Re: group acl with winbind

On 04/07/15 16:28 +0200, Luca Olivetti wrote:
>I'm currently using cyrus-imapd 2.4.17 and sssd to obtain nss groups
>from an openldap server.
>I have some group acl which are currently working fine.
>I'm testing the migration to samba4 as an active directory domain
>controller and I'm trying to use winbind instead of sssd (which works
>perfectly btw).
>The problem is that with winbind group acls don't work.
>Group enumeration (a pain to configure) works:
>
>$ getent group | grep m_sist
>m_sist:x:674:ojeda,luca,calmet,rafa,oscar
>
>But I cannot set acl on that group:
>
>
>$ cyradm -u cyrus localhost
>Password:
>
>localhost> sam m_sist group:m_sist lrw
>setaclmailbox: group:m_sist: lrw: Invalid identifier
>localhost>

Could this be a permissions problem? Can the cyrus user successfully
execute the getent command?

>Meanwhile I have winbindd running in the foreground and the above sam
>command will cause no messages at all (i.e. it seems it isn't querying
>winbindd for group information)
>
>If I change nsswitch back to sssd (which is pulling data from the same
>samba4 server) and restart cyrus, it works:
>
>$ cyradm -u cyrus localhost
>Password:
>
>localhost> sam m_sist group:m_sist lrw
>localhost>
>
>The simple solution is to use sssd and forget about winbind, but I'm
>curious: why one works and the other doesn't given that group
>enumeration works with both?

Presumably your auth_mech is set to the default (unix), which is not
scalable, and has caused serious performance issues for me in the past.
See:

http://cyrusimap.org/docs/cyrus-imapd/2.4.17/overview.php#aclauth

If your group information is exposed over an LDAP backend, consider using
pts.

-- 
Dan White
----
Cyrus Home Page: http://www.cyrusimap.org/
List Archives/Info: http://lists.andrew.cmu.edu/pipermail/info-cyrus/
To Unsubscribe:
https://lists.andrew.cmu.edu/mailman/listinfo/info-cyrus
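
A check for the permissions question raised in the reply above, as an added example (not part of the original thread and not Cyrus code): `getent group | grep` only exercises group enumeration, so this script also resolves the group by name and reports whether the two paths agree for the user running it. It assumes that a `group:` identifier needs the by-name path to succeed; the function name and verdict strings are hypothetical.

```python
#!/usr/bin/env python3
"""Compare NSS group enumeration with by-name lookup for the current user."""
import grp
import os
import pwd
import sys


def check_group(name, by_name=grp.getgrnam, enumerate_all=grp.getgrall):
    """Return how `name` resolves through each NSS lookup path."""
    try:
        entry = by_name(name)  # getgrnam(3): direct lookup by name
        named = (entry.gr_gid, sorted(entry.gr_mem))
    except KeyError:
        named = None
    # getgrent(3) walk: the path exercised by `getent group | grep ...`
    listed = [(g.gr_gid, sorted(g.gr_mem)) for g in enumerate_all()
              if g.gr_name == name]
    if named and listed:
        verdict = "ok" if named in listed else "mismatch"
    elif listed:
        verdict = "enumeration-only"  # visible in listings, not by name
    elif named:
        verdict = "by-name-only"      # enumeration disabled or filtered
    else:
        verdict = "missing"
    return {"group": name, "by_name": named, "enumerated": listed,
            "verdict": verdict}


def main(argv):
    if len(argv) != 2:
        print(f"usage: {argv[0]} GROUP", file=sys.stderr)
        return 2
    who = pwd.getpwuid(os.geteuid()).pw_name
    result = check_group(argv[1])
    print(f"user={who} group={result['group']} verdict={result['verdict']}")
    print(f"  by name:    {result['by_name']}")
    print(f"  enumerated: {result['enumerated']}")
    return 0 if result["verdict"] == "ok" else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it once as the service account (for example `sudo -u cyrus python3 nss_group_check.py m_sist`, where the file name is a placeholder) and once as your own user, then compare the verdicts under winbind and under sssd.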




