[Samba] problems with groups, winbind authenticating a centOS 4 machine to AD

Eric Gottesman ericg at ingenio.com
Wed Nov 14 19:58:47 GMT 2007


WHY HELLO. i have a centOS 4.4 machine running samba 3.0.10-1.4E.9. my
goal is to log in to the machine using AD credentials. at the moment,
i'm successfully logging in, but i can't retrieve groups for AD users:
 
-bash-3.00$ groups
id: cannot find name for group ID 16777216
16777216 id: cannot find name for group ID 16777217
16777217 id: cannot find name for group ID 16777218
16777218 id: cannot find name for group ID 16777219
16777219 id: cannot find name for group ID 16777220
16777220 id: cannot find name for group ID 16777221
16777221 id: cannot find name for group ID 16777222
16777222 id: cannot find name for group ID 16777223
16777223

 
here's my smb.conf:
 
[global]
   workgroup = DEV
 
   server string = STGRAD01
 
   security = domain
 
   log file = /var/log/samba/%m.log
   log level = 3
   local master = no
   max log size = 50
   dns proxy = no
   password server = devadmin01.dev.company.com
   idmap uid = 16777216-33554431
   idmap gid = 16777216-33554431
   template shell = /bin/bash
   winbind use default domain = no
   winbind enum users = yes
   winbind enum groups = yes
#   winbind separator = \
[homes]
   comment = Home Directories
   browseable = no
   writable = yes

 
...and here's a snippet from winbindd.log:
 
[2007/11/14 11:54:46, 3] nsswitch/winbindd_group.c:winbindd_getgrgid(348)
  [23928]: getgrgid 16777223
[2007/11/14 11:54:46, 3] nsswitch/winbindd_rpc.c:msrpc_sid_to_name(338)
  sid_to_name [rpc] S-1-5-21-1482476501-926492609-1644491937-518 for domain DEV
[2007/11/14 11:54:46, 3] libads/ldap.c:ads_connect(285)
  Connected to LDAP server 10.11.1.21
[2007/11/14 11:54:46, 3] libads/ldap.c:ads_server_info(2469)
  got ldap server name devadmin01 at DEV.COMPANY.COM, using bind path: dc=DEV,dc=COMPANY,dc=COM
[2007/11/14 11:54:46, 3] nsswitch/winbindd_cm.c:cm_get_ipc_userpass(109)
  IPC$ connections done anonymously
[2007/11/14 11:54:46, 3] libsmb/cliconnect.c:cli_start_connection(1388)
  Connecting to host=DEVADMIN01
[2007/11/14 11:54:46, 3] lib/util_sock.c:open_socket_out(752)
  Connecting to 10.11.1.21 at port 445
[2007/11/14 11:54:46, 1] nsswitch/winbindd_group.c:fill_grent_mem(133)
  could not lookup membership for group rid S-1-5-21-1482476501-926492609-1644491937-518 in domain DEV (error: NT_STATUS_ACCESS_DENIED)

 
 
also, for some reason everything breaks if i uncomment the winbind
separator line.
 
any ideas?
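
An added example, not part of the original post and not Samba code: a small Python parser for the winbindd.log layout shown above. It rejoins hard-wrapped lines and lists entries logged at debug level 1 or lower that carry an NT_STATUS code, along with whether the preceding cm_get_ipc_userpass entry reported an anonymous IPC$ connection. The function names, the max_level default and the sample string are assumptions made for this illustration.

```python
import re

# Constructed sample: four entries from the winbindd.log excerpt in the post,
# hard-wrapped the way mail transport tends to wrap long log lines.
SAMPLE_LOG = """\
[2007/11/14 11:54:46, 3]
nsswitch/winbindd_group.c:winbindd_getgrgid(348)
  [23928]: getgrgid 16777223
[2007/11/14 11:54:46, 3] nsswitch/winbindd_rpc.c:msrpc_sid_to_name(338)
  sid_to_name [rpc] S-1-5-21-1482476501-926492609-1644491937-518 for
domain DEV
[2007/11/14 11:54:46, 3] nsswitch/winbindd_cm.c:cm_get_ipc_userpass(109)
  IPC$ connections done anonymously
[2007/11/14 11:54:46, 1] nsswitch/winbindd_group.c:fill_grent_mem(133)
  could not lookup membership for group rid
S-1-5-21-1482476501-926492609-1644491937-518 in domain DEV (error:
NT_STATUS_ACCESS_DENIED)
"""

ENTRY_START = re.compile(r"^\[\d{4}/\d{2}/\d{2} ")
ENTRY = re.compile(r"^\[(?P<ts>[^,]+),\s*(?P<level>\d+)\]\s+"
                   r"(?P<src>\S+):(?P<func>\w+)\((?P<line>\d+)\)\s*(?P<msg>.*)$")

def parse_entries(text):
    """Rejoin wrapped lines and return one dict per log entry."""
    chunks = []
    for raw in text.splitlines():
        if ENTRY_START.match(raw):
            chunks.append([raw.strip()])    # timestamp header starts a new entry
        elif chunks and raw.strip():
            chunks[-1].append(raw.strip())  # message body or wrapped continuation
    matches = (ENTRY.match(" ".join(c)) for c in chunks)
    return [dict(m.groupdict(), level=int(m["level"])) for m in matches if m]

def failed_lookups(entries, max_level=1):
    """Entries at or below max_level carrying an NT_STATUS code, with IPC$ context."""
    findings, anonymous = [], None
    for e in entries:
        if e["func"] == "cm_get_ipc_userpass":
            anonymous = "anonymously" in e["msg"]  # context only, not a diagnosis
        status = re.search(r"NT_STATUS_\w+", e["msg"])
        if e["level"] <= max_level and status:
            sid = re.search(r"S-1-[\d-]+", e["msg"])
            findings.append(dict(ts=e["ts"], func=e["func"], status=status.group(0),
                sid=sid.group(0) if sid else None, anonymous_ipc=anonymous))
    return findings

if __name__ == "__main__":
    print(failed_lookups(parse_entries(SAMPLE_LOG)))
```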

