you will notice that the SID type for the requested group is 4 which we
see from smb.h is SID_NAME_ALIAS /* local group */
Trimble, Ronald D wrote:> Everyone,
> One of our developers was kind enough to insert some bug
checking into the mod_auth_pam and mod_auth_sys_group so that we could see a
little more of what was going on with our authentication failures. Here is what
we just saw. Two of our users NA\connelmp and NA\guminssa both started getting
messages that they were not part of the required group. Here is the log for
you all to see...
>
>>From /var/log/apache2/error_log
>
> [Thu Feb 14 13:22:24 2008] [error] [client 192.63.212.40] CHKAUTH: is
na\\huynhsv a member of NA\\USTR-LINUX-1-SPAR?
> [Thu Feb 14 13:22:24 2008] [error] [client 192.63.212.40] CHKAUTH: YES,
na\\huynhsv is listed amongst the NA\\USTR-LINUX-1-SPAR group members
> [Thu Feb 14 13:22:24 2008] [error] [client 192.63.212.40] CHKAUTH: is
na\\huynhsv a member of NA\\USTR-LINUX-1-SPAR?
> [Thu Feb 14 13:22:24 2008] [error] [client 192.63.212.40] CHKAUTH: YES,
na\\huynhsv is listed amongst the NA\\USTR-LINUX-1-SPAR group members
> [Thu Feb 14 13:22:24 2008] [error] [client 192.63.212.40] CHKAUTH: is
na\\huynhsv a member of NA\\USTR-LINUX-1-SPAR?
> [Thu Feb 14 13:22:24 2008] [error] [client 192.63.212.40] CHKAUTH: YES,
na\\huynhsv is listed amongst the NA\\USTR-LINUX-1-SPAR group members
> [Thu Feb 14 13:23:33 2008] [error] [client 192.63.212.63] CHKAUTH: is
NA\\connelmp a member of NA\\USTR-LINUX-1-SPAR?
> [Thu Feb 14 13:23:33 2008] [error] [client 192.63.212.63] CHKAUTH: NO,
NA\\connelmp is NOT a member of NA\\USTR-LINUX-1-SPAR group (with 58 members)
> [Thu Feb 14 13:23:33 2008] [error] [client 192.63.212.63] CHKAUTH: GROUP:
NA\\connelmp not in required group(s).
> [Thu Feb 14 13:23:46 2008] [error] [client 192.63.212.63] CHKAUTH: is
NA\\connelmp a member of NA\\USTR-LINUX-1-SPAR?
> [Thu Feb 14 13:23:46 2008] [error] [client 192.63.212.63] CHKAUTH: NO,
NA\\connelmp is NOT a member of NA\\USTR-LINUX-1-SPAR group (with 58 members)
> [Thu Feb 14 13:23:46 2008] [error] [client 192.63.212.63] CHKAUTH: GROUP:
NA\\connelmp not in required group(s).
> [Thu Feb 14 13:24:42 2008] [error] [client 192.63.212.63] CHKAUTH: is
na\\connelmp a member of NA\\USTR-LINUX-1-SPAR?, referer:
https://ustr-linux-1/scm/spar/trac/ticket/130
> [Thu Feb 14 13:24:42 2008] [error] [client 192.63.212.63] CHKAUTH: NO,
na\\connelmp is NOT a member of NA\\USTR-LINUX-1-SPAR group (with 58 members),
referer: https://ustr-linux-1/scm/spar/trac/ticket/130
> [Thu Feb 14 13:24:42 2008] [error] [client 192.63.212.63] CHKAUTH: GROUP:
na\\connelmp not in required group(s)., referer:
https://ustr-linux-1/scm/spar/trac/ticket/130
> [Thu Feb 14 13:24:51 2008] [error] [client 192.63.212.63] CHKAUTH: is
na\\connelmp a member of NA\\USTR-LINUX-1-SPAR?, referer:
https://ustr-linux-1/scm/spar/trac/ticket/130
> [Thu Feb 14 13:24:51 2008] [error] [client 192.63.212.63] CHKAUTH: NO,
na\\connelmp is NOT a member of NA\\USTR-LINUX-1-SPAR group (with 58 members),
