[Samba] Winbind problem with more details.

Trimble, Ronald D Ronald.Trimble at unisys.com
Fri Feb 15 15:29:12 GMT 2008

-----Original Message-----
From: Ross S. W. Walker [mailto:rwalker at medallion.com]
Sent: Thursday, February 14, 2008 4:37 PM
To: Ross S. W. Walker; Trimble, Ronald D; Herb Lewis
Cc: samba at lists.samba.org
Subject: RE: [Samba] Winbind problem with more details.

Ross S. W. Walker wrote:
> Trimble, Ronald D wrote:
> >
> > Just an FYI... this is not a local group but an AD Domain
> > Local group.  We are using Domain Local groups since they can
> > contain users from other domains.
> Are all these users members of the same domain?
> If not, do you have the 'allow trusted domains = yes' option set?
> What does your idmap setup look like?

After reading more carefully I have more questions below...

> > -----Original Message-----
> > From: Herb Lewis [mailto:hlewis at panasas.com]
> > Sent: Thursday, February 14, 2008 3:08 PM
> > To: Trimble, Ronald D
> > Cc: samba at lists.samba.org
> > Subject: Re: [Samba] Winbind problem with more details.
> >
> > you will notice that the SID type for the requested group is
> > 4 which we
> > see from smb.h is SID_NAME_ALIAS  /* local group */
> >
> >
> > Trimble, Ronald D wrote:
> > > Everyone,
> > > One of our developers was kind enough to
> > insert some bug checking into the mod_auth_pam and
> > mod_auth_sys_group so that we could see a little more of what
> > was going on with our authentication failures.  Here is what
> > we just saw.  Two of our users NA\connelmp and NA\guminssa
> > both started getting messages that they were not part of the
> > required group.   Here is the log for you all to see...

These users started getting messages, this means it was working
correctly for a while?

Yes, it was working for quite some time.  And throughout any given day it will work and then stop and then begin working again... all without intervention.

When did it stop working?

We had a system crash several weeks ago.  At that point we upgraded to the latest levels of samba as recommended by Novell.  It has not been consistent in performance since.

Did anything change around that time that could impact this?

Yes, we upgraded samba.

> > > From /var/log/apache2/error_log

Maybe /var/log/messages, or /var/log/samba/... may have more
detail as to why things aren't working.

<snip lots of sid stuff>

> > > Can anyone shed some light on what is going on here?  This
> > problem has been driving me crazy for several weeks now and I
> > could use all the help I could get.  I have a full complement
> > of logs to go along with all the above information if anyone
> > would be so kind as to take a look.  I can make it worth your
> > while... I have a code for two free movie tickets on
> > fandango.com if you can help me solve this.  Not much, but
> > better than an email saying thanks.  :)

Try running your SID output with nscd shut down and see if that
is affecting it, otherwise I would start looking at what changed
in your environment that might have caused this.

I will look into disabling NSCD as you suggested.

Maybe permissions on the AD object?

Permissions have not changed.

The computer object representing this box has adequate rights
to query all group objects in AD?

The server is a member of the domain and thus has all the rights it needs to query the domain.

Just throwing out some ideas here.

