Marcio Demetrio Bacci
2015-Dec-01 16:45 UTC
[Samba] Problems with authentication in Samba4
Hi,

I'm having problems authenticating users with winbind. I'm implementing
Squid3 Server and this server is working properly. But I think there is a
problem with winbind (perhaps winbind separator), because when I put ^ as
separator, as in Domain^Users, the error message appeared:

root@proxy:~# echo "bacci Domain^Users" | /usr/lib/squid3/wbinfo_group.pl
failed to call wbcLookupName: WBC_ERR_DOMAIN_NOT_FOUND
Could not lookup name Domain^Users
failed to call wbcStringToSid: WBC_ERR_INVALID_PARAM
Could not convert sid to gid
ERR

But, when I put %20 as separator, as in Domain%20Users, the authentication
is OK.

root@proxy:~# echo "bacci Domain%20Users" | /usr/lib/squid3/wbinfo_group.pl
OK

My environment is: Samba 4.2.1 on Debian 7.2 as DC
Samba 4.1.17 on Debian 7.2 and Squid 3.1 as Proxy.

Here is my smb.conf in Proxy Server (Member Server)

[global]
netbios name = DC1
workgroup = EMPRESA
security = ads
realm = EMPRESA.COM
encrypt passwords = yes
dedicated keytab file = /etc/krb5.keytab
kerberos method = secrets and keytab
preferred master = no
idmap config *:backend = tdb
idmap config *:range = 1000-3000
idmap config EMPRESA:backend = ad
idmap config EMPRESA:schema_mode = rfc2307
idmap config EMPRESA:range = 10000-9999999

winbind nss info = rfc2307
winbind trusted domains only = no
winbind use default domain = yes
winbind enum users = yes
winbind enum groups = yes
winbind refresh tickets = yes

vfs objects = acl_xattr
map acl inherit = Yes
store dos attributes = Yes
username map = /etc/samba/user.map

Is there any way to fix this problem in the Winbind?

On 01/12/15 16:45, Marcio Demetrio Bacci wrote:
> Hi,
>
> I'm having problems authenticating users with winbind. I'm implementing
> Squid3 Server and this server is working properly. But I think there is a
> problem with winbind (perhaps winbind separator), because when I put ^ as
> separator, as in Domain^Users, the error message appeared:
>
> root@proxy:~# echo "bacci Domain^Users" | /usr/lib/squid3/wbinfo_group.pl
> failed to call wbcLookupName: WBC_ERR_DOMAIN_NOT_FOUND
> Could not lookup name Domain^Users
> failed to call wbcStringToSid: WBC_ERR_INVALID_PARAM
> Could not convert sid to gid
> ERR
>
> But, when I put %20 as separator, as in Domain%20Users, the authentication
> is OK.
>
> root@proxy:~# echo "bacci Domain%20Users" | /usr/lib/squid3/wbinfo_group.pl
> OK
>
> My environment is: Samba 4.2.1 on Debian 7.2 as DC
> Samba 4.1.17 on Debian 7.2 and Squid 3.1 as Proxy.
>
> Here is my smb.conf in Proxy Server (Member Server)
>
> [global]
> netbios name = DC1
> workgroup = EMPRESA
> security = ads
> realm = EMPRESA.COM
> encrypt passwords = yes
> dedicated keytab file = /etc/krb5.keytab
> kerberos method = secrets and keytab
> preferred master = no
> idmap config *:backend = tdb
> idmap config *:range = 1000-3000
> idmap config EMPRESA:backend = ad
> idmap config EMPRESA:schema_mode = rfc2307
> idmap config EMPRESA:range = 10000-9999999
>
> winbind nss info = rfc2307
> winbind trusted domains only = no
> winbind use default domain = yes
> winbind enum users = yes
> winbind enum groups = yes
> winbind refresh tickets = yes
>
> vfs objects = acl_xattr
> map acl inherit = Yes
> store dos attributes = Yes
> username map = /etc/samba/user.map
>
> Is there any way to fix this problem in the Winbind?

Why do you need to use '^' ?
getent group Domain^Users doesn't work either, but getent group Domain\ Users does

Rowland

Hi,

I can't remember exactly how my setup on wheezy did these, I'm running now
Jessie squid 3.5.10 with 3 authentication layers and 1 group check, and this
works perfectly. (squid recompiled with ssl enabled from sid)

For the wbinfo (I don't use that one, but here is a test):

echo "myusers my_internet_users"| /usr/lib/squid/ext_wbinfo_group_acl -d

shows the correct output (OK)

same for

echo "myusers DOMAIN\\my_internet_users"| /usr/lib/squid/ext_wbinfo_group_acl -d

So I can only think of 3 things.
1) your group is missing a GID
2) the wbinfo_group from wheezy is too old.
3) remove the space from the squid, but since you're using domain users,
   create a new group without spaces.

If you want a nice squid example, just ask, I'll post my setup.
Oh, and the above also worked well for me on wheezy with squid 3.4.8 (backports).

Greetz,

Louis

> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Rowland Penny
> Sent: Tuesday 1 December 2015 18:05
> To: samba at lists.samba.org
> Subject: Re: [Samba] Problems with authentication in Samba4
>
> On 01/12/15 16:45, Marcio Demetrio Bacci wrote:
> > Hi,
> >
> > I'm having problems authenticating users with winbind. I'm implementing
> > Squid3 Server and this server is working properly. But I think there is a
> > problem with winbind (perhaps winbind separator), because when I put ^ as
> > separator, as in Domain^Users, the error message appeared:
> >
> > root@proxy:~# echo "bacci Domain^Users" | /usr/lib/squid3/wbinfo_group.pl
> > failed to call wbcLookupName: WBC_ERR_DOMAIN_NOT_FOUND
> > Could not lookup name Domain^Users
> > failed to call wbcStringToSid: WBC_ERR_INVALID_PARAM
> > Could not convert sid to gid
> > ERR
> >
> > But, when I put %20 as separator, as in Domain%20Users, the authentication
> > is OK.
> >
> > root@proxy:~# echo "bacci Domain%20Users" | /usr/lib/squid3/wbinfo_group.pl
> > OK
> >
> > My environment is: Samba 4.2.1 on Debian 7.2 as DC
> > Samba 4.1.17 on Debian 7.2 and Squid 3.1 as Proxy.
> >
> > Here is my smb.conf in Proxy Server (Member Server)
> >
> > [global]
> > netbios name = DC1
> > workgroup = EMPRESA
> > security = ads
> > realm = EMPRESA.COM
> > encrypt passwords = yes
> > dedicated keytab file = /etc/krb5.keytab
> > kerberos method = secrets and keytab
> > preferred master = no
> > idmap config *:backend = tdb
> > idmap config *:range = 1000-3000
> > idmap config EMPRESA:backend = ad
> > idmap config EMPRESA:schema_mode = rfc2307
> > idmap config EMPRESA:range = 10000-9999999
> >
> > winbind nss info = rfc2307
> > winbind trusted domains only = no
> > winbind use default domain = yes
> > winbind enum users = yes
> > winbind enum groups = yes
> > winbind refresh tickets = yes
> >
> > vfs objects = acl_xattr
> > map acl inherit = Yes
> > store dos attributes = Yes
> > username map = /etc/samba/user.map
> >
> > Is there any way to fix this problem in the Winbind?
>
> Why do you need to use '^' ?
> getent group Domain^Users doesn't work either, but getent group Domain\
> Users does
>
> Rowland
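
An added example, not part of the thread and not code from Squid or Samba: it models how the group-helper request lines tested above turn into the name that winbind is asked to resolve. It assumes the helper splits each request on whitespace and decodes %XX escapes (consistent with the Domain%20Users result above) and that winbind's separator defaults to a backslash when smb.conf does not set one; all function names are hypothetical.

```python
from urllib.parse import unquote

# Constructed excerpt of the member-server smb.conf quoted in the thread;
# like the original, it has no "winbind separator" line.
SMB_CONF = """\
[global]
workgroup = EMPRESA
security = ads
winbind use default domain = yes
"""

def smb_option(conf_text, name, default):
    """Return the last value set for `name` in smb.conf text, else `default`."""
    wanted = "".join(name.lower().split())
    value = default
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;[" or "=" not in line:
            continue
        key, _, val = line.partition("=")   # only the first '=' is significant
        # parameter names ignore case and whitespace
        if "".join(key.lower().split()) == wanted:
            value = val.strip()
    return value

def parse_helper_line(line):
    """Split a 'user group [group ...]' request and decode %XX escapes."""
    fields = line.split()
    if len(fields) < 2:
        raise ValueError("expected: user group [group ...]")
    user, *groups = (unquote(f) for f in fields)
    return user, groups

def split_domain(name, separator):
    """Split 'DOMAIN<sep>group'; the domain is None when no separator is present."""
    domain, sep, rest = name.partition(separator)
    return (domain, rest) if sep else (None, name)

if __name__ == "__main__":
    sep = smb_option(SMB_CONF, "winbind separator", "\\")
    for req in ("bacci Domain%20Users", "bacci Domain^Users",
                "myusers DOMAIN\\my_internet_users"):
        user, groups = parse_helper_line(req)
        print(repr(req), "->", user, [split_domain(g, sep) for g in groups])
```

Under these assumptions, only the %20 form yields the group name "Domain Users"; "Domain^Users" is passed through unchanged as a literal name, which matches the lookup failure reported in the first message.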