[Samba] getent group not listing domain groups / wbinfo -r not working

Ľubomír Brindza lubomir.brindza at gmail.com
Tue Sep 20 01:12:24 MDT 2011


I know, I know, this again :)


The company I work for would like to use squid for proxy authentication
purposes using NTLM, with a Windows 2008 R2 server as the DC. I've
managed to set up samba/winbind to use ads and successfully joined the
domain. I configured nsswitch.conf to look up winbind entities (however I
didn't touch the PAM configuration, as I don't actually want the users to
be able to log in to the linux machine).

wbinfo -t reports a successful check of trust.
wbinfo -u / wbinfo -g work as intended, i.e., they dump a list of domain
users / groups.
I can authenticate using wbinfo -a (both plaintext and
challenge-response) and wbinfo -K.

nsswitch.conf:
> passwd:         compat winbind
> group:          compat winbind

As far as I can tell, nsswitch.conf is also configured properly, since
`getent passwd` dumps local users, waits about 0.2 seconds, and dumps
domain users:
> sasa.sokolova:*:10283:10001:Sasa Sokolova:/home/LIONSK/sasa.sokolova:/bin/false
> adam.szabados:*:10284:10001:Adam Szabados:/home/LIONSK/adam.szabados:/bin/false

(All domain users are members of group '10001', is this normal?)

However, `getent group` lists only local groups. No waiting time, it
just dumps local groups and exits. Likewise, when attempting to
`wbinfo -r <domainuser>`, the command fails with 'Could not get groups for
<domainuser>'. I've run strace on `getent group` (which, incidentally,
shows a timeout, but none is perceived); the result can hopefully be
viewed here: http://halka.yw.sk/ext/strace_getent_group.txt

A widely suggested fix for this was to delete
/var/lib/samba/winbindd_idmap.tdb (for Samba versions up to 3.2.x?), but
the problems persist even after clearing the cache.


This is the point at which I'm stumped, since management wants to apply
different squid ACLs based on domain user's group. The funny (or not)
thing is, when authenticating using domain group restriction, e.g.:
> /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp --require-membership-of=DOMAIN\\it
...works as intended (allows only member of the group 'it' to
authenticate successfully), but that's about as far as I can get.

I'm using samba 3.5.8 as provided by, cough, Ubuntu (10.08) packages.
I've previously tried a similar solution on Debian lenny. Now, this is a
virtual server which only holds samba and squid, so I have no qualms
about reinstalling, using various pre-alpha versions or anything, so
wild ideas like this are not unwelcome.


I've linked my configuration files below, since I'm not yet sure about
proper attachment etiquette in mailing lists:
http://halka.yw.sk/ext/krb5.conf
http://halka.yw.sk/ext/smb.conf
http://halka.yw.sk/ext/nsswitch.conf

Any help is of course greatly appreciated.

-- 
Ľubomír Brindza
xmpp: lubomir.brindza at gmail.com

Your eyes are weary from staring at the CRT. You feel sleepy. 
Notice how restful it is to watch the cursor blink. Close your 
eyes. The opinions stated above are yours. You cannot imagine 
why you ever felt otherwise.
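An added example, not part of the original post and not code from the Samba or Squid projects: a small POSIX shell script that re-runs the three checks the post walks through (shared GID in `getent passwd`, domain groups present in `wbinfo -g` but absent from `getent group`, and the relevant smb.conf parameters), but offline, on constructed sample output so it can be run anywhere. The sample lines, the domain name LIONSK, the idmap range 10000-20000 and the `winbind use default domain = yes` assumption (so `wbinfo -g` prints bare group names instead of `LIONSK\...`) are all assumptions made for the example; the parameter names `idmap uid`, `idmap gid`, `winbind enum users` and `winbind enum groups` are real Samba 3.x options. Two facts it makes visible: `getent group` only enumerates winbind groups when `winbind enum groups = yes` is set (the passwd side needs `winbind enum users = yes`), and every AD account has a primary group (Domain Users unless changed), so all domain users sharing one GID inside the idmap range is expected rather than a fault.

```shell
#!/bin/sh
# Added example, not code from the original post or from Samba/Squid.
# Offline re-run of the checks discussed on the list: the inputs below are
# constructed samples standing in for `getent passwd`, `wbinfo -g`,
# `getent group` and smb.conf. On a real host replace them with
# "$(getent passwd)", "$(wbinfo -g)", "$(getent group)" and
# "$(testparm -s 2>/dev/null)".

# Constructed `getent passwd` sample: two domain users share GID 10001.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
sasa.sokolova:*:10283:10001:Sasa Sokolova:/home/LIONSK/sasa.sokolova:/bin/false
adam.szabados:*:10284:10001:Adam Szabados:/home/LIONSK/adam.szabados:/bin/false'

# Constructed `wbinfo -g` sample; bare names assume
# `winbind use default domain = yes` (otherwise they carry a LIONSK\ prefix).
SAMPLE_WBINFO_G='domain users
domain admins
it'

# Constructed `getent group` sample showing the symptom: only local groups.
SAMPLE_GETENT_GROUP='root:x:0:
adm:x:4:
users:x:100:'

# Constructed smb.conf fragment. The parameter names are real Samba 3.x
# options; the values are assumptions for the example.
SAMPLE_SMB_CONF='[global]
   workgroup = LIONSK
   security = ads
   idmap uid = 10000-20000
   idmap gid = 10000-20000
   winbind use default domain = yes
   winbind enum users = yes
   winbind enum groups = no'

# smb_param CONF NAME: print the value of NAME (case- and space-insensitive)
# or nothing when it is not set.
smb_param() {
    printf '%s\n' "$1" | awk -v key="$2" -F'=' '
        NF >= 2 {
            k = $1; gsub(/^[ \t]+|[ \t]+$/, "", k)
            if (tolower(k) == tolower(key)) {
                v = $2; gsub(/^[ \t]+|[ \t]+$/, "", v); print v
            }
        }'
}

# domain_primary_gids PASSWD LO HI: number of distinct GIDs among accounts
# whose UID falls inside the idmap range LO-HI (i.e. winbind-mapped users).
domain_primary_gids() {
    printf '%s\n' "$1" | awk -F':' -v lo="$2" -v hi="$3" \
        '$3 + 0 >= lo + 0 && $3 + 0 <= hi + 0 { print $4 }' | sort -u | wc -l | tr -d ' '
}

# missing_nss_groups WBINFO_G GETENT_GROUP: domain groups winbind knows about
# that NSS does not return, one per line (case-insensitive name match).
missing_nss_groups() {
    printf '%s\n' "$1" | while IFS= read -r g; do
        [ -n "$g" ] || continue
        if ! printf '%s\n' "$2" | awk -F':' -v want="$g" \
            'tolower($1) == tolower(want) { found = 1 } END { exit !found }'; then
            printf '%s\n' "$g"
        fi
    done
}

# report: tie the three checks together the way you would read them on a host.
report() {
    range=$(smb_param "$SAMPLE_SMB_CONF" 'idmap gid')
    lo=${range%-*}; hi=${range#*-}
    enum=$(smb_param "$SAMPLE_SMB_CONF" 'winbind enum groups')

    printf 'idmap gid range: %s-%s\n' "$lo" "$hi"
    printf 'distinct primary GIDs among domain users: %s\n' \
        "$(domain_primary_gids "$SAMPLE_PASSWD" "$lo" "$hi")"
    printf '  (one shared GID is expected: AD gives every user a primary group, Domain Users by default)\n'

    missing=$(missing_nss_groups "$SAMPLE_WBINFO_G" "$SAMPLE_GETENT_GROUP")
    if [ -n "$missing" ]; then
        printf 'domain groups missing from getent group:\n%s\n' "$missing"
        [ "$enum" = yes ] || printf '  -> "winbind enum groups" is "%s"; getent group only enumerates winbind groups when it is yes\n' "${enum:-unset}"
    fi
}

report
```

The enumeration switch only governs what `getent group` lists; per-name lookups (`getent group <name>`) and `wbinfo -r`, which resolves a user's group SIDs to GIDs through idmap, do not depend on it, so an enumeration fix on its own is not expected to change a failing `wbinfo -r`.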