referer: https://ustr-linux-1/scm/spar/trac/ticket/130
> [Thu Feb 14 13:24:51 2008] [error] [client 192.63.212.63] CHKAUTH: GROUP:
na\\connelmp not in required group(s)., referer:
https://ustr-linux-1/scm/spar/trac/ticket/130
> [Thu Feb 14 13:24:59 2008] [error] [client 192.63.212.63] CHKAUTH: is
na\\connelmp a member of NA\\USTR-LINUX-1-SPAR?, referer:
https://ustr-linux-1/scm/spar/trac/ticket/130
> [Thu Feb 14 13:24:59 2008] [error] [client 192.63.212.63] CHKAUTH: NO,
na\\connelmp is NOT a member of NA\\USTR-LINUX-1-SPAR group (with 58 members),
referer: https://ustr-linux-1/scm/spar/trac/ticket/130
> [Thu Feb 14 13:24:59 2008] [error] [client 192.63.212.63] CHKAUTH: GROUP:
na\\connelmp not in required group(s)., referer:
https://ustr-linux-1/scm/spar/trac/ticket/130
> [Thu Feb 14 13:24:59 2008] [error] [client 192.63.212.63] CHKAUTH: is
na\\connelmp a member of NA\\USTR-LINUX-1-SPAR?, referer:
https://ustr-linux-1/scm/spar/trac/ticket/130
> [Thu Feb 14 13:24:59 2008] [error] [client 192.63.212.63] CHKAUTH: NO,
na\\connelmp is NOT a member of NA\\USTR-LINUX-1-SPAR group (with 58 members),
referer: https://ustr-linux-1/scm/spar/trac/ticket/130
> [Thu Feb 14 13:24:59 2008] [error] [client 192.63.212.63] CHKAUTH: GROUP:
na\\connelmp not in required group(s)., referer:
https://ustr-linux-1/scm/spar/trac/ticket/130
> [Thu Feb 14 13:25:25 2008] [error] [client 192.63.212.63] CHKAUTH: is
NA\\connelmp a member of NA\\USTR-LINUX-1-SPAR?
> [Thu Feb 14 13:25:25 2008] [error] [client 192.63.212.63] CHKAUTH: NO,
NA\\connelmp is NOT a member of NA\\USTR-LINUX-1-SPAR group (with 58 members)
> [Thu Feb 14 13:25:25 2008] [error] [client 192.63.212.63] CHKAUTH: GROUP:
NA\\connelmp not in required group(s).
> [Thu Feb 14 13:26:29 2008] [error] [client 192.63.212.139] CHKAUTH: is
na\\guminssa a member of NA\\USTR-LINUX-1-SPAR?
> [Thu Feb 14 13:26:29 2008] [error] [client 192.63.212.139] CHKAUTH: NO,
na\\guminssa is NOT a member of NA\\USTR-LINUX-1-SPAR group (with 58 members)
> [Thu Feb 14 13:26:29 2008] [error] [client 192.63.212.139] CHKAUTH: GROUP:
na\\guminssa not in required group(s).
> [Thu Feb 14 13:27:37 2008] [error] [client 192.63.212.40] CHKAUTH: is
na\\huynhsv a member of NA\\USTR-LINUX-1-SPAR?
> [Thu Feb 14 13:27:37 2008] [error] [client 192.63.212.40] CHKAUTH: YES,
na\\huynhsv is listed amongst the NA\\USTR-LINUX-1-SPAR group members
> [Thu Feb 14 13:27:37 2008] [error] [client 192.63.212.40] CHKAUTH: is
na\\huynhsv a member of NA\\USTR-LINUX-1-SPAR?
> [Thu Feb 14 13:27:37 2008] [error] [client 192.63.212.40] CHKAUTH: YES,
na\\huynhsv is listed amongst the NA\\USTR-LINUX-1-SPAR group members
> [Thu Feb 14 13:27:37 2008] [error] [client 192.63.212.40] CHKAUTH: is
na\\huynhsv a member of NA\\USTR-LINUX-1-SPAR?
> [Thu Feb 14 13:27:37 2008] [error] [client 192.63.212.40] CHKAUTH: YES,
na\\huynhsv is listed amongst the NA\\USTR-LINUX-1-SPAR group members
>
>
> Here I looked up the SIDs of each user so I could further document what
winbind sees.
