
[Samba] Winbind problem w/ ADS domain local group and other-domain



02-14-2006
Don Meyer

This one is probably going off into the esoteric side of things, but
Samba/winbind doesn't seem to be working quite as expected in one
particular area -- domain local groups having members from other
trusted domains. I've searched extensively (google and
elsewhere...), and have found little/no mention of this particular
problem: "domain local group" members from other trusted domains are
not showing up in group lists as enumerated via winbind. Yet group
members from the same domain as the domain local group are
enumerated/listed properly.


In a rather complex ADS arrangement (described below), I have several
RHEL4 systems with Samba/Winbind installed and
configured. Everything appears to be working properly thus far:
users & groups from the default domain are properly enumerated and
resource permissions are mapping correctly. Users and groups from
2-way trusted domains are also enumerated. (This was evaluated with
"wbinfo -u|g" & "getent passwd|group".)

The domain structure & relationships are a bit hairy though, and need
to be spelled out:
Three independent ADS domains in separate forests: "A","B","C"
"A" & "B" have an established 2-way trust.
"A" has a 1-way trust: trusting "C"
There is also a single NT4 domain: "Z"
"A" & "Z" have an established 2-way trust.

For simplicity, we will only deal with "A" & "B" here. The RHEL4
systems are member servers in domain "A". This is tested under Samba
versions 3.0.10-1.4E2 & 3.0.21b-3.

I can see groups from domain "B" just fine in the output, and their
membership of users from domain "B" -- these should be the
global|universal groups from domain "B".

Also, both "A\g-wiz" and "B\j-bogus" show up properly in output from:
wbinfo -u
getent passwd


The PROBLEM:

There are domain local groups defined in "A" that have members from
these other domains. (E.g. domain local group "A\dl_grp" is defined
on the Win2K3 DCs as consisting of two users: "A\g-wiz" and "B\j-bogus".)

On the linux systems, the command:
getent group
shows a group membership for "A\dl_grp" of only one user:
"A\g-wiz".


Now, when I run the command:
net rpc group members dl_grp -S "A" -U:A\\admin%passwd

I receive the full and proper list of users:
A\g-wiz
B\j-bogus


Furthermore, testing user account group membership:
net ads user info g-wiz -S "A" -U:admin%passwd
yields the single response:
"dl_grp"

net ads user info A\\g-wiz -S "A" -U:admin%passwd
yields an empty list.

net ads user info B\\j-bogus -S "A" -U:admin%passwd
yields an empty list.


Now, to get more interesting:
net rpc user info g-wiz -S "A" -U:admin%passwd
yields the more complete response:
"dl_grp"
"Domain Users"

**NOTE the difference between "ads" & "rpc" methods...**

As above with ads, both of the following commands:
net rpc user info A\\g-wiz -S "A" -U:admin%passwd
net rpc user info B\\j-bogus -S "A" -U:admin%passwd
... still yield an empty list.



When I test group membership from a Windows-based member server, we
get the proper list of both "A\g-wiz" & "B\j-bogus".

I have tested these scenarios under both versions of Samba mentioned
above, as well as with the option "winbind use default domain" both
yes & no. I've tested independently with the "winbind separator"
set to "\\" and to "/". Results were identical under all variations tested.


My suspicion is that winbind is somehow limiting its enumeration of
group membership to users from the same domain to which the group
belongs. I believe this to be incorrect behavior, given that a
windows server reports the full list, and that at least one command
on the linux system can properly obtain the full list from the W2K3
DCs. (That said, I remain open to the thought that it might be a
misconfiguration on my part - despite the apparent normal operation
of all other aspects on the linux/samba system.)

I am more than willing to work in- or out-of-band to try to narrow
down the problem/answer questions/test patches/etc.





smb.conf (testparm output) follows:
--------------------------------------------------------------------------------------------
[global]
workgroup = ACES
realm = COLLEGE.ACESNET.UIUC.EDU
netbios name = X-ACES-LBE-2
server string = %L (Samba v%v)
security = ADS
password server = college.acesnet.uiuc.edu
username map = /etc/samba/smbusers
log file = /var/log/samba/%m.log
max log size = 50
name resolve order = host lmhosts wins bcast
deadtime = 15
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
local master = No
dns proxy = No
wins server = 128.###.#.#0, 128.###.#.#1
idmap uid = 10000-100000000
idmap gid = 10000-100000000
template homedir = /home/gaol
winbind separator = \
winbind cache time = 10
hosts allow = 127., 128.###.###.0/255.255.254.0, 128.###.###.0/255.255.254.0, 130.###., 128.###.##.
case sensitive = No
# include = /etc/samba/smb.conf.lbe-2

[dev-W]
path = /export/dev/W
valid users = "@ITCS CSS Team", "@Domain Admins", IUSR_ACESWEB
admin users = "@Domain Admins"
read only = No
create mask = 0664
directory mask = 02770
inherit permissions = Yes
veto oplock files = /*.TTF/*.XLS/*.DOC/

[prod-W]
path = /export/prod/W
valid users = "@ITCS CSS Team", "@Domain Admins", IUSR_ACESWEB
admin users = "@Domain Admins"
read only = No
create mask = 0664
directory mask = 02770
inherit permissions = Yes
veto oplock files = /*.TTF/*.XLS/*.DOC/

[tmp]
comment = Temporary file space
path = /tmp
valid users = "@ITCS CSS Team", "@Domain Admins"
admin users = "@Domain Admins"
read only = No
create mask = 0664
directory mask = 02770
dos filetime resolution = Yes
--------------------------------------------------------------------------------------------


Don Meyer <dlmeyer@uiuc.edu>
Network Manager, ACES Academic Computing Facility
Technical System Manager, ACES TeleNet System
UIUC College of ACES, Information Technology and Communication Services

"They that can give up essential liberty to obtain a little temporary safety,
deserve neither liberty or safety." -- Benjamin Franklin, 1759

--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/listinfo/samba
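The post's diagnosis rests on comparing two views of the same group: what winbind hands to `getent group` and what the DC returns to `net rpc group members`. The following script, an added example that is not code from the original post or from the Samba project, parses constructed samples of both outputs (mirroring the thread's `A\dl_grp` case), normalises names across the `winbind separator` and `winbind use default domain` variations the poster tried, and reports the membership gap; a non-empty gap means any share protected by `valid users = @group` is not enforcing what the DC defines.

```python
"""Compare winbind's view of a group (getent group) with the DC's view
(net rpc group members) and report the members winbind does not list.
Added example, not code from the original post.  Sample outputs are
constructed to mirror the thread: winbind lists only A\\g-wiz for the
domain local group A\\dl_grp, while the DC reports A\\g-wiz and B\\j-bogus."""

DEFAULT_DOMAIN = "A"  # domain the member server is joined to
# Constructed sample output, in the formats the two commands print.
GETENT_SAMPLE = "A\\dl_grp:x:10042:A\\g-wiz\nB\\some_grp:x:10043:B\\j-bogus\n"
NET_RPC_SAMPLE = "A\\g-wiz\nB\\j-bogus\n"


def normalize(name, separator="\\", default_domain=DEFAULT_DOMAIN):
    """Split 'DOM\\user', 'DOM/user' or bare 'user' into (DOMAIN, user).
    Bare names ('winbind use default domain = yes') belong to the default
    domain; Windows names are case-insensitive, so case is folded."""
    for sep in (separator, "\\", "/"):
        if sep in name:
            dom, _, user = name.partition(sep)
            return dom.upper(), user.lower()
    return default_domain.upper(), name.lower()


def parse_getent_group(text, group, separator="\\", default_domain=DEFAULT_DOMAIN):
    """Member set winbind reports for `group` in `getent group` output
    (name:x:gid:m1,m2,...), or None if the group is not listed."""
    want = normalize(group, separator, default_domain)
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) >= 4 and normalize(fields[0], separator, default_domain) == want:
            return {normalize(m, separator, default_domain)
                    for m in fields[3].split(",") if m}
    return None


def parse_net_rpc_members(text, default_domain=DEFAULT_DOMAIN):
    """Member set from `net rpc group members` output (one DOMAIN\\user per line)."""
    return {normalize(line.strip(), "\\", default_domain)
            for line in text.splitlines() if line.strip()}


def membership_gap(winbind_members, dc_members):
    """Members the DC reports but winbind omits, and vice versa.  Any difference
    means 'valid users = @group' on a share does not match the DC's intent."""
    return {"missing_from_winbind": dc_members - winbind_members,
            "extra_in_winbind": winbind_members - dc_members}


if __name__ == "__main__":
    gap = membership_gap(parse_getent_group(GETENT_SAMPLE, "A\\dl_grp"),
                         parse_net_rpc_members(NET_RPC_SAMPLE))
    for kind, names in gap.items():
        print(kind, sorted(f"{d}\\{u}" for d, u in names))
```

On a live system, feed the script the real output of `getent group` and `net rpc group members <group> -S <dc> -U <user>` instead of the constructed samples; a group that resolves differently on the member server than on the DC is the condition the post describes.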