On Tue, Jun 27, 2006 at 05:45:08PM -0700, Rob Tanner wrote: > So, at this point, I'm not sure how to go about starting to debug why > winbind isn't showing my membership in the 'CATNET\adm' group as well. > I've followed the procedures in the official HOWTO, but if there's > something I missed that would cause just this particular problem, do you > know what that might be?
Using something like 'getent group | grep <whatever>' is unreliable and will always be. However, we are trying to get you access via SMB or after having logged in via pam_winbind even on heavily nested group memberships. It might be true that we are not there yet, but it is achievable. This getent group thing does not work reliably, there's just too many games you can play with group membership in AD. There is one thing that should *always* work however: When presenting the correct username and password to a domain controller, it's this DC's task to untangle the group memberships for us and present the correct group list in the reply to the query whether user Joe has typed in his password correctly. This is a completely different query from listing the groups and figuring out the memberships yourself. It might be possible that we don't yet make proper use of the information the DC has figured out for us. If you have a case where it fails against 3.0.23rc3, please file a bug report at https://bugzilla.samba.org/ with debug level 10 logs of smbd and winbind. I know that there already is one with a similar problem, I just did not yet get around to really walk that stuff. Volker
pgpV7sc38ysnD.pgp
Description: PGP signature
-- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
