[Samba] Winbind Expand Groups option not fully funtional
in [Samba]
|
Prev: [Samba] Bug in Samba version in debian lenny (3.2.5) -> Users can not rename or delete files
Next: PDC directory permission fail
From: Charles Johnson on 4 Jan 2010 17:40 I am trying to authenticate samba 3.3 running on Centos 5 to Windows 2003 R2 Active Directory. 95% of my setup is working. The only thing that doesn't work are expanded groups. Whenever a group is a member of another group the permissions in samba/nss/winbind are not communicated correctly to the windows client but seem to work on the linux end of things. Here's my scenario. (All hostnames are internal) AD Groups and Members ----------------- testgroup9 members: cjohnson,erodriguez,testuser11,testuser9 testgroup10 members: testgroup9 Getent group responds correctly populating the testgroup9 members into testgroup10 testgroup9:x:111265:cjohnson,erodriguez,testuser11,testuser9 testgroup10:x:111266:cjohnson,erodriguez,testuser11,testuser9 From the shell i can.... su testuser11 cd /storage/CME/test No problem. But when I try to access the same directory in windows I get these entries in my logs.... /var/log/samba/log.smbd ------------------ [2010/01/04 16:08:25, 1] smbd/sesssetup.c:reply_spnego_kerberos(350) Failed to verify incoming ticket with error NT_STATUS_LOGON_FAILURE! log.winbindd reports no errors so it seems that the SIU/UID mapping seems to be working correctly. I know this because the minute I give access to this share to testgroup9 the windows users can immediately access the folder. ie. setfacl -m g:testgroup9:r-x /storage/CME/test Testshare on Samba FS ----------------- getfacl testshare # file: storage/CME/test # owner: root # group: Domain Users user::rwx group::rwx group:testgroup10:r-x mask::rwx other::--- I've poured through documentation for weeks including these articles among others: http://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/idmapper.html#id2598913 http://www.samba.org/samba/history/samba-3.3.0.html man smb.conf Here are my final questions. Has anyone got the "winbind expand groups" option to funtion properly with Windows clients? Am I using the proper idmap settings? Would setting up an LDAP backend with the editposix option help anything? Is there something I need to do on the Windows server side? (I have installed Unix Extentions but not sure how to assign UID/GID's) It seems that everything is working how it's supposed to 'cept I'm probably missing something very simple. Anyone with any kind of help would be appreciated. SMB.CONF --------------- [global] workgroup = CME security = ads passdb backend = tdbsam:/etc/samba/passdb.tdb idmap backend = rid (have tested with tdb also with no luck) idmap uid = 110000-119999 idmap gid = 110000-119999 idmap cache time = 3600 idmap negative cache time = 300 winbind cache time = 900 winbind expand groups = 10 winbind enum users = Yes winbind enum groups = Yes winbind use default domain = true template shell = /bin/bash template homedir = /home/%D/%U machine password timeout = 2592000 realm = CME.COM use kerberos keytab = yes password server = prod-srv-8.cme.com nt acl support = yes map acl inherit = yes winbind nss info = rcf2307 allow trusted domains = no [CME] path = /storage/CME writeable = yes inherit acls = yes inherit permissions = yes security mask = 0770 force security mode = 0770 directory security mask = 0770 force directory security mode = 0770 force create mode = 0770 map archive = yes store dos attributes = yes NSSWITCH.CONF ---------------------- passwd: files winbind shadow: files winbind group: files winbind hosts: files wins dns bootparams: nisplus [NOTFOUND=return] files ethers: files netmasks: files networks: files protocols: files winbind rpc: files winbind services: files netgroup: files winbind publickey: nisplus automount: files aliases: files nisplus winbind KRB5.CONF ---------------------- [logging] default = FILE:/var/log/krb5libs.log kdc = FILE:/var/log/krb5kdc.log admin_server = FILE:/var/log/kadmind.log [libdefaults] default_realm = CME.COM dns_lookup_realm = true dns_lookup_kdc = true ticket_lifetime = 24h forwardable = yes [realms] CME.COM = { kdc = prod-srv-8.cme.com:88 admin_server = prod-srv-8.cme.com:749 default_domain = cme.com kdc = prod-srv-8.cme.com } [domain_realm] ..cme.com = CME.COM cme.com = CME.COM [appdefaults] pam = { debug = false ticket_lifetime = 36000 renew_lifetime = 36000 forwardable = true krb4_convert = false } Joined Domain ---------------------- net ads testjoin Join is OK Time --------------------- NTP is setup on both Windows and Linux and time is always in sync. Samba Server's nameserver is the AD PDC. Authconfig --test output ------------------------------------------ caching is disabled nss_files is always enabled nss_compat is disabled nss_db is disabled nss_hesiod is disabled hesiod LHS = "" hesiod RHS = "" nss_ldap is disabled LDAP+TLS is disabled LDAP server = "ldap://127.0.0.1/" LDAP base DN = "dc=example,dc=com" nss_nis is disabled NIS server = "" NIS domain = "" nss_nisplus is disabled nss_winbind is enabled SMB workgroup = "CME" SMB servers = "prod-srv-8.cme.com" SMB security = "ads" SMB realm = "CME.COM" Winbind template shell = "/bin/bash" SMB idmap uid = "110000-119999" SMB idmap gid = "110000-119999" nss_wins is enabled pam_unix is always enabled shadow passwords are enabled password hashing algorithm is md5 pam_krb5 is enabled krb5 realm = "CME.COM" krb5 realm via dns is enabled krb5 kdc = "prod-srv-8.cme.com:88,prod-srv-8.cme.com" krb5 kdc via dns is enabled krb5 admin server = "prod-srv-8.cme.com:749" pam_ldap is disabled LDAP+TLS is disabled LDAP server = "ldap://127.0.0.1/" LDAP base DN = "dc=example,dc=com" pam_pkcs11 is disabled use only smartcard for login is disabled smartcard module = "coolkey" smartcard removal action = "Ignore" pam_smb_auth is enabled SMB workgroup = "CME" SMB servers = "prod-srv-8.cme.com" pam_winbind is enabled SMB workgroup = "CME" SMB servers = "prod-srv-8.cme.com" SMB security = "ads" SMB realm = "CME.COM" pam_cracklib is enabled (try_first_pass retry=3) pam_passwdqc is disabled () pam_access is disabled () pam_mkhomedir is enabled () Always authorize local users is enabled () Authenticate system accounts against network services is disabled Charles Johnson Information Technology Custom Manufacturing & Engineering 2904 44th Ave. N St. Petersburg, FL 33714 P: 727-548-0522 ext 1759 F: 727-541-8822 www.custom-mfg-eng.com -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba |