Samba/Winbind Problem - Redhat


Thread: Samba/Winbind Problem

  1. Samba/Winbind Problem

    I have a Redhat AS 3 Update 7 machine configured to use Samba/
    Winbind. It is enumerating the users and groups correctly from
    Active Directory.

    wbinfo and getent both work great!

    When I run getent passwd, I get all of the results needed. However,
    that does not seem to be passing to the individual user.

    The authentication piece is working. I am now trying to assign group
    ownership to a group that a user is a member of.

    For instance, if user testuser(uid=15000) is a member of AD group
    data_testuser(gid=16000), then I do:

    chgrp 16000
    chown 770

    testuser should then be able to access the files. This is not working.

    Now for the really tricky part...

    If I log in as user +testuser, and run 'groups', I get
    different results than if I run 'groups +testuser'

    Why would that happen?


  2. Re: Samba/Winbind Problem

    On Mar 19, 3:21 pm, casimm...@gmail.com wrote:
    > I have a Redhat AS 3 Update 7 machine configured to use Samba/
    > Winbind. It is enumerating the users and groups correctly from
    > Active Directory.
    >
    > wbinfo and getent both work great!
    >
    > When I run getent passwd, I get all of the results needed. However,
    > that does not seem to be passing to the individual user.
    >
    > The authentication piece is working. I am now trying to assign group
    > ownership to a group that a user is a member of.
    >

    Here is an example of the output difference:

    [CORP+asimmons@shdc-apexp01m apps]$ whoami
    CORP+asimmons

    [CORP+asimmons@shdc-apexp01m apps]$ id -Gn
    CORP+Domain Users CORP+CERTSVC_DCOM_ACCESS CORP+CGIT CORP+CGWeb CORP
    +Data_Web_W CORP+Data_WebIntranet_W CORP+Adm_Workstations CORP+Adm_MBX
    CORP+Adm_MBX_PF CORP+App _Documentum CORP+App_Remedy CORP+CGRas CORP+
    $LJ2000-UD84GUD7A317 CORP+Doc_IT_W CORP+Mbx_Pf_IT_W CORP+Mbx_Support_W
    CORP+Users_TechnicalServices CORP+Data_IT_W CORP +Adm_Domain CORP
    +Adm_DSAdmin CORP+DL-All Cheniere Employees CORP+Data_ITProjects_W CORP
    +Data_ITProjects_ERP_W CORP+Data_ITProjects_Commercial_W CORP
    +Data_ITProject s_Plant_W CORP+Data_Setup_W CORP+DRA_resetpass CORP
    +DRA_Helpdesk CORP+Home_Migration CORP+Data_AppData_W CORP+Data_Apps_W
    CORP+Data_Bucket_W

    [CORP+asimmons@shdc-apexp01m apps]$ id -Gn CORP+asimmons
    CORP+Domain Users CORP+CGIT CORP+Data_Web_W CORP+Data_WebIntranet_W
    CORP+Adm_Workstations CORP+Adm_MBX CORP+Adm_MBX_PF CORP+App_Documentum
    CORP+App_Remedy CORP+CGRas CORP+$LJ2000-UD84GUD7A317 CORP+Doc_IT_W CORP
    +DL-IT Department CORP+Mbx_Pf_IT_W CORP+Mbx_Support_W CORP
    +Users_TechnicalServices CORP+Data_IT_W CORP+Adm_Domain CORP+DL-IT
    Technical Services CORP+Adm_DSAdmin CORP+DL-Texas Ave Office CORP+DL-
    Texas Ave Employees CORP+DL-All Cheniere Employees CORP+DL-All
    Cheniere Energy CORP+Data_ITProjects_W CORP+Data_ITProjects_ERP_W CORP
    +Data_ITProjects_Commercial_W CORP+Data_ITProjects_Plant_W CORP
    +Data_Setup_W CORP+DRA_resetpass CORP+DRA_Helpdesk CORP+DL-Texas Ave
    31 CORP+Home_Migration CORP+Data_AppData_W CORP+Data_Apps_W CORP
    +Data_Bucket_W CORP+App_Lexco CORP+Adm_Goodlink CORP+Spam_TagSubject
    CORP+Data_Net_W CORP+RDP_LannerWitness CORP+Users_Cheniere CORP
    +Ret_IT_Tech_Svs CORP+Ret_IT_All CORP+DL-IT Technical Service Alerts
    CORP+App_CitrixDesktop CORP+App_VPN CORP+dl-test1 CORP
    +allsubscribers7f4b4cfe CORP+Adm_BlackBerry CORP+App_KeaX CORP
    +App_CiscoIPCommunicator CORP+App_CitrixRDP CORP+App_CorporateApps CORP
    +App_RightFax CORP+App_Landmark_MO CORP+App_Larson_MO


    I don't understand why that would be different. We are not using
    NSCD.

    > For instance, if user testuser(uid=15000) is a member of AD group
    > data_testuser(gid=16000), then I do:
    >
    > chgrp 16000
    > chown 770
    >
    > testuser should then be able to access the files. This is not working.
    >
    > Now for the really tricky part...
    >
    > If I log in as user +testuser, and run 'groups', I get
    > different results than if I run 'groups +testuser'
    >
    > Why would that happen?




  3. Re: Samba/Winbind Problem

    On Mar 19, 3:52 pm, "casimmons" wrote:
    > On Mar 19, 3:21 pm, casimm...@gmail.com wrote:
    > > I have a Redhat AS 3 Update 7 machine configured to use Samba/
    > > Winbind. It is enumerating the users and groups correctly from
    > > Active Directory.
    > >
    > > wbinfo and getent both work great!
    > >
    > > When I run getent passwd, I get all of the results needed. However,
    > > that does not seem to be passing to the individual user.
    > >
    > > The authentication piece is working. I am now trying to assign group
    > > ownership to a group that a user is a member of.
    >
    > Here is an example of the output difference:
    >
    > [CORP+asimmons@shdc-apexp01m apps]$ whoami
    > CORP+asimmons
    >
    > [CORP+asimmons@shdc-apexp01m apps]$ id -Gn
    > CORP+Domain Users CORP+CERTSVC_DCOM_ACCESS CORP+CGIT CORP+CGWeb CORP
    > +Data_Web_W CORP+Data_WebIntranet_W CORP+Adm_Workstations CORP+Adm_MBX
    > CORP+Adm_MBX_PF CORP+App _Documentum CORP+App_Remedy CORP+CGRas CORP+
    > $LJ2000-UD84GUD7A317 CORP+Doc_IT_W CORP+Mbx_Pf_IT_W CORP+Mbx_Support_W
    > CORP+Users_TechnicalServices CORP+Data_IT_W CORP +Adm_Domain CORP
    > +Adm_DSAdmin CORP+DL-All Cheniere Employees CORP+Data_ITProjects_W CORP
    > +Data_ITProjects_ERP_W CORP+Data_ITProjects_Commercial_W CORP
    > +Data_ITProject s_Plant_W CORP+Data_Setup_W CORP+DRA_resetpass CORP
    > +DRA_Helpdesk CORP+Home_Migration CORP+Data_AppData_W CORP+Data_Apps_W
    > CORP+Data_Bucket_W
    >
    > [CORP+asimmons@shdc-apexp01m apps]$ id -Gn CORP+asimmons
    > CORP+Domain Users CORP+CGIT CORP+Data_Web_W CORP+Data_WebIntranet_W
    > CORP+Adm_Workstations CORP+Adm_MBX CORP+Adm_MBX_PF CORP+App_Documentum
    > CORP+App_Remedy CORP+CGRas CORP+$LJ2000-UD84GUD7A317 CORP+Doc_IT_W CORP
    > +DL-IT Department CORP+Mbx_Pf_IT_W CORP+Mbx_Support_W CORP
    > +Users_TechnicalServices CORP+Data_IT_W CORP+Adm_Domain CORP+DL-IT
    > Technical Services CORP+Adm_DSAdmin CORP+DL-Texas Ave Office CORP+DL-
    > Texas Ave Employees CORP+DL-All Cheniere Employees CORP+DL-All
    > Cheniere Energy CORP+Data_ITProjects_W CORP+Data_ITProjects_ERP_W CORP
    > +Data_ITProjects_Commercial_W CORP+Data_ITProjects_Plant_W CORP
    > +Data_Setup_W CORP+DRA_resetpass CORP+DRA_Helpdesk CORP+DL-Texas Ave
    > 31 CORP+Home_Migration CORP+Data_AppData_W CORP+Data_Apps_W CORP
    > +Data_Bucket_W CORP+App_Lexco CORP+Adm_Goodlink CORP+Spam_TagSubject
    > CORP+Data_Net_W CORP+RDP_LannerWitness CORP+Users_Cheniere CORP
    > +Ret_IT_Tech_Svs CORP+Ret_IT_All CORP+DL-IT Technical Service Alerts
    > CORP+App_CitrixDesktop CORP+App_VPN CORP+dl-test1 CORP
    > +allsubscribers7f4b4cfe CORP+Adm_BlackBerry CORP+App_KeaX CORP
    > +App_CiscoIPCommunicator CORP+App_CitrixRDP CORP+App_CorporateApps CORP
    > +App_RightFax CORP+App_Landmark_MO CORP+App_Larson_MO
    >
    > I don't understand why that would be different. We are not using
    > NSCD.
    >
    > > For instance, if user testuser(uid=15000) is a member of AD group
    > > data_testuser(gid=16000), then I do:
    > >
    > > chgrp 16000
    > > chown 770
    > >
    > > testuser should then be able to access the files. This is not working.
    > >
    > > Now for the really tricky part...
    > >
    > > If I log in as user +testuser, and run 'groups', I get
    > > different results than if I run 'groups +testuser'
    > >
    > > Why would that happen?


    FYI, I found out where this issue is coming from. There is a limit of
    32 groups a user can belong to in Linux with the 2.4.x kernel. It is
    possible to patch the kernel to accommodate, but this is not supported
    by Redhat (http://radu.rendec.ines.ro/howto/32groups.html).
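
The discrepancy in this thread can be checked directly: `id -G` with no argument prints the groups held by the current process, which is what file permission checks use, while `id -G USER` asks NSS (winbind) for the account's full membership. The script below is an added example, not part of the original posts; it compares the two lists against `getconf NGROUPS_MAX`, and its function names are this example's own.

```shell
#!/bin/sh
# Added example: compare the groups this session actually holds with the
# groups NSS (winbind) reports for the account. Function names are
# this example's own. Numeric GIDs are used because AD group names
# such as "Domain Users" contain spaces.

count_gids() { set -- $1; echo $#; }

# Print each GID present in $2 (NSS lookup) but absent from $1 (session).
missing_gids() {
    have=" $1 "
    for gid in $2; do
        case "$have" in
            *" $gid "*) ;;
            *) echo "$gid" ;;
        esac
    done
}

# Succeed when NSS knows more groups than the session holds and the session
# list is already at the limit. $1 = session GIDs, $2 = NSS GIDs,
# $3 = NGROUPS_MAX. id -G also lists the primary group, hence -ge.
looks_truncated() {
    [ "$(count_gids "$2")" -gt "$(count_gids "$1")" ] &&
        [ "$(count_gids "$1")" -ge "$3" ]
}

# Live check: 'id -G' reads the process credential, 'id -G USER' asks NSS.
check_session() {
    cur=$(id -G) && nss=$(id -G "$1") && max=$(getconf NGROUPS_MAX) || return 2
    echo "session: $(count_gids "$cur") groups, NSS: $(count_gids "$nss"), NGROUPS_MAX: $max"
    if looks_truncated "$cur" "$nss" "$max"; then
        echo "session list is cut at the limit; GIDs that grant no access:"
        missing_gids "$cur" "$nss"
    fi
}

check_session "${1:-$(id -un)}" || :
```

Any GID the script lists is one the account belongs to in the directory but that the kernel never loaded into the session, so a `chgrp` to that group grants this login no access.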