>
> USTR-LINUX-1:~ # wbinfo --name-to-sid='NA\guminssa'
> S-1-5-21-725345543-2052111302-527237240-100501 User (1)
>
> USTR-LINUX-1:~ # wbinfo --name-to-sid='NA\connelmp'
> S-1-5-21-725345543-2052111302-527237240-25886 User (1)
>
>
> The first thing that jumps out at me is that the -user-domgroups switch
does not show all the groups the user belongs to and sure enough the needed
group NA\USTR-LINUX-1-SPAR is not there.
>
>
> USTR-LINUX-1:~ # for i in `wbinfo
--user-domgroups=S-1-5-21-725345543-2052111302-527237240-100501`; do wbinfo
--sid-to-name=$i; done
> NA\guminssa 1
> NA\USAUS-WEBBrowsers 2
> NA\USMV IIs Releases 2
> NA\USTR CMP SSafe DB 2
> NA\USRV-JOPLIN-CHANGE-NULDEV 2
> NA\Domain Users 2
> NA\Tredyffrin Users 2
> NA\USAUS-Knowlix 2
> NA\TCUsers 2
> NA\PKI MFA Smartcards 2
> NA\OE-P D T Tred-000106 2
> NA\AD ClearPath MCP 2
> NA\All Employees 2
> NA\CTY-United St-US 2
> NA\CE-United Sta-US 2
> NA\OE-Systems & -000004 2
> NA\Org-Eastern -002418 2
> NA\MessageStats Web 2
> NA\OE-Eastern De-002418 2
> NA\All NA Employees 2
> NA\Org-Product D-000106 2
> NA\Org-Systems &-000004 2
> NA\All Users 2
> NA\All S&T Employees Wo 2
> NA\OE-Product De-000011 2
> NA\OE-ClearPath -002418 2
> NA\Org-P D T Tre-000106 2
> NA\All NA Users 2
> NA\IdNexus Certificate Subscribers 2
> NA\AD Product Development & Technology 2
> NA\Universal Services 2
> NA\USTR LE-US340 2
> NA\USMV Resources Access 2
> NA\Hendrix Unit Test Support 2
> NA\Org-ClearPath-002418 2
> NA\USTR Loc-US340 2
> NA\USRV-All PDT Users 2
>
> The same is true for this user.
>
> USTR-LINUX-1:~ # for i in `wbinfo
--user-domgroups=S-1-5-21-725345543-2052111302-527237240-25886`; do wbinfo
--sid-to-name=$i; done
> NA\CONNELMP 1
> NA\USTR-VSS_SPMS 2
> NA\RV-CMP Plateau Read 2
> NA\RV-Aurora ReadOnly 2
> NA\USTR-Avalon-Development-Change 2
> NA\USAUS-WEBBrowsers 2
> NA\USTR CMP Pit DB 2
> NA\TR NIOSourceSafe 2
> NA\USTR CMP SSafe DB 2
> NA\RV-SDA Read 2
> NA\USRV-JOPLIN-CHANGE-NULDEV 2
> NA\RV-CMP-NUL Eng Test 2
> NA\Domain Users 2
> NA\USTR-FS1-Change 2
> NA\Exchange_TR 2
> NA\Tredyffrin Users 2
> NA\USAUS-Knowlix 2
> NA\TR EDL Op Sys Dev 2
> NA\RV-Odyssey Change 2
> NA\USTR-PCBLIBS 2
> NA\USEAEXCH2 2
> NA\TCUsers 2
> NA\PKI MFA Smartcards 2
> NA\OE-P D T Tred-000106 2
> NA\AD ClearPath MCP 2
> NA\All Employees 2
> NA\CTY-United St-US 2
> NA\CE-United Sta-US 2
> NA\OE-Systems & -000004 2
> NA\Org-Eastern -002418 2
> NA\MessageStats Web 2
> NA\OE-Eastern De-002418 2
> NA\All NA Employees 2
> NA\Org-Product D-000106 2
> NA\Org-Systems &-000004 2
> NA\All Users 2
> NA\All S&T Employees Wo 2
> NA\OE-Product De-000011 2
> NA\OE-ClearPath -002418 2
> NA\Org-P D T Tre-000106 2
> NA\All NA Users 2
> NA\IdNexus Certificate Subscribers 2
> NA\AD Product Development & Technology 2
> NA\Universal Services 2
> NA\USTR LE-US340 2
> NA\USMV Resources Access 2
> NA\Org-ClearPath-002418 2
> NA\USTR Loc-US340 2
> NA\USRV-All PDT Users 2
>
> However, if I use the -user-sids switch, all the groups do show up and the
group in question is there.
