[Samba] [help] A problem On the integrate Samba and AD 2k3 ..
Eric.chen
chenyj at mail.nsysu.edu.tw
Tue Feb 20 13:38:12 GMT 2007
This page is my reference:
http://www.infosecwriters.com/text_resources/pdf/AD_and_Linux_TMunn.pdf
I want to look up users' groups so that Squid's wbinfo_group.pl can use them for auth.
I can now join the Samba server to the AD domain,
but I can't read the users' groups.
Can anyone tell me what is happening?
=======================================================
[root at wxyz-dns1 samba]# wbinfo -u
Administrator
Guest
SUPPORT_wqwddqw
krbtgt
HLwdqdw
evdwieh
...
...
[root at wxyz-dns1 samba]# wbinfo -g
BUILTIN/System Operators
BUILTIN/Replicators
BUILTIN/Guests
....
HelpServicesGroup
TelnetClients
IIS_WPG
Domain Computers
Domain Controllers
Schema Admins
..
[root at wxyz-dns1 samba]# wbinfo -t
checking the trust secret via RPC calls succeeded
BUT I can't get the users' groups:
[root at wxyz-dns1 samba]# wbinfo -n USBEnabled
S-1-5-21-4121681757-1283273484-4023308939-1859 Domain Group (2)
[root at wxyz-dns1 samba]# wbinfo -Y USBEnabled
Could not convert sid USBEnabled to gid
[root at wxyz-dns1 samba]#
[root at wxyz-dns1 samba]# testparm
Load smb config files from /etc/samba/smb.conf
Processing section "[homes]"
Processing section "[printers]"
Loaded services file OK.
Server role: ROLE_DOMAIN_MEMBER
Press enter to see a dump of your service definitions
..
..
[root at wxyz-dns1 samba]# tail -n100 winbindd.log
[2007/02/20 09:19:29, 5] rpc_parse/parse_prs.c:prs_uint32(642)
001c num_ref_doms_1: 00000001
[2007/02/20 09:19:29, 5] rpc_parse/parse_prs.c:prs_uint32(642)
0020 ptr_ref_dom : 00020004
[2007/02/20 09:19:29, 5] rpc_parse/parse_prs.c:prs_uint32(642)
0024 max_entries : 00000020
[2007/02/20 09:19:29, 5] rpc_parse/parse_prs.c:prs_uint32(642)
0028 num_ref_doms_2: 00000001
[2007/02/20 09:19:29, 5] rpc_parse/parse_prs.c:prs_uint16(613)
002c uni_str_len: 0008
[2007/02/20 09:19:29, 5] rpc_parse/parse_prs.c:prs_uint16(613)
002e uni_max_len: 000a
[2007/02/20 09:19:29, 5] rpc_parse/parse_prs.c:prs_uint32(642)
0030 buffer : 00020008
[2007/02/20 09:19:29, 5] rpc_parse/parse_prs.c:prs_uint32(642)
0034 sid_ptr[0] : 0002000c
[2007/02/20 09:19:29, 5] rpc_parse/parse_prs.c:prs_uint32(642)
0038 uni_max_len: 00000005
[2007/02/20 09:19:29, 5] rpc_parse/parse_prs.c:prs_uint32(642)
003c offset : 00000000
[2007/02/20 09:19:29, 5] rpc_parse/parse_prs.c:prs_uint32(642)
0040 uni_str_len: 00000004
[2007/02/20 09:19:29, 5] rpc_parse/parse_prs.c:dbg_rw_punival(814)
0044 buffer : C.M.E.L.
[2007/02/20 09:19:29, 5] rpc_parse/parse_prs.c:prs_uint32(642)
004c num_auths: 00000004
[2007/02/20 09:19:29, 5] rpc_parse/parse_prs.c:prs_uint8(584)
0050 sid_rev_num: 01
[2007/02/20 09:19:29, 5] rpc_parse/parse_prs.c:prs_uint8(584)
0051 num_auths : 04
[2007/02/20 09:19:29, 5] rpc_parse/parse_prs.c:prs_uint8(584)
0052 id_auth[0] : 00
[2007/02/20 09:19:29, 5] rpc_parse/parse_prs.c:prs_uint8(584)
0053 id_auth[1] : 00
[2007/02/20 09:19:29, 5] rpc_parse/parse_prs.c:prs_uint8(584)
0054 id_auth[2] : 00
[2007/02/20 09:19:29, 5] rpc_parse/parse_prs.c:prs_uint8(584)
0055 id_auth[3] : 00
[2007/02/20 09:19:29, 5] rpc_parse/parse_prs.c:prs_uint8(584)
0056 id_auth[4] : 00
[2007/02/20 09:19:29, 5] rpc_parse/parse_prs.c:prs_uint8(584)
0057 id_auth[5] : 05
[2007/02/20 09:19:29, 5] rpc_parse/parse_prs.c:prs_uint32s(869)
0058 sub_auths : 00000015 f5abdf5d 4c7d330c efced28b
[2007/02/20 09:19:29, 5] rpc_parse/parse_prs.c:prs_uint32(642)
0068 num_entries : 00000001
[2007/02/20 09:19:29, 5] rpc_parse/parse_prs.c:prs_uint32(642)
006c ptr_trans_names: 00020010
[2007/02/20 09:19:29, 5] rpc_parse/parse_prs.c:prs_uint32(642)
0070 num_entries2 : 00000001
[2007/02/20 09:19:29, 5] rpc_parse/parse_prs.c:prs_uint16(613)
0074 sid_name_use: 0002
[2007/02/20 09:19:29, 5] rpc_parse/parse_prs.c:prs_uint16(613)
0078 uni_str_len: 0014
[2007/02/20 09:19:29, 5] rpc_parse/parse_prs.c:prs_uint16(613)
007a uni_max_len: 0014
[2007/02/20 09:19:29, 5] rpc_parse/parse_prs.c:prs_uint32(642)
007c buffer : 00020014
[2007/02/20 09:19:29, 5] rpc_parse/parse_prs.c:prs_uint32(642)
0080 domain_idx : 00000000
[2007/02/20 09:19:29, 5] rpc_parse/parse_prs.c:prs_uint32(642)
0084 uni_max_len: 0000000a
[2007/02/20 09:19:29, 5] rpc_parse/parse_prs.c:prs_uint32(642)
0088 offset : 00000000
[2007/02/20 09:19:29, 5] rpc_parse/parse_prs.c:prs_uint32(642)
008c uni_str_len: 0000000a
[2007/02/20 09:19:29, 5] rpc_parse/parse_prs.c:dbg_rw_punival(814)
0090 buffer : U.S.B.E.n.a.b.l.e.d.
[2007/02/20 09:19:29, 5] rpc_parse/parse_prs.c:prs_uint32(642)
00a4 mapped_count: 00000001
[2007/02/20 09:19:29, 5] rpc_parse/parse_prs.c:prs_ntstatus(672)
00a8 status : NT_STATUS_OK
[2007/02/20 09:19:29, 5] nsswitch/winbindd_rpc.c:msrpc_sid_to_name(354)
Mapped sid to [WXYZ]\[USBEnabled]
[2007/02/20 09:19:29, 0] nsswitch/winbindd_sid.c:winbindd_sid_to_gid(288)
winbindd_sid_to_uid: 'winbind trusted domains only' is set but this group
[USBEnabled] doesn't exist!
[2007/02/20 09:19:29, 5] nsswitch/winbindd.c:winbind_client_read(477)
read failed on sock 23, pid 6473: EOF
[2007/02/20 09:19:47, 3] nsswitch/winbindd_misc.c:winbindd_interface_version(261)
[ 6477]: request interface version
[2007/02/20 09:19:47, 3] nsswitch/winbindd_misc.c:winbindd_priv_pipe_dir(297)
[ 6477]: request location of privileged pipe
[2007/02/20 09:19:47, 5] nsswitch/winbindd.c:winbind_client_read(477)
read failed on sock 22, pid 6477: EOF
[2007/02/20 09:19:47, 3] nsswitch/winbindd_sid.c:winbindd_sid_to_gid(238)
[ 6477]: sid to gid S-1-5-21-4121681757-1283273484-4023308939-1859
[2007/02/20 09:19:47, 0] nsswitch/winbindd_sid.c:winbindd_sid_to_gid(288)
winbindd_sid_to_uid: 'winbind trusted domains only' is set but this group
[USBEnabled] doesn't exist!
