Sorry, I did not include my distro.
Fedora Core 4 - 2.6.11-1.1369_FC4 #1 Thu Jun 2 22:55:56 EDT 2005 i686 i686 i386 GNU/Linux
TIA
On 2/27/06, Adam Bruncaj <abruncaj@gmail.com> wrote:
> Hello,
>
> I have been using samba to authenticate my squid users to Active
> Directory. Because of the amount of users, I would like to set up my
> ACLs based on groups, rather than individual user accounts.
>
> I have successfully joined my samba box to our windows domain (2k).
> For some reason I had to enter the domain controller name instead of
> the domain name when doing so. I am now having issues looking up user
> groups using wbinfo_group and/or "wbinfo -r username".
>
> The following are some commands, conf files & logs (the parts that I
> believe are relevant). I have a feeling I have more than one issue
> going on here. Please let me know if you need more info.
>
> I doubt there are limitations, but we are in a somewhat large
> environment (about 4,000 user accounts) with multiple sub domains.
>
> -----
> # I compiled squid with...
> ./configure --enable-external-acl-helpers="unix_group,wbinfo_group"
> --------------
> [root@lions squid]# rpm -q samba
> samba-3.0.21c-1
> --------------
> [root@lions squid]# wbinfo -a domainuser1%hispass
> plaintext password authentication succeeded
> challenge/response password authentication succeeded
> -------------------
> [root@lions squid]# wbinfo -t
> checking the trust secret via RPC calls succeeded
> -------------------
> [root@lions squid]# wbinfo -u |more
> SUBDOMAIN1\exemployees
> SUBDOMAIN1\installservice
> ...
> ..
> SUBDOMAIN2\exch
> SUBDOMAIN2\adcsv
> SUBDOMAIN2\administrator
> ..
> ..
> domainuser1 #These are the accounts that I would be working with and
> would need to look up their groups. note that
> domainuser2
> domainuser2
> ..
> ..
> --------------------------------
> [root@lions samba]# wbinfo -n domainuser1
> S-1-5-21-954140891-1229348589-1136263860-10879 User (1)
> --------------------------------
> *********[root@lions squid]# ./wbinfo_group.pl
> user1 "domain users"
> Could not lookup name domain users
> Could not convert sid to gid
> Could not get groups for user user1
> OK
> # also tried domain\\user domain\\group
> ------------------
> ********[root@lions samba]# wbinfo -r domainuser1
> Could not get groups for user domainuser1
> #also tried with domain\\domainuser1
> -------------------
> [root@lions samba]# wbinfo --sequence
> SubDomain1 : DISCONNECTED
> SubDomain2 : DISCONNECTED
> Subdomain3 : 2576451
> LIONS : 1
> BUILTIN : 1
> MyDomain : DISCONNECTED # it states disconnected, but I am able to
> view users and groups?
> --------------------
>
> My conf files....
> ------------------------------------------------
> (smb.conf) # note that this is the whole conf file. I read that this
> is all I need
>
> [global]
> workgroup = MyDomain
> netbios name = lions
> password server = 10.20.250.2
> security = domain
> winbind uid = 10000-20000
> winbind gid = 10000-20000
> winbind use default domain = yes
> ------------------------------------------------
> (nsswitch.conf)
> #
> # /etc/nsswitch.conf
> #
> # To use db, put the "db" in front of "files" for entries you want to be
> # looked up first in the databases
> #
> # Example:
> #passwd: db files nisplus nis
> #shadow: db files nisplus nis
> #group: db files nisplus nis
> passwd: files winbind
> shadow: files winbind
> group: files winbind
> #hosts: db files nisplus nis dns
> hosts: files winbind dns
> # Example - obey only what nisplus tells us...
> #services: nisplus [NOTFOUND=return] files
> #networks: nisplus [NOTFOUND=return] files
> #protocols: nisplus [NOTFOUND=return] files
> #rpc: nisplus [NOTFOUND=return] files
> #ethers: nisplus [NOTFOUND=return] files
> #netmasks: nisplus [NOTFOUND=return] files
> bootparams: nisplus [NOTFOUND=return] files
> ethers: db files
> netmasks: files
> networks: files dns
> protocols: files winbind
> rpc: db files
> services: files winbind
> netgroup: files winbind
> publickey: nisplus
> automount: files winbind
> aliases: files nisplus
> ---------------------------------
> (krb5.conf)
>
> [libdefaults]
> default_realm = Mydomain.domain.com
>
> dns_lookup_realm = true
> dns_lookup_kdc = true
> [realms]
> MY = {
> kdc = domaincontroller1.mydomain.domain.com
> admin_server = domaincontroller1
> kdc = domaincontroller1
> }
>
> [domain_realm]
> .kerberos.server = MYDOMAIN.DOMAIN.COM
> ---------------------------------------
>
> Log files:
> --------------------------------
> [root@lions samba]# vi winbindd.log
> [2006/02/27 08:02:32, 1] nsswitch/winbindd_ads.c:ads_cached_connection(109)
> ads_connect for domain SUBDOMAIN2 failed: No such file or directory
> [2006/02/27 08:04:08, 1] nsswitch/winbindd_sid.c:winbindd_sid_to_gid(221)
> Could not get convert sid from string
> [2006/02/27 08:04:27, 1] nsswitch/winbindd_sid.c:winbindd_sid_to_gid(221)
> Could not get convert sid from string
> [2006/02/27 08:05:06, 1] nsswitch/winbindd_sid.c:winbindd_sid_to_gid(221)
> Could not get convert sid from string
> [2006/02/27 08:06:29, 1] nsswitch/winbindd_sid.c:winbindd_sid_to_gid(221)
> Could not get convert sid from string
> [2006/02/27 08:17:00, 1] nsswitch/winbindd_ads.c:ads_cached_connection(109)
> ads_connect for domain SUBDOMAIN2 failed: No such file or directory
> [2006/02/27 08:21:16, 1] nsswitch/winbindd_sid.c:winbindd_sid_to_gid(221)
> Could not get convert sid from string
> [2006/02/27 08:35:55, 1] nsswitch/winbindd_ads.c:ads_cached_connection(109)
> ads_connect for domain SUBDOMAIN2 failed: No such file or directory
>
> --------------------------------
> # /var/log/messages
>
> Feb 27 07:57:52 lions net: [2006/02/27 07:57:52, 0]
> utils/net_ads.c:ads_startup(191)
> Feb 27 07:57:52 lions net: ads_connect: No results returned
> Feb 27 07:58:25 lions net: [2006/02/27 07:58:25, 0]
> utils/net_ads.c:ads_startup(191)
> Feb 27 07:58:25 lions net: ads_connect: No results returned
> Feb 27 08:01:01 lions crond(pam_unix)[11231]: session opened for user
> root by (uid=0)
> Feb 27 08:01:02 lions crond(pam_unix)[11231]: session closed for user root
> Feb 27 08:30:10 lions winbindd[11510]: [2006/02/27 08:30:10, 0]
> libsmb/clientgen.c:cli_rpc_pipe_close(375)
> Feb 27 08:30:10 lions winbindd[11510]: cli_rpc_pipe_close: cli_close
> failed on pipe \NETLOGON, fnum 0x4009 to machine DOMAINCONTROLLER.
> Error was SUCCESS - 0
> Feb 27 09:01:01 lions crond(pam_unix)[11766]: session opened for user
> root by (uid=0)
> Feb 27 09:01:02 lions crond(pam_unix)[11766]: session closed for user root
> ------------------------------------
>
> Thanks,
> Adam
>