On Nov 4, 2016, at 5:33 PM, Matthew Newton <mcn4@leicester.ac.uk> wrote:
So... it turns out there are issues with winbindd getting group information, and that it may be wrong. The Samba team are currently discussing on the list about ripping some bits of winbindd out, which may include some of the group stuff.
:( Active Directory isn't simple. In fact, it's almost deliberately obtuse.
The right way seems to be to get a list of sids after an authentication, and enumerate those, which will list the groups that the user is in. It's only good after an auth when the data has been cached locally.
Wow.
I'm going to stare at the code and see if I can update anything, but in the mean time anyone who is using rlm_winbind for group checks just a warning it may not stay in the current state for much longer :( And it's probably best to call group lookups in post-auth when Samba has the group lists cached, rather than in authorize.
Sounds good, thanks. Alan DeKok.