Eric Gottesman
2007-Nov-14 20:04 UTC
[Samba] problems with groups, winbind authenticating a centOS 4 machine to AD
WHY HELLO.

i have a centOS 4.4 machine running samba 3.0.10-1.4E.9. my goal is to log in to the machine using AD credentials. at the moment, i'm successfully logging in, but i can't retrieve groups for AD users:

-bash-3.00$ groups
id: cannot find name for group ID 16777216
16777216 id: cannot find name for group ID 16777217
16777217 id: cannot find name for group ID 16777218
16777218 id: cannot find name for group ID 16777219
16777219 id: cannot find name for group ID 16777220
16777220 id: cannot find name for group ID 16777221
16777221 id: cannot find name for group ID 16777222
16777222 id: cannot find name for group ID 16777223
16777223

here's my smb.conf:

[global]
workgroup = DEV
server string = STGRAD01
security = domain
log file = /var/log/samba/%m.log
log level = 3
local master = no
max log size = 50
dns proxy = no
password server = devadmin01.dev.company.com
idmap uid = 16777216-33554431
idmap gid = 16777216-33554431
template shell = /bin/bash
winbind use default domain = no
winbind enum users = yes
winbind enum groups = yes
# winbind separator = \

[homes]
comment = Home Directories
browseable = no
writable = yes

...and here's a snippet from winbindd.log:

[2007/11/14 11:54:46, 3] nsswitch/winbindd_group.c:winbindd_getgrgid(348)
  [23928]: getgrgid 16777223
[2007/11/14 11:54:46, 3] nsswitch/winbindd_rpc.c:msrpc_sid_to_name(338)
  sid_to_name [rpc] S-1-5-21-1482476501-926492609-1644491937-518 for domain DEV
[2007/11/14 11:54:46, 3] libads/ldap.c:ads_connect(285)
  Connected to LDAP server 10.11.1.21
[2007/11/14 11:54:46, 3] libads/ldap.c:ads_server_info(2469)
  got ldap server name devadmin01@DEV.COMPANY.COM, using bind path: dc=DEV,dc=COMPANY,dc=COM
[2007/11/14 11:54:46, 3] nsswitch/winbindd_cm.c:cm_get_ipc_userpass(109)
  IPC$ connections done anonymously
[2007/11/14 11:54:46, 3] libsmb/cliconnect.c:cli_start_connection(1388)
  Connecting to host=DEVADMIN01
[2007/11/14 11:54:46, 3] lib/util_sock.c:open_socket_out(752)
  Connecting to 10.11.1.21 at port 445
[2007/11/14 11:54:46, 1] nsswitch/winbindd_group.c:fill_grent_mem(133)
  could not lookup membership for group rid S-1-5-21-1482476501-926492609-1644491937-518 in domain DEV (error: NT_STATUS_ACCESS_DENIED)

also, for some reason everything breaks if i uncomment the winbind separator line.

any ideas?