Indeed! It seems to me that if a member server of domain A can get the list of groups from DC in A, and can enumerate the users from both domains A & B, then it should be able to present the membership of a group in A, to the extent that the users belong to domain A or B. Right now, winbind can only present that membership for users that are in the same domain as the group -- in this example, only from domain A.

Quite frankly, I can understand why a Samba member server in domain A might not be able to fully present the group membership for a group from domain B -- but it really ought to be able to do it more fully when the group in question is from its own domain...

And especially when other tools in the suite can do it:

        net rpc group members {groupname} -S {domain-name} -U {username%pass}

Will get you a correct listing of group membership if username%pass is valid credentials on the specified domain. (Does not have to be admin in my testing.)

Since winbind has access to the "auth-user" that can be set by "wbinfo --set-auth-user=...", and it knows which domain to query from the group list, winbind should be able to put 2 & 2 together to get a proper group listing from the home domain.

(Yes, assuming "wbinfo --set-auth-user=" has been used to set the auth-user credentials to use, and assuming that those credentials are for the server's home domain.)

It would sure be nice if Winbind would at least try to derive a full(er) group list, rather than simply not bothering to try because it won't always succeed...

Cheers,
-D


At 01:28 PM 5/10/2006, Trimble, Ronald D wrote:
Volker,
        I know you and I have been over this in the past, but I have a
few questions based on this thread.  If winbind does correctly list the
groups, why does it not correctly tell you that the user is indeed a
member of that group?  Are you saying that if you were an admin in all
domains it would work?  What if the server was not merely a member
server?  Would it work then?
        I am not trying to be a pain, I am just looking for solutions to
a problem that lots of other Windows admins like myself see as a huge
issue.

Sincerely,
Ron


-----Original Message-----
From: Volker Lendecke [mailto:[EMAIL PROTECTED]] On Behalf Of Volker Lendecke
Sent: Wednesday, May 10, 2006 11:17 AM
To: Trimble, Ronald D
Cc: [email protected]
Subject: Re: [Samba] AD users from different AD domains - update

On Wed, May 10, 2006 at 11:00:44AM -0400, Trimble, Ronald D wrote:
> In other words, i would like to know if it is possible to
> check the membership of a user in a group of another AD
> domain ?

No, it is not. The only operation regarding group membership
that is doable reliably is getting the list of groups a user
is a member of directly while this user is logging in.

Anything beyond that like asking the same question without
having logged in, getting a list of members of a group,
getting lists of users and groups and so on will sooner or
later fail if you are not administrator of all domains in
question. Winbind is not made for being admin in all
domains, and this is nothing that you _want_ winbind on a
member server to be.

Please look at the explanations in bug #3530. Don't wait for
this to be fixed.

Volker
--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/listinfo/samba

Don Meyer                                           <[EMAIL PROTECTED]>
Network Manager, ACES Academic Computing Facility
Technical System Manager, ACES TeleNet System
UIUC College of ACES, Information Technology and Communication Services

"They that can give up essential liberty to obtain a little temporary safety, deserve neither liberty or safety." -- Benjamin Franklin, 1759
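The `net rpc group members` listing quoted at the top of this thread, handled in an added shell example (not code from the thread or from Samba): it parses the DOMAIN\user lines the command prints, checks a given user against the full cross-domain member list, and shows the same-domain subset that winbind would report. The constructed sample output and the DOMA/DOMB domain names are assumptions.

```shell
#!/bin/sh
# Added example: work with the output of "net rpc group members", which lists
# members from every trusted domain, unlike winbind's same-domain-only view.

# Constructed sample of what "net rpc group members" prints: one DOMAIN\user
# per line. Real output comes from run_net_group_members below.
SAMPLE_MEMBERS='DOMA\alice
DOMA\bob
DOMB\carol
DOMB\dave'

# is_member MEMBER_LIST DOMAIN\user
# Returns 0 if the user appears in the list (case-insensitive), 1 otherwise.
is_member() {
    _list=$1
    _user=$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')
    printf '%s\n' "$_list" | tr '[:upper:]' '[:lower:]' | grep -qxF -- "$_user"
}

# members_from_domain MEMBER_LIST DOMAIN
# Prints only the members whose account lives in DOMAIN, i.e. the subset
# winbind presents for a group of that domain.
members_from_domain() {
    printf '%s\n' "$1" | grep -i "^$2\\\\"
}

# Live query, using the net(8) invocation quoted in the thread:
#   net rpc group members GROUP -S DC -U 'user%pass'
# Note: credentials given with -U are visible in the process list; net also
# accepts -A <authfile> to read them from a file instead.
run_net_group_members() {
    net rpc group members "$1" -S "$2" -U "$3"
}
```

Feed the output of `run_net_group_members` to `is_member` to answer the "is this user from the other domain in my group" question that winbind alone cannot.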