Hi list,
I'm having an issue with wbinfo_group.pl - it fails to detect some users'
group membership in my Active Directory environment.
I know that replication between domain controllers can be an issue, so I've
decided to wait a few weeks and check again, just to rule that out.
The result is still the same:
----------------------------------------------------------
MYSERVERNAME:~# /usr/lib/squid/wbinfo_group.pl
myuserid some_group
OK
myuserid this-is-the_group-I-want
ERR
----------------------------------------------------------
----------------------------------------------------------
With debugging enabled:
MYSERVERNAME:~# /usr/lib/squid/wbinfo_group.pl
myuserid this-is-the_group-I-want
Got myuserid this-is-the_group-I-want from squid
User: -myuserid-
Group: -this-is-the_group-I-want-
SID: -S-1-5-21-10digitshere-10digitshere-10digitshere-4digitshere Domain Group (2)-
GID: -5digitshere-
Sending ERR to squid
ERR
----------------------------------------------------------
Checking this on windows, however, I get:
----------------------------------------------------------
U:\>net user myuserid /domain
[...]
Local Group Memberships *yet_another_group
Global Group Memberships *some_group
[...]
*this-is-the_group-I-want
[...]
*some-other-group
Command completed successfully.
----------------------------------------------------------
...so everything looks fine on the Windows side.
Note: I'm running Debian Sarge, and would consider upgrading to Etch if
this is a known problem that can be fixed by upgrading.
Also, if there's a way to solve this by moving from winbind to LDAP, I'd
be interested in a migration how-to document, if there is one.
Here's some more info that might be useful for debugging:
----------------------------------------------------------
MYSERVERNAME:~# squid -v
Squid Cache: Version 2.5.STABLE9
configure options: --prefix=/usr --exec_prefix=/usr --bindir=/usr/sbin
--sbindir=/usr/sbin --libexecdir=/usr/lib/squid --sysconfdir=/etc/squid
--localstatedir=/var/spool/squid --datadir=/usr/share/squid
--enable-async-io --with-pthreads --enable-storeio=ufs,aufs,diskd,null
--enable-linux-netfilter --enable-arp-acl
--enable-removal-policies=lru,heap --enable-snmp --enable-delay-pools
--enable-htcp --enable-poll --enable-cache-digests --enable-underscores
--enable-referer-log --enable-useragent-log --enable-auth=basic,digest,ntlm
--enable-carp --with-large-files i386-debian-linux
----------------------------------------------------------
----------------------------------------------------------
smbd, nmbd, winbindd -v:
Version 3.0.14a-Debian
----------------------------------------------------------
----------------------------------------------------------
wbinfo -t:
checking the trust secret via RPC calls succeeded
----------------------------------------------------------
----------------------------------------------------------
wbinfo -g:
BUILTIN\system operators
BUILTIN\replicators
BUILTIN\guests
BUILTIN\power users
BUILTIN\print operators
BUILTIN\administrators
BUILTIN\account operators
BUILTIN\backup operators
BUILTIN\users
some_groups
[...]
#
[...]
some_more_groups
[...]
this-is-the_group-I-want
[...]
yet_another_group
----------------------------------------------------------
The "#" that appears in the middle of the group list is a bit strange.
There is no such group in my Active Directory.
----------------------------------------------------------
smb.conf excerpt:
[global]
netbios name = MYSERVERNAME
security = ads
realm = my.realm.here
password server = fqdn.of.my.password.server.here
workgroup = MYWORKGROUP
socket options = IPTOS_LOWDELAY TCP_NODELAY SO_SNDBUF=4096 SO_RCVBUF=4096
encrypt passwords = true
client use spnego = yes
passdb backend = smbpasswd guest
wins support = no
wins server = ser.ver.ip.one ser.ver.ip.two ser.ver.ip.three ser.ver.ip.four
os level = 0
domain master = no
local master = no
preferred master = no
ANNOUNCE VERSION = 5.2
name resolve order = lmhosts host wins bcast
dns proxy = no
preserve case = yes
short preserve case = yes
unix password sync = false
passwd program = /usr/bin/passwd %u
passwd chat = *Enter\snew\sUNIX\spassword:* %n\n *Retype\snew\sUNIX\spassword:* %n\n .
max log size = 1000
obey pam restrictions = yes
winbind use default domain = yes
winbind nested groups = yes
idmap uid = 10000-10000000
idmap gid = 10000-10000000
template shell = /bin/bash
unix charset = iso-8859-15
display charset = iso-8859-15
dos charset = 850
----------------------------------------------------------
Please let me know how to fix this; it's really irritating, as it works for
some, but not all, users that are members of said group.
Kind Regards,
Stefan Baur
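
Added example, not part of the original message and not the Squid helper's own code: a shell sketch that walks the lookups reflected in the debug output above (group name to SID, SID to GID, then the user's GID list) and reports which step leads to ERR. It assumes those steps map to `wbinfo -n`, `wbinfo -Y` and `wbinfo -r`; the `WBINFO` override and the function name `check_membership` are hypothetical.

```shell
#!/bin/sh
# Added diagnostic sketch, not the Squid helper itself.
# Assumption: membership is decided by resolving group -> SID -> GID and
# then looking for that GID in the user's group list (wbinfo -n, -Y, -r).
WBINFO="${WBINFO:-wbinfo}"   # hypothetical override so the command can be stubbed

# check_membership USER GROUP
# Prints each intermediate value. Returns 0 if the user is a member,
# 1 if the GID is absent from the user's list, 2 if a lookup failed.
check_membership() {
    user=$1
    group=$2

    # wbinfo -n prints "<SID> <type text>"; keep only the SID field.
    sid=$($WBINFO -n "$group" 2>/dev/null | awk 'NR==1 {print $1}')
    case $sid in
        S-1-*) echo "group SID: $sid" ;;
        *) echo "no SID for group '$group'"; return 2 ;;
    esac

    gid=$($WBINFO -Y "$sid" 2>/dev/null) || gid=
    case $gid in
        ''|*[!0-9]*) echo "no GID mapped for $sid"; return 2 ;;
    esac
    echo "group GID: $gid"

    user_gids=$($WBINFO -r "$user" 2>/dev/null) || {
        echo "group list lookup failed for '$user'"; return 2; }
    echo "user GIDs: $(echo "$user_gids" | tr '\n' ' ')"

    # Whole-line match so GID 10002 does not match 100020.
    if echo "$user_gids" | grep -qx "$gid"; then
        echo "OK"; return 0
    fi
    echo "ERR: GID $gid not in the list returned for '$user'"
    return 1
}

# Run only when called with two arguments: sh check.sh USER GROUP
if [ $# -eq 2 ]; then check_membership "$1" "$2"; fi
```

A return value of 1 means the group itself resolved but winbind's list for that user does not contain it, which points at the winbind side rather than at Squid.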