wbinfo_group.pl fails to detect some users' group membership


Stefan Baur
Hi list,

I'm having an issue with wbinfo_group.pl - it fails to detect some users'
group membership in my Active Directory environment.
I know that replication between domain controllers can be an issue, so I've
decided to wait a few weeks and check again, just to rule that out.
The result is still the same:
----------------------------------------------------------
MYSERVERNAME:~# /usr/lib/squid/wbinfo_group.pl
myuserid some_group
OK
myuserid this-is-the_group-I-want
ERR
----------------------------------------------------------

----------------------------------------------------------
With debugging enabled:
MYSERVERNAME:~# /usr/lib/squid/wbinfo_group.pl
myuserid this-is-the_group-I-want
Got myuserid this-is-the_group-I-want from squid
User:  -myuserid-
Group: -this-is-the_group-I-want-
SID:   -S-1-5-21-10digitshere-10digitshere-10digitshere-4digitshere Domain Group (2)-
GID:   -5digitshere-
Sending ERR to squid
ERR
----------------------------------------------------------

Checking this on Windows, however, I get:
----------------------------------------------------------
U:\>net user myuserid /domain
[...]
Local Group Memberships      *yet_another_group
Global Group Memberships     *some_group
[...]
                            *this-is-the_group-I-want
[...]
                            *some-other-group

Command completed successfully.
----------------------------------------------------------
...so everything looks fine on the Windows side.

Note: I'm running Debian Sarge, and would consider upgrading to Etch if
this is a known problem that can be fixed by upgrading.
Also, if there's a way to solve this by moving from winbind to LDAP, I'd
be interested in a migration how-to document, if there is one.

Here's some more info that might be useful for debugging:

----------------------------------------------------------
MYSERVERNAME:~# squid -v
Squid Cache: Version 2.5.STABLE9
configure options: --prefix=/usr --exec_prefix=/usr --bindir=/usr/sbin
--sbindir=/usr/sbin --libexecdir=/usr/lib/squid --sysconfdir=/etc/squid
--localstatedir=/var/spool/squid --datadir=/usr/share/squid
--enable-async-io --with-pthreads --enable-storeio=ufs,aufs,diskd,null
--enable-linux-netfilter --enable-arp-acl
--enable-removal-policies=lru,heap --enable-snmp --enable-delay-pools
--enable-htcp --enable-poll --enable-cache-digests --enable-underscores
--enable-referer-log --enable-useragent-log --enable-auth=basic,digest,ntlm
--enable-carp --with-large-files i386-debian-linux
----------------------------------------------------------

----------------------------------------------------------
smbd, nmbd, winbindd -v:
Version 3.0.14a-Debian
----------------------------------------------------------

----------------------------------------------------------
wbinfo -t:
checking the trust secret via RPC calls succeeded
----------------------------------------------------------

----------------------------------------------------------
wbinfo -g:
BUILTIN\system operators
BUILTIN\replicators
BUILTIN\guests
BUILTIN\power users
BUILTIN\print operators
BUILTIN\administrators
BUILTIN\account operators
BUILTIN\backup operators
BUILTIN\users
some_groups
[...]
#
[...]
some_more_groups
[...]
this-is-the_group-I-want
[...]
yet_another_group
----------------------------------------------------------
The "#" that appears in the middle of the group list is a bit strange.
There is no such group in my Active Directory.

----------------------------------------------------------
smb.conf excerpt:
[global]
 netbios name = MYSERVERNAME
 security = ads
 realm = my.realm.here
 password server = fqdn.of.my.password.server.here
 workgroup = MYWORKGROUP
 socket options = IPTOS_LOWDELAY TCP_NODELAY SO_SNDBUF=4096 SO_RCVBUF=4096
 encrypt passwords = true
 client use spnego = yes
 passdb backend = smbpasswd guest
 wins support = no
 wins server = ser.ver.ip.one ser.ver.ip.two ser.ver.ip.three ser.ver.ip.four
 os level = 0
 domain master = no
 local master = no
 preferred master = no
 ANNOUNCE VERSION = 5.2
 name resolve order = lmhosts host wins bcast
 dns proxy = no
 preserve case = yes
 short preserve case = yes
 unix password sync = false
 passwd program = /usr/bin/passwd %u
 passwd chat = *Enter\snew\sUNIX\spassword:* %n\n *Retype\snew\sUNIX\spassword:* %n\n .
 max log size = 1000
 obey pam restrictions = yes
 winbind use default domain = yes
 winbind nested groups = yes
 idmap uid = 10000-10000000
 idmap gid = 10000-10000000
 template shell = /bin/bash
 unix charset = iso-8859-15
 display charset = iso-8859-15
 dos charset = 850
----------------------------------------------------------

Please let me know how to fix this; it's really irritating, as it works for
some, but not all, users that are members of said group.

Kind Regards,
Stefan Baur
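
The lookups visible in the debug output above (group name to SID, SID to GID) can be replayed by hand to see which stage disagrees with Windows. The script below is an added example, not part of the original post or of wbinfo_group.pl. It uses the standard `wbinfo` options `-n`, `-Y` and `-r`; the final comparison against `wbinfo -r` and the overridable `WBINFO` variable are assumptions of this example.

```shell
#!/bin/sh
# Added diagnostic sketch (not the Squid helper itself).
# WBINFO can be overridden for offline testing; that hook is an
# assumption of this example, not a Samba feature.
WBINFO=${WBINFO:-wbinfo}

# check_membership USER GROUP
# Prints each stage. Returns 0 if winbind lists the group's GID for the
# user, 1 if it does not, 2 if one of the lookups failed.
check_membership() {
    user=$1 group=$2

    # "wbinfo -n" prints "<SID> <type text>"; keep only the SID.
    sid=$($WBINFO -n "$group" 2>/dev/null | awk 'NR==1 {print $1}')
    [ -n "$sid" ] || { echo "name-to-SID lookup failed for $group"; return 2; }
    echo "SID: $sid"

    # "wbinfo -Y" maps the SID to the Unix GID allocated by idmap.
    gid=$($WBINFO -Y "$sid" 2>/dev/null | awk 'NR==1 {print $1}')
    case $gid in
        ''|*[!0-9]*) echo "SID-to-GID mapping failed for $sid"; return 2 ;;
    esac
    echo "GID: $gid"

    # "wbinfo -r" prints one numeric GID per line for the user.
    user_gids=$($WBINFO -r "$user" 2>/dev/null) || {
        echo "group list lookup failed for $user"; return 2; }
    echo "GIDs winbind reports for $user:" $user_gids

    # Whole-line match, so GID 10512 does not match 105120.
    if printf '%s\n' "$user_gids" | grep -qxF "$gid"; then
        echo "OK"
        return 0
    fi
    echo "ERR: GID $gid is not in winbind's list for $user"
    return 1
}

# Stand-alone use: ./script.sh myuserid this-is-the_group-I-want
if [ "$#" -eq 2 ]; then
    check_membership "$1" "$2"
fi
```

If the SID and GID resolve but the GID is missing from the `wbinfo -r` list, the gap is in the group list winbind returns for that user rather than in the name or idmap lookups.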