Windows clients connect to a share as DOMAIN+user, winbind sees this as a valid
user, but when checking groups the user is listed as simply user without the
domain for the group, which does not match DOMAIN+user, so group membership is
broken with use default domain = yes.
Here's the technical background:
Debian 3.0 Woody Box
Samba 3.0.10-1 deb package
security = ADS
Here's the trouble, if I set up a share such as this:
comment = Network Drive
path = /home/shared
valid users = @testgroup, @"DOMAIN+testgroup"
read only = no
browseable = yes
and I try to connect as my test user account, test which is in the test group as
verified like so:
styx~# getent group |grep test
The primary group for the test user is domain users, the secondary group is
testgroup. Thats all working, if I run id on test it shows all the groups:
styx:~# id test
uid=15000(test) gid=15002(Domain Users) groups=15002(Domain Users),15010(testgroup)
Here's were everything breaks down. If you connect to the share from a windows
2000 machine while logged in as test the password box pops telling me I'm denied
access. Here is the auth log for the connection:
[2005/01/20 16:05:29, 2] smbd/service.c:make_connection_snum(314)
user 'DOMAIN+test' (from session setup) not permitted to access this share
So I thought hmm, I wonder if its failing because it thinks that DOMAIN+test is
a different user than test. If I run id on the DOMAIN+test user I get this:
styx:~# id DOMAIN+test
uid=15000(test) gid=15002(Domain Users) groups=15002(Domain Users)
Same UID and same primary GID, but when searching the group file for the
username DOMAIN+test, it rightfully finds no entries because winbind has
stripped the domain from all users.
I hate 'winbind use default domain'. I'll look into this.
I hear ya, but don't get too down, it works beautifully for email and all the
other applications, just some minor wrinkles, but other than that its FRIGGIN
I'm scripting a work around for myself until a patch is out. If you need any
data, debug logs, version information, etc, let me know.
Possibly helpful idea:
I'm not a coder, just a lowly computer janitor so the following idea may not be
tractable, but could you do something like this:
if the setting is enabled, and a computer attempts a connection, smbd must be
handing the username over to winbind, with the domain, can winbind hand back the
username without the domain?
I don't really know if thats how it works, it could be more of a smbd asks
winbind is this guy real, yes or no and winbind only returns a yes or no.
Should be fixed post 3.0.23.