[Samba] nested group support still broken in 3.2.2?
Hi there

I've just upgraded to 3.2.2 and it still looks like nested group support isn't finished?

e.g. if I have "domain1/user1" in group "domain2/group1" and that in turn is in "domain3/group2" (i.e. domain1/user1 is in domain3/group2), then "getent group domain3/group2" should return domain1/user1 - and yet it doesn't. "winbind enum groups" is enabled if that matters (it didn't seem to make a difference).

However, "id domain1/user1" does show that domain3/group2 is listed as one of that user's groups - so it's working well in that direction...?

Am I right, or have we got a problem that could actually be fixed? :-) This is under FC8.

Thanks!

--
Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1

--
To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
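The comparison described in this post (the group shows up in `id` output for the user, but the user is missing from `getent group` for that group), as an added example that is not part of the original post: it parses both outputs and lists the groups where the two directions disagree. The sample output is constructed using the thread's names, and matching names case-insensitively is an assumption.

```python
import re

# Constructed sample output (not taken from the thread).
SAMPLE_ID = ("uid=10001(domain1/user1) gid=10000(domain1/domain users) "
             "groups=10000(domain1/domain users),10007(domain2/group1),"
             "10012(domain3/group2)")
SAMPLE_GETENT = [
    "domain1/domain users:x:10000:domain1/user1,domain1/user2",
    "domain2/group1:x:10007:domain1/user1",
    "domain3/group2:x:10012:",  # nested member not expanded
]


def parse_id(line):
    """Return (user, set of group names) from one line of `id <user>` output."""
    user = re.search(r"uid=\d+\(([^)]*)\)", line).group(1)
    groups_field = line.split("groups=", 1)[1]
    groups = re.findall(r"\d+\(([^)]*)\)", groups_field)
    # Assumption: names are compared case-insensitively.
    return user.lower(), {g.lower() for g in groups}


def parse_getent_group(line):
    """Return (group, set of members) from one `getent group <name>` line."""
    name, _passwd, _gid, members = line.rstrip("\n").split(":", 3)
    return name.lower(), {m.lower() for m in members.split(",") if m}


def asymmetric_groups(id_line, getent_lines):
    """Groups that `id` reports for the user but whose member list omits the user.

    A group with no `getent group` line at all is also reported, since an
    empty lookup is the same disagreement seen from the group side.
    """
    user, groups = parse_id(id_line)
    listed = dict(parse_getent_group(l) for l in getent_lines if l.strip())
    return sorted(g for g in groups if user not in listed.get(g, set()))


if __name__ == "__main__":
    for group in asymmetric_groups(SAMPLE_ID, SAMPLE_GETENT):
        print("id lists the group, getent group omits the user:", group)
```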
Jason Haar wrote:
> Hi there
>
> I've just upgraded to 3.2.2 and it still looks like nested group support
> isn't finished?
>
> e.g. if I have "domain1/user1" in group "domain2/group1" and that in
> turn is in "domain3/group2" (i.e. domain1/user1 is in domain3/group2),
> then "getent group domain3/group2" should return domain1/user1 - and yet
> it doesn't. "winbind enum groups" is enabled if that matters (it didn't
> seem to make a difference)
>
> However, "id domain1/user1" does show that domain3/group2 is listed as
> one of that user's groups - so it's working well in that direction...?
>
> Am I right, or have we got a problem that could actually be fixed? :-)
> This is under FC8.

What is "winbind expand groups" set to?

cheers, jerry
--
=====================================================================
Samba ------- http://www.samba.org
Likewise Software --------- http://www.likewisesoftware.com
"What man is a man who does not make the world better?" --Balian
Gerald (Jerry) Carter wrote:
> What is "winbind expand groups" set to?

Oh sorry - "3".

I've just tried something. I upped "log level = 10", deleted "/var/lib/samba/winbind*" (to trash cached values), cleaned out /var/log/samba/* and restarted winbind.

Then I tried "id localDomain\user" and "getent group localDomain\group" and they worked successfully.

Then I tried the "getent group domain3\group2" mentioned in my example: remote domain containing groups containing users from many (trusted) other domains. It *immediately* returned with no content (which is odd - yesterday it returned 5 domain3 users). Strangely, I didn't see a log.wb-domain3 created.

Then I ran "wbinfo -u", and immediately all the log.wb-XXXX files appeared - one per trusted domain. It hung for many minutes while it went all over the world (I had tcpdump running) via LDAP downloading "stuff". Eventually I got "Error looking up domain users" - probably hit a timeout. I'm not surprised :-) However, winbindd was still downloading "stuff" - in fact there are now 167 copies of winbind running on my FC8 box and it's still working at the problem ;-) "wbinfo -m|wc" reports 14 BTW - so I don't know how 167 showed up.

Then I ran "getent group domain3\group2" again, this time it hung for 5 secs - before returning nothing again :-(

Grep'ping /var/log/samba/* for the groupname shows only 'getgrnam domain3\group2' - no real error as such.

PS: there are now 155 winbindd processes running - so it did come down a bit. But I don't think that's normal? Under 3.0.30 it never seemed to go above 10-ish?

--
Cheers

Jason Haar
I just thought of something else. Are there any Samba limits on Universal groups vs Global vs Domain Local (this is a Win2K3 env)?

Obviously the problem I'm having involves a Universal Group - but it contains a mixture of Universal and Global groups. The top one (i.e. domain3\group2) is a Distribution List too BTW (not just a Security Group).

--
Cheers

Jason Haar