Rowland penny
2021-Jan-20 13:13 UTC
[Samba] Group membership not resolved on file server (winbind+kerberos+nfs4)
On 20/01/2021 12:58, Andreas Hauffe via samba wrote:
> Hi,
>
> I'm having a question, but do not know if it is a real samba issue. I
> just want to ask if there is a hint.
>
> When using wbinfo -K dom\\username first and then wbinfo --user-groups
> on the fileserver, the correct groups from dom and subdom are listed.
> It seems to me, that the user credentials to get the groups from the
> other domain are not transferred to the file server by NFS.
>
> Is there a way to get this working?
>

Can you give us a bit more info:

What OS are you using on the 'fileserver' ?

What version of Samba ?

What is smb.conf ?

Rowland
Andreas Hauffe
2021-Jan-20 14:17 UTC
[Samba] Group membership not resolved on file server (winbind+kerberos+nfs4)
Hi,
of course.
clients:
- OS: OpenSUSE Leap 15.1 & 15.2
- Samba version: 4.11.14
file server:
- OS: Debian 10 (Buster)
- Samba version: 4.13.3 (build after https://wiki.samba.org/index.php/Build_Samba_from_Source)
- Subdomain: ilrw.ing.dom.tu-dresden.de
- Domain: dom.tu-dresden.de
smb.conf (server):
------
# Global parameters
[global]
        bind interfaces only = Yes
        dedicated keytab file = /etc/krb5.keytab
        interfaces = lo enp1s0f0
        kerberos method = secrets and keytab
        realm = ILRW.ING.DOM.TU-DRESDEN.DE
        security = ADS
        server min protocol = SMB3_00
        template homedir = /home/users/linux/%U
        template shell = /bin/bash
        winbind refresh tickets = Yes
        winbind separator = +
        workgroup = ILRW
        idmap config * : range = 2000-2999
        idmap config ilrw : backend = rid
        idmap config ilrw : range = 3000-9999 # UID from RID for POOL
        idmap config dom : backend = rid
        idmap config dom : range = 10000-9999999 # UID from RID for DOM
        idmap config * : backend = tdb
------
krb5.conf (server + clients)
------
[libdefaults]
    default_realm = ILRW.ING.DOM.TU-DRESDEN.DE
    dns_lookup_realm = true
    dns_lookup_realm = false
    dns_lookup_kdc = true
    ticket_lifetime = 24h
    renew_lifetime = 7d
    forwardable = true
    proxiable = true
[realms]
    ILRW.ING.DOM.TU-DRESDEN.DE = {
        auth_to_local = RULE:[1:$0@$1](ILRW\.ING\.DOM\.TU-DRESDEN\.DE@.*)s/\.ING\.DOM\.TU-DRESDEN\.DE@/+/
        auth_to_local = RULE:[1:$0@$1](DOM\.TU-DRESDEN\.DE@.*)s/\.TU-DRESDEN\.DE@/+/
        auth_to_local = DEFAULT
    }
------
Andreas

On 20.01.21 at 14:13, Rowland penny via samba wrote:
> On 20/01/2021 12:58, Andreas Hauffe via samba wrote:
>> Hi,
>>
>> I'm having a question, but do not know if it is a real samba issue. I
>> just want to ask if there is a hint.
>>
>> When using wbinfo -K dom\\username first and then wbinfo
>> --user-groups on the fileserver, the correct groups from dom and
>> subdom are listed. It seems to me, that the user credentials to get
>> the groups from the other domain are not transferred to the file
>> server by NFS.
>>
>> Is there a way to get this working?
>>
>
> Can you give us a bit more info:
>
> What OS are you using on the 'fileserver' ?
>
> What version of Samba ?
>
> What is smb.conf ?
>
> Rowland
>
>
>
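
The auth_to_local rules in the krb5.conf above map a Kerberos principal to a name that uses the `+` winbind separator from smb.conf. As an added example (not part of the thread), this Python sketch evaluates those rules so the expected local name can be checked per realm. It assumes MIT krb5 semantics (the regex must match the whole string, the first matching rule wins), simplifies DEFAULT to one-component principals in the default realm, and uses constructed principals.

```python
import re

DEFAULT_REALM = "ILRW.ING.DOM.TU-DRESDEN.DE"

# Rules from the [realms] section of the krb5.conf above, in order ('@' written out).
RULES = [
    r"RULE:[1:$0@$1](ILRW\.ING\.DOM\.TU-DRESDEN\.DE@.*)s/\.ING\.DOM\.TU-DRESDEN\.DE@/+/",
    r"RULE:[1:$0@$1](DOM\.TU-DRESDEN\.DE@.*)s/\.TU-DRESDEN\.DE@/+/",
    "DEFAULT",
]

# RULE:[n:format](regex)s/pattern/replacement/[g]
RULE_RE = re.compile(r"RULE:\[(\d+):([^\]]*)\](?:\((.*)\))?(?:s/(.*?)/(.*?)/(g?))?$")


def apply_rule(rule, principal):
    """Return the local name one rule yields, or None if the rule does not apply."""
    name, _, realm = principal.rpartition("@")
    comps = name.split("/")
    if rule == "DEFAULT":
        # Simplification (assumption): only one-component principals
        # in the default realm translate to a local name.
        return comps[0] if realm == DEFAULT_REALM and len(comps) == 1 else None
    m = RULE_RE.match(rule)
    if m is None:
        raise ValueError("unsupported rule: " + rule)
    ncomp, fmt, regex, pat, repl, flag = m.groups()
    if len(comps) != int(ncomp):
        return None  # rule only covers principals with exactly n components
    parts = [realm] + comps  # $0 is the realm, $1..$n are the components
    s = re.sub(r"\$(\d)", lambda v: parts[int(v.group(1))], fmt)
    if regex is not None and re.fullmatch(regex, s) is None:
        return None  # selection string must match in full
    if pat is not None:
        # Without the trailing 'g' only the first occurrence is replaced.
        s = re.sub(pat, lambda _m: repl, s, count=0 if flag else 1)
    return s


def auth_to_local(principal):
    """Try each rule in order; the first one that applies decides the name."""
    for rule in RULES:
        local = apply_rule(rule, principal)
        if local is not None:
            return local
    return None
```

The resulting names (`ILRW+user`, `DOM+user`) are the form winbind has to resolve on the file server for group lookups to succeed.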