Bug 77 - ADS auth does not work with all groups
ADS auth does not work with all groups
Status: RESOLVED WORKSFORME
Product: Samba 3.0
Classification: Unclassified
Component: winbind
3.0.0preX
All Linux
: P2 major
: none
Assigned To: Gerald (Jerry) Carter
:
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2003-05-09 04:12 UTC by Mads Toustrup
Modified: 2005-11-14 09:26 UTC (History)
0 users

See Also:


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Mads Toustrup 2003-05-09 04:12:01 UTC
Hi 
I've set up a samba fileserver which authenticates its users by using Winbind 
against a Active Directory.

It seems that there is a bug with this. It looks like Samba sometimes has 
problems with authenticating users from groups. 

An example. 

User1 is a member of Group1 
If i set Valid user = @"Group1" ... Now i log in as User1 ... and then i 
doesn't work. But if i make Group1 a member of Group2 and set Valid user = 
@"Group 2" ... That means i am using group2 like a kind of proxy group.... and 
then it works... Isn't this wierd?
Log from attempt to connect to a share which i am 100% sure that i should have 
access to: 
http://dev.kolkaer.dk/mads/samba/error.log.2


Also when i tried to set up another fileserver. Then Valid user = @"Group 2" 
didn't work (while it still works on the first server) ... but now Group1 works 
directly. 

And ... If i fail authenticate to one share (even though i am authorized by the 
AD and samba to access this...) .. and then try to access one of the other 
shares that i were able to access before. It fails here to until i restart 
smbd. 
Log from attemt to access the share that now fails: 
 - http://dev.kolkaer.dk/mads/samba/error.log.1

At this very moment i have 3 servers with Samba3.0 working and running with 
about 500 users. I have managed to work around this bug, but it makes no sense 
to me at all. Hope it will be fixed sometime =o) 

Greetings from 
 Mads / Denmark
Comment 1 Jim McDonough 2003-06-17 10:08:07 UTC
Very interesting...I'm not sure quite what it is yet, but I was able to get the
nested group working just like this.  Then, I delted the user from the nested
group and readded back to the same group (group1 in this case), and it no longer
works.  It no longer finds the nested groups.  Something being cached, maybe?
Comment 2 Jim McDonough 2003-06-17 11:36:27 UTC
Ok, I found my issues to be about the winbind cache time parameter.  It's now
defaulting to 5 minutes, and so updates take that long.  If I reduce it to just
a few seconds, everything works fine for me.  I can include a group directly, or
use a nested group, as described, and the user gets access properly.

If you're still having trouble, please include your smb.conf and perhaps a more
detailed debug log.  Also I'd suggest running some wbinfo commands on the SIDs,
group names, or gid's involved, and the wbinfo -r userid command.
Comment 3 Gerald (Jerry) Carter 2005-02-07 07:54:28 UTC
originally reported against 3.0alpha23.  Bugzilla spring cleaning.
Comment 4 Gerald (Jerry) Carter 2005-11-14 09:26:13 UTC
database cleanup