Native mode, global groups.
Try the test server with a stock installation and adding ACLs and
extended DOS attributes. If you do not have success with that, I can
only conclude there is corruption in your AD forest. That isn't unheard
of by the way.
If you upgraded from mixed mode to native mode, I'd wager a good chance
that your corruption started there.
James A. Dinkel wrote:
The tdb thing didn’t work. Are you running your Win 2000 domain in
mixed-mode or native-mode? (ours is native mode, so I’m wondering if
that is a problem for samba). Also what is the scope on your groups,
we have “global” for the scope on all our groups.
**James Dinkel**
Network Engineer
Butler County of Kansas
//There are 10 types of people in the world: those who understand
binary, and those who don't.//
------------------------------------------------------------------------
*From:* Aaron Kincer [mailto:[EMAIL PROTECTED]
*Sent:* Thursday, December 07, 2006 5:43 PM
*To:* James A. Dinkel
*Cc:* [email protected]
*Subject:* Re: [Samba] Does Samba/Winbind not follow nested groups in
AD?!?
I had some problems with authentication on a Red Hat server due to
corrupted .tdb files in /var/cache/samba and fixed it by deleting
them. You could give it a shot by stopping Samba and Winbind, backing
up those files to be safe, delete them and restart Samba and WInbind.
If that doesn't work, I suspect there is a problem with your AD
forest. All the pieces should be there for you.
On 12/7/06, *James A. Dinkel* < [EMAIL PROTECTED]
<mailto:[EMAIL PROTECTED]>> wrote:
Well, I think I'm giving up. I've tried following that guide. I've
tried replacing my smb.conf to look just like yours. I've tried a bunch
of other things that I though might do something.
For the life of me, I can not get nested groups to work on this server.
James Dinkel
> -----Original Message-----
> From: Aaron Kincer
>
> James,
>
> You are correct--I don't have windbind nested groups = yes set in my
> smb.conf. Yes, default 3.0.22. I followed the Ubuntu configuration
> instructions to the letter found in the Ubuntu forums that I've posted
> before with only the changes you've seen in my smb.conf. Here is the
> link to the forum post:
>
> http://ubuntuforums.org/archive/index.php/t-91510.html
>
> If you have a machine you can throw together as a test machine, fire
it
> up as a stock install and follow these instructions to the letter (if
> you didn't on your production box) and see if you have any success.
>
> Here's where the rubber meets the road. If your test machine correctly
> nests permissions, then there is something wrong with your production
> config. If it doesn't, then you have something going on in Active
> Directory.
>
> One more thing--I'm using POSIX ACLs for permissions. Are you?
>
> James A. Dinkel wrote:
> >> -----Original Message-----
> >> From: Matt Skerritt
> >>
> >> There is an option in smb.conf called "winbind nested groups" ...
and
> >> the help text from swat says:
> >>
> >> "winbind nested groups (G)
> >>
> >> If set to yes, this parameter activates the support for nested
> >> groups. Nested groups are also called local groups or aliases. They
> >> work like their counterparts in Windows: Nested groups are defined
> >> locally on any machine (they are shared between DC's through their
> >> SAM) and can contain users and global groups from any trusted SAM.
To
> >> be able to use nested groups, you need to run nss_winbind.
> >>
> >> Please note that per 3.0.3 this is a new feature, so handle
with
> >> care.
> >>
> >> Default: winbind nested groups = no"
> >>
> >> So I'm guessing that you want to set winbind nested groups = yes in
> >> your smb.conf.
> >>
> >> --
> >> Matt Skerritt
> >> [EMAIL PROTECTED] <mailto:[EMAIL PROTECTED]>
> >>
> >
> > I've put the "winbind nested groups = yes" in the global section of
my
> > samba.conf. (Sorry, I did go over the swat help text, I must have
> > missed this). I went ahead and rebooted the server and tried it
again,
> > but it's still a no-go.
> >
> > Aaron, in the smb.conf you showed me, you did not have "winbind
nested
> > groups = yes" ?!? I don't remember if you've told me, but are you
using
> > the default Samba 3.0.22 that comes with Ubuntu 6.06?
> >
> > Could there be something wrong with my Winbind setup? Something
that
> > has to do with nss_winbind maybe? Is there any way I can test this
from
> > the Samba server, using wbinfo maybe?
> >
> >
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/listinfo/samba
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/listinfo/samba
