Hi,
Could this be a bug or misconfiguration?
'wbinfo -g' only returns partial results compared to 'net ads group', thus
unable to authenticate
# wbinfo -g | wc -l
4998
# net ads group | wc -l
9114
# getent group | wc -l
5047 [+ local groups]
Take a group dl.samplegroup, which is in the DC, but missing from wbinfo
# net ads group | grep dl.samplegroup
dl.samplegroup [found]
# wbinfo -g | grep dl.samplegroup
[not found]
# getent group | grep dl.samplegroup
[not found]
BUT, these work
# getent group dl.samplegroup
dl.samplegroup:*:15053: user1,user2,....
# wbinfo -n dl.samplegroup
S-1-5-21-839012768-2468886555-2058922813-7287 Domain Group (2)
# wbinfo -Y S-1-5-21-839012768-2468886555-2058922813-7287
15053
So what goes wrong?
My configuration is as follows, quite simple:
smb.conf
=======
[global]
workgroup = MYDOMAIN
netbios name = MYSERVER
server string = MYSERVER
interfaces = eth0 lo
bind interfaces only = Yes
security = ads
password server = mydc1 mydc2
realm = MYDOMAIN.COM
log file = /var/log/samba/%m.log
log level = 3 winbind:5 nmb:5
max log size = 10000
encrypt passwords = Yes
update encrypted = Yes
smb passwd file = /etc/samba/smbpasswd
# NOTE: Use these with 'encrypt passwords' and 'smb passwd file' above.
passwd program = /usr/bin/passwd %u
passwd chat = *New*UNIX*password* %n\n *ReType*new*UNIX*password* %n\n *passwd:*all*authentication*tokens*updated*successfully*
# Avoid other domains in forest
allow trusted domains = no
winbind cache time = 300
winbind uid = 10000-100000
winbind gid = 10000-100000
winbind enum users = no
winbind enum groups = yes
winbind use default domain = yes
winbind trusted domains only = no
name resolve order = lmhosts wins host bcast
wins server = mydc1 mydc2
wins proxy = yes
wins support = no
dns proxy = No
oplocks = Yes
level2 oplocks = Yes
read only = yes
browseable = yes
printable = No
nsswitch.conf
============
passwd: files winbind
group: files winbind
krb5.conf
========
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
default_realm = MYDOMAIN.COM
dns_lookup_realm = false
dns_lookup_kdc = false
ticket_lifetime = 24h
forwardable = yes
[realms]
MYDOMAIN.COM = {
kdc = mydc1.MYDOMAIN.com:88
admin_server = mydc1.MYDOMAIN.com:749
default_domain = MYDOMAIN.com
}
[domain_realm]
.MYDOMAIN.com = MYDOMAIN.COM
MYDOMAIN.com = MYDOMAIN.COM
[kdc]
profile = /etc/kdc.conf
[appdefaults]
pam = {
debug = false
ticket_lifetime = 36000
renew_lifetime = 36000
forwardable = true
krb4_convert = false
}
Checking with the Domain admin, it turns out that the groups that do not appear
in wbinfo are of Group Type 'Distribution' in Win2k AD? The others are of type
'Security'.
My system:
CentOS 5 2.6.18-8.el5
Samba:
samba-common-3.0.23c-2.el5.2.0.2
samba-3.0.23c-2.el5.2.0.2
Thanks.
Cheers,
CK Ng
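The enumeration-versus-lookup gap described in the message above can be checked systematically with the script below. It is an added example, not part of CK Ng's post or of Samba itself: it lists the groups 'net ads group' reports but 'wbinfo -g' omits and, for each, records whether 'wbinfo -n' and 'getent group NAME' still resolve it by name, as dl.samplegroup does in the post. The NET/WBINFO/GETENT variables and the function names are assumptions made here; bare lowercase group names are assumed because the posted smb.conf sets 'winbind use default domain = yes'.

```shell
#!/bin/sh
# Added diagnostic (not from the original post): find groups that
# 'net ads group' lists but 'wbinfo -g' omits, then check whether each
# still resolves by name. NET/WBINFO/GETENT default to the real tools;
# they are variables only so the logic can be exercised against stubs.
NET=${NET:-net}
WBINFO=${WBINFO:-wbinfo}
GETENT=${GETENT:-getent}
LC_ALL=C; export LC_ALL   # sort and comm must agree on collation

# missing_groups ADS_LIST WB_LIST: names (one per line) in ADS_LIST that
# are absent from WB_LIST. Compared case-insensitively: winbind prints
# bare lowercase names (winbind use default domain = yes), AD keeps case.
missing_groups() {
    a=$(mktemp) && b=$(mktemp) || return 1
    tr 'A-Z' 'a-z' < "$1" | sort -u > "$a"
    tr 'A-Z' 'a-z' < "$2" | sort -u > "$b"
    comm -23 "$a" "$b"
    rm -f "$a" "$b"
}

# classify_group NAME: prints "NAME|SID|GID|VERDICT".
#   lookup-only   resolves via wbinfo -n and getent group NAME despite
#                 being missing from wbinfo -g (the dl.samplegroup case)
#   sid-only      winbind maps the name to a SID but NSS cannot see it
#   unresolvable  winbind cannot map the name at all
classify_group() {
    name=$1
    sid=$("$WBINFO" -n "$name" 2>/dev/null | cut -d' ' -f1)
    if [ -z "$sid" ]; then
        printf '%s|-|-|unresolvable\n' "$name"
        return 0
    fi
    gid=$("$WBINFO" -Y "$sid" 2>/dev/null)
    nss=$("$GETENT" group "$name" 2>/dev/null | cut -d: -f3)
    if [ -n "$nss" ]; then verdict=lookup-only; else verdict=sid-only; fi
    printf '%s|%s|%s|%s\n' "$name" "$sid" "${gid:-?}" "$verdict"
}

# report ADS_LIST WB_LIST: classify every group missing from WB_LIST.
report() {
    missing_groups "$1" "$2" | while read -r g; do classify_group "$g"; done
}

# Live run on a joined member server: snapshot both enumerations first.
snapshot_and_report() {
    ads=$(mktemp) && wb=$(mktemp) || return 1
    "$NET" ads group > "$ads" && "$WBINFO" -g > "$wb" && report "$ads" "$wb"
    rm -f "$ads" "$wb"
}
```

A group reported as lookup-only that is an AD distribution group is not a security principal: it never appears in a user's access token, so it cannot satisfy a group-based access check even though winbind resolves its name and SID.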