These are the ramblings of Matthijs Kooijman, concerning the software he hacks on, hobbies he has and occasionally his personal life.
Nested groups and win2000 native mode

I have been fighting with our Windows Server 2003 domain controller and the various Samba/winbind-connected FreeBSD servers all day. My objectives were twofold: properly configuring SFU (Services for Unix) and getting nested groups to work on our BSD machines.

The first proved relatively easy. Some PHP code that used the LDAP libraries to mess around in the AD directly gave all our users and groups their uids and gids. That works now. Next up was getting nested groups to work, to centralize our access management some more.

The current setup is as follows: we have a group "WWW", which is the web committee. They should always be able to log in to our webserver. The group "Beheer" should also be able to log in; they are our system administrators. Finally, we have the group "Webmasters", which are the webmasters from a few other committees. Currently, there is a rule that allows these three groups to log in. Ideally there should be one group "WebUsers" that is allowed to log in and contains these three groups.

Looking around brings me to the "winbind nested groups" feature of Samba/winbind. This seems like exactly what we need, but it turns out this seems to be meant only for Samba running as a DC, which is not our case (we have a 2k3 DC). Also, looking through the source, this directive seems to have no function at all anymore...

Anyway, winbind should unwrap nested groups all by itself, people told me. So my current setup should work. Well, surprise, it doesn't :-). Looking around some more makes me suspect putting our domain controller in "Windows 2000 native mode" might help. Currently, our 2k3 server is running in "Windows 2000 mixed mode", which is the default. That mode allows NT4 domain controllers to participate in the domain, so it shouldn't really be needed for our setup. So, let's upgrade, right?

Well, not so fast... The "upgrade" button is surrounded with red markers and warnings, since the change is not reversible. Upgrading should not affect the DC itself much, nor any of the clients. We don't have any NT4 machines in our domain, so there should be no problem. Also, our Samba servers should be able to talk the Windows 2000+ protocols, so probably no problem there either. The thing is, if it breaks, there is no way back. And it is the end of my weekend, people need their systems tomorrow, and I need my time (I haven't actually gotten around to doing anything since I've been struggling with Samba since yesterday), so I'm not risking it now. Next opportunity I get, 2000 mixed mode dies. For now, let's settle for not-so-centralized management and get our webserver logins back up.

Update: See this post for more info on the cause of the winbind problem.
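What the login rule actually needs is the transitive membership of "WebUsers", which winbind in this setup was not computing. The following is an added example, not code from the blog or from Samba: it flattens nested group membership over a small constructed directory (all DNs and account names are made up), including the two cases that trip up naive expansion, a group reachable along two paths and a membership cycle.

```python
"""Nested (transitive) AD group expansion, as a login rule needs it.
Added example, not the blog's code; winbind in the setup described did not
flatten nested groups. All DNs and account names are constructed sample data."""
from typing import Dict, List, Set

G = "OU=Groups,DC=example,DC=org"
U = "OU=Users,DC=example,DC=org"

# Constructed directory: DN -> entry (objectClass plus direct "member" DNs).
DIRECTORY: Dict[str, dict] = {
    f"CN=WebUsers,{G}": {"objectClass": "group", "member": [
        f"CN=WWW,{G}", f"CN=Beheer,{G}", f"CN=Webmasters,{G}"]},
    f"CN=WWW,{G}": {"objectClass": "group", "member": [f"CN=alice,{U}"]},
    # Beheer also lists WWW directly, so WWW is reachable twice (a diamond).
    f"CN=Beheer,{G}": {"objectClass": "group", "member": [f"CN=bob,{U}", f"CN=WWW,{G}"]},
    # Webmasters points back at WebUsers: a cycle the expansion must not loop on.
    f"CN=Webmasters,{G}": {"objectClass": "group", "member": [
        f"CN=carol,{U}", f"CN=WebUsers,{G}"]},
    f"CN=alice,{U}": {"objectClass": "user", "sAMAccountName": "alice"},
    f"CN=bob,{U}": {"objectClass": "user", "sAMAccountName": "bob"},
    f"CN=carol,{U}": {"objectClass": "user", "sAMAccountName": "carol"},
    f"CN=dave,{U}": {"objectClass": "user", "sAMAccountName": "dave"},  # in no group
}


def expand_group(group_dn: str, directory: Dict[str, dict]) -> Set[str]:
    """Return the sAMAccountName of every user transitively in group_dn."""
    users: Set[str] = set()
    seen: Set[str] = set()      # DNs already visited: breaks cycles and diamonds
    stack: List[str] = [group_dn]
    while stack:
        dn = stack.pop()
        if dn in seen:
            continue
        seen.add(dn)
        entry = directory.get(dn)
        if entry is None:
            continue            # dangling member reference: skip, don't crash
        if entry["objectClass"] == "user":
            users.add(entry["sAMAccountName"])
        else:
            stack.extend(entry.get("member", []))
    return users


def may_log_in(user: str, allowed: List[str], directory: Dict[str, dict] = DIRECTORY) -> bool:
    """Login rule: allow if the user is a (possibly nested) member of any listed group."""
    return any(user in expand_group(g, directory) for g in allowed)
```

With only direct membership checked, a rule on "WebUsers" alone would admit nobody here; the expansion yields alice, bob and carol and still rejects dave.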

Matthijs Kooijman wrote at 2006-05-28 03:41

Okay, we've just upgraded our DC to server 2003 native mode. That didn't help one friggin' bit.

Looking at the code shows that the feature just isn't implemented. More specifically, the "winbind nested groups" configuration directive is never used in the code.

I'm currently coding a fix for this, I'll probably write a post about that when (if) it works...


1 comment -:- permalink -:- 22:23
Copyright by Matthijs Kooijman - most content WTFPL