[Samba] Winbind problem with more details.

Ross S. W. Walker rwalker at medallion.com
Thu Feb 14 21:37:16 GMT 2008


Ross S. W. Walker wrote:
> Trimble, Ronald D wrote:
> > 
> > Just an FYI... this is not a local group but an AD Domain 
> > Local group.  We are using Domain Local groups since they can 
> > contain users from other domains.
> 
> 
> Are all these users members of the same domain?
> 
> If not, do you have the 'allow trusted domains = yes' option set?
> 
> What does your idmap setup look like?

After reading more carefully I have more questions below...

> > -----Original Message-----
> > From: Herb Lewis [mailto:hlewis at panasas.com]
> > Sent: Thursday, February 14, 2008 3:08 PM
> > To: Trimble, Ronald D
> > Cc: samba at lists.samba.org
> > Subject: Re: [Samba] Winbind problem with more details.
> > 
> > you will notice that the SID type for the requested group is 4,
> > which we see from smb.h is SID_NAME_ALIAS  /* local group */
> > 
> > 
> > Trimble, Ronald D wrote:
> > > Everyone,
> > > One of our developers was kind enough to insert some bug checking
> > > into the mod_auth_pam and mod_auth_sys_group so that we could see a
> > > little more of what was going on with our authentication failures.
> > > Here is what we just saw.  Two of our users NA\connelmp and
> > > NA\guminssa both started getting messages that they were not part
> > > of the required group.  Here is the log for you all to see...

These users started getting messages, this means it was working
correctly for a while?

When did it stop working?

Did anything change around that time that could impact this?

> > > From /var/log/apache2/error_log

Maybe /var/log/messages, or /var/log/samba/... may have more
detail as to why things aren't working.

<snip lots of sid stuff>

> > > Can anyone shed some light on what is going on here?  This
> > > problem has been driving me crazy for several weeks now and I
> > > could use all the help I could get.  I have a full complement
> > > of logs to go along with all the above information if anyone
> > > would be so kind as to take a look.  I can make it worth your
> > > while... I have a code for two free movie tickets on
> > > fandango.com if you can help me solve this.  Not much, but
> > > better than an email saying thanks.  :)

Try running your SID output with nscd shut down and see if that
is affecting it, otherwise I would start looking at what changed
in your environment that might have caused this.

Maybe permissions on the AD object?

The computer object representing this box has adequate rights
to query all group objects in AD?

Just throwing out some ideas here.

-Ross
