Dear list, I'm trying to get a Thumper (Sun Fire X4500) to play nice with AD so that we can offer a nearline storage service. Since many of our users will have multiple group memberships, it's imperative that samba be able to recurse through the groups that a user is a member of to determine if they have access to a resource.
What happens instead is that every user who authenticates is assigned only one group, the "UIUC+domain users" group. Example:

    # ls -l /export
    total 72
    d---rwx---   2 root           UIUC+domain users   8 Dec  4 14:12 arrakis
    d---rwx---+  3 UIUC+vanhoudn  UIUC+wsg staff      3 Dec  3 16:49 wsg

    # getent group UIUC+wsg\ staff
    UIUC+wsg staff:x:10031:UIUC+cyliang,UIUC+vanhoudn,UIUC+cgoldsmi,UIUC+hougland,UIUC+johnshea,UIUC+jbooth,UIUC+mchesnut,UIUC+dbweber

    # groups UIUC+vanhoudn
    UIUC+domain users

    # getent passwd UIUC+vanhoudn
    UIUC+vanhoudn:*:10000:10004:vanhoudn:/home/samba/UIUC/vanhoudn:/usr/bin/false

So, even though UIUC+vanhoudn is listed as a member of "UIUC+wsg staff", the groups command only sees that he is a member of "UIUC+domain users".

I figured that maybe this had something to do with nested groups, so I sat down with the docs. On page 256 of the Samba 3 howto, there is mention of setting this up using

    # net rpc group add ...

However, on my setup, it returns:

    Could not connect to server 127.0.0.1
    The username or password was not correct.
    Connection failed: NT_STATUS_LOGON_FAILURE

I'm assuming that this is because I'm using AD instead of RPC. For example:

    # net rpc testjoin
    Unable to find a suitable server
    Join to domain 'UIUC' is not valid

    # net ads testjoin
    Join is OK

which demonstrates that AD is okay and RPC is not.

Perhaps I'm barking up the wrong tree about nested groups. Any pointers to documentation (or just out-and-out fixes!) would be appreciated. Version information and my smb.conf file follow after my sig, in case it is useful to you. Also, I mostly followed the howto here: http://blogs.sun.com/jurasek/entry/ads_domain_member_server1 to initially set it up. (Just in case that helps.)
Cheers,
Nathan VanHoudnos

Kernel version:

    # uname -a
    SunOS shai-hulud.cites.uiuc.edu 5.10 Generic_127112-02 i86pc i386 i86pc

Samba version:

    # /usr/sfw/smbd -V
    Version 3.0.25c

/etc/sfw/smb.conf:

    [global]
        realm = AD.UIUC.EDU
        workgroup = UIUC
        security = ADS
        use kerberos keytab = true
        encrypt passwords = yes
        server string = Samba 3.0.x ADS

        #Winbind configuration:
        winbind separator = +
        template homedir = /home/samba/%D/%U
        # Make their shell fail, just in case
        template shell = /usr/bin/false
        idmap domains = UIUC
        idmap config UIUC:default = yes
        idmap config UIUC:backend = tdb
        idmap config UIUC:range = 1000-200000
        idmap alloc backend = tdb
        idmap alloc config:range = 1000-200000

        # Stuff to get all the users via winbind
        winbind enum users = Yes
        winbind enum groups = Yes
        winbind nested groups = Yes
        idmap uid = 1000-200000
        idmap gid = 1000-200000

        # Logging
        log level = 5
        debug level = 3
        log file = /var/log/syslog/samba.log.%m

    [arrakis]
        path = "/export/arrakis"
        comment = "Arraken Test share"
        writeable = yes
        user = @"UIUC+domain users"
        vfs objects = zfsacl
        nfs4: mode = special

    [wsg]
        path = "/export/wsg"
        comment = "Only WSG should be able to access"
        writeable = yes
        valid users = @"UIUC+wsg staff"
        vfs objects = zfsacl
        nfs4: mode = special
