Ľubomír Brindza
2011-Sep-20 07:12 UTC
[Samba] getent group not listing domain groups / wbinfo -r not working
I know, I know, this again :)

The company I work for would like to use squid for proxy authentication purposes using NTLM, using a Windows 2008 R2 server as a DC. I've managed to set up samba/winbind to use ads and successfully joined the domain. Configured nsswitch.conf to look up winbind entities (however I didn't touch PAM configuration, as I don't actually want the users to be able to log in to the linux machine).

wbinfo -t reports a successful check of trust. wbinfo -u / wbinfo -g work as intended, e.g. dump a list of domain users / groups. I can authenticate using wbinfo -a (both plaintext and challenge-response) and wbinfo -K.

nsswitch.conf:
> passwd: compat winbind
> group: compat winbind

As far as I can tell, nsswitch.conf is also configured properly, since `getent passwd` dumps local users, waits about .2 seconds, and dumps domain users:
> sasa.sokolova:*:10283:10001:Sasa Sokolova:/home/LIONSK/sasa.sokolova:/bin/false
> adam.szabados:*:10284:10001:Adam Szabados:/home/LIONSK/adam.szabados:/bin/false

(All domain users are members of group '10001', is this normal?)

However, `getent group` lists only local groups. No waiting time, it just dumps local groups and exits. Likewise, when attempting to `wbinfo -r <domainuser>`, the command fails with 'Could not get groups for <domainuser>'.

I've run strace on `getent group` (which, incidentally, shows a timeout, but none is perceived); the result can hopefully be viewed here: http://halka.yw.sk/ext/strace_getent_group.txt

A widely suggested fix for this was to delete /var/lib/samba/winbindd_idmap.tdb (for Samba versions up to 3.2.x?), but the problems persist even after clearing the cache. This is the point at which I'm stumped, since management wants to apply different squid ACLs based on domain user's group.

The funny (or not) thing is, when authenticating using domain group restriction, e.g.:
> /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp --require-membership-of=DOMAIN\\it
...works as intended (allows only members of the group 'it' to authenticate successfully), but that's about as far as I can get.

I'm using samba 3.5.8 as provided by, cough, Ubuntu (10.08) packages. I've previously tried a similar solution on Debian lenny. Now, this is a virtual server which only holds samba and squid, so I have no qualms about reinstalling, using various pre-alpha versions or anything, so wild ideas like this are not unwelcome.

I've linked my configuration files below, since I'm not yet sure about proper attachment etiquette in mailing lists:
http://halka.yw.sk/ext/krb5.conf
http://halka.yw.sk/ext/smb.conf
http://halka.yw.sk/ext/nsswitch.conf

Any help is of course greatly appreciated.

--
Ľubomír Brindza
xmpp: lubomir.brindza at gmail.com

Your eyes are weary from staring at the CRT. You feel sleepy. Notice how restful it is to watch the cursor blink. Close your eyes. The opinions stated above are yours. You cannot imagine why you ever felt otherwise.
Ľubomír Brindza
2011-Sep-21 14:29 UTC
[Samba] getent group not listing domain groups / wbinfo -r not working
Update. Ugly hacks abound, be warned.

> As far as I can tell, nsswitch.conf is also configured properly, since
> `getent passwd` dumps local users, waits about .2 seconds, and dumps
> domain users:
>> sasa.sokolova:*:10283:10001:Sasa Sokolova:/home/LIONSK/sasa.sokolova:/bin/false
>> adam.szabados:*:10284:10001:Adam Szabados:/home/LIONSK/adam.szabados:/bin/false
> (All domain users are members of group '10001', is this normal?)

As I've found out, `getent passwd` lists users and their *primary* AD group, which is 'Domain Users' by default. After changing the user's primary group (and restarting the whole server, unsure how often wbinfo refreshes its data), `getent passwd` shows users along with their new primary group (the one I'm actually looking for).

Please note that at my organization there is very little to no overlap between different AD groups, so this ugly ha^H^H^H fix may not necessarily work out for you. I'm using 'plain' AD -> UID/GID identity mapping, and you might want to use the idmap_rid backend.

Since `wbinfo -r <user>` still fails however, I've resorted to altering the wbinfo_group.pl script shipped with squid (it's used to check whether a user belongs to a group). Patch attached; don't laugh :> I understand that this could result in a large performance hit (among other things), but so far it's working as intended. Please don't hesitate to point out the flaws.

-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: ad_group.patch
URL: <http://lists.samba.org/pipermail/samba/attachments/20110921/487310bb/attachment.ksh>
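For readers who want to see the shape of the workaround described in this thread, here is an added example (my own code, not the poster's ad_group.patch and not squid's wbinfo_group.pl) of a squid external ACL helper that decides membership from `getent passwd`/`getent group` output, treating a user's primary GID as membership alongside explicit group members. It assumes the helper receives request lines of the form `user group [group...]` and answers `OK`/`ERR`, that winbind strips the domain prefix (`winbind use default domain = yes`) or uses `\` or `+` as separator, and that group names contain no whitespace; the sample NSS data is constructed.

```python
import subprocess
import sys

# Constructed sample NSS data in the shape the post shows; not real accounts.
# sasa.sokolova is an explicit member of 'it'; adam.szabados has had his
# primary group changed to 'it' (GID 10005), the workaround from the post.
SAMPLE_PASSWD = """sasa.sokolova:*:10283:10001:Sasa Sokolova:/home/LIONSK/sasa.sokolova:/bin/false
adam.szabados:*:10284:10005:Adam Szabados:/home/LIONSK/adam.szabados:/bin/false
"""
SAMPLE_GROUP = """domain users:x:10001:
it:x:10005:sasa.sokolova
"""

def parse_passwd(text):
    """Map user name -> primary GID from passwd(5)-formatted lines."""
    gids = {}
    for line in text.splitlines():
        f = line.split(":")
        if len(f) >= 4:
            gids[f[0].lower()] = int(f[3])
    return gids

def parse_group(text):
    """Map group name -> (GID, explicit members) from group(5)-formatted lines."""
    groups = {}
    for line in text.splitlines():
        f = line.split(":")
        if len(f) >= 4:
            groups[f[0].lower()] = (int(f[2]), {m.lower() for m in f[3].split(",") if m})
    return groups

def normalize_user(user):
    """Drop a DOMAIN\\ or DOMAIN+ prefix (assumed winbind separators)."""
    for sep in ("\\", "+"):
        user = user.rsplit(sep, 1)[-1]
    return user.lower()

def user_in_group(user, group, passwd, groups):
    """Member if listed in the group, or if the group is the user's primary GID."""
    user = normalize_user(user)
    entry = groups.get(group.lower())
    return entry is not None and (user in entry[1] or passwd.get(user) == entry[0])

def handle_request(line, passwd, groups):
    """One helper exchange: request 'user group [group...]' -> 'OK' or 'ERR'."""
    parts = line.split()
    if len(parts) < 2:
        return "ERR"
    return "OK" if any(user_in_group(parts[0], g, passwd, groups) for g in parts[1:]) else "ERR"

if __name__ == "__main__":  # live mode: read the NSS databases via getent
    pw = parse_passwd(subprocess.check_output(["getent", "passwd"], text=True))
    gr = parse_group(subprocess.check_output(["getent", "group"], text=True))
    for req in sys.stdin:
        print(handle_request(req, pw, gr), flush=True)
```

In live mode the NSS data is read once at startup, so a helper instance has to be restarted (or extended to re-read periodically) to pick up group changes.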