[Samba] wbinfo & net ads different results

Ng, Chin-Kiong Chin-Kiong.Ng at spansion.com
Wed Jun 20 06:44:14 GMT 2007


Hi,

Could this be a bug or a misconfiguration?

'wbinfo -g' only returns partial results compared to 'net ads group', thus
unable to authenticate.

# wbinfo -g | wc -l
4998
# net ads group | wc -l
9114
# getent group | wc -l
5047        [+ local groups]

Take a group dl.samplegroup, which is in the DC but missing from wbinfo:

# net ads group | grep dl.samplegroup
dl.samplegroup    [found]
# wbinfo -g | grep dl.samplegroup
[not found]
# getent group | grep dl.samplegroup
[not found]

BUT, these work:

# getent group dl.samplegroup
dl.samplegroup:*:15053: user1,user2,....
# wbinfo -n dl.samplegroup
S-1-5-21-839012768-2468886555-2058922813-7287 Domain Group (2)
# wbinfo -Y S-1-5-21-839012768-2468886555-2058922813-7287
15053

So what's going wrong?

My configurations are as follows, quite simple:

smb.conf
========
[global]
        workgroup = MYDOMAIN
        netbios name = MYSERVER
        server string = MYSERVER
        interfaces = eth0 lo
        bind interfaces only = Yes
        security = ads
        password server = mydc1 mydc2
        realm = MYDOMAIN.COM

        log file = /var/log/samba/%m.log
        log level = 3 winbind:5 nmb:5
        max log size = 10000

        encrypt passwords = Yes
        update encrypted = Yes
        smb passwd file = /etc/samba/smbpasswd
# NOTE: Use these with 'encrypt passwords' and 'smb passwd file' above.
        passwd program = /usr/bin/passwd %u
        passwd chat = *New*UNIX*password* %n\n *ReType*new*UNIX*password* %n\n *passwd:*all*authentication*tokens*updated*successfully*

# Avoid other domains in forest
        allow trusted domains = no

        winbind cache time = 300
        winbind uid = 10000-100000
        winbind gid = 10000-100000
        winbind enum users = no
        winbind enum groups = yes
        winbind use default domain = yes
        winbind trusted domains only = no

        name resolve order = lmhosts wins host bcast

        wins server = mydc1 mydc2
        wins proxy = yes
        wins support = no
        dns proxy = No
        oplocks = Yes
        level2 oplocks = Yes
        read only = yes
        browseable = yes
        printable = No

nsswitch.conf
=============
passwd:     files winbind
group:      files winbind

krb5.conf
=========
[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = MYDOMAIN.COM
 dns_lookup_realm = false
 dns_lookup_kdc = false
 ticket_lifetime = 24h
 forwardable = yes

[realms]
 MYDOMAIN.COM = {
  kdc = mydc1.MYDOMAIN.com:88
  admin_server = mydc1.MYDOMAIN.com:749
  default_domain = MYDOMAIN.com
 }

[domain_realm]
 .MYDOMAIN.com = MYDOMAIN.COM
 MYDOMAIN.com = MYDOMAIN.COM

[kdc]
 profile = /etc/kdc.conf

[appdefaults]
 pam = {
   debug = false
   ticket_lifetime = 36000
   renew_lifetime = 36000
   forwardable = true
   krb4_convert = false
 }

Checking with the domain admin, it turns out that the groups that do not
appear in wbinfo are of Group Type: 'Distribution' in Win2k AD? The others
are of 'Security'.

My system:
CentOS 5 2.6.18-8.el5

Samba:
samba-common-3.0.23c-2.el5.2.0.2
samba-3.0.23c-2.el5.2.0.2

Thanks.

Cheers,
CK Ng
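
To test the Distribution-versus-Security observation at the end of the post against every group rather than one sample, the following added example (not part of the original post and not Samba code) classifies each group missing from the 'wbinfo -g' enumeration by the AD groupType attribute, whose 0x80000000 bit marks a security group. The sample data is constructed, and the "attribute: value" layout assumed for 'net ads search' output is an assumption.

```python
# Added example: sample data below is constructed, not taken from the post.
SECURITY_ENABLED = 0x80000000  # AD groupType flag: set on security groups, clear on distribution groups

# Constructed sample in "attribute: value" form, the layout assumed for
# `net ads search '(objectCategory=group)' sAMAccountName groupType`.
AD_SEARCH = """\
sAMAccountName: dl.samplegroup
groupType: 2

sAMAccountName: sec.engineering
groupType: -2147483646

sAMAccountName: sec.finance
groupType: -2147483640

sAMAccountName: dl.allstaff
groupType: 8
"""

# Constructed `wbinfo -g` output (one group name per line).
WBINFO_G = "sec.engineering\nsec.finance\n"


def parse_group_types(text):
    """Return {sAMAccountName: groupType as unsigned 32-bit int}."""
    groups = {}
    for record in text.strip().split("\n\n"):
        attrs = dict(line.split(": ", 1) for line in record.splitlines() if ": " in line)
        # AD returns groupType as a signed 32-bit integer; mask to read bit 31.
        groups[attrs["sAMAccountName"].lower()] = int(attrs["groupType"]) & 0xFFFFFFFF
    return groups


def classify_missing(ad_search_text, wbinfo_text):
    """Split groups absent from the winbind enumeration by group type."""
    ad = parse_group_types(ad_search_text)
    enumerated = {g.strip().lower() for g in wbinfo_text.splitlines() if g.strip()}
    missing = {"distribution": [], "security": []}
    for name, gtype in sorted(ad.items()):
        if name not in enumerated:
            kind = "security" if gtype & SECURITY_ENABLED else "distribution"
            missing[kind].append(name)
    return missing


if __name__ == "__main__":
    result = classify_missing(AD_SEARCH, WBINFO_G)
    print("missing distribution groups:", result["distribution"])
    print("missing security groups:    ", result["security"])
```

Any name reported under "security" would not fit the group-type explanation and would need a separate look, since security groups are the ones used for access decisions.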

 

 

 


