Quick Summary: Windows clients connect to a share as DOMAIN+user; winbind sees this as a valid user, but when checking groups the user is listed as simply "user" without the domain, which does not match DOMAIN+user, so group membership is broken with "use default domain = yes".

Here's the technical background:

    Debian 3.0 Woody box
    Samba 3.0.10-1 deb package
    Win2k AD
    security = ADS
    MIT Kerberos

Here's the trouble. If I set up a share such as this:

    [shared]
        comment = Network Drive
        path = /home/shared
        valid users = @testgroup, @"DOMAIN+testgroup"
        read only = no
        browseable = yes

and I try to connect as my test user account, "test", which is in the test group as verified like so:

    styx~# getent group | grep test
    Domain Users:x:15002:test
    testgroup:x:15010:test
    styx~#

The primary group for the test user is Domain Users; the secondary group is testgroup. That's all working; if I run id on test it shows all the groups:

    styx:~# id test
    uid=15000(test) gid=15002(Domain Users) groups=15002(Domain Users),15010(testgroup)

Here's where everything breaks down. If you connect to the share from a Windows 2000 machine while logged in as test, the password box pops up telling me I'm denied access. Here is the auth log for the connection:

    [2005/01/20 16:05:29, 2] smbd/service.c:make_connection_snum(314)
      user 'DOMAIN+test' (from session setup) not permitted to access this share (shared)

So I thought, hmm, I wonder if it's failing because it thinks that DOMAIN+test is a different user than test. If I run id on the DOMAIN+test user I get this:

    styx:~# id DOMAIN+test
    uid=15000(test) gid=15002(Domain Users) groups=15002(Domain Users)

Same UID and same primary GID, but when searching the group file for the username DOMAIN+test, it rightfully finds no entries because winbind has stripped the domain from all users.

--Dave
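The comparison Dave does by hand above (id on the bare name versus id on the domain-qualified name) can be scripted so the lost secondary groups are listed directly. This is an added example, not code from the report or from Samba; it parses the two id(1) output lines quoted in the report (embedded here as constructed sample strings) and assumes, as the report does, that winbind is the NSS source when run against a live account.

```shell
#!/bin/sh
# Added example, not code from the thread: compare the group list that id(1)
# reports for the bare user name with the list for the domain-qualified
# name. Groups present for the bare name but absent for the qualified one
# are exactly the ones a "valid users = @group" line will fail to match.

# Constructed sample id(1) output, copied from the report above.
ID_BARE='uid=15000(test) gid=15002(Domain Users) groups=15002(Domain Users),15010(testgroup)'
ID_QUAL='uid=15000(test) gid=15002(Domain Users) groups=15002(Domain Users)'

# Print the group names from the groups= field of one id(1) line, one per
# line. Names may contain spaces ("Domain Users"), so avoid word splitting.
id_groups() {
    printf '%s\n' "$1" \
        | sed -n 's/.*groups=//p' \
        | tr ',' '\n' \
        | sed 's/^[0-9]*(\(.*\))$/\1/'
}

# Print every group that appears in the first id(1) line but not the second.
missing_groups() {
    qual=$(id_groups "$2")
    id_groups "$1" | while IFS= read -r g; do
        printf '%s\n' "$qual" | grep -Fqx -- "$g" || printf '%s\n' "$g"
    done
}

# Run the comparison for a live account, e.g. check_user test DOMAIN+test
# (assumes winbind provides both name forms through NSS, as in the report).
check_user() {
    missing_groups "$(id "$1")" "$(id "$2")"
}

echo "Groups lost when the name is domain-qualified:"
missing_groups "$ID_BARE" "$ID_QUAL"
```

With the sample lines from the report the script prints testgroup, the one group the share's valid users line depends on. Running check_user against a real account after the fix should print nothing.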
I hate 'winbind use default domain'. I'll look into this.
I hear ya, but don't get too down. It works beautifully for email and all the other applications, just some minor wrinkles, but other than that it's FRIGGIN AWESOME!! I'm scripting a workaround for myself until a patch is out. If you need any data, debug logs, version information, etc., let me know.

Possibly helpful idea: I'm not a coder, just a lowly computer janitor, so the following idea may not be tractable, but could you do something like this: if the setting is enabled, and a computer attempts a connection, smbd must be handing the username over to winbind, with the domain. Can winbind hand back the username without the domain? I don't really know if that's how it works; it could be more of a "smbd asks winbind, is this guy real, yes or no" and winbind only returns a yes or no.

Anyways, thanks,
--Dave
Should be fixed post 3.0.23.