group acl with winbind

Dan White dwhite at olp.net
Tue Apr 7 11:31:59 EDT 2015


On 04/07/15 16:28 +0200, Luca Olivetti wrote:
>I'm currently using cyrus-imapd 2.4.17 and sssd to obtain nss groups
>from an openldap server.
>I have some group acl which are currently working fine.
>I'm testing the migration to samba4 as an active directory domain
>controller and I'm trying to use winbind instead of sssd (which works
>perfectly btw).
>The problem is that with winbind group acls don't work.
>Group enumeration (a pain to configure) works:
>
>$ getent group | grep m_sist
>m_sist:x:674:ojeda,luca,calmet,rafa,oscar
>
>But I cannot set acl on that group:
>
>
>$ cyradm -u cyrus localhost
>Password:
>
>localhost> sam m_sist group:m_sist lrw
>setaclmailbox: group:m_sist: lrw: Invalid identifier
>localhost>

Could this be a permissions problem? Can the cyrus user successfully
execute the getent command?

>Meanwhile I have winbindd running in the foreground and the above sam
>command will cause no messages at all (i.e. it seems it isn't querying
>winbindd for group information)
>
>If I change nsswitch back to sssd (which is pulling data from the same
>samba4 server) and restart cyrus, it works:
>
>$ cyradm -u cyrus localhost
>Password:
>
>localhost> sam m_sist group:m_sist lrw
>localhost>
>
>The simple solution is to use sssd and forget about winbind, but I'm
>curious: why one works and the other doesn't given that group
>enumeration works with both?

Presumably your auth_mech is set to the default (unix), which is not
scalable, and has caused serious performance issues for me in the past.
See:

http://cyrusimap.org/docs/cyrus-imapd/2.4.17/overview.php#aclauth

If your group information is exposed over an LDAP backend, consider using
pts.

-- 
Dan White
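As an added illustration of the pts suggestion above (this fragment is not part of the original thread and is not Cyrus project documentation), an imapd.conf excerpt showing the default unix setting beside a pts/LDAP setup for an AD-style directory; the LDAP URI, base DNs, bind account, password and attribute names are placeholders and must be adjusted to the real directory.

```ini
# Default: group membership is resolved inside the imapd process through
# NSS (the same path as "getent group"). Every ACL check walks the full
# group list, and it only works if the NSS source (winbind, sssd, ...)
# answers for the cyrus user.
#auth_mech: unix

# Alternative: let ptloader resolve group membership directly from LDAP.
# All values below are placeholders for illustration, not from the thread.
auth_mech: pts
pts_module: ldap
ldap_uri: ldaps://dc.example.internal
ldap_base: dc=example,dc=internal
ldap_scope: sub
# AD stores the login name in sAMAccountName; %u is the Cyrus user name.
ldap_filter: (sAMAccountName=%u)
ldap_bind_dn: cn=cyrus-ptloader,cn=Users,dc=example,dc=internal
ldap_password: CHANGE-ME
# Group lookup for "group:<name>" ACL identifiers.
ldap_group_base: dc=example,dc=internal
ldap_group_filter: (cn=%u)
# Membership is read from the user's memberOf attribute; the cn of each
# group DN becomes the group name used in ACLs (e.g. group:m_sist).
ldap_member_method: attribute
ldap_member_attribute: memberOf
```

ptloader must also be started from cyrus.conf (`ptloader cmd="ptloader"` in the START section), and since imapd.conf now carries a bind password it should be readable only by the cyrus user.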