Trimble, Ronald D wrote:
>
> Just an FYI... this is not a local group but an AD Domain
> Local group. We are using Domain Local groups since they can
> contain users from other domains.

Are all these users members of the same domain? If not, do you have the
'allow trusted domains = yes' option set?

What does your idmap setup look like?

-Ross

> -----Original Message-----
> From: Herb Lewis [mailto:[EMAIL PROTECTED]
> Sent: Thursday, February 14, 2008 3:08 PM
> To: Trimble, Ronald D
> Cc: samba@lists.samba.org
> Subject: Re: [Samba] Winbind problem with more details.
>
> you will notice that the SID type for the requested group is 4 which we
> see from smb.h is SID_NAME_ALIAS /* local group */
>
> Trimble, Ronald D wrote:
> > Everyone,
> > One of our developers was kind enough to insert some bug checking
> > into the mod_auth_pam and mod_auth_sys_group so that we could see a
> > little more of what was going on with our authentication failures.
> > Here is what we just saw. Two of our users NA\connelmp and NA\guminssa
> > both started getting messages that they were not part of the required
> > group. Here is the log for you all to see...
> >
> > From /var/log/apache2/error_log
> >
> > [Thu Feb 14 13:22:24 2008] [error] [client 192.63.212.40] CHKAUTH: is na\\huynhsv a member of NA\\USTR-LINUX-1-SPAR?
> > [Thu Feb 14 13:22:24 2008] [error] [client 192.63.212.40] CHKAUTH: YES, na\\huynhsv is listed amongst the NA\\USTR-LINUX-1-SPAR group members
> > [Thu Feb 14 13:22:24 2008] [error] [client 192.63.212.40] CHKAUTH: is na\\huynhsv a member of NA\\USTR-LINUX-1-SPAR?
> > [Thu Feb 14 13:22:24 2008] [error] [client 192.63.212.40] CHKAUTH: YES, na\\huynhsv is listed amongst the NA\\USTR-LINUX-1-SPAR group members
> > [Thu Feb 14 13:22:24 2008] [error] [client 192.63.212.40] CHKAUTH: is na\\huynhsv a member of NA\\USTR-LINUX-1-SPAR?
> > [Thu Feb 14 13:22:24 2008] [error] [client 192.63.212.40] CHKAUTH: YES, na\\huynhsv is listed amongst the NA\\USTR-LINUX-1-SPAR group members
> > [Thu Feb 14 13:23:33 2008] [error] [client 192.63.212.63] CHKAUTH: is NA\\connelmp a member of NA\\USTR-LINUX-1-SPAR?
> > [Thu Feb 14 13:23:33 2008] [error] [client 192.63.212.63] CHKAUTH: NO, NA\\connelmp is NOT a member of NA\\USTR-LINUX-1-SPAR group (with 58 members)
> > [Thu Feb 14 13:23:33 2008] [error] [client 192.63.212.63] CHKAUTH: GROUP: NA\\connelmp not in required group(s).
> > [Thu Feb 14 13:23:46 2008] [error] [client 192.63.212.63] CHKAUTH: is NA\\connelmp a member of NA\\USTR-LINUX-1-SPAR?
> > [Thu Feb 14 13:23:46 2008] [error] [client 192.63.212.63] CHKAUTH: NO, NA\\connelmp is NOT a member of NA\\USTR-LINUX-1-SPAR group (with 58 members)
> > [Thu Feb 14 13:23:46 2008] [error] [client 192.63.212.63] CHKAUTH: GROUP: NA\\connelmp not in required group(s).
> > [Thu Feb 14 13:24:42 2008] [error] [client 192.63.212.63] CHKAUTH: is na\\connelmp a member of NA\\USTR-LINUX-1-SPAR?, referer: https://ustr-linux-1/scm/spar/trac/ticket/130
> > [Thu Feb 14 13:24:42 2008] [error] [client 192.63.212.63] CHKAUTH: NO, na\\connelmp is NOT a member of NA\\USTR-LINUX-1-SPAR group (with 58 members), referer: https://ustr-linux-1/scm/spar/trac/ticket/130
> > [Thu Feb 14 13:24:42 2008] [error] [client 192.63.212.63] CHKAUTH: GROUP: na\\connelmp not in required group(s)., referer: https://ustr-linux-1/scm/spar/trac/ticket/130
> > [Thu Feb 14 13:24:51 2008] [error] [client 192.63.212.63] CHKAUTH: is na\\connelmp a member of NA\\USTR-LINUX-1-SPAR?, referer: https://ustr-linux-1/scm/spar/trac/ticket/130
> > [Thu Feb 14 13:24:51 2008] [error] [client 192.63.212.63] CHKAUTH: NO, na\\connelmp is NOT a member of NA\\USTR-LINUX-1-SPAR group (with 58 members), referer: https://ustr-linux-1/scm/spar/trac/ticket/130
> > [Thu Feb 14 13:24:51 2008] [error] [client 192.63.212.63] CHKAUTH: GROUP: na\\connelmp not in required group(s)., referer: https://ustr-linux-1/scm/spar/trac/ticket/130
> > [Thu Feb 14 13:24:59 2008] [error] [client 192.63.212.63] CHKAUTH: is na\\connelmp a member of NA\\USTR-LINUX-1-SPAR?, referer: https://ustr-linux-1/scm/spar/trac/ticket/130
> > [Thu Feb 14 13:24:59 2008] [error] [client 192.63.212.63] CHKAUTH: NO, na\\connelmp is NOT a member of NA\\USTR-LINUX-1-SPAR group (with 58 members), referer: https://ustr-linux-1/scm/spar/trac/ticket/130
> > [Thu Feb 14 13:24:59 2008] [error] [client 192.63.212.63] CHKAUTH: GROUP: na\\connelmp not in required group(s)., referer: https://ustr-linux-1/scm/spar/trac/ticket/130
> > [Thu Feb 14 13:24:59 2008] [error] [client 192.63.212.63] CHKAUTH: is na\\connelmp a member of NA\\USTR-LINUX-1-SPAR?, referer: https://ustr-linux-1/scm/spar/trac/ticket/130
> > [Thu Feb 14 13:24:59 2008] [error] [client 192.63.212.63] CHKAUTH: NO, na\\connelmp is NOT a member of NA\\USTR-LINUX-1-SPAR group (with 58 members), referer: https://ustr-linux-1/scm/spar/trac/ticket/130
> > [Thu Feb 14 13:24:59 2008] [error] [client 192.63.212.63] CHKAUTH: GROUP: na\\connelmp not in required group(s)., referer: https://ustr-linux-1/scm/spar/trac/ticket/130
> > [Thu Feb 14 13:25:25 2008] [error] [client 192.63.212.63] CHKAUTH: is NA\\connelmp a member of NA\\USTR-LINUX-1-SPAR?
> > [Thu Feb 14 13:25:25 2008] [error] [client 192.63.212.63] CHKAUTH: NO, NA\\connelmp is NOT a member of NA\\USTR-LINUX-1-SPAR group (with 58 members)
> > [Thu Feb 14 13:25:25 2008] [error] [client 192.63.212.63] CHKAUTH: GROUP: NA\\connelmp not in required group(s).
> > [Thu Feb 14 13:26:29 2008] [error] [client 192.63.212.139] CHKAUTH: is na\\guminssa a member of NA\\USTR-LINUX-1-SPAR?
> > [Thu Feb 14 13:26:29 2008] [error] [client 192.63.212.139] CHKAUTH: NO, na\\guminssa is NOT a member of NA\\USTR-LINUX-1-SPAR group (with 58 members)
> > [Thu Feb 14 13:26:29 2008] [error] [client 192.63.212.139] CHKAUTH: GROUP: na\\guminssa not in required group(s).
> > [Thu Feb 14 13:27:37 2008] [error] [client 192.63.212.40] CHKAUTH: is na\\huynhsv a member of NA\\USTR-LINUX-1-SPAR?
> > [Thu Feb 14 13:27:37 2008] [error] [client 192.63.212.40] CHKAUTH: YES, na\\huynhsv is listed amongst the NA\\USTR-LINUX-1-SPAR group members
> > [Thu Feb 14 13:27:37 2008] [error] [client 192.63.212.40] CHKAUTH: is na\\huynhsv a member of NA\\USTR-LINUX-1-SPAR?
> > [Thu Feb 14 13:27:37 2008] [error] [client 192.63.212.40] CHKAUTH: YES, na\\huynhsv is listed amongst the NA\\USTR-LINUX-1-SPAR group members
> > [Thu Feb 14 13:27:37 2008] [error] [client 192.63.212.40] CHKAUTH: is na\\huynhsv a member of NA\\USTR-LINUX-1-SPAR?
> > [Thu Feb 14 13:27:37 2008] [error] [client 192.63.212.40] CHKAUTH: YES, na\\huynhsv is listed amongst the NA\\USTR-LINUX-1-SPAR group members
> >
> > Here I looked up the SIDs of each user so I could further document
> > what winbind sees.
> >
> > USTR-LINUX-1:~ # wbinfo --name-to-sid='NA\guminssa'
> > S-1-5-21-725345543-2052111302-527237240-100501 User (1)
> >
> > USTR-LINUX-1:~ # wbinfo --name-to-sid='NA\connelmp'
> > S-1-5-21-725345543-2052111302-527237240-25886 User (1)
> >
> > The first thing that jumps out at me is that the --user-domgroups
> > switch does not show all the groups the user belongs to and sure
> > enough the needed group NA\USTR-LINUX-1-SPAR is not there.
> >
> > USTR-LINUX-1:~ # for i in `wbinfo --user-domgroups=S-1-5-21-725345543-2052111302-527237240-100501`; do wbinfo --sid-to-name=$i; done
> > NA\guminssa 1
> > NA\USAUS-WEBBrowsers 2
> > NA\USMV IIs Releases 2
> > NA\USTR CMP SSafe DB 2
> > NA\USRV-JOPLIN-CHANGE-NULDEV 2
> > NA\Domain Users 2
> > NA\Tredyffrin Users 2
> > NA\USAUS-Knowlix 2
> > NA\TCUsers 2
> > NA\PKI MFA Smartcards 2
> > NA\OE-P D T Tred-000106 2
> > NA\AD ClearPath MCP 2
> > NA\All Employees 2
> > NA\CTY-United St-US 2
> > NA\CE-United Sta-US 2
> > NA\OE-Systems & -000004 2
> > NA\Org-Eastern -002418 2
> > NA\MessageStats Web 2
> > NA\OE-Eastern De-002418 2
> > NA\All NA Employees 2
> > NA\Org-Product D-000106 2
> > NA\Org-Systems &-000004 2
> > NA\All Users 2
> > NA\All S&T Employees Wo 2
> > NA\OE-Product De-000011 2
> > NA\OE-ClearPath -002418 2
> > NA\Org-P D T Tre-000106 2
> > NA\All NA Users 2
> > NA\IdNexus Certificate Subscribers 2
> > NA\AD Product Development & Technology 2
> > NA\Universal Services 2
> > NA\USTR LE-US340 2
> > NA\USMV Resources Access 2
> > NA\Hendrix Unit Test Support 2
> > NA\Org-ClearPath-002418 2
> > NA\USTR Loc-US340 2
> > NA\USRV-All PDT Users 2
> >
> > The same is true for this user.
> >
> > USTR-LINUX-1:~ # for i in `wbinfo --user-domgroups=S-1-5-21-725345543-2052111302-527237240-25886`; do wbinfo --sid-to-name=$i; done
> > NA\CONNELMP 1
> > NA\USTR-VSS_SPMS 2
> > NA\RV-CMP Plateau Read 2
> > NA\RV-Aurora ReadOnly 2
> > NA\USTR-Avalon-Development-Change 2
> > NA\USAUS-WEBBrowsers 2
> > NA\USTR CMP Pit DB 2
> > NA\TR NIOSourceSafe 2
> > NA\USTR CMP SSafe DB 2
> > NA\RV-SDA Read 2
> > NA\USRV-JOPLIN-CHANGE-NULDEV 2
> > NA\RV-CMP-NUL Eng Test 2
> > NA\Domain Users 2
> > NA\USTR-FS1-Change 2
> > NA\Exchange_TR 2
> > NA\Tredyffrin Users 2
> > NA\USAUS-Knowlix 2
> > NA\TR EDL Op Sys Dev 2
> > NA\RV-Odyssey Change 2
> > NA\USTR-PCBLIBS 2
> > NA\USEAEXCH2 2
> > NA\TCUsers 2
> > NA\PKI MFA Smartcards 2
> > NA\OE-P D T Tred-000106 2
> > NA\AD ClearPath MCP 2
> > NA\All Employees 2
> > NA\CTY-United St-US 2
> > NA\CE-United Sta-US 2
> > NA\OE-Systems & -000004 2
> > NA\Org-Eastern -002418 2
> > NA\MessageStats Web 2
> > NA\OE-Eastern De-002418 2
> > NA\All NA Employees 2
> > NA\Org-Product D-000106 2
> > NA\Org-Systems &-000004 2
> > NA\All Users 2
> > NA\All S&T Employees Wo 2
> > NA\OE-Product De-000011 2
> > NA\OE-ClearPath -002418 2
> > NA\Org-P D T Tre-000106 2
> > NA\All NA Users 2
> > NA\IdNexus Certificate Subscribers 2
> > NA\AD Product Development & Technology 2
> > NA\Universal Services 2
> > NA\USTR LE-US340 2
> > NA\USMV Resources Access 2
> > NA\Org-ClearPath-002418 2
> > NA\USTR Loc-US340 2
> > NA\USRV-All PDT Users 2
> >
> > However, if I use the --user-sids switch, all the groups do show up
> > and the group in question is there.
> >
> > USTR-LINUX-1:~ # for i in `wbinfo --user-sids=S-1-5-21-725345543-2052111302-527237240-100501`; do wbinfo --sid-to-name=$i;done
> > NA\GuminsSA 1
> > NA\GuminsSA 1
> > NA\USAUS-WEBBrowsers 2
> > NA\USMV IIs Releases 2
> > NA\USTR CMP SSafe DB 2
> > NA\USRV-JOPLIN-CHANGE-NULDEV 2
> > NA\Domain Users 2
> > NA\Tredyffrin Users 2
> > NA\USAUS-Knowlix 2
> > NA\TCUsers 2
> > NA\PKI MFA Smartcards 2
> > NA\OE-P D T Tred-000106 2
> > NA\AD ClearPath MCP 2
> > NA\All Employees 2
> > NA\CTY-United St-US 2
> > NA\CE-United Sta-US 2
> > NA\OE-Systems & -000004 2
> > NA\Org-Eastern -002418 2
> > NA\MessageStats Web 2
> > NA\OE-Eastern De-002418 2
> > NA\All NA Employees 2
> > NA\Org-Product D-000106 2
> > NA\Org-Systems &-000004 2
> > NA\All Users 2
> > NA\All S&T Employees Wo 2
> > NA\OE-Product De-000011 2
> > NA\OE-ClearPath -002418 2
> > NA\Org-P D T Tre-000106 2
> > NA\All NA Users 2
> > NA\IdNexus Certificate Subscribers 2
> > NA\AD Product Development & Technology 2
> > NA\Universal Services 2
> > NA\USTR LE-US340 2
> > NA\USMV Resources Access 2
> > NA\Hendrix Unit Test Support 2
> > NA\Org-ClearPath-002418 2
> > NA\USTR Loc-US340 2
> > NA\USRV-All PDT Users 2
> > NA\USTR-CMPData-READ 4
> > NA\USTR-LINUX-1-WSP-Virtualization 4
> > NA\USTR-LINUX-1-BMC_CM 4
> > NA\USTR-LINUX-1-SUSE-READ 4
> > NA\USTR-LINUX-1-SPAR 4
> > NA\USTR-LINUX-1-WSP 4
> > NA\USTR-LINUX-1-REDHAT-READ 4
> > NA\USTR-LINUX-1-RRSMF 4
> > NA\USAUS-WEBBrowsersGlobal 4
> > NA\USPLVDATA1-SOLEIL-READ 4
> > NA\WSWTGeneralAccess 4
> > NA\USPLVDATA2-PLYMOUTHSCO-READ 4
> > NA\USPLVDATA1-LIBDATA1-READ 4
> > NA\USPLVDATA1-MFGDATA-LIST 4
> > NA\USPLVDATA1-PREPRESS2-READ 4
> > NA\USPLVDATA1-RECEIPTS-MODIFY 4
> > NA\USPLVDATA1-PREPRESS1-READ 4
> > NA\FMT-Web WWW NAOps Admin Share 4
> > NA\USPLVDATA2-CDR-READ 4
> > NA\USMV SCO Tutor -CHANGE 4
> > NA\USPL-RDATAPRNT-Shared-Software-Read 4
> > NA\USPLVDATA2-ProdData-Bookstore-Read 4
> > NA\USPLVDATA2-APPLICATIONS-READ 4
> > NA\FMT-Web WWW NAOps -Change 4
> > NA\USPLVDATA1-IMG-READ 4
> > NA\USTR-Semitech-Read 4
> > NA\USMV IIS Wintel EWEB Browse 4
> > NA\USMV IIs Wintel Browse 4
> > NA\USMV CBDD Users 4
> > NA\USTR-Hendrix-Unit-Test-Support 4
> > BUILTIN\Users 4
> >
> > USTR-LINUX-1:~ # for i in `wbinfo --user-sids=S-1-5-21-725345543-2052111302-527237240-25886`; do wbinfo --sid-to-name=$i;done
> > NA\CONNELMP 1
> > NA\CONNELMP 1
> > NA\USTR-VSS_SPMS 2
> > NA\RV-CMP Plateau Read 2
> > NA\RV-Aurora ReadOnly 2
> > NA\USTR-Avalon-Development-Change 2
> > NA\USAUS-WEBBrowsers 2
> > NA\USTR CMP Pit DB 2
> > NA\TR NIOSourceSafe 2
> > NA\USTR CMP SSafe DB 2
> > NA\RV-SDA Read 2
> > NA\USRV-JOPLIN-CHANGE-NULDEV 2
> > NA\RV-CMP-NUL Eng Test 2
> > NA\Domain Users 2
> > NA\USTR-FS1-Change 2
> > NA\Exchange_TR 2
> > NA\Tredyffrin Users 2
> > NA\USAUS-Knowlix 2
> > NA\TR EDL Op Sys Dev 2
> > NA\RV-Odyssey Change 2
> > NA\USTR-PCBLIBS 2
> > NA\USEAEXCH2 2
> > NA\TCUsers 2
> > NA\PKI MFA Smartcards 2
> > NA\OE-P D T Tred-000106 2
> > NA\AD ClearPath MCP 2
> > NA\All Employees 2
> > NA\CTY-United St-US 2
> > NA\CE-United Sta-US 2
> > NA\OE-Systems & -000004 2
> > NA\Org-Eastern -002418 2
> > NA\MessageStats Web 2
> > NA\OE-Eastern De-002418 2
> > NA\All NA Employees 2
> > NA\Org-Product D-000106 2
> > NA\Org-Systems &-000004 2
> > NA\All Users 2
> > NA\All S&T Employees Wo 2
> > NA\OE-Product De-000011 2
> > NA\OE-ClearPath -002418 2
> > NA\Org-P D T Tre-000106 2
> > NA\All NA Users 2
> > NA\IdNexus Certificate Subscribers 2
> > NA\AD Product Development & Technology 2
> > NA\Universal Services 2
> > NA\USTR LE-US340 2
> > NA\USMV Resources Access 2
> > NA\Org-ClearPath-002418 2
> > NA\USTR Loc-US340 2
> > NA\USRV-All PDT Users 2
> > NA\USTR-PRIV58 4
> > NA\USTR-LINUX-1-WSP-Virtualization 4
> > NA\USTR-LINUX-1-BMC_CM 4
> > NA\USTR-LINUX-1-SPAR 4
> > NA\USTR-LINUX-1-WSP 4
> > NA\USTR-Hornet-Change 4
> > NA\USTR-LINUX-1-RRSMF 4
> > NA\USTR-MSS-3 Observers 4
> > NA\USAUS-WEBBrowsersGlobal 4
> > NA\USPLVDATA1-SOLEIL-READ 4
> > NA\WSWTGeneralAccess 4
> > NA\USPLVDATA2-PLYMOUTHSCO-READ 4
> > NA\USPLVDATA1-LIBDATA1-READ 4
> > NA\USPLVDATA1-MFGDATA-LIST 4
> > NA\USPLVDATA1-PREPRESS2-READ 4
> > NA\USPLVDATA1-RECEIPTS-MODIFY 4
> > NA\USPLVDATA1-PREPRESS1-READ 4
> > NA\FMT-Web WWW NAOps Admin Share 4
> > NA\USPLVDATA2-CDR-READ 4
> > NA\USMV SCO Tutor -CHANGE 4
> > NA\USPL-RDATAPRNT-Shared-Software-Read 4
> > NA\USPLVDATA2-ProdData-Bookstore-Read 4
> > NA\USPLVDATA2-APPLICATIONS-READ 4
> > NA\FMT-Web WWW NAOps -Change 4
> > NA\USPLVDATA1-IMG-READ 4
> > NA\USTR-Semitech-Read 4
> > NA\USMV IIS Wintel EWEB Browse 4
> > NA\USMV IIs Wintel Browse 4
> > NA\USMV CBDD Users 4
> > BUILTIN\Users 4
> >
> > Can anyone shed some light on what is going on here? This problem
> > has been driving me crazy for several weeks now and I could use all
> > the help I could get. I have a full complement of logs to go along
> > with all the above information if anyone would be so kind as to take
> > a look. I can make it worth your while... I have a code for two free
> > movie tickets on fandango.com if you can help me solve this. Not
> > much, but better than an email saying thanks. :)
> >
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/listinfo/samba
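
The comparison made by eye in the quoted message, as an added example that is not part of the original thread: given the resolved `--user-domgroups` and `--user-sids` listings for one user, it prints the entries that only `--user-sids` returns, with their SID type. The function name, the marker string, the sample data (a few entries copied from the listings above) and the type-2 label (taken from Samba's SID type names, not from the thread) are assumptions of the example.

```bash
# Added example, not from the thread. Input is the "NAME TYPE" text that
# `wbinfo --sid-to-name` prints in the loops quoted above.

# Constructed samples: a few entries copied from the listings in the thread.
DOMGROUPS_SAMPLE='NA\guminssa 1
NA\Domain Users 2
NA\USTR Loc-US340 2'

SIDS_SAMPLE='NA\GuminsSA 1
NA\GuminsSA 1
NA\Domain Users 2
NA\USTR Loc-US340 2
NA\USTR-LINUX-1-SPAR 4
NA\USTR-LINUX-1-WSP 4
BUILTIN\Users 4'

# only_in_user_sids DOMGROUPS_TEXT USER_SIDS_TEXT
# Prints "TYPE<TAB>LABEL<TAB>NAME" for every name that appears in the
# --user-sids listing but not in the --user-domgroups listing.
# Names are compared case-insensitively; duplicates are reported once.
only_in_user_sids() {
    { printf '%s\n' "$1"; printf '%s\n' '@@USER-SIDS@@'; printf '%s\n' "$2"; } |
    awk '
        BEGIN {
            # SID type names as in Samba; 4 is the value discussed in the thread.
            label[1] = "SID_NAME_USER"
            label[2] = "SID_NAME_DOM_GRP"
            label[4] = "SID_NAME_ALIAS"
        }
        $0 == "@@USER-SIDS@@" { second = 1; next }
        NF < 2 || $NF !~ /^[0-9]+$/ { next }      # skip blanks and error text
        {
            type = $NF
            name = $0
            sub(/[ \t]+[0-9]+[ \t]*$/, "", name)  # drop the trailing type field
            key = tolower(name)
            if (!second) { seen[key] = 1; next }
            if ((key in seen) || (key in reported)) next
            reported[key] = 1
            printf "%s\t%s\t%s\n", type, ((type in label) ? label[type] : "other"), name
        }'
}

only_in_user_sids "$DOMGROUPS_SAMPLE" "$SIDS_SAMPLE"
```

On the listings quoted in the thread, every entry that appears only under `--user-sids`, including NA\USTR-LINUX-1-SPAR, carries type 4.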