samba - Feb 2006 - wbinfo_group.pl / wbinfo -r not working!

Hello,

I have been using samba to authenticate my squid users to Active
Directory. Because of the amount of users, I would like to set up my
ACL's based on groups, rather than individual user accounts.

I have successfully joined my samba box to our windows domain (2k).
For some reason I had to enter the domain controller name instead of
the domain name when doing so. I am now having issues looking up user
groups using wbinfo_group and/or "wbinfo -r username".

The following are some commands, conf files & logs (the parts that I
believe are relevant). I have a feeling I have more than one issue
going on here. Please let me know if you need more info.

I doubt there are limitations, but we are in a somewhat large
environment (about 4,000 users accounts) with multiple sub domains.

-----
# I compiled squid with...
./configure --enable-external-acl-helpers="unix_group,wbinfo_group"
--------------
[root@lions squid]# rpm -q samba
samba-3.0.21c-1
--------------
[root@lions squid]# wbinfo -a domainuser1%hispass
plaintext password authentication succeeded
challenge/response password authentication succeeded
-------------------
[root@lions squid]# wbinfo -t
checking the trust secret via RPC calls succeeded
-------------------
[root@lions squid]# wbinfo -u |more
SUBDOMAIN1\exemployees
SUBDOMAIN1\installservice
...
..
SUBDOMAIN2\exch
SUBDOMAIN2\adcsv
SUBDOMAIN2\administrator
..
..
domainuser1  #These are the accounts that I would be working with and
would need lookup there groups. note that
domainuser2
domainuser2
..
..
--------------------------------
[root@lions samba]# wbinfo -n domainuser1
S-1-5-21-954140891-1229348589-1136263860-10879 User (1)
--------------------------------
*********[root@lions squid]# ./wbinfo_group.pl
user1 "domain users"
Could not lookup name domain users
Could not convert sid  to gid
Could not get groups for user user1
OK
# also tried domain\\user domain\\group
------------------
********[root@lions samba]# wbinfo -r domainuser1
Could not get groups for user domainuser1
#also tried with domain\\domainuser1
-------------------
[root@lions samba]# wbinfo --sequence
SubDomain1 : DISCONNECTED
SubDomain2 : DISCONNECTED
Subdomain3 : 2576451
LIONS : 1
BUILTIN : 1
MyDomain : DISCONNECTED # it states disconnected, but I am able to
view users and groups?
--------------------

My conf files....
------------------------------------------------
(smb.conf) # note that this is the while conf file. I read that this
is all I need

[global]
workgroup = MyDomain
netbios name = lions
password server = 10.20.250.2
security = domain
winbind uid = 10000-20000
winbind gid = 10000-20000
winbind use default domain = yes
------------------------------------------------
(nsswitch.conf)
#
# /etc/nsswitch.conf
#
# To use db, put the "db" in front of "files" for entries
you want to be
# looked up first in the databases
#
# Example:
#passwd:    db files nisplus nis
#shadow:    db files nisplus nis
#group:     db files nisplus nis
passwd:     files winbind
shadow:     files winbind
group:      files winbind
#hosts:     db files nisplus nis dns
hosts:  files winbind dns
# Example - obey only what nisplus tells us...
#services:   nisplus [NOTFOUND=return] files
#networks:   nisplus [NOTFOUND=return] files
#protocols:  nisplus [NOTFOUND=return] files
#rpc:        nisplus [NOTFOUND=return] files
#ethers:     nisplus [NOTFOUND=return] files
#netmasks:   nisplus [NOTFOUND=return] files
bootparams: nisplus [NOTFOUND=return] files
ethers:     db files
netmasks:   files
networks:   files dns
protocols:  files winbind
rpc:        db files
services:   files winbind
netgroup:   files winbind
publickey:  nisplus
automount:  files winbind
aliases:    files nisplus
---------------------------------
(krb5.conf)

[libdefaults]
 default_realm = Mydomain.domain.com

 dns_lookup_realm = true
 dns_lookup_kdc = true
[realms]
MY = {
  kdc = domaincontroller1.mydomain.domain.com
  admin_server = domaincontroller1
  kdc = domaincontroller1
}

[domain_realm]
.kerberos.server = MYDOMAIN.DOMAIN.COM
---------------------------------------