[2007/02/20 09:19:47, 5] nsswitch/winbindd.c:winbind_client_read(477)
read failed on sock 23, pid 6477: EOF
[2007/02/20 09:20:01, 3] nsswitch/winbindd_misc.c:winbindd_interface_version(261)
[ 6480]: request interface version
[2007/02/20 09:20:01, 3] nsswitch/winbindd_misc.c:winbindd_priv_pipe_dir(297)
[ 6480]: request location of privileged pipe
[2007/02/20 09:20:01, 5] nsswitch/winbindd.c:winbind_client_read(477)
read failed on sock 22, pid 6480: EOF
[2007/02/20 09:20:01, 3] nsswitch/winbindd_group.c:winbindd_getgroups(1003)
[ 6480]: getgroups root
[2007/02/20 09:20:01, 5] nsswitch/winbindd.c:winbind_client_read(477)
read failed on sock 23, pid 6480: EOF
In my lab environment:
Windows 2k3 AD with Service Pack 1.
Samba server:
OS: CentOS 4.4
Installed packages:
samba-common-3.0.10-1.4E.9
system-config-samba-1.2.21-1
samba-client-3.0.10-1.4E.9
samba-3.0.10-1.4E.9
krb5-devel-1.3.4-33
krb5-server-1.3.4-33
pam_krb5-2.1.8-1
krb5-libs-1.3.4-33
krb5-workstation-1.3.4-33
smb.conf
[global]
# Global section as posted: an AD domain member (security = ADS) whose
# winbind lookups are meant to back Squid's wbinfo_group.pl helper.
workgroup = WXYZ
realm = WXYZ.COM.CN
netbios name = WXYZ-dns1
server string = Squid_AD_auth_server
encrypt passwords = yes
password server = WXYZdc01.WXYZ.COM.CN
security = ADS
wins server = 10.111.9.2
allow trusted domains = yes
domain master = no
local master = no
preferred master = no
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
log file = /var/log/samba/%m.log
max log size = 15000
load printers = no
# Debug logging information
# Level 5 is what produces the per-field RPC parse dump in winbindd.log.
# Those entries include group names and SIDs, so lower the level again
# once troubleshooting is finished.
log level = 5
debug timestamp = yes
dns proxy = no
printcap name = /etc/printcap
cups options = raw
# Shell reported for winbind-resolved domain users; /bin/false gives them
# no interactive login on this host.
template shell = /bin/false
template homedir = /home/%U
# The winbindd.log error for [USBEnabled] names this option. With it set,
# winbindd expects a UNIX account/group of the same name to exist already
# (local files, NIS, LDAP, ...) rather than allocating an id from the
# idmap range below, which matches the failing sid-to-gid conversion.
winbind trusted domains only = yes
winbind use default domain = yes
# Id range winbindd allocates from when it does its own mapping.
# NOTE(review): confirm the range does not overlap local uids/gids.
idmap gid = 10000-20000
idmap uid = 10000-20000
;
; idmap gid = 16777216-33554431
; idmap uid = 16777216-33554431
;
winbind separator = /
winbind enum groups = yes
winbind enum users = yes
.......
.....
krb5.conf:
# Kerberos client configuration as posted, for realm WXYZ.COM.CN.
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
# DNS-based realm and KDC discovery is switched off here, so the KDCs
# listed under [realms] are the ones the client will contact.
[libdefaults]
default_realm = WXYZ.COM.CN
dns_lookup_realm = false
dns_lookup_kdc = false
ticket_lifetime = 24h
forwardable = yes
# Two KDCs on port 88; the admin server is the first of them, on port 749.
[realms]
WXYZ.COM.CN = {
kdc = WXYZDC01.WXYZ.COM.CN:88
kdc = WXYZDC02.WXYZ.COM.CN:88
admin_server = WXYZDC01.WXYZ.COM.CN:749
default_domain = WXYZ.COM.CN
}
# Maps the DNS domain, and hosts beneath it, to the Kerberos realm.
[domain_realm]
.WXYZ.com.CN = WXYZ.COM.CN
WXYZ.com.CN = WXYZ.COM.CN
# NOTE(review): [kdc] is only read by a KDC running on this host; the post
# describes this machine as a domain member, so this is presumably unused.
[kdc]
profile = /var/kerberos/krb5kdc/kdc.conf
# Per-application defaults; this block applies to the PAM module.
[appdefaults]
pam = {
debug = false
ticket_lifetime = 36000
renew_lifetime = 36000
forwardable = true
krb4_convert = false
}
------- End of Forwarded Message -------
------- End of Forwarded Message -------