[Samba] Winbind problem with more details.

Trimble, Ronald D Ronald.Trimble at unisys.com
Fri Feb 15 15:24:15 GMT 2008


The users who are failing are all in the same domain.  What are you referring to in terms of the idmap?

-----Original Message-----
From: Ross S. W. Walker [mailto:rwalker at medallion.com]
Sent: Thursday, February 14, 2008 4:26 PM
To: Trimble, Ronald D; Herb Lewis
Cc: samba at lists.samba.org
Subject: RE: [Samba] Winbind problem with more details.

Trimble, Ronald D wrote:
>
> Just an FYI... this is not a local group but an AD Domain
> Local group.  We are using Domain Local groups since they can
> contain users from other domains.


Are all these users members of the same domain?

If not, do you have the 'allow trusted domains = yes' option set?

What does your idmap setup look like?


-Ross

> -----Original Message-----
> From: Herb Lewis [mailto:hlewis at panasas.com]
> Sent: Thursday, February 14, 2008 3:08 PM
> To: Trimble, Ronald D
> Cc: samba at lists.samba.org
> Subject: Re: [Samba] Winbind problem with more details.
>
> you will notice that the SID type for the requested group is 4 which we
> see from smb.h is SID_NAME_ALIAS  /* local group */
>
>
> Trimble, Ronald D wrote:
> > Everyone,
> > One of our developers was kind enough to
> > insert some bug checking into the mod_auth_pam and
> > mod_auth_sys_group so that we could see a little more of what
> > was going on with our authentication failures.  Here is what
> > we just saw.  Two of our users NA\connelmp and NA\guminssa
> > both started getting messages that they were not part of the
> > required group.   Here is the log for you all to see...
> >
> > From /var/log/apache2/error_log
> >
> > [Thu Feb 14 13:22:24 2008] [error] [client 192.63.212.40] CHKAUTH: is na\\huynhsv a member of NA\\USTR-LINUX-1-SPAR?
> > [Thu Feb 14 13:22:24 2008] [error] [client 192.63.212.40] CHKAUTH: YES, na\\huynhsv is listed amongst the NA\\USTR-LINUX-1-SPAR group members
> > [Thu Feb 14 13:22:24 2008] [error] [client 192.63.212.40] CHKAUTH: is na\\huynhsv a member of NA\\USTR-LINUX-1-SPAR?
> > [Thu Feb 14 13:22:24 2008] [error] [client 192.63.212.40] CHKAUTH: YES, na\\huynhsv is listed amongst the NA\\USTR-LINUX-1-SPAR group members
> > [Thu Feb 14 13:22:24 2008] [error] [client 192.63.212.40] CHKAUTH: is na\\huynhsv a member of NA\\USTR-LINUX-1-SPAR?
> > [Thu Feb 14 13:22:24 2008] [error] [client 192.63.212.40] CHKAUTH: YES, na\\huynhsv is listed amongst the NA\\USTR-LINUX-1-SPAR group members
> > [Thu Feb 14 13:23:33 2008] [error] [client 192.63.212.63] CHKAUTH: is NA\\connelmp a member of NA\\USTR-LINUX-1-SPAR?
> > [Thu Feb 14 13:23:33 2008] [error] [client 192.63.212.63] CHKAUTH: NO, NA\\connelmp is NOT a member of NA\\USTR-LINUX-1-SPAR group (with 58 members)
> > [Thu Feb 14 13:23:33 2008] [error] [client 192.63.212.63] CHKAUTH: GROUP: NA\\connelmp not in required group(s).
> > [Thu Feb 14 13:23:46 2008] [error] [client 192.63.212.63] CHKAUTH: is NA\\connelmp a member of NA\\USTR-LINUX-1-SPAR?
> > [Thu Feb 14 13:23:46 2008] [error] [client 192.63.212.63] CHKAUTH: NO, NA\\connelmp is NOT a member of NA\\USTR-LINUX-1-SPAR group (with 58 members)
> > [Thu Feb 14 13:23:46 2008] [error] [client 192.63.212.63] CHKAUTH: GROUP: NA\\connelmp not in required group(s).
> > [Thu Feb 14 13:24:42 2008] [error] [client 192.63.212.63] CHKAUTH: is na\\connelmp a member of NA\\USTR-LINUX-1-SPAR?, referer: https://ustr-linux-1/scm/spar/trac/ticket/130
> > [Thu Feb 14 13:24:42 2008] [error] [client 192.63.212.63] CHKAUTH: NO, na\\connelmp is NOT a member of NA\\USTR-LINUX-1-SPAR group (with 58 members), referer: https://ustr-linux-1/scm/spar/trac/ticket/130
> > [Thu Feb 14 13:24:42 2008] [error] [client 192.63.212.63] CHKAUTH: GROUP: na\\connelmp not in required group(s)., referer: https://ustr-linux-1/scm/spar/trac/ticket/130
> > [Thu Feb 14 13:24:51 2008] [error] [client 192.63.212.63] CHKAUTH: is na\\connelmp a member of NA\\USTR-LINUX-1-SPAR?, referer: https://ustr-linux-1/scm/spar/trac/ticket/130
> > [Thu Feb 14 13:24:51 2008] [error] [client 192.63.212.63] CHKAUTH: NO, na\\connelmp is NOT a member of NA\\USTR-LINUX-1-SPAR group (with 58 members), referer: https://ustr-linux-1/scm/spar/trac/ticket/130
> > [Thu Feb 14 13:24:51 2008] [error] [client 192.63.212.63] CHKAUTH: GROUP: na\\connelmp not in required group(s)., referer: https://ustr-linux-1/scm/spar/trac/ticket/130
> > [Thu Feb 14 13:24:59 2008] [error] [client 192.63.212.63] CHKAUTH: is na\\connelmp a member of NA\\USTR-LINUX-1-SPAR?, referer: https://ustr-linux-1/scm/spar/trac/ticket/130
> > [Thu Feb 14 13:24:59 2008] [error] [client 192.63.212.63] CHKAUTH: NO, na\\connelmp is NOT a member of NA\\USTR-LINUX-1-SPAR group (with 58 members), referer: https://ustr-linux-1/scm/spar/trac/ticket/130
> > [Thu Feb 14 13:24:59 2008] [error] [client 192.63.212.63] CHKAUTH: GROUP: na\\connelmp not in required group(s)., referer: https://ustr-linux-1/scm/spar/trac/ticket/130
> > [Thu Feb 14 13:24:59 2008] [error] [client 192.63.212.63] CHKAUTH: is na\\connelmp a member of NA\\USTR-LINUX-1-SPAR?, referer: https://ustr-linux-1/scm/spar/trac/ticket/130
> > [Thu Feb 14 13:24:59 2008] [error] [client 192.63.212.63] CHKAUTH: NO, na\\connelmp is NOT a member of NA\\USTR-LINUX-1-SPAR group (with 58 members), referer: https://ustr-linux-1/scm/spar/trac/ticket/130
> > [Thu Feb 14 13:24:59 2008] [error] [client 192.63.212.63] CHKAUTH: GROUP: na\\connelmp not in required group(s)., referer: https://ustr-linux-1/scm/spar/trac/ticket/130
> > [Thu Feb 14 13:25:25 2008] [error] [client 192.63.212.63] CHKAUTH: is NA\\connelmp a member of NA\\USTR-LINUX-1-SPAR?
> > [Thu Feb 14 13:25:25 2008] [error] [client 192.63.212.63] CHKAUTH: NO, NA\\connelmp is NOT a member of NA\\USTR-LINUX-1-SPAR group (with 58 members)
> > [Thu Feb 14 13:25:25 2008] [error] [client 192.63.212.63] CHKAUTH: GROUP: NA\\connelmp not in required group(s).
> > [Thu Feb 14 13:26:29 2008] [error] [client 192.63.212.139] CHKAUTH: is na\\guminssa a member of NA\\USTR-LINUX-1-SPAR?
> > [Thu Feb 14 13:26:29 2008] [error] [client 192.63.212.139] CHKAUTH: NO, na\\guminssa is NOT a member of NA\\USTR-LINUX-1-SPAR group (with 58 members)
> > [Thu Feb 14 13:26:29 2008] [error] [client 192.63.212.139] CHKAUTH: GROUP: na\\guminssa not in required group(s).
> > [Thu Feb 14 13:27:37 2008] [error] [client 192.63.212.40] CHKAUTH: is na\\huynhsv a member of NA\\USTR-LINUX-1-SPAR?
> > [Thu Feb 14 13:27:37 2008] [error] [client 192.63.212.40] CHKAUTH: YES, na\\huynhsv is listed amongst the NA\\USTR-LINUX-1-SPAR group members
> > [Thu Feb 14 13:27:37 2008] [error] [client 192.63.212.40] CHKAUTH: is na\\huynhsv a member of NA\\USTR-LINUX-1-SPAR?
> > [Thu Feb 14 13:27:37 2008] [error] [client 192.63.212.40] CHKAUTH: YES, na\\huynhsv is listed amongst the NA\\USTR-LINUX-1-SPAR group members
> > [Thu Feb 14 13:27:37 2008] [error] [client 192.63.212.40] CHKAUTH: is na\\huynhsv a member of NA\\USTR-LINUX-1-SPAR?
> > [Thu Feb 14 13:27:37 2008] [error] [client 192.63.212.40] CHKAUTH: YES, na\\huynhsv is listed amongst the NA\\USTR-LINUX-1-SPAR group members
> >
> >
> > Here I looked up the SIDs of each user so I could further
> > document what winbind sees.
> >
> > USTR-LINUX-1:~ # wbinfo --name-to-sid='NA\guminssa'
> > S-1-5-21-725345543-2052111302-527237240-100501 User (1)
> >
> > USTR-LINUX-1:~ # wbinfo --name-to-sid='NA\connelmp'
> > S-1-5-21-725345543-2052111302-527237240-25886 User (1)
> >
> >
> > The first thing that jumps out at me is that the
> > --user-domgroups switch does not show all the groups the user
> > belongs to and sure enough the needed group
> > NA\USTR-LINUX-1-SPAR is not there.
> >
> >
> > USTR-LINUX-1:~ # for i in `wbinfo --user-domgroups=S-1-5-21-725345543-2052111302-527237240-100501`; do wbinfo --sid-to-name=$i; done
> > NA\guminssa 1
> > NA\USAUS-WEBBrowsers 2
> > NA\USMV IIs Releases 2
> > NA\USTR CMP SSafe DB 2
> > NA\USRV-JOPLIN-CHANGE-NULDEV 2
> > NA\Domain Users 2
> > NA\Tredyffrin Users 2
> > NA\USAUS-Knowlix 2
> > NA\TCUsers 2
> > NA\PKI MFA Smartcards 2
> > NA\OE-P D T Tred-000106 2
> > NA\AD ClearPath MCP 2
> > NA\All Employees 2
> > NA\CTY-United St-US 2
> > NA\CE-United Sta-US 2
> > NA\OE-Systems & -000004 2
> > NA\Org-Eastern -002418 2
> > NA\MessageStats Web 2
> > NA\OE-Eastern De-002418 2
> > NA\All NA Employees 2
> > NA\Org-Product D-000106 2
> > NA\Org-Systems &-000004 2
> > NA\All Users 2
> > NA\All S&T Employees Wo 2
> > NA\OE-Product De-000011 2
> > NA\OE-ClearPath -002418 2
> > NA\Org-P D T Tre-000106 2
> > NA\All NA Users 2
> > NA\IdNexus Certificate Subscribers 2
> > NA\AD Product Development & Technology 2
> > NA\Universal Services 2
> > NA\USTR LE-US340 2
> > NA\USMV Resources Access 2
> > NA\Hendrix Unit Test Support 2
> > NA\Org-ClearPath-002418 2
> > NA\USTR Loc-US340 2
> > NA\USRV-All PDT Users 2
> >
> > The same is true for this user.
> >
> > USTR-LINUX-1:~ # for i in `wbinfo --user-domgroups=S-1-5-21-725345543-2052111302-527237240-25886`; do wbinfo --sid-to-name=$i; done
> > NA\CONNELMP 1
> > NA\USTR-VSS_SPMS 2
> > NA\RV-CMP Plateau Read 2
> > NA\RV-Aurora ReadOnly 2
> > NA\USTR-Avalon-Development-Change 2
> > NA\USAUS-WEBBrowsers 2
> > NA\USTR CMP Pit DB 2
> > NA\TR NIOSourceSafe 2
> > NA\USTR CMP SSafe DB 2
> > NA\RV-SDA Read 2
> > NA\USRV-JOPLIN-CHANGE-NULDEV 2
> > NA\RV-CMP-NUL Eng Test 2
> > NA\Domain Users 2
> > NA\USTR-FS1-Change 2
> > NA\Exchange_TR 2
> > NA\Tredyffrin Users 2
> > NA\USAUS-Knowlix 2
> > NA\TR EDL Op Sys Dev 2
> > NA\RV-Odyssey Change 2
> > NA\USTR-PCBLIBS 2
> > NA\USEAEXCH2 2
> > NA\TCUsers 2
> > NA\PKI MFA Smartcards 2
> > NA\OE-P D T Tred-000106 2
> > NA\AD ClearPath MCP 2
> > NA\All Employees 2
> > NA\CTY-United St-US 2
> > NA\CE-United Sta-US 2
> > NA\OE-Systems & -000004 2
> > NA\Org-Eastern -002418 2
> > NA\MessageStats Web 2
> > NA\OE-Eastern De-002418 2
> > NA\All NA Employees 2
> > NA\Org-Product D-000106 2
> > NA\Org-Systems &-000004 2
> > NA\All Users 2
> > NA\All S&T Employees Wo 2
> > NA\OE-Product De-000011 2
> > NA\OE-ClearPath -002418 2
> > NA\Org-P D T Tre-000106 2
> > NA\All NA Users 2
> > NA\IdNexus Certificate Subscribers 2
> > NA\AD Product Development & Technology 2
> > NA\Universal Services 2
> > NA\USTR LE-US340 2
> > NA\USMV Resources Access 2
> > NA\Org-ClearPath-002418 2
> > NA\USTR Loc-US340 2
> > NA\USRV-All PDT Users 2
> >
> > However, if I use the --user-sids switch, all the groups do
> > show up and the group in question is there.
> >
> > USTR-LINUX-1:~ # for i in `wbinfo --user-sids=S-1-5-21-725345543-2052111302-527237240-100501`; do wbinfo --sid-to-name=$i;done
> > NA\GuminsSA 1
> > NA\GuminsSA 1
> > NA\USAUS-WEBBrowsers 2
> > NA\USMV IIs Releases 2
> > NA\USTR CMP SSafe DB 2
> > NA\USRV-JOPLIN-CHANGE-NULDEV 2
> > NA\Domain Users 2
> > NA\Tredyffrin Users 2
> > NA\USAUS-Knowlix 2
> > NA\TCUsers 2
> > NA\PKI MFA Smartcards 2
> > NA\OE-P D T Tred-000106 2
> > NA\AD ClearPath MCP 2
> > NA\All Employees 2
> > NA\CTY-United St-US 2
> > NA\CE-United Sta-US 2
> > NA\OE-Systems & -000004 2
> > NA\Org-Eastern -002418 2
> > NA\MessageStats Web 2
> > NA\OE-Eastern De-002418 2
> > NA\All NA Employees 2
> > NA\Org-Product D-000106 2
> > NA\Org-Systems &-000004 2
> > NA\All Users 2
> > NA\All S&T Employees Wo 2
> > NA\OE-Product De-000011 2
> > NA\OE-ClearPath -002418 2
> > NA\Org-P D T Tre-000106 2
> > NA\All NA Users 2
> > NA\IdNexus Certificate Subscribers 2
> > NA\AD Product Development & Technology 2
> > NA\Universal Services 2
> > NA\USTR LE-US340 2
> > NA\USMV Resources Access 2
> > NA\Hendrix Unit Test Support 2
> > NA\Org-ClearPath-002418 2
> > NA\USTR Loc-US340 2
> > NA\USRV-All PDT Users 2
> > NA\USTR-CMPData-READ 4
> > NA\USTR-LINUX-1-WSP-Virtualization 4
> > NA\USTR-LINUX-1-BMC_CM 4
> > NA\USTR-LINUX-1-SUSE-READ 4
> > NA\USTR-LINUX-1-SPAR 4
> > NA\USTR-LINUX-1-WSP 4
> > NA\USTR-LINUX-1-REDHAT-READ 4
> > NA\USTR-LINUX-1-RRSMF 4
> > NA\USAUS-WEBBrowsersGlobal 4
> > NA\USPLVDATA1-SOLEIL-READ 4
> > NA\WSWTGeneralAccess 4
> > NA\USPLVDATA2-PLYMOUTHSCO-READ 4
> > NA\USPLVDATA1-LIBDATA1-READ 4
> > NA\USPLVDATA1-MFGDATA-LIST 4
> > NA\USPLVDATA1-PREPRESS2-READ 4
> > NA\USPLVDATA1-RECEIPTS-MODIFY 4
> > NA\USPLVDATA1-PREPRESS1-READ 4
> > NA\FMT-Web WWW NAOps Admin Share 4
> > NA\USPLVDATA2-CDR-READ 4
> > NA\USMV SCO Tutor -CHANGE 4
> > NA\USPL-RDATAPRNT-Shared-Software-Read 4
> > NA\USPLVDATA2-ProdData-Bookstore-Read 4
> > NA\USPLVDATA2-APPLICATIONS-READ 4
> > NA\FMT-Web WWW NAOps -Change 4
> > NA\USPLVDATA1-IMG-READ 4
> > NA\USTR-Semitech-Read 4
> > NA\USMV IIS Wintel EWEB Browse 4
> > NA\USMV IIs Wintel Browse 4
> > NA\USMV CBDD Users 4
> > NA\USTR-Hendrix-Unit-Test-Support 4
> > BUILTIN\Users 4
> >
> > USTR-LINUX-1:~ # for i in `wbinfo --user-sids=S-1-5-21-725345543-2052111302-527237240-25886`; do wbinfo --sid-to-name=$i;done
> > NA\CONNELMP 1
> > NA\CONNELMP 1
> > NA\USTR-VSS_SPMS 2
> > NA\RV-CMP Plateau Read 2
> > NA\RV-Aurora ReadOnly 2
> > NA\USTR-Avalon-Development-Change 2
> > NA\USAUS-WEBBrowsers 2
> > NA\USTR CMP Pit DB 2
> > NA\TR NIOSourceSafe 2
> > NA\USTR CMP SSafe DB 2
> > NA\RV-SDA Read 2
> > NA\USRV-JOPLIN-CHANGE-NULDEV 2
> > NA\RV-CMP-NUL Eng Test 2
> > NA\Domain Users 2
> > NA\USTR-FS1-Change 2
> > NA\Exchange_TR 2
> > NA\Tredyffrin Users 2
> > NA\USAUS-Knowlix 2
> > NA\TR EDL Op Sys Dev 2
> > NA\RV-Odyssey Change 2
> > NA\USTR-PCBLIBS 2
> > NA\USEAEXCH2 2
> > NA\TCUsers 2
> > NA\PKI MFA Smartcards 2
> > NA\OE-P D T Tred-000106 2
> > NA\AD ClearPath MCP 2
> > NA\All Employees 2
> > NA\CTY-United St-US 2
> > NA\CE-United Sta-US 2
> > NA\OE-Systems & -000004 2
> > NA\Org-Eastern -002418 2
> > NA\MessageStats Web 2
> > NA\OE-Eastern De-002418 2
> > NA\All NA Employees 2
> > NA\Org-Product D-000106 2
> > NA\Org-Systems &-000004 2
> > NA\All Users 2
> > NA\All S&T Employees Wo 2
> > NA\OE-Product De-000011 2
> > NA\OE-ClearPath -002418 2
> > NA\Org-P D T Tre-000106 2
> > NA\All NA Users 2
> > NA\IdNexus Certificate Subscribers 2
> > NA\AD Product Development & Technology 2
> > NA\Universal Services 2
> > NA\USTR LE-US340 2
> > NA\USMV Resources Access 2
> > NA\Org-ClearPath-002418 2
> > NA\USTR Loc-US340 2
> > NA\USRV-All PDT Users 2
> > NA\USTR-PRIV58 4
> > NA\USTR-LINUX-1-WSP-Virtualization 4
> > NA\USTR-LINUX-1-BMC_CM 4
> > NA\USTR-LINUX-1-SPAR 4
> > NA\USTR-LINUX-1-WSP 4
> > NA\USTR-Hornet-Change 4
> > NA\USTR-LINUX-1-RRSMF 4
> > NA\USTR-MSS-3 Observers 4
> > NA\USAUS-WEBBrowsersGlobal 4
> > NA\USPLVDATA1-SOLEIL-READ 4
> > NA\WSWTGeneralAccess 4
> > NA\USPLVDATA2-PLYMOUTHSCO-READ 4
> > NA\USPLVDATA1-LIBDATA1-READ 4
> > NA\USPLVDATA1-MFGDATA-LIST 4
> > NA\USPLVDATA1-PREPRESS2-READ 4
> > NA\USPLVDATA1-RECEIPTS-MODIFY 4
> > NA\USPLVDATA1-PREPRESS1-READ 4
> > NA\FMT-Web WWW NAOps Admin Share 4
> > NA\USPLVDATA2-CDR-READ 4
> > NA\USMV SCO Tutor -CHANGE 4
> > NA\USPL-RDATAPRNT-Shared-Software-Read 4
> > NA\USPLVDATA2-ProdData-Bookstore-Read 4
> > NA\USPLVDATA2-APPLICATIONS-READ 4
> > NA\FMT-Web WWW NAOps -Change 4
> > NA\USPLVDATA1-IMG-READ 4
> > NA\USTR-Semitech-Read 4
> > NA\USMV IIS Wintel EWEB Browse 4
> > NA\USMV IIs Wintel Browse 4
> > NA\USMV CBDD Users 4
> > BUILTIN\Users 4
> >
> > Can anyone shed some light on what is going on here?  This
> > problem has been driving me crazy for several weeks now and I
> > could use all the help I could get.  I have a full complement
> > of logs to go along with all the above information if anyone
> > would be so kind as to take a look.  I can make it worth your
> > while... I have a code for two free movie tickets on
> > fandango.com if you can help me solve this.  Not much, but
> > better than an email saying thanks.  :)
> >
> >
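One way to check for exactly the mismatch this thread turns on, as an added diagnostic that is not part of the thread or of Samba: the script below diffs the name lists that `wbinfo --sid-to-name` produces for `--user-domgroups` and for `--user-sids`, and labels each group the first query leaves out by its SID type (the trailing number, where 4 is SID_NAME_ALIAS). The sample lists are constructed from the quoted output above and trimmed; on a live host you would feed it the two real outputs.

```shell
#!/bin/sh
# Added diagnostic (not from the thread): diff the group names winbind returns for
# `wbinfo --user-domgroups=<SID>` against `wbinfo --user-sids=<SID>`, both resolved
# through `wbinfo --sid-to-name`, whose output is one "DOMAIN\name TYPE" line per SID.
# The sample lists below are constructed from the thread's quoted output, trimmed.

# Decode the numeric SID type that `wbinfo --sid-to-name` appends to each name
# (Samba's SID_NAME_USE values: 1 user, 2 domain group, 4 alias, i.e. local/domain-local group).
sid_type_name() {
    case "$1" in
        1) echo "user" ;;
        2) echo "domain group" ;;
        4) echo "alias (domain local or BUILTIN group)" ;;
        *) echo "type $1" ;;
    esac
}

# Print every "NAME TYPE" line of $2 (user-sids output) with no match in $1 (domgroups output).
# Names are compared case-insensitively: winbind printed NA\guminssa and NA\GuminsSA for one SID.
missing_from_domgroups() {
    domgroups=$(printf '%s\n' "$1" | tr '[:upper:]' '[:lower:]')
    printf '%s\n' "$2" | while IFS= read -r line; do
        [ -n "$line" ] || continue
        name=${line% *}
        type=${line##* }
        lname=$(printf '%s' "$name" | tr '[:upper:]' '[:lower:]')
        if ! printf '%s\n' "$domgroups" | grep -Fxq -- "$lname $type"; then
            printf '%s\t%s\n' "$name" "$(sid_type_name "$type")"
        fi
    done
}

# Constructed sample: a trimmed copy of what the thread shows for NA\guminssa.
DOMGROUPS='NA\guminssa 1
NA\USAUS-WEBBrowsers 2
NA\Domain Users 2
NA\USRV-All PDT Users 2'

USERSIDS='NA\GuminsSA 1
NA\GuminsSA 1
NA\USAUS-WEBBrowsers 2
NA\Domain Users 2
NA\USRV-All PDT Users 2
NA\USTR-LINUX-1-SPAR 4
NA\USTR-LINUX-1-WSP 4
BUILTIN\Users 4'

# Lists the three type-4 groups, NA\USTR-LINUX-1-SPAR among them, that --user-domgroups omits.
missing_from_domgroups "$DOMGROUPS" "$USERSIDS"
```

Every group it reports as type 4 is one that an Apache module relying on the domgroups-style lookup will never see, which is the pattern in the CHKAUTH log above.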
