rlm_winbind and groups

Matthew Newton mcn4 at leicester.ac.uk
Fri Nov 4 22:33:52 CET 2016


Hi,

So... it turns out there are issues with winbindd getting group
information, and that it may be wrong. The Samba team are
currently discussing on the list about ripping some bits of
winbindd out, which may include some of the group stuff.

Essentially the nice benefit that seemed to be the case with
winbindd - all groups being in a large flat list rather than
having to work out the right LDAP lookups for nested groups etc -
isn't necessarily true and isn't dealt with correctly.

The right way seems to be to get a list of SIDs after an
authentication, and enumerate those, which will list the groups
that the user is in. It's only good after an auth when the data
has been cached locally.

I'm going to stare at the code and see if I can update anything,
but in the meantime, anyone who is using rlm_winbind for group
checks: just a warning, it may not stay in the current state for
much longer :( And it's probably best to call group lookups in
post-auth when Samba has the group lists cached, rather than in
authorize.

Matthew


-- 
Matthew Newton, Ph.D. <mcn4 at leicester.ac.uk>

Systems Specialist, Infrastructure Services,
I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom

For IT help contact helpdesk extn. 2253, <ithelp at le.ac.uk>
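The placement the post recommends, as an added illustration rather than configuration from the post or from the FreeRADIUS project: the group check is moved out of `authorize` and into `post-auth`, where it runs only after winbind has authenticated the user and winbindd has cached that user's group list. It assumes a FreeRADIUS 3.x server, an rlm_winbind instance named `winbind`, that the instance registers a `Winbind-Group` comparison attribute for membership checks, and a constructed group name `VPN-Users`; check these against the module documentation for your version.

```unlang
# Added example, not from the mailing-list post. Assumptions: FreeRADIUS 3.x,
# rlm_winbind instance "winbind" (mods-enabled/winbind), the Winbind-Group
# comparison attribute provided by that instance, and a made-up group
# "VPN-Users". Fragment of sites-enabled/default.

authorize {
    # ... other modules (preprocess, suffix, etc.) ...

    # Select winbind for authentication of anyone not already handled.
    if (!control:Auth-Type) {
        update control {
            &Auth-Type := winbind
        }
    }

    # Avoid this placement: no authentication has happened yet, so the
    # group information winbindd returns here may be incomplete or wrong.
    #
    # if (!(Winbind-Group == "VPN-Users")) {
    #     reject
    # }
}

authenticate {
    Auth-Type winbind {
        winbind
    }
}

post-auth {
    # Group check after a successful auth, when winbindd has the user's
    # group list cached. A failed check turns the Access-Accept into an
    # Access-Reject and runs the Post-Auth-Type REJECT section.
    if (!(Winbind-Group == "VPN-Users")) {
        update reply {
            &Reply-Message := "Not a member of the required group"
        }
        reject
    }

    # ... other post-auth modules (exec, remove_reply_message_if_eap, etc.) ...

    Post-Auth-Type REJECT {
        attr_filter.access_reject
    }
}
```

The user is still rejected when the group check fails; the difference is only that the decision is taken against group data populated by the authentication itself rather than against whatever winbindd happened to hold beforehand.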
