[Samba] "wbinfo -g" return incomplete list

PIGNOL, Christian christian_pignol at merck.com
Tue Nov 4 10:33:07 GMT 2008


Hello,

I have trouble with my Samba (3.0.10-1.4E.11) on RHEL4.

This Samba was joined to a Windows AD domain without problems.

Below is an extract of the smb.conf (without the share):

[global]
        workgroup = ONE
        realm = MYDOM.COM
        netbios aliases = srv0001
        server string = SRV0001 / Intranet & Applications Server
        security = DOMAIN
        password server = PWDSRV01, PWDSRV02, PWDSRV03, *
        algorithmic rid base = 100000
        pam password change = Yes
        passwd program = /usr/bin/passwd %u
        passwd chat = *New*password* %n\n *Retype*new*password* %n\n *passwd:*all*authentication*tokens*updated*successfully*
        client NTLMv2 auth = Yes
        client lanman auth = No
        client plaintext auth = No
        log level = 4
        log file = /var/log/samba/%m.log
        max log size = 1000
        debug pid = Yes
        debug uid = Yes
        max xmit = 65535
        socket options = IPTOS_THROUGHPUT TCP_NODELAY SO_RCVBUF=16384 SO_SNDBUF=16384
        add user script = /usr/sbin/useradd %u -g smbusers
        delete user script = /usr/sbin/userdel %u
        os level = 33
        preferred master = No
        local master = No
        domain master = No
        dns proxy = No
        wins server = xx.xx.xx.xx yy.yy.yy.yy
        ldap ssl = no
        idmap uid = 100000-999999999
        idmap gid = 100000-999999999
        template shell = /bin/bash
        winbind separator = /
        winbind enable local accounts = Yes
        winbind use default domain = Yes
        winbind nested groups = Yes
        create mask = 0775
        nt acl support = No
        printing = lprng
        print command = lpr -r -P'%p' %s
        lpq command = lpq -P'%p'
        lprm command = lprm -P'%p' %j
        lppause command = lpc hold '%p' %j
        lpresume command = lpc release '%p' %j
        queuepause command = lpc stop '%p'
        queueresume command = lpc start '%p'

This domain, ONE.MYDOM.COM, has bidirectional relationships with other
domains ... TWO.MYDOM.COM    THREE.MYDOM.COM    ...etc, ...

When I ask for a list of domains with "wbinfo -m", the result is:

[root@srv0001 samba]# wbinfo -m
SRV0001
BUILTIN
TWO
THREE
FOUR
FIVE
. . .
[root@srv0001 samba]#

I see all the trusted domains, fine, but I don't see the ONE domain!
A "wbinfo -g" command returns only the trusted domains' groups ... never
groups of the primary "ONE" domain.

It seems that everything is working fine ... (see below)

[root@srv0001 samba]# wbinfo -n ONE/user01
S-1-5-21-6776287-1952083785-2110791508-497344 User (1)
[root@srv0001 samba]# wbinfo -S
S-1-5-21-6776287-1952083785-2110791508-497344
100020
[root@srv0001 samba]# wbinfo -t
checking the trust secret via RPC calls succeeded
[root@srv0001 samba]#  wbinfo -a ONE/user01%good_password
plaintext password authentication succeeded
challenge/response password authentication succeeded
[root@srv0001 samba]#  wbinfo -a ONE/user01%bad_password
challenge/response password authentication failed
error code was NT_STATUS_WRONG_PASSWORD (0xc000006a)
error messsage was: Wrong Password
Could not authenticate user ONE/user01 with challenge/response
[root@srv0001 samba]#

Except for accessing groups and users of the primary domain ONE ... and I
need to access these groups to include them in ACLs.

When I try a "wbinfo -g", I see the following message in winbindd.log:

[2008/11/04 11:30:25, 3, pid=22415, effective(0, 0), real(0, 0)] nsswitch/winbindd_group.c:get_sam_group_entries(536)
  get_sam_group_entries: could not enumerate domain groups! Error: NT_STATUS_ACCESS_DENIED

Is it related?


Any help would be appreciated.

Thanks a lot in advance and regards.


Christian PIGNOL
04  73 67 48 65
