Hi Samba Folks, we use Ubuntu 16.04 LTS with Samba 4.3.11 (from distribution). Our ADS is Windows 2008 R2. We want to use Linux as a squid proxy with domain auth (SSO). Problem is, that most of the usernames have a white space and it seems that winbind wont handle it. I get this on my cache log with /usr/lib/squid/ext_wbinfo_group_acl (wbinfo_group.pl) script. Got max Internet-Access from squid User: -max- Group: -Internet-Accesss- SID: -S-1-5-21-3122064890-3824127986-1965815265-2719- GID: -10004- failed to call wbcGetGroups: WBC_ERR_DOMAIN_NOT_FOUND Could not get groups for user max Sending ERR to squid Problem is, that username is not max, it is "max mustermann". You can see, that the user sid is well resolved (how ever it is possible). Users with no white spaces works fine in squid. Same problem with wbinfo: $ wbinfo -u|grep max max mustermann but when I try to get user info or user group info: $ wbinfo -i "max mustermann" failed to call wbcGetpwnam: WBC_ERR_DOMAIN_NOT_FOUND Could not get info for user max mustermann $ wbinfo -r "max mustermann" failed to call wbcGetGroups: WBC_ERR_DOMAIN_NOT_FOUND Could not get groups for user max mustermann And when the username contains no white space, it works well: $ wbinfo -i Administrator administrator:*:10000:10005:Administrator:/home/MYDOM/administrator:/bin/false $ wbinfo -r Administrator 10005 10006 10007 10008 10009 10010 10011 10012 10013 10014 10015 10016 10017 10018 10019 10020 10021 10022 10001 10000 $ wbinfo -t kinit checking the trust secret for domain MYDOM via RPC calls succeeded Any thing I can do? Is there any needed smb.conf param, which can help? I have found many ppl on internet, which have suffered from the same problem, but I found no solution for my case. Regards, Thomas
On Tue, 18 Apr 2017 17:47:55 +0200 Thomas Creutz via samba <samba at lists.samba.org> wrote:> Hi Samba Folks, > > we use Ubuntu 16.04 LTS with Samba 4.3.11 (from distribution). Our > ADS is Windows 2008 R2. We want to use Linux as a squid proxy with > domain auth (SSO). > Problem is, that most of the usernames have a white space and it > seems that winbind wont handle it. > > I get this on my cache log with /usr/lib/squid/ext_wbinfo_group_acl > (wbinfo_group.pl) script. > > Got max Internet-Access from squid > User: -max- > Group: -Internet-Accesss- > SID: -S-1-5-21-3122064890-3824127986-1965815265-2719- > GID: -10004- > failed to call wbcGetGroups: WBC_ERR_DOMAIN_NOT_FOUND > Could not get groups for user max > Sending ERR to squid > > Problem is, that username is not max, it is "max mustermann".Are you mixing up the users 'cn' and 'samaccountname' ? The users 'cn' could be 'max mustermann', but the users 'samaccountname' could well be 'max', in fact it can be anything, upto 20 characters long and without spaces. So the question should be, what is squid asking for ? Rowland
Hello Penny Am 18.04.2017 um 18:27 schrieb Rowland Penny via samba:> On Tue, 18 Apr 2017 17:47:55 +0200 > > Are you mixing up the users 'cn' and 'samaccountname' ? > > The users 'cn' could be 'max mustermann', but the users > 'samaccountname' could well be 'max', in fact it can be anything, upto > 20 characters long and without spaces.sorry but the sAMAccountName has the white spaces too: $ ldapsearch -h server -x -LLL -b "dc=mydom,dc=de" -D "cn=Proxy Benutzer,cn=Users,dc=mydom,dc=de" -W "cn=max mustermann" sAMAccountName | grep sAMAccountName Enter LDAP Password: sAMAccountName: Max Mustermann I know it is ugly, but it is not born on my idea. But MS also dont have any problems with it. Is it not really supported in samba? Regards Thomas