Log files:
--------------------------------
[root@lions samba]# vi winbindd.log
[2006/02/27 08:02:32, 1] nsswitch/winbindd_ads.c:ads_cached_connection(109)
  ads_connect for domain SUBDOMAIN2 failed: No such file or directory
[2006/02/27 08:04:08, 1] nsswitch/winbindd_sid.c:winbindd_sid_to_gid(221)
  Could not get convert sid  from string
[2006/02/27 08:04:27, 1] nsswitch/winbindd_sid.c:winbindd_sid_to_gid(221)
  Could not get convert sid  from string
[2006/02/27 08:05:06, 1] nsswitch/winbindd_sid.c:winbindd_sid_to_gid(221)
  Could not get convert sid  from string
[2006/02/27 08:06:29, 1] nsswitch/winbindd_sid.c:winbindd_sid_to_gid(221)
  Could not get convert sid  from string
[2006/02/27 08:17:00, 1] nsswitch/winbindd_ads.c:ads_cached_connection(109)
  ads_connect for domain SUBDOMAIN2 failed: No such file or directory
[2006/02/27 08:21:16, 1] nsswitch/winbindd_sid.c:winbindd_sid_to_gid(221)
  Could not get convert sid  from string
[2006/02/27 08:35:55, 1] nsswitch/winbindd_ads.c:ads_cached_connection(109)
  ads_connect for domain SUBDOMAIN2 failed: No such file or directory

--------------------------------
# /var/log/messages

Feb 27 07:57:52 lions net: [2006/02/27 07:57:52, 0]
utils/net_ads.c:ads_startup(191)
Feb 27 07:57:52 lions net:   ads_connect: No results returned
Feb 27 07:58:25 lions net: [2006/02/27 07:58:25, 0]
utils/net_ads.c:ads_startup(191)
Feb 27 07:58:25 lions net:   ads_connect: No results returned
Feb 27 08:01:01 lions crond(pam_unix)[11231]: session opened for user
root by (uid=0)
Feb 27 08:01:02 lions crond(pam_unix)[11231]: session closed for user root
Feb 27 08:30:10 lions winbindd[11510]: [2006/02/27 08:30:10, 0]
libsmb/clientgen.c:cli_rpc_pipe_close(375)
Feb 27 08:30:10 lions winbindd[11510]:   cli_rpc_pipe_close: cli_close
failed on pipe \NETLOGON, fnum 0x4009 to machine DOMAINCONTROLLER. 
Error was SUCCESS - 0
Feb 27 09:01:01 lions crond(pam_unix)[11766]: session opened for user
root by (uid=0)
Feb 27 09:01:02 lions crond(pam_unix)[11766]: session closed for user root
------------------------------------

Thanks,
Adam

Sorry, I did not include my distro.

Fedora Core 4 - 2.6.11-1.1369_FC4 #1 Thu Jun 2 22:55:56 EDT 2005 i686
i686 i386 GNU/Linux

