12:58, Andreas Hauffe via samba wrote:
> Hi,
>
> I'm having a question, but do not know if it is a real samba issue. I
> just want to ask if there is a hint.
>
> When using wbinfo -K dom\\username first and then wbinfo --user-groups
> on the fileserver, the correct groups from dom and subdom are listed.
> It seems to me, that the user credentials to get the groups from the
> other domain are not transferred to the file server by NFS.
>
> Is there a way to get this working?
>

Can you give us a bit more info:

What OS are you using on the 'fileserver'?
What version of Samba?
What is smb.conf?

Rowland