I have a Linux machine added to a Windows 2000 (non-native mode) domain with 2000+ users. This machine has some shared resources that some users can access and some cannot; the problem is that the people who don't have access lack it because winbind doesn't retrieve all the groups (or sometimes retrieves incorrect group numbers). I tried this, with different results:

# wbinfo -r mario.abajo
1013 1501 7194 7213 17789

# id mario.abajo
uid=16295(mario.abajo) gid=1013(group1)
grupos=1013(group1),7194(group2),7213(group3),
1501(group4),8436(group5),9622(group6),16286(group7),
17789(group8),17800(group9)

As you can see there are missing groups. This happens with users who have several groups; this recent user, for example, doesn't have that problem:

# wbinfo -r usuario.5631
508 1013 17800

# id usuario.5631
uid=3707(usuario.5631) gid=1013(group1) grupos=1013(group1),17800(group9)

508 is the "BUILTIN\users" group; I don't know if it has to be like that, but it works.

I'm using Debian Sarge 3.1r0 with the "sernet samba version":

# smbd -V
Version 3.0.14a-SerNet-Debian

My smb.conf configuration:

[global]
    workgroup = DOMAIN
    realm = DOMAIN.ES
    netbios name = SRV-DEB
    server string = Servidor debian
    security = ADS
    passdb backend = tdbsam, guest
    passwd program = /usr/bin/passwd %u
    password server = srv1.domain.es, srv2.domain.es
    passwd chat = *Enter\snew\sUNIX\spassword:* %n\n *Retype\snew\sUNIX\spassword:* %n\n .
    log level = 2
    syslog = 0
    os level = 65
    log file = /var/log/samba/log.%m
    max log size = 1000
    smb ports = 139 445
    load printers = No
    obey pam restrictions = yes
    printcap name = /etc/printcap
    ldap ssl = start tls
    panic action = /usr/share/samba/panic-action %d
    allow trusted domains = no
    idmap backend = idmap_rid:INECO=500-100000000
    idmap uid = 500-100000000
    idmap gid = 500-100000000
    print command = lp -d%p -oraw %s; rm %s
    queuepause command = disable %p
    queueresume command = enable %p
    socket options = TCP_NODELAY
    winbind cache time = 600
    winbind separator = /
    winbind enum users = no
    winbind enum groups = yes
    winbind nested groups = yes
    nt acl support = yes

[files]
    comment = Fichero
    path = /mnt/datos
    admin users = DOMAIN/mario.abajo
    writable = yes
    map acl inherit = yes
    inherit acls = yes

The normal Debian packages have the same problem, but I tried Red Hat Enterprise 4 with Samba version 3.0.10 and it doesn't suffer from this bug.

Thanks for everything.
Please retest against 3.0.20a. Should be fixed now.
(In reply to comment #1)
> please retest against 3.0.20a. Should be fixed now.

I have tested the new packages

# smbd -V
Version 3.0.20-SerNet-Debian

with the same configuration that is in the first post, and I got this:

# wbinfo -r DOMAIN/a_user
1013 13305 7213 1501 15615 17919 17152 17800 17789 7194

# id DOMAIN/a_user
uid=8745(DOMAIN/a_user) gid=1013(DOMAIN/Usuarios del dominio)
groups=1013(DOMAIN/Usuarios del dominio),7194(DOMAIN/group1),7213(DOMAIN/group2),1501(DOMAIN/group3),
10086(DOMAIN/group4),8436(DOMAIN/group5),12767(DOMAIN/group6),
16286(DOMAIN/group7),16302(DOMAIN/group8),15615(DOMAIN/group9),
17152(DOMAIN/group10),17789(DOMAIN/group11),17800(DOMAIN/group12),
17919(DOMAIN/group13)

For security reasons the name of the user and its member groups have to be changed.

As you can see the problem continues. Now I will give you the output of the same commands on a Red Hat Enterprise Linux AS 4 with

# smbd -V
Version 3.0.10-1.4E

with this configuration:

[global]
    workgroup = DOMAIN
    realm = DOMAIN.ES
    netbios name = DEMO_CLUS
    server string = Servidor de ficheros
    security = ADS
    password server = srv1.domain.es srv2.domain.es
    load printers = No
    obey pam restrictions = yes
    allow trusted domains = no
#   idmap backend = idmap_rid:DOMAIN=500-100000000
    idmap uid = 500-100000000
    idmap gid = 500-100000000
    socket options = TCP_NODELAY
    winbind cache time = 600
    winbind separator = /
    winbind enum users = yes
    winbind enum groups = yes
#   winbind nested groups = yes
    template shell = /bin/false
    winbind use default domain = no
    map acl inherit = yes
    inherit acls = Yes
    log level = 2

[datos]
    path = /mnt/san_gfs
    writeable = yes

The configuration is very similar to the one in the first post; the most significant difference is the absence of the idmap_rid module, which makes the group numbers different:

# wbinfo -r DOMAIN/a_user
500 501 502 517 592 593 623 771 776 778 805

# id DOMAIN/a_user
uid=2553(DOMAIN/a_user) gid=500(DOMAIN/Usuarios del dominio)
grupos=500(DOMAIN/Usuarios del dominio),501(DOMAIN/group1),502,517(DOMAIN/group8),592(DOMAIN/group2),
593(DOMAIN/group3),623(DOMAIN/group4),771(DOMAIN/group5),
776(DOMAIN/group7),778(DOMAIN/group9),805(DOMAIN/group6)

This last version is perfectly functional, while 3.0.14a and now 3.0.20 don't agree on the groups shown by winbind. For that reason, the shares with ACLs return "permission denied", privileges different from the ones they should have.

If you need any other information, like a log, please tell me, and thanks a lot.
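
A small check for the discrepancy reported in this thread, as an added example (not part of the bug report and not Samba code): it parses `wbinfo -r` and `id` output and lists the GIDs on which the two disagree. The function names are hypothetical; the sample output is copied from the 3.0.20 test in the comment above.

```python
import re

def parse_wbinfo_r(text):
    """GIDs printed by `wbinfo -r USER` (whitespace separated)."""
    return {int(tok) for tok in text.split() if tok.isdigit()}

def parse_id(text):
    """Parse `id USER` output into (primary_gid, {gid: name or None}).

    Tolerates a localized list label (groups= / grupos=), names with
    spaces or '/', wrapped lines, and GIDs printed without a name.
    """
    head = re.search(r"uid=\d+.*?\bgid=(\d+)", text, re.S)
    tail = re.search(r"\s\w+=(\d.*)$", text[head.end():], re.S) if head else None
    if not head or not tail:
        raise ValueError("not recognisable `id` output")
    groups = {}
    for m in re.finditer(r"(\d+)(?:\(([^)]*)\))?", tail.group(1)):
        name = " ".join(m.group(2).split()) if m.group(2) else None
        groups[int(m.group(1))] = name
    return int(head.group(1)), groups

def compare(wbinfo_text, id_text):
    """GIDs on which winbind (`wbinfo -r`) and NSS (`id`) disagree."""
    wb = parse_wbinfo_r(wbinfo_text)
    primary, groups = parse_id(id_text)
    nss = set(groups) | {primary}
    return {
        "only_in_id": sorted(nss - wb),       # groups winbind did not report
        "only_in_wbinfo": sorted(wb - nss),   # GIDs NSS does not know for the user
        "unnamed": sorted(g for g, n in groups.items() if n is None),
    }

# Output copied from the report (Samba 3.0.20 with idmap_rid).
WBINFO_3_0_20 = "1013 13305 7213 1501 15615 17919 17152 17800 17789 7194"
ID_3_0_20 = """uid=8745(DOMAIN/a_user) gid=1013(DOMAIN/Usuarios del dominio)
groups=1013(DOMAIN/Usuarios del dominio),7194(DOMAIN/group1),7213(DOMAIN/group2),
1501(DOMAIN/group3),10086(DOMAIN/group4),8436(DOMAIN/group5),12767(DOMAIN/group6),
16286(DOMAIN/group7),16302(DOMAIN/group8),15615(DOMAIN/group9),17152(DOMAIN/group10),
17789(DOMAIN/group11),17800(DOMAIN/group12),17919(DOMAIN/group13)"""

if __name__ == "__main__":
    print(compare(WBINFO_3_0_20, ID_3_0_20))
```

An empty `only_in_id` and `only_in_wbinfo` means both views agree, as in the Red Hat output above; anything else is worth checking before relying on group-based ACLs on the share.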
Please retest against 3.0.21rc1. I expect Guenther's recent PAC work to resolve this.
Now it works perfectly, :)))))))))))))))))))))))))))))))))))) I hope to see this version soon in sernet. Thanks a lot
The target date for the final 3.0.21 release is the end of this month.