Olaf.Boldt at hvbg.hessen.de
2011-May-05 13:32 UTC
[Samba] Could not convert sid ..... to ..... gid
Hi! More than a week ago I sent the below-mentioned message but did not receive any answer. I think that the subject heading was not correct, and so I changed it. Hope that I will get an answer now. Olaf -------------------- Von: Boldt, Olaf (HVBG) Gesendet: Mittwoch, 27. April 2011 14:58 An: 'samba at lists.samba.org' Betreff: Problems with Squid and Active Directory Hello! Since a few weeks I have Squid Version 2.7.STABLE7 on Ubuntu Server 10.04. All worked fine - different users in an AD-Group could reach the internet through my proxy. Because of this my Squid-configuration seems to be OK. Since the name of the AD-Group was changed it is no more possible to reach the internet through the proxy. The error is: "Access control configuration prevents your request from being allowed at this time." ? Switching to the old group name all works fine again, switching to the new one: the same error as above. I changed the debug options and found this entry in cache.log: "Could not convert sid S-1-5-21-3365863304-72330373-946326852-415981 to gid">From the Squid Mailing List I got the answer that this is a problem of Samba and/or winbind.I have installed: samba? 2:3.4.7~dfsg-1ubuntu3.5 winbind 2:3.4.7~dfsg-1ubuntu3.5 What to do? Thanks! Olaf
See what wbinfo --name-to-sid (group) reports for both groups , also did you change the ACL in squid to point to the new group? On 05/05/2011 09:32 AM, Olaf.Boldt at hvbg.hessen.de wrote:> Hi! > More than a week ago I sent the below-mentioned message but did not receive any answer. > I think that the subject heading was not correct, and so I changed it. > Hope that I will get an answer now. > > Olaf > > -------------------- > > Von: Boldt, Olaf (HVBG) > Gesendet: Mittwoch, 27. April 2011 14:58 > An: 'samba at lists.samba.org' > Betreff: Problems with Squid and Active Directory > > Hello! > > Since a few weeks I have Squid Version 2.7.STABLE7 on Ubuntu Server 10.04. All worked fine - different users in an AD-Group could reach the internet through my proxy. Because of this my Squid-configuration seems to be OK. Since the name of the AD-Group was changed it is no more possible to reach the internet through the proxy. The error is: > "Access control configuration prevents your request from being allowed at this time." > > Switching to the old group name all works fine again, switching to the new one: the same error as above. > > I changed the debug options and found this entry in cache.log: > "Could not convert sid S-1-5-21-3365863304-72330373-946326852-415981 to gid" > > From the Squid Mailing List I got the answer that this is a problem of Samba and/or winbind. > I have installed: > samba 2:3.4.7~dfsg-1ubuntu3.5 > winbind 2:3.4.7~dfsg-1ubuntu3.5 > > What to do? > > Thanks! > Olaf >
Olaf.Boldt at hvbg.hessen.de wrote:> Since a few weeks I have Squid Version 2.7.STABLE7 on Ubuntu Server > 10.04. All worked fine - different users in an AD-Group could reach the > internet through my proxy. Because of this my Squid-configuration seems > to be OK. Since the name of the AD-Group was changed it is no more > possible to reach the internet through the proxy. The error is: > "Access control configuration prevents your request from being allowed > at this time." > > Switching to the old group name all works fine again, switching to the > new one: the same error as above. > > I changed the debug options and found this entry in cache.log: > "Could not convert sid S-1-5-21-3365863304-72330373-946326852-415981 to > gid" > > >From the Squid Mailing List I got the answer that this is a problem of > Samba and/or winbind. > I have installed: > samba 2:3.4.7~dfsg-1ubuntu3.5 > winbind 2:3.4.7~dfsg-1ubuntu3.5Maybe the Samba group mapping for the new AD-Group name to Unix group is not set up. Use "net groupmap list" to see what the current mappings are, and see the Samba doc http://samba.org/samba/docs/man/Samba-HOWTO-Collection/groupmapping.html for adding new ones. Moray. "To err is human; to purr, feline."