>
> USTR-LINUX-1:~ # for i in `wbinfo
--user-sids=S-1-5-21-725345543-2052111302-527237240-100501`; do wbinfo
--sid-to-name=$i;done
> NA\GuminsSA 1
> NA\GuminsSA 1
> NA\USAUS-WEBBrowsers 2
> NA\USMV IIs Releases 2
> NA\USTR CMP SSafe DB 2
> NA\USRV-JOPLIN-CHANGE-NULDEV 2
> NA\Domain Users 2
> NA\Tredyffrin Users 2
> NA\USAUS-Knowlix 2
> NA\TCUsers 2
> NA\PKI MFA Smartcards 2
> NA\OE-P D T Tred-000106 2
> NA\AD ClearPath MCP 2
> NA\All Employees 2
> NA\CTY-United St-US 2
> NA\CE-United Sta-US 2
> NA\OE-Systems & -000004 2
> NA\Org-Eastern -002418 2
> NA\MessageStats Web 2
> NA\OE-Eastern De-002418 2
> NA\All NA Employees 2
> NA\Org-Product D-000106 2
> NA\Org-Systems &-000004 2
> NA\All Users 2
> NA\All S&T Employees Wo 2
> NA\OE-Product De-000011 2
> NA\OE-ClearPath -002418 2
> NA\Org-P D T Tre-000106 2
> NA\All NA Users 2
> NA\IdNexus Certificate Subscribers 2
> NA\AD Product Development & Technology 2
> NA\Universal Services 2
> NA\USTR LE-US340 2
> NA\USMV Resources Access 2
> NA\Hendrix Unit Test Support 2
> NA\Org-ClearPath-002418 2
> NA\USTR Loc-US340 2
> NA\USRV-All PDT Users 2
> NA\USTR-CMPData-READ 4
> NA\USTR-LINUX-1-WSP-Virtualization 4
> NA\USTR-LINUX-1-BMC_CM 4
> NA\USTR-LINUX-1-SUSE-READ 4
> NA\USTR-LINUX-1-SPAR 4
> NA\USTR-LINUX-1-WSP 4
> NA\USTR-LINUX-1-REDHAT-READ 4
> NA\USTR-LINUX-1-RRSMF 4
> NA\USAUS-WEBBrowsersGlobal 4
> NA\USPLVDATA1-SOLEIL-READ 4
> NA\WSWTGeneralAccess 4
> NA\USPLVDATA2-PLYMOUTHSCO-READ 4
> NA\USPLVDATA1-LIBDATA1-READ 4
> NA\USPLVDATA1-MFGDATA-LIST 4
> NA\USPLVDATA1-PREPRESS2-READ 4
> NA\USPLVDATA1-RECEIPTS-MODIFY 4
> NA\USPLVDATA1-PREPRESS1-READ 4
> NA\FMT-Web WWW NAOps Admin Share 4
> NA\USPLVDATA2-CDR-READ 4
> NA\USMV SCO Tutor -CHANGE 4
> NA\USPL-RDATAPRNT-Shared-Software-Read 4
> NA\USPLVDATA2-ProdData-Bookstore-Read 4
> NA\USPLVDATA2-APPLICATIONS-READ 4
> NA\FMT-Web WWW NAOps -Change 4
> NA\USPLVDATA1-IMG-READ 4
> NA\USTR-Semitech-Read 4
> NA\USMV IIS Wintel EWEB Browse 4
> NA\USMV IIs Wintel Browse 4
> NA\USMV CBDD Users 4
> NA\USTR-Hendrix-Unit-Test-Support 4
> BUILTIN\Users 4
>
> USTR-LINUX-1:~ # for i in `wbinfo
--user-sids=S-1-5-21-725345543-2052111302-527237240-25886`; do wbinfo
--sid-to-name=$i;done
> NA\CONNELMP 1
> NA\CONNELMP 1
> NA\USTR-VSS_SPMS 2
> NA\RV-CMP Plateau Read 2
> NA\RV-Aurora ReadOnly 2
> NA\USTR-Avalon-Development-Change 2
> NA\USAUS-WEBBrowsers 2
> NA\USTR CMP Pit DB 2
> NA\TR NIOSourceSafe 2
