
[Samba] Does Samba/Winbind not follow nested groups in AD?!?


James A. Dinkel
Dec 5, 2006, 11:50:20 AM
Here's the situation: We have users who are members of groups and those
groups are sometimes members of a 2nd level of groups. If a folder has
permissions assigned to a 2nd level group, then the user can not access
the share. Doing a "getent group | grep user | grep 2nd_level_group"
also returns nothing. Samba seems to not be recognizing that a user is
a member of a group under another group.

Is there any way to enable Samba, or Winbind, to follow down the group
hierarchy?

James Dinkel

--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/listinfo/samba

Aaron Kincer
Dec 5, 2006, 4:00:14 PM
I just simulated your scenario and I have no problems.

1) User testing member of: group1

2) group1 member of group 2

3) group2 has rights to folderA

4) User testing can successfully open folderA.

5) Removing group2 rights from folderA results in access denied.

Matt Skerritt
Dec 5, 2006, 6:10:16 PM
On 06/12/2006, at 3:46 AM, James A. Dinkel wrote:

> Here's the situation: We have users who are members of groups and those
> groups are sometimes members of a 2nd level of groups. If a folder has
> permissions assigned to a 2nd level group, then the user can not access
> the share. Doing a "getent group | grep user | grep 2nd_level_group"
> also returns nothing. Samba seems to not be recognizing that a user is
> a member of a group under another group.
>
> Is there any way to enable Samba, or Winbind, to follow down the group
> hierarchy?

There is an option in smb.conf called "winbind nested groups" ... and
the help text from swat says:

"winbind nested groups (G)

If set to yes, this parameter activates the support for nested
groups. Nested groups are also called local groups or aliases. They
work like their counterparts in Windows: Nested groups are defined
locally on any machine (they are shared between DC's through their
SAM) and can contain users and global groups from any trusted SAM. To
be able to use nested groups, you need to run nss_winbind.

Please note that per 3.0.3 this is a new feature, so handle with
care.

Default: winbind nested groups = no"

So I'm guessing that you want to set winbind nested groups = yes in
your smb.conf.

--
Matt Skerritt
matt.s...@agrav.net

James A. Dinkel
Dec 6, 2006, 1:20:10 AM
> -----Original Message-----
> From: Matt Skerritt
>
> There is an option in smb.conf called "winbind nested groups" ... and
> the help text from swat says:
>
> "winbind nested groups (G)
>
> If set to yes, this parameter activates the support for nested
> groups. Nested groups are also called local groups or aliases. They
> work like their counterparts in Windows: Nested groups are defined
> locally on any machine (they are shared between DC's through their
> SAM) and can contain users and global groups from any trusted SAM. To
> be able to use nested groups, you need to run nss_winbind.
>
> Please note that per 3.0.3 this is a new feature, so handle with
> care.
>
> Default: winbind nested groups = no"
>
> So I'm guessing that you want to set winbind nested groups = yes in
> your smb.conf.
>
> --
> Matt Skerritt
> matt.s...@agrav.net

I've put the "winbind nested groups = yes" in the global section of my
samba.conf. (Sorry, I did go over the swat help text, I must have
missed this). I went ahead and rebooted the server and tried it again,
but it's still a no-go.

Aaron, in the smb.conf you showed me, you did not have "winbind nested
groups = yes" ?!? I don't remember if you've told me, but are you using
the default Samba 3.0.22 that comes with Ubuntu 6.06?

Could there be something wrong with my Winbind setup? Something that
has to do with nss_winbind maybe? Is there any way I can test this from
the Samba server, using wbinfo maybe?

Aaron Kincer
Dec 6, 2006, 8:40:20 AM
James,

You are correct--I don't have winbind nested groups = yes set in my
smb.conf. Yes, default 3.0.22. I followed the Ubuntu configuration
instructions to the letter found in the Ubuntu forums that I've posted
before with only the changes you've seen in my smb.conf. Here is the
link to the forum post:

http://ubuntuforums.org/archive/index.php/t-91510.html

If you have a machine you can throw together as a test machine, fire it
up as a stock install and follow these instructions to the letter (if
you didn't on your production box) and see if you have any success.

Here's where the rubber meets the road. If your test machine correctly
nests permissions, then there is something wrong with your production
config. If it doesn't, then you have something going on in Active Directory.

One more thing--I'm using POSIX ACLs for permissions. Are you?

James A. Dinkel
Dec 6, 2006, 10:00:26 AM
> -----Original Message-----
> From: Aaron Kincer
>
> James,
>
> You are correct--I don't have winbind nested groups = yes set in my
> smb.conf. Yes, default 3.0.22. I followed the Ubuntu configuration
> instructions to the letter found in the Ubuntu forums that I've posted
> before with only the changes you've seen in my smb.conf. Here is the
> link to the forum post:
>
> http://ubuntuforums.org/archive/index.php/t-91510.html
>
> If you have a machine you can throw together as a test machine, fire it
> up as a stock install and follow these instructions to the letter (if
> you didn't on your production box) and see if you have any success.
>
> Here's where the rubber meets the road. If your test machine correctly
> nests permissions, then there is something wrong with your production
> config. If it doesn't, then you have something going on in Active
> Directory.
>
> One more thing--I'm using POSIX ACLs for permissions. Are you?
>

Yeah, I'm using POSIX ACLs. I did not follow that Ubuntu guide; I used
some generic instructions from a couple different places. The biggest
difference I see at first glance is the krb5.conf (mine is blank, it
gets domain info from DNS) and a lot of the PAM configuration.

I'll try another machine with that Ubuntu guide and see what happens.

James Dinkel

James A. Dinkel
Dec 6, 2006, 10:20:08 AM
>
> http://ubuntuforums.org/archive/index.php/t-91510.html
>

That guide also does not say anything about adding acl and user_xattr to
the mount options of the partition containing the share.

Aaron Kincer
Dec 6, 2006, 10:30:20 AM
Right. That guide gets you in the door. The additional acl and extended
dos attributes stuff is separate.

James A. Dinkel
Dec 7, 2006, 6:30:13 PM
Well, I think I'm giving up. I've tried following that guide. I've
tried replacing my smb.conf to look just like yours. I've tried a bunch
of other things that I thought might do something.

For the life of me, I can not get nested groups to work on this server.

James Dinkel

> -----Original Message-----
> From: Aaron Kincer
>
> James,
>
> You are correct--I don't have winbind nested groups = yes set in my
> smb.conf. Yes, default 3.0.22. I followed the Ubuntu configuration
> instructions to the letter found in the Ubuntu forums that I've posted
> before with only the changes you've seen in my smb.conf. Here is the
> link to the forum post:
>
> http://ubuntuforums.org/archive/index.php/t-91510.html
>
> If you have a machine you can throw together as a test machine, fire it
> up as a stock install and follow these instructions to the letter (if
> you didn't on your production box) and see if you have any success.
>
> Here's where the rubber meets the road. If your test machine correctly
> nests permissions, then there is something wrong with your production
> config. If it doesn't, then you have something going on in Active
> Directory.
>
> One more thing--I'm using POSIX ACLs for permissions. Are you?
>

Aaron Kincer
Dec 7, 2006, 6:50:14 PM
I had some problems with authentication on a Red Hat server due to corrupted
.tdb files in /var/cache/samba and fixed it by deleting them. You could give
it a shot by stopping Samba and Winbind, backing up those files to be safe,
deleting them and restarting Samba and Winbind.

If that doesn't work, I suspect there is a problem with your AD forest. All
the pieces should be there for you.

Aaron Kincer
Dec 8, 2006, 12:00:48 PM
Native mode, global groups.

Try the test server with a stock installation and adding ACLs and
extended DOS attributes. If you do not have success with that, I can
only conclude there is corruption in your AD forest. That isn't unheard
of by the way.

If you upgraded from mixed mode to native mode, I'd wager a good chance
that your corruption started there.

James A. Dinkel wrote:
>
> The tdb thing didn’t work. Are you running your Win 2000 domain in
> mixed-mode or native-mode? (ours is native mode, so I’m wondering if
> that is a problem for samba). Also what is the scope on your groups,
> we have “global” for the scope on all our groups.
>
> James Dinkel
>
> Network Engineer
>
> Butler County of Kansas
>
> There are 10 types of people in the world: those who understand
> binary, and those who don't.
>

James A. Dinkel
Dec 8, 2006, 12:50:09 PM
Just a little update. I've found out about the 'id' command and the
'wbinfo -r' command. Both of those commands do NOT return any domain
groups that are parents over domain groups for the user.

I don't know if this gives any ideas or means anything to anybody.

James Dinkel
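A check for the gap James describes above (parent groups absent from `id` output), as an added example that is not from the thread: it computes the groups AD should resolve transitively for a user from a constructed nesting snapshot and diffs them against the groups `id <user>` reports, so a missing parent group is named explicitly rather than hunted for with grep. The user, group names, nesting and the EXAMPLEDOM prefix are all constructed; `wbinfo -r` is not parsed because it prints numeric gids.

```python
import re
from collections import deque

# Constructed AD snapshot mirroring the thread's scenario: the user is a direct
# member of group1, group1 is a member of group2, and group2 holds the folder ACL.
AD_USER_GROUPS = {"testing": ["Domain Users", "group1"]}
AD_GROUP_MEMBER_OF = {"group1": ["group2"], "group2": [], "Domain Users": []}

# Constructed `id testing` output: before (direct groups only) and after the fix.
ID_BEFORE = (r"uid=10001(EXAMPLEDOM\testing) gid=10000(EXAMPLEDOM\domain users) "
             r"groups=10000(EXAMPLEDOM\domain users),10001(EXAMPLEDOM\group1)")
ID_AFTER = ID_BEFORE + r",10002(EXAMPLEDOM\group2)"


def expected_groups(user):
    """Transitive closure of the user's AD membership, following group-in-group.
    The seen set also protects against accidental membership cycles."""
    seen, queue = set(), deque(AD_USER_GROUPS.get(user, []))
    while queue:
        group = queue.popleft()
        if group.lower() in seen:
            continue
        seen.add(group.lower())
        queue.extend(AD_GROUP_MEMBER_OF.get(group, []))
    return seen


def normalize(name):
    """Strip the winbind domain prefix (DOM\\name or DOM+name) and fold case."""
    return re.split(r"[\\+]", name, maxsplit=1)[-1].lower()


def groups_from_id(id_output):
    """Parse group names from `id <user>` output: the groups=gid(name),... part."""
    match = re.search(r"groups=(.*)$", id_output.strip())
    if not match:
        return set()
    return {normalize(n) for n in re.findall(r"\(([^)]*)\)", match.group(1))}


def missing_groups(user, id_output):
    """Groups AD resolves transitively that the Unix side does not report."""
    return expected_groups(user) - groups_from_id(id_output)


if __name__ == "__main__":
    print("missing before fix:", sorted(missing_groups("testing", ID_BEFORE)))
    print("missing after fix: ", sorted(missing_groups("testing", ID_AFTER)))
```

On a live server, feed the real `id <user>` line in place of the constructed strings and fill the two dictionaries from your directory; an empty result means winbind is flattening the nesting.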

James A. Dinkel
Dec 8, 2006, 2:40:09 PM
Updating to 3.0.23c fixed it!! I didn't even change my config. I just
uninstalled the Ubuntu packages with "apt-get remove samba-common samba
winbind", added Samba.com's Debian Sarge repository and did "apt-get
update && apt-get install samba samba-common winbind" and it installed
the newer packages from the Sarge repo.

This fixed my nested domain groups problem, hopefully it didn't
introduce any new ones. I've only done this on my test server. After a
little more QA I'll do this on my semi-production server.

Aaron Kincer
Dec 8, 2006, 4:30:15 PM
Congratulations! I stand corrected. I said I thought upgrading wasn't
the route, but I guess you were right all along. Curious that I don't
see that behavior. Who knows what gremlins were biting you and not me
despite us having the same OS, Samba version and AD environment.

Hopefully Feisty Fawn will use newer Samba packages by default.

Gerald (Jerry) Carter
Dec 13, 2006, 1:20:08 PM
James A. Dinkel wrote:
> Here's the situation: We have users who are members of groups and those
> groups are sometimes members of a 2nd level of groups. If a folder has
> permissions assigned to a 2nd level group, then the user can not access
> the share. Doing a "getent group | grep user | grep 2nd_level_group"
> also returns nothing. Samba seems to not be recognizing that a user is
> a member of a group under another group.
>
> Is there any way to enable Samba, or Winbind, to follow down the group
> hierarchy?

We (centeris) have a patch that will be merged upstream shortly.
Either myself or Danilo (it's his code) need to break it out
and submit it for review on samba-technical. Look for this in 3.0.24.

cheers, jerry
=====================================================================
Samba ------- http://www.samba.org
Centeris ----------- http://www.centeris.com
"What man is a man who does not make the world better?" --Balian
