Check your winbind group memberships -- I'm willing to bet that your winbind will only show group membership for users in the same domain as the group. We are seeing the same mis-behavior here. Group members from other domains are simply not being enumerated by winbind as a group member (getent group), even though the other-domain user itself is properly listed (getent passwd).

I tried to report this as a bug, but it was closed/reopened as a feature request. Discussion was left that I had to prove that the other-domain user can successfully connect to a resource with permissions mapped directly to that other-domain user, but fails to connect to the same resource when permissions are mapped to a domain local group in the local server's domain that contains the other-domain user. (I have yet to create this test-case because of unrelated time-constraints...)

Cheers,
-D


At 02:02 PM 3/2/2006, Trimble, Ronald D wrote:
Everyone,
        With many thanks to Jerry, my cross domain authentication is now
working.  This leads to a new problem.  I cannot get samba to
authenticate a remote domain user in a Universal group to authenticate
properly.
        Here are the details:

USTR-LINUX-1:~ # wbinfo --name-to-sid=NA\\USTR-LINUX-1-REDHAT-READ
S-1-5-21-725345543-2052111302-527237240-349134 Domain Group (2)

USTR-LINUX-1:~ # wbinfo --name-to-sid=EU\\inblr-auth1
S-1-5-21-606747145-879983540-1177238915-173280 User (1)

USTR-LINUX-1:~ # wbinfo --user-domgroups=S-1-5-21-606747145-879983540-1177238915-173280
S-1-5-21-606747145-879983540-1177238915-513
.
.
.
S-1-5-21-606747145-879983540-1177238915-79634
S-1-5-21-606747145-879983540-1177238915-79966
S-1-5-21-725345543-2052111302-527237240-349134  **Here is the group!!**
S-1-5-21-725345543-2052111302-527237240-177738
S-1-5-21-725345543-2052111302-527237240-349185
S-1-5-21-725345543-2052111302-527237240-307510
S-1-5-21-725345543-2052111302-527237240-177742
S-1-5-21-606747145-879983540-1177238915-90389
S-1-5-21-606747145-879983540-1177238915-72164
S-1-5-21-606747145-879983540-1177238915-91149
S-1-5-21-606747145-879983540-1177238915-70785
S-1-5-21-606747145-879983540-1177238915-91412

However, when I try to set up a test web page to
        require group "NA\USTR-LINUX-1-REDHAT-READ"

And then attempt to access the page, I get the following error:
[error] [client 192.63.xxx.xxx] GROUP: EU\\inblr-auth1 not in required group(s).

Does anyone else have something like this working?  What am I doing
wrong?

Thanks,
Ron

--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/listinfo/samba

Don Meyer                                           <[EMAIL PROTECTED]>
Network Manager, ACES Academic Computing Facility
Technical System Manager, ACES TeleNet System
UIUC College of ACES, Information Technology and Communication Services

"They that can give up essential liberty to obtain a little temporary safety, deserve neither liberty or safety." -- Benjamin Franklin, 1759
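The discrepancy discussed in this thread (the group SID shows up in `wbinfo --user-domgroups` while `getent group` does not enumerate the other-domain user) can be checked mechanically. The script below is an added example, not part of the original messages; the function names are hypothetical, the SIDs are taken from the thread, and the `getent group` line (gid and `NA\localuser` member) is constructed.

```shell
#!/bin/sh
# Added example: compare a user's domain-group SIDs (wbinfo --user-domgroups)
# with the members that getent group enumerates for the same group.

# Domain part of a SID: everything before the final -RID.
domain_of_sid() { printf '%s\n' "${1%-*}"; }

# Succeeds if SID $1 is the first field of any stdin line.
sid_in_list() {
    WANT="$1" awk '$1 == ENVIRON["WANT"] { f = 1 } END { exit !f }'
}

# Succeeds if user $1 is in the member field of a getent group line on stdin.
# The name goes through ENVIRON so awk leaves the backslash separator alone.
member_in_group_line() {
    WANT="$1" awk -F: '{ n = split($4, m, ",")
        for (i = 1; i <= n; i++) if (tolower(m[i]) == tolower(ENVIRON["WANT"])) f = 1 }
        END { exit !f }'
}

# diagnose USER USER_SID GROUP_SID DOMGROUPS_OUTPUT GETENT_GROUP_LINE
diagnose() {
    in_sids=no; in_enum=no; scope=same-domain
    if printf '%s\n' "$4" | sid_in_list "$3"; then in_sids=yes; fi
    if printf '%s\n' "$5" | member_in_group_line "$1"; then in_enum=yes; fi
    if [ "$(domain_of_sid "$2")" != "$(domain_of_sid "$3")" ]; then
        scope=cross-domain
    fi
    case "$in_sids/$in_enum" in
        yes/no)  echo "$scope: in domgroups, missing from getent group" ;;
        yes/yes) echo "$scope: consistent, member in both views" ;;
        no/yes)  echo "$scope: enumerated, but group SID not in domgroups" ;;
        *)       echo "$scope: not a member in either view" ;;
    esac
}

# SIDs are a subset of those quoted in the thread; the getent line is constructed.
USER_SID=S-1-5-21-606747145-879983540-1177238915-173280
GROUP_SID=S-1-5-21-725345543-2052111302-527237240-349134
DOMGROUPS="S-1-5-21-606747145-879983540-1177238915-513
S-1-5-21-725345543-2052111302-527237240-349134
S-1-5-21-725345543-2052111302-527237240-177738"
GROUP_LINE='NA\USTR-LINUX-1-REDHAT-READ:x:10001:NA\localuser'  # constructed

diagnose 'EU\inblr-auth1' "$USER_SID" "$GROUP_SID" "$DOMGROUPS" "$GROUP_LINE"
```

On a live host the fourth and fifth arguments would be the output of `wbinfo --user-domgroups=<user SID>` and `getent group '<group name>'`.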