TIA


On 2/27/06, Adam Bruncaj <abruncaj@gmail.com>
wrote:
> Hello,
>
> I have been using samba to authenticate my squid users to Active
> Directory. Because of the amount of users, I would like to set up my
> ACL's based on groups, rather than individual user accounts.
>
> I have successfully joined my samba box to our windows domain (2k).
> For some reason I had to enter the domain controller name instead of
> the domain name when doing so. I am now having issues looking up user
> groups using wbinfo_group and/or "wbinfo -r username".
>
> The following are some commands, conf files & logs (the parts that I
> believe are relevant). I have a feeling I have more than one issue
> going on here. Please let me know if you need more info.
>
> I doubt there are limitations, but we are in a somewhat large
> environment (about 4,000 users accounts) with multiple sub domains.
>
> -----
> # I compiled squid with...
> ./configure
--enable-external-acl-helpers="unix_group,wbinfo_group"
> --------------
> [root@lions squid]# rpm -q samba
> samba-3.0.21c-1
> --------------
> [root@lions squid]# wbinfo -a domainuser1%hispass
> plaintext password authentication succeeded
> challenge/response password authentication succeeded
> -------------------
> [root@lions squid]# wbinfo -t
> checking the trust secret via RPC calls succeeded
> -------------------
> [root@lions squid]# wbinfo -u |more
> SUBDOMAIN1\exemployees
> SUBDOMAIN1\installservice
> ...
> ..
> SUBDOMAIN2\exch
> SUBDOMAIN2\adcsv
> SUBDOMAIN2\administrator
> ..
> ..
> domainuser1  #These are the accounts that I would be working with and
> would need lookup there groups. note that
> domainuser2
> domainuser2
> ..
> ..
> --------------------------------
> [root@lions samba]# wbinfo -n domainuser1
> S-1-5-21-954140891-1229348589-1136263860-10879 User (1)
> --------------------------------
> *********[root@lions squid]# ./wbinfo_group.pl
> user1 "domain users"
> Could not lookup name domain users
> Could not convert sid  to gid
> Could not get groups for user user1
> OK
> # also tried domain\\user domain\\group
> ------------------
> ********[root@lions samba]# wbinfo -r domainuser1
> Could not get groups for user domainuser1
> #also tried with domain\\domainuser1
> -------------------
> [root@lions samba]# wbinfo --sequence
> SubDomain1 : DISCONNECTED
> SubDomain2 : DISCONNECTED
> Subdomain3 : 2576451
> LIONS : 1
> BUILTIN : 1
> MyDomain : DISCONNECTED # it states disconnected, but I am able to
> view users and groups?
> --------------------
>
> My conf files....
> ------------------------------------------------
> (smb.conf) # note that this is the while conf file. I read that this
> is all I need
>
> [global]
> workgroup = MyDomain
> netbios name = lions
> password server = 10.20.250.2
> security = domain
> winbind uid = 10000-20000
> winbind gid = 10000-20000
> winbind use default domain = yes
> ------------------------------------------------
> (nsswitch.conf)
> #
> # /etc/nsswitch.conf
> #
> # To use db, put the "db" in front of "files" for
entries you want to be
> # looked up first in the databases
> #
> # Example:
> #passwd:    db files nisplus nis
> #shadow:    db files nisplus nis
> #group:     db files nisplus nis
> passwd:     files winbind
> shadow:     files winbind
> group:      files winbind
> #hosts:     db files nisplus nis dns
> hosts:  files winbind dns
> # Example - obey only what nisplus tells us...
> #services:   nisplus [NOTFOUND=return] files
> #networks:   nisplus [NOTFOUND=return] files
> #protocols:  nisplus [NOTFOUND=return] files
> #rpc:        nisplus [NOTFOUND=return] files
> #ethers:     nisplus [NOTFOUND=return] files
> #netmasks:   nisplus [NOTFOUND=return] files
> bootparams: nisplus [NOTFOUND=return] files
> ethers:     db files
> netmasks:   files
> networks:   files dns
> protocols:  files winbind
> rpc:        db files
> services:   files winbind
> netgroup:   files winbind
> publickey:  nisplus
> automount:  files winbind
> aliases:    files nisplus
> ---------------------------------
> (krb5.conf)
>
> [libdefaults]
>  default_realm = Mydomain.domain.com
>
>  dns_lookup_realm = true
>  dns_lookup_kdc = true
> [realms]
> MY = {
>   kdc = domaincontroller1.mydomain.domain.com
>   admin_server = domaincontroller1
>   kdc = domaincontroller1
> }
>
> [domain_realm]
> .kerberos.server = MYDOMAIN.DOMAIN.COM
> ---------------------------------------
>
> Log files:
> --------------------------------
> [root@lions samba]# vi winbindd.log
> [2006/02/27 08:02:32, 1] nsswitch/winbindd_ads.c:ads_cached_connection(109)
>   ads_connect for domain SUBDOMAIN2 failed: No such file or directory
> [2006/02/27 08:04:08, 1] nsswitch/winbindd_sid.c:winbindd_sid_to_gid(221)
>   Could not get convert sid  from string
> [2006/02/27 08:04:27, 1] nsswitch/winbindd_sid.c:winbindd_sid_to_gid(221)
>   Could not get convert sid  from string
> [2006/02/27 08:05:06, 1] nsswitch/winbindd_sid.c:winbindd_sid_to_gid(221)
>   Could not get convert sid  from string
> [2006/02/27 08:06:29, 1] nsswitch/winbindd_sid.c:winbindd_sid_to_gid(221)
>   Could not get convert sid  from string
> [2006/02/27 08:17:00, 1] nsswitch/winbindd_ads.c:ads_cached_connection(109)
>   ads_connect for domain SUBDOMAIN2 failed: No such file or directory
> [2006/02/27 08:21:16, 1] nsswitch/winbindd_sid.c:winbindd_sid_to_gid(221)
>   Could not get convert sid  from string
> [2006/02/27 08:35:55, 1] nsswitch/winbindd_ads.c:ads_cached_connection(109)
>   ads_connect for domain SUBDOMAIN2 failed: No such file or directory
>
> --------------------------------
> # /var/log/messages
>
> Feb 27 07:57:52 lions net: [2006/02/27 07:57:52, 0]
> utils/net_ads.c:ads_startup(191)
> Feb 27 07:57:52 lions net:   ads_connect: No results returned
> Feb 27 07:58:25 lions net: [2006/02/27 07:58:25, 0]
> utils/net_ads.c:ads_startup(191)
> Feb 27 07:58:25 lions net:   ads_connect: No results returned
> Feb 27 08:01:01 lions crond(pam_unix)[11231]: session opened for user
> root by (uid=0)
> Feb 27 08:01:02 lions crond(pam_unix)[11231]: session closed for user root
> Feb 27 08:30:10 lions winbindd[11510]: [2006/02/27 08:30:10, 0]
> libsmb/clientgen.c:cli_rpc_pipe_close(375)
> Feb 27 08:30:10 lions winbindd[11510]:   cli_rpc_pipe_close: cli_close
> failed on pipe \NETLOGON, fnum 0x4009 to machine DOMAINCONTROLLER.
> Error was SUCCESS - 0
> Feb 27 09:01:01 lions crond(pam_unix)[11766]: session opened for user
> root by (uid=0)
> Feb 27 09:01:02 lions crond(pam_unix)[11766]: session closed for user root
> ------------------------------------
>
> Thanks,
> Adam
>