LDAP Authentication. Secondary Groups empty in Samba.

Status
Not open for further replies.

mapero

Cadet
Joined
Oct 22, 2013
Messages
1
Hello.

I have some problems configuring FreeNAS 9.1.1 with LDAP as the backend.

The LDAP server is running on another machine using ClearOS 6.4.
To make it work I added

nss_map_attribute uniqueMember member
to the ldap auxiliary parameters of ldap settings.

Connection to ldap and the directory service is running fine:
getent passwd
root:$6$Z8BrmoaRjhK4/zYt$WWRVpYEg96zw7qddQvwmKUdhVgBv64W2WWySxEGVEDB1TEgLzpWZSqHlTYUlTWyY4yQbRyeIoRRfFy6QnCPX9.:0:0:root:/root:/bin/csh
daemon:*:1:1:Owner of many system processes:/root:/usr/sbin/nologin
operator:*:2:5:System &:/:/usr/sbin/nologin
bin:*:3:7:Binaries Commands and Source:/:/usr/sbin/nologin
tty:*:4:65533:Tty Sandbox:/:/usr/sbin/nologin
kmem:*:5:2:KMem Sandbox:/:/usr/sbin/nologin
games:*:7:13:Games pseudo-user:/:/usr/sbin/nologin
news:*:8:8:News Subsystem:/:/usr/sbin/nologin
man:*:9:9:Mister Man Pages:/usr/share/man:/usr/sbin/nologin
sshd:*:22:22:Secure Shell Daemon:/var/empty:/usr/sbin/nologin
smmsp:*:25:25:Sendmail Submission User:/var/spool/clientmqueue:/usr/sbin/nologin
mailnull:*:26:26:Sendmail Default User:/var/spool/mqueue:/usr/sbin/nologin
bind:*:53:53:Bind Sandbox:/:/usr/sbin/nologin
proxy:*:62:62:Packet Filter pseudo-user:/nonexistent:/usr/sbin/nologin
_pflogd:*:64:64:pflogd privsep user:/var/empty:/usr/sbin/nologin
_dhcp:*:65:65:dhcp programs:/var/empty:/usr/sbin/nologin
uucp:*:66:66:UUCP pseudo-user:/var/spool/uucppublic:/usr/local/libexec/uucp/uucico
pop:*:68:6:Post Office Owner:/nonexistent:/usr/sbin/nologin
www:*:80:80:World Wide Web Owner:/nonexistent:/usr/sbin/nologin
nobody:*:65534:65534:Unprivileged user:/nonexistent:/usr/sbin/nologin
avahi:*:200:200:avahi user:/nonexistent:/usr/sbin/nologin
messagebus:*:201:201:messagebus user:/nonexistent:/usr/sbin/nologin
ftp:*:14:14::/nonexistent:/bin/csh
winadmin:*:302:1000512:Windows Administrator:/home/winadmin:/bin/sh
nomembers:*:350:63000:No Members:/dev/null:/bin/sh
flexshare:*:351:63000:Flexshare System:/dev/null:/bin/sh
email-archive:*:352:63000:Email Archive:/dev/null:/bin/sh
guest:*:353:63000:Guest Account:/home/guest:/bin/sh
jochen:*:1007:63000:Jochen Scheib:/mnt/WD30EZRX_Mirror/home/jochen:/bin/sh

getent group
wheel:*:0
daemon:*:1
kmem:*:2
sys:*:3
tty:*:4
operator:*:5:uucp
mail:*:6
bin:*:7
news:*:8
man:*:9
games:*:13
ftp:*:14
staff:*:20
sshd:*:22
smmsp:*:25
mailnull:*:26
guest:*:31
bind:*:53
proxy:*:62
authpf:*:63
_pflogd:*:64
_dhcp:*:65
uucp:*:66
dialer:*:68
network:*:69
audit:*:77
www:*:80
nogroup:*:65533
nobody:*:65534
avahi:*:200
messagebus:*:201
allusers:*:63000:jochen
guests:*:1000546:nomembers
openvpn_plugin:*:60000:jochen
pptpd_plugin:*:60001:jochen
user_certificates_plugin:*:60002:jochen
domain_admins:*:1000512:winadmin
domain_users:*:1000513:jochen
domain_guests:*:1000514:guest
domain_computers:*:1000515:nomembers
administrators:*:1000544:nomembers
users:*:1000545:nomembers
power_users:*:1000547:nomembers
account_operators:*:1000548:nomembers
server_operators:*:1000549:nomembers
print_operators:*:1000550:nomembers
backup_operators:*:1000551:nomembers
media:*:60006:jochen

net sam list users
winadmin
guest
jochen

net sam list groups
allusers
Domain Admins
Domain Users
Domain Guests
Domain Computers
media

Main group membership is also working:
net sam listmem allusers
GALLIEN\allusers has 4 members
GALLIEN\flexshare
GALLIEN\email-archive
GALLIEN\guest
GALLIEN\jochen

But what is not working is the secondary group membership:
net sam listmem media
GALLIEN\media has 0 members

How do I get Samba to use all groups, not only the primary group?

Thanks Jochen
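
Added example, not part of the original post: a Python check that compares the supplementary memberships NSS reports in `getent group` with what `net sam listmem` prints, using sample lines trimmed from the output above. The function names are hypothetical; on the posted data it flags `media`, where `jochen` is listed by NSS but absent from Samba's member list.

```python
# Added example: find supplementary group members that NSS (getent) reports
# but Samba (net sam listmem) does not. Sample data is trimmed from the post.
PASSWD = """\
guest:*:353:63000:Guest Account:/home/guest:/bin/sh
jochen:*:1007:63000:Jochen Scheib:/mnt/WD30EZRX_Mirror/home/jochen:/bin/sh
"""
GROUP = """\
allusers:*:63000:jochen
media:*:60006:jochen
"""
# Output of `net sam listmem <group>` per group, header line included.
LISTMEM = {
    "allusers": "GALLIEN\\allusers has 4 members\nGALLIEN\\flexshare\n"
                "GALLIEN\\email-archive\nGALLIEN\\guest\nGALLIEN\\jochen\n",
    "media": "GALLIEN\\media has 0 members\n",
}

def primary_gids(passwd_text):
    """Map user -> primary GID from getent passwd lines."""
    rows = (l.split(":") for l in passwd_text.splitlines())
    return {f[0]: int(f[3]) for f in rows if len(f) >= 4}

def supplementary_members(group_text, gids):
    """Map group -> users in the member field whose primary GID differs."""
    result = {}
    for line in group_text.splitlines():
        f = line.split(":")
        if len(f) < 3:
            continue
        gid = int(f[2])
        listed = f[3].split(",") if len(f) > 3 and f[3] else []
        result[f[0]] = {u for u in listed if gids.get(u) != gid}
    return result

def samba_members(listmem_text):
    """Drop the 'has N members' header line and the domain prefix."""
    lines = listmem_text.splitlines()[1:]
    return {l.strip().split("\\")[-1] for l in lines if l.strip()}

def missing_in_samba(passwd_text, group_text, listmem):
    """Return {group: [users]} that NSS lists as supplementary but Samba omits."""
    nss = supplementary_members(group_text, primary_gids(passwd_text))
    diff = {g: sorted(nss.get(g, set()) - samba_members(t)) for g, t in listmem.items()}
    return {g: users for g, users in diff.items() if users}

print(missing_in_samba(PASSWD, GROUP, LISTMEM))
```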
 

dlavigne

Guest
Please create a bug report at bugs.freenas.org and post the issue number here. This may or may not have been solved by the LDAP/AD overhaul coming in 9.1.2 and the developer would like to test the info in the bug report.
 

reason

Dabbler
Joined
Feb 19, 2013
Messages
12
Hello and good morning. Was this issue ever reported as a bug or resolved?
 

cyberjock

Inactive Account
Joined
Mar 25, 2012
Messages
19,526
Not sure, but as this thread is more than a year old I think it's safe to say that the problem was either user error or fixed LOOOONG ago.
 

reason

Dabbler
Joined
Feb 19, 2013
Messages
12
Thanks for the reply.

The reason I asked is because I am having issues with the secondary groups as well.

FreeNAS is seeing the users and groups but users do not show secondary groups.

These users, who are part of secondary groups, cannot access shares via the secondary groups configured on Windows machines.

Same system: FreeNAS, LDAP, ClearOS.

Everything works as it should when using NT4 in the same environment.

I've been searching online and can't find a definite answer for this.

Primary groups seem to work fine.

Any insight or leads?
 