[Samba] problems with groups, winbind authenticating a centOS 4 machine to AD
Eric Gottesman
ericg at ingenio.com
Wed Nov 14 19:58:47 GMT 2007
WHY HELLO. i have a centOS 4.4 machine running samba 3.0.10-1.4E.9. my
goal is to log in to the machine using AD credentials. at the moment,
i'm successfully logging in, but i can't retrieve groups for AD users:
-bash-3.00$ groups
id: cannot find name for group ID 16777216
16777216 id: cannot find name for group ID 16777217
16777217 id: cannot find name for group ID 16777218
16777218 id: cannot find name for group ID 16777219
16777219 id: cannot find name for group ID 16777220
16777220 id: cannot find name for group ID 16777221
16777221 id: cannot find name for group ID 16777222
16777222 id: cannot find name for group ID 16777223
16777223
here's my smb.conf:
[global]
workgroup = DEV
server string = STGRAD01
security = domain
log file = /var/log/samba/%m.log
log level = 3
local master = no
max log size = 50
dns proxy = no
password server = devadmin01.dev.company.com
idmap uid = 16777216-33554431
idmap gid = 16777216-33554431
template shell = /bin/bash
winbind use default domain = no
winbind enum users = yes
winbind enum groups = yes
# winbind separator = \
[homes]
comment = Home Directories
browseable = no
writable = yes
...and here's a snippet from winbindd.log:
[2007/11/14 11:54:46, 3] nsswitch/winbindd_group.c:winbindd_getgrgid(348)
  [23928]: getgrgid 16777223
[2007/11/14 11:54:46, 3] nsswitch/winbindd_rpc.c:msrpc_sid_to_name(338)
  sid_to_name [rpc] S-1-5-21-1482476501-926492609-1644491937-518 for domain DEV
[2007/11/14 11:54:46, 3] libads/ldap.c:ads_connect(285)
  Connected to LDAP server 10.11.1.21
[2007/11/14 11:54:46, 3] libads/ldap.c:ads_server_info(2469)
  got ldap server name devadmin01 at DEV.COMPANY.COM, using bind path: dc=DEV,dc=COMPANY,dc=COM
[2007/11/14 11:54:46, 3] nsswitch/winbindd_cm.c:cm_get_ipc_userpass(109)
  IPC$ connections done anonymously
[2007/11/14 11:54:46, 3] libsmb/cliconnect.c:cli_start_connection(1388)
  Connecting to host=DEVADMIN01
[2007/11/14 11:54:46, 3] lib/util_sock.c:open_socket_out(752)
  Connecting to 10.11.1.21 at port 445
[2007/11/14 11:54:46, 1] nsswitch/winbindd_group.c:fill_grent_mem(133)
  could not lookup membership for group rid S-1-5-21-1482476501-926492609-1644491937-518 in domain DEV (error: NT_STATUS_ACCESS_DENIED)
also, for some reason everything breaks if i uncomment the winbind
separator line.
any ideas?
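
One way to triage a winbindd.log like the one above, as an added example that is not part of the original post: it attaches each continuation line to its log header and reports every fill_grent_mem error together with the gid of the preceding getgrgid request and whether the IPC$ connection logged for that request was anonymous. The function names and the layout of the findings are assumptions of this example; the sample lines are taken from the log excerpt in the post.

```python
import re
from collections import namedtuple

# Sample: lines from the winbindd.log excerpt in the post (LDAP/socket entries omitted).
SAMPLE = """\
[2007/11/14 11:54:46, 3] nsswitch/winbindd_group.c:winbindd_getgrgid(348)
  [23928]: getgrgid 16777223
[2007/11/14 11:54:46, 3] nsswitch/winbindd_rpc.c:msrpc_sid_to_name(338)
  sid_to_name [rpc] S-1-5-21-1482476501-926492609-1644491937-518 for domain DEV
[2007/11/14 11:54:46, 3] nsswitch/winbindd_cm.c:cm_get_ipc_userpass(109)
  IPC$ connections done anonymously
[2007/11/14 11:54:46, 1] nsswitch/winbindd_group.c:fill_grent_mem(133)
  could not lookup membership for group rid
  S-1-5-21-1482476501-926492609-1644491937-518 in domain DEV (error:
  NT_STATUS_ACCESS_DENIED)
"""

HEADER = re.compile(r"^\[(\d{4}/\d\d/\d\d \d\d:\d\d:\d\d), +(\d+)\] \S+:(\w+)\(\d+\)")
SID = re.compile(r"S-1-5-21(?:-\d+)+")
STATUS = re.compile(r"NT_STATUS_\w+")
Entry = namedtuple("Entry", "time level func msg")
def parse_entries(text):
    """Attach each continuation line to the header line above it."""
    raw = []
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            raw.append([m.group(1), int(m.group(2)), m.group(3), []])
        elif raw and line.strip():
            raw[-1][3].append(line.strip())
    return [Entry(t, lvl, fn, " ".join(msg)) for t, lvl, fn, msg in raw]

def failed_group_lookups(entries):
    """One finding per fill_grent_mem error, tied to the preceding getgrgid."""
    findings, gid, anonymous = [], None, False
    for e in entries:
        if e.func == "winbindd_getgrgid":
            gid, anonymous = int(e.msg.split()[-1]), False
        elif e.func == "cm_get_ipc_userpass":
            anonymous = "anonymously" in e.msg
        elif e.func == "fill_grent_mem" and STATUS.search(e.msg) and SID.search(e.msg):
            sid = SID.search(e.msg).group(0)
            findings.append({"gid": gid, "sid": sid, "rid": int(sid.rsplit("-", 1)[1]),
                             "status": STATUS.search(e.msg).group(0),
                             "anonymous_ipc": anonymous})
    return findings

if __name__ == "__main__":
    print(failed_group_lookups(parse_entries(SAMPLE)))
```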