Andre Fernando Goldacker
2005-Oct-14 12:07 UTC
[Samba] wbinfo not looking up groups in mixed MS NT/2k AD
Hello,

I'm having trouble when I try to get a group SID from my domain; the user lookup and authentication are working fine. Actually, what I'm trying to do is to authenticate squid against MS AD using winbind. I need to restrict access by group, so I'm using wbinfo_group.pl to do it. The machine has been built to be a proxy server only.

I'm using Suse Linux 9.3 Professional
samba-3.0.13-1.1
squid-2.5.STABLE9-4.4

Below are my .conf files:

/etc/nsswitch.conf
passwd:     files winbind
shadow:     files nis
group:      files winbind
hosts:      files lwres dns
networks:   files dns
services:   files
protocols:  files
rpc:        files
ethers:     files
netmasks:   files
netgroup:   files winbind
publickey:  files
bootparams: files
automount:  files nis
aliases:    files

/etc/samba/smb.conf
[global]
        workgroup = EARTH
        server string = Samba Server
        netbios name = Mordor
        printing = cups
        printcap name = cups
        printcap cache time = 750
        cups options = raw
        printer admin = @ntadmin, root, administrator
        security = ads
        realm = EARTH.COM
        allow trusted domains = no
        password server = ads01.earth.com ads02.earth.com
        encrypt passwords = yes
        winbind uid = 5000-100000000
        winbind gid = 5000-100000000
        # winbind use default domain = yes
        winbind separator = \\
        winbind enum users = yes
        winbind enum groups = yes
        template homedir = /home/%D/%U
        template shell = /bin/bash

Auth lines from my squid.conf file:
auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
external_acl_type grupo ttl=900 concurrency=70 %LOGIN /usr/sbin/wbinfo_group.pl
acl acesso external grupo internet
acl CONNECT method CONNECT
acl rede proxy_auth REQUIRED src 172.31.16.0/24
http_access allow acesso

If I change it to just authenticate users against the AD it works, but group restrictions don't...

OK, let's see what's going on....

wbinfo -t
checking the trust secret via RPC calls succeeded

.... Looks ok...

wbinfo -u
EARTH\user1
EARTH\user2
EARTH\user3
...
Looks great too...

wbinfo -g
BUILTIN\system operators
BUILTIN\replicators
BUILTIN\guests
BUILTIN\power users
BUILTIN\print operators
BUILTIN\administrators
BUILTIN\account operators
BUILTIN\backup operators
BUILTIN\users
EARTH\domain users
EARTH\domain guests
EARTH\domain computers
EARTH\group policy creator owners
EARTH\schema adm
....

Again everything seems to be fine, as with getent passwd and getent group too...

getent passwd
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/bin/bash
daemon:x:2:2:Daemon:/sbin:/bin/bash
EARTH\user1:x:502:501:User1:/home/EARTH/user1:/bin/bash
EARTH\user2:x:503:501:User2:/home/EARTH/user2:/bin/bash
EARTH\user3:x:504:501:User3:/home/EARTH/user3:/bin/bash

getent group
root:x:0:
bin:x:1:daemon
EARTH\domain users:x:501:
EARTH\domain guests:x:504:
EARTH\domain computers:x:503:
EARTH\testgroup:x:603:EARTH\user1,EARTH\user-xyz
....

Let's try to authenticate a user:

wbinfo -a 'EARTH\user1%testuser'
plaintext password authentication succeeded
challenge/response password authentication succeeded

OK, let's try to get a user SID:

wbinfo -n 'EARTH\user1'
S-1-5-21-1707697585-1731156218-134157935-4028 User (1)

But the same with a group SID doesn't work, and there's nothing in the winbind log file....

wbinfo -n 'EARTH\testgroup'
Could not lookup name EARTH\testgroup

I think that's the reason why my squid can't match users / groups.
My winbind log file reports the following lines when I try to match user/group from squid:

[2005/10/13 16:46:48, 0] lib/util_sid.c:string_to_sid(301)
  string_to_sid: Sid Could not lookup name internet does not start with 'S-'.
[2005/10/13 16:46:48, 1] nsswitch/winbindd_sid.c:winbindd_sid_to_gid(241)
  Could not cvt string to sid Could not lookup name internet

Any clues why I can look up users, but not groups?
My AD has about 1100 users and 150 groups.

Any help will be much appreciated,
André
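The winbind log quoted above is worth reading closely: the literal text "Could not lookup name internet" reached string_to_sid(), which means the output of a failed name lookup was handed to winbindd as if it were a SID. Two things a practitioner would check from the post alone: the squid acl names the group as bare `internet`, while the posted smb.conf leaves `winbind use default domain` commented out and `wbinfo -g` lists every group as `EARTH\...`; running `wbinfo -n 'EARTH\internet'` tells you whether the prefix is the difference (though `wbinfo -n 'EARTH\testgroup'` already fails with the prefix, so it is not the whole story). Independently of the cause, a group helper should fail closed when a lookup returns error text. The following is an added example written for this thread, not wbinfo_group.pl or any Samba code: it has the shape of a Squid external ACL helper (one "<channel-id> <user> <group> ..." request line in, one "<channel-id> OK|ERR" reply out), validates anything that claims to be a SID before using it, and qualifies bare names with the domain. The winbind queries are injected callables, and the lookup table is constructed to mirror the post's output; the domain SID prefix and user RID are copied from the post, while the group `proxyusers` and its RID are invented for the success case.

```python
"""Fail-closed group check in the shape of a Squid external ACL helper.

Added example, not wbinfo_group.pl or any other Samba code. Squid hands a
helper lines of the form "<channel-id> <user> <group> [<group> ...]" (the
channel id comes from concurrency=N) and expects "<channel-id> OK" or
"<channel-id> ERR" back. Winbind lookups are injected as callables so the
module runs offline; the constructed table below mirrors the wbinfo output
quoted in the post (user1 resolves to a SID, testgroup and internet do not).
"""
import re
import sys
from typing import Callable, Iterable, Optional

# A SID as wbinfo prints it: S-1-<identifier authority>-<sub-authority>...
SID_RE = re.compile(r"^S-1-\d+(?:-\d+)+$")

DOMAIN = "EARTH"
SEPARATOR = "\\"  # winbind separator = \ in the post's smb.conf

# Constructed stand-in for `wbinfo -n <name>`. The domain SID prefix and the
# user RID 4028 are copied from the post; "proxyusers" and RID 1105 are
# invented for the success case.
FAKE_WBINFO_N = {
    "EARTH\\user1": "S-1-5-21-1707697585-1731156218-134157935-4028 User (1)",
    "EARTH\\proxyusers": "S-1-5-21-1707697585-1731156218-134157935-1105 Domain Group (2)",
    "EARTH\\testgroup": "Could not lookup name EARTH\\testgroup",
    "EARTH\\internet": "Could not lookup name internet",
}
# Constructed stand-in for a query of the user's group SIDs.
FAKE_MEMBERSHIP = {
    "S-1-5-21-1707697585-1731156218-134157935-4028": [
        "S-1-5-21-1707697585-1731156218-134157935-1105",
    ],
}


def fake_lookup_name(name: str) -> str:
    return FAKE_WBINFO_N.get(name, f"Could not lookup name {name}")


def fake_user_group_sids(user_sid: str) -> Iterable[str]:
    return FAKE_MEMBERSHIP.get(user_sid, [])


def parse_sid(wbinfo_output: str) -> Optional[str]:
    """Return the SID in a `wbinfo -n` style line, or None for any error text.

    The post's winbind log shows the literal string "Could not lookup name
    internet" reaching string_to_sid(); a helper must not forward lookup
    output it has not validated.
    """
    tokens = wbinfo_output.split()
    if not tokens or not SID_RE.match(tokens[0]):
        return None
    return tokens[0]


def qualify(name: str) -> str:
    """Prefix a bare name with DOMAIN\\ ('winbind use default domain' is off in the post)."""
    return name if SEPARATOR in name else f"{DOMAIN}{SEPARATOR}{name}"


def is_member(user: str, groups: Iterable[str],
              lookup_name: Callable[[str], str],
              user_group_sids: Callable[[str], Iterable[str]]) -> bool:
    """True only if the lookups succeed and the user holds one of the groups' SIDs."""
    user_sid = parse_sid(lookup_name(qualify(user)))
    if user_sid is None:
        return False
    held = set(user_group_sids(user_sid))
    for group in groups:
        group_sid = parse_sid(lookup_name(qualify(group)))
        if group_sid is not None and group_sid in held:
            return True
    return False  # unresolvable group, failed lookup, or not a member: deny


def handle_line(line: str, lookup_name=fake_lookup_name,
                user_group_sids=fake_user_group_sids) -> str:
    """One request line in, one reply line out; malformed input is denied."""
    parts = line.split()
    if not parts:
        return "ERR"
    channel, rest = parts[0], parts[1:]
    if len(rest) < 2:
        return f"{channel} ERR"
    ok = is_member(rest[0], rest[1:], lookup_name, user_group_sids)
    return f"{channel} {'OK' if ok else 'ERR'}"


def main() -> None:
    # Squid keeps the helper running and speaks line by line over stdin/stdout.
    for line in sys.stdin:
        sys.stdout.write(handle_line(line) + "\n")
        sys.stdout.flush()


if __name__ == "__main__":
    main()
```

Run it with `echo '0 user1 proxyusers' | python3 helper.py` to see `0 OK`, and with `internet` or `testgroup` in place of `proxyusers` to see the deny; the point is that the failed lookups of the post produce `ERR` instead of a malformed SID reaching winbindd. Wiring it to a real winbind means replacing the two fake callables with `wbinfo -n` and a group-SID query, keeping `parse_sid` in between.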
Felipe Augusto van de Wiel
2005-Oct-14 13:14 UTC
[Samba] wbinfo not looking up groups in mixed MS NT/2k AD
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Andre Fernando Goldacker wrote:
[...]
> wbinfo -n 'EARTH\testgroup'
> Could not lookup name EARTH\testgroup
> I think that's the reason why my squid can't match users / groups.
> My winbind log file reports me the following lines when I try to
> match user/group from squid:
> [2005/10/13 16:46:48, 0] lib/util_sid.c:string_to_sid(301)
>   string_to_sid: Sid Could not lookup name internet does not start
>   with 'S-'.
> [2005/10/13 16:46:48, 1] nsswitch/winbindd_sid.c:winbindd_sid_to_gid(241)
>   Could not cvt string to sid Could not lookup name internet
> Any clues why I can look up users, but not groups?
> My AD has about 1100 users and 150 groups.
> Any help will be much appreciated,

Never saw this problem before, but looking at the logs, it looks like your group entry does not have the proper field set, or the field is not right; in other words, it does not start with "S-" like all the SIDs. It is not much help, but perhaps it could be a start. Good luck!

Kind regards,
- --
//////////
// Felipe Augusto van de Wiel <felipe@paranacidade.org.br>
// CTI/Suporte - SEDU/PARANACIDADE
// http://www.paranacidade.org.br/
//////////
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (GNU/Linux)
Comment: Using GnuPG with Debian - http://enigmail.mozdev.org

iD8DBQFDT69HCj65ZxU4gPQRAud7AKCXdp+qPvaiyDX10VuqO3WpftM5MgCfQ4rN
t1bixV+pGNo1N9MTvz9SfsA=
=AqZF
-----END PGP SIGNATURE-----