> NA\USTR CMP SSafe DB 2
> NA\RV-SDA Read 2
> NA\USRV-JOPLIN-CHANGE-NULDEV 2
> NA\RV-CMP-NUL Eng Test 2
> NA\Domain Users 2
> NA\USTR-FS1-Change 2
> NA\Exchange_TR 2
> NA\Tredyffrin Users 2
> NA\USAUS-Knowlix 2
> NA\TR EDL Op Sys Dev 2
> NA\RV-Odyssey Change 2
> NA\USTR-PCBLIBS 2
> NA\USEAEXCH2 2
> NA\TCUsers 2
> NA\PKI MFA Smartcards 2
> NA\OE-P D T Tred-000106 2
> NA\AD ClearPath MCP 2
> NA\All Employees 2
> NA\CTY-United St-US 2
> NA\CE-United Sta-US 2
> NA\OE-Systems & -000004 2
> NA\Org-Eastern -002418 2
> NA\MessageStats Web 2
> NA\OE-Eastern De-002418 2
> NA\All NA Employees 2
> NA\Org-Product D-000106 2
> NA\Org-Systems &-000004 2
> NA\All Users 2
> NA\All S&T Employees Wo 2
> NA\OE-Product De-000011 2
> NA\OE-ClearPath -002418 2
> NA\Org-P D T Tre-000106 2
> NA\All NA Users 2
> NA\IdNexus Certificate Subscribers 2
> NA\AD Product Development & Technology 2
> NA\Universal Services 2
> NA\USTR LE-US340 2
> NA\USMV Resources Access 2
> NA\Org-ClearPath-002418 2
> NA\USTR Loc-US340 2
> NA\USRV-All PDT Users 2
> NA\USTR-PRIV58 4
> NA\USTR-LINUX-1-WSP-Virtualization 4
> NA\USTR-LINUX-1-BMC_CM 4
> NA\USTR-LINUX-1-SPAR 4
> NA\USTR-LINUX-1-WSP 4
> NA\USTR-Hornet-Change 4
> NA\USTR-LINUX-1-RRSMF 4
> NA\USTR-MSS-3 Observers 4
> NA\USAUS-WEBBrowsersGlobal 4
> NA\USPLVDATA1-SOLEIL-READ 4
> NA\WSWTGeneralAccess 4
> NA\USPLVDATA2-PLYMOUTHSCO-READ 4
> NA\USPLVDATA1-LIBDATA1-READ 4
> NA\USPLVDATA1-MFGDATA-LIST 4
> NA\USPLVDATA1-PREPRESS2-READ 4
> NA\USPLVDATA1-RECEIPTS-MODIFY 4
> NA\USPLVDATA1-PREPRESS1-READ 4
> NA\FMT-Web WWW NAOps Admin Share 4
> NA\USPLVDATA2-CDR-READ 4
> NA\USMV SCO Tutor -CHANGE 4
> NA\USPL-RDATAPRNT-Shared-Software-Read 4
> NA\USPLVDATA2-ProdData-Bookstore-Read 4
> NA\USPLVDATA2-APPLICATIONS-READ 4
> NA\FMT-Web WWW NAOps -Change 4
> NA\USPLVDATA1-IMG-READ 4
> NA\USTR-Semitech-Read 4
> NA\USMV IIS Wintel EWEB Browse 4
> NA\USMV IIs Wintel Browse 4
> NA\USMV CBDD Users 4
> BUILTIN\Users 4
>
> Can anyone shed some light on what is going on here? This problem has been
driving me crazy for several weeks now and I could use all the help I could get.
I have a full compliment of logs to go along with all the above information if
anyone would be so kind as to take a look. I can make it worth your while... I
have a code for two free movie tickets on fandango.com if you can help me solve
this. Not much, but better then an email saying thanks. :)
>
>