Domain group permissions, ZFS, ACL, winbind

[mletzgus]

Hi FreeBSD forum,

I'm quite new to FreeBSD, but I'm a Linux user and admin for nearly two decades now.

I'd like to use FreeBSD to build a small (file) server with ZFS and ADS integration.

I successfully compiled the net/samba36 port, joined my domain, made PAM working with SSH and created a ZFS file system with ACLs.

The Windows clients are working fine with my setup, even ACLs are working on the Windows clients. But one remaining problem is:

When logging in into the server (ssh/sftp) there is a problem with the file permissions: Domain groups are not considered. On a Windows client I granted full access to TESTFILE for the domain group AD\testgroup with the member AD\testuser. This is working well on Windows clients, but not on the server.

When granting access to AD\mletzgus directly testuser can access TESTFILE on the server.
It looks like a problem resolving the group members... but why...?

Does not work:

group:testgroup:r-x---a-R-c---:------:allow

Works:

user:testuser:r-x---a-R-c---:------:allow

Tested so far:

• no nscd runnig
• tried with and without winbinds enumerate options
• resolving almost everything with wbinfo works

Could you help me?

Best regards,
Michael

 

[mletzgus]

Hm, partial success.

It works with enabled enumerations.

But the problem is: I have 2000 groups and 30000 users - so enumeration crashes winbind 3.6.1.

I posted a bug report @ samba.org, there is a patch for 3.6.4 which corrects problems with so many groups and users:

https://bugzilla.samba.org/show_bug.cgi?id=8871
https://bugzilla.samba.org/show_bug.cgi?id=8904

How can I apply patches against the port net/samba36?

 

[phoenix]

Update your ports tree, and update the net/samb36 port. The port is currently at version 3.6.5.

 

[mletzgus]

Hi,

Many thanks for the hint. Updating ports to 3.6.5 and applying the attached patches to fix samba bugs 8871 and 8904 worked fine.

Thanks,
Michael