[Samba] Apache, Winbind and NT Domain Groups

Vanderborght Peter peter.vanderborght at capco.com
Thu Apr 25 04:10:04 GMT 2002


Hi all,

I'm having a stability problem with winbind when I try to resolve NT groups.

Allow me to explain my application:

I've got a Mandrake 8.1 box running Samba 2.2.3a (downloaded and compiled
myself) and Apache 1.3.
I'm building a web application for use within our company that needs to be
accessible ONLY to users in certain NT groups.

To do this, I'm authenticating in 2 parts:
	- First I use the Perl module Apache-AuthenNTLM to check that the user
	  is a valid user in our domain and the password is correct.
	- Then I use Apache-AuthzPasswd (a bit modified) which uses the
	  getgrgid() call to get the list of all users in a certain group.
	  This works because I have Winbind set up so I can resolve my NT
	  groups on the Linux box.

The problem I have is that Winbind seems to misbehave in about 10% of all
requests.
What I have is either
	- The list of users in a group is incomplete
	- I get a "Group does not exist" error code back

This phenomenon is the same when -- in a unix shell -- I do "id DOM_User"
(I've got my Winbind separator set to _).
AND when I get this issue for a specific user, then it stays that way for
that user until I restart Winbindd...

I've tried fiddling with "winbind cache time", "winbind enum groups" and
"winbind enum users", which seems to affect the issue somewhat, but never to
the point that it's completely resolved. (E.g. setting
'winbind enum groups = no' means that it doesn't work in 90% of the cases.)

Any help would be greatly appreciated!

Regards,
Peter
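
Added example (not part of the original post, and not code from Samba or from the Apache modules it names): a Python probe that resolves one group repeatedly through NSS to count the two symptoms described above, plus a fail-closed membership check that reports a failed lookup separately from non-membership. `probe_group` and `authorize` are hypothetical helper names, and the DOM_ names in the comments are constructed.

```python
import grp
from collections import Counter


def probe_group(name, attempts=50, lookup=grp.getgrnam):
    """Resolve `name` repeatedly and summarise how stable the answers are."""
    failures = 0
    seen = Counter()  # frozenset(member names) -> number of times returned
    for _ in range(attempts):
        try:
            entry = lookup(name)
        except KeyError:  # NSS answered "no such group"
            failures += 1
            continue
        seen[frozenset(entry.gr_mem)] += 1
    # Treat the longest list seen as the reference; shorter ones are suspect.
    largest = max(seen, key=len) if seen else frozenset()
    short = sum(n for members, n in seen.items() if len(members) < len(largest))
    return {
        "attempts": attempts,
        "failures": failures,           # "group does not exist" answers
        "distinct_lists": len(seen),    # more than 1 means unstable membership
        "short_answers": short,         # answers missing at least one member
        "largest": sorted(largest),
        "stable": failures == 0 and len(seen) == 1,
    }


def authorize(user, group, lookup=grp.getgrnam):
    """Deny on any doubt, but return the reason so a failed lookup can be
    logged and alerted on separately from a genuine non-member."""
    try:
        members = lookup(group).gr_mem
    except KeyError:
        return (False, "lookup-failed")
    # "not-listed" can still be a truncated list; compare with probe_group().
    # gr_mem also omits users who have this group only as their primary GID.
    if user in members:
        return (True, "member")
    return (False, "not-listed")


if __name__ == "__main__":
    import sys
    # Usage (constructed name): python probe.py DOM_WebUsers
    if len(sys.argv) > 1:
        print(probe_group(sys.argv[1]))
```
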