-----Original Message----- From: Ross S. W. Walker [mailto:[EMAIL PROTECTED] Sent: Thursday, February 14, 2008 4:37 PM To: Ross S. W. Walker; Trimble, Ronald D; Herb Lewis Cc: samba@lists.samba.org Subject: RE: [Samba] Winbind problem with more details.
Ross S. W. Walker wrote: > Trimble, Ronald D wrote: > > > > Just an FYI... this is not a local group but an AD Domain > > Local group. We are using Domain Local groups since they can > > contain users from other domains. > > > Are all these users members of the same domain? > > If not, do you have the 'allow trusted domains = yes' option set? > > What does your idmap setup look like? After reading more carefully I have more questions below... > > -----Original Message----- > > From: Herb Lewis [mailto:[EMAIL PROTECTED] > > Sent: Thursday, February 14, 2008 3:08 PM > > To: Trimble, Ronald D > > Cc: samba@lists.samba.org > > Subject: Re: [Samba] Winbind problem with more details. > > > > you will notice that the SID type for the requested group is > > 4 which we > > see from smb.h is SID_NAME_ALIAS /* local group */ > > > > > > Trimble, Ronald D wrote: > > > Everyone, > > > One of our developers was kind enough to > > insert some bug checking into the mod_auth_pam and > > mod_auth_sys_group so that we could see a little more of what > > was going on with our authentication failures. Here is what > > we just saw. Two of our users NA\connelmp and NA\guminssa > > both started getting messages that they were not part of the > > required group. Here is the log for you all to see... These users started getting messages, this means it was working correctly for a while? Yes, it was working for quite some time. And throughout any given day it will work and then stop and then begin working again... all without intervention. When did it stop working? We had a system crash several weeks ago. At that point we upgraded to the latest levels of samba as recommended by Novell. It has not been consistent in performance since. Did anything change around that time that could impact this? Yes, we upgraded samba. > > >>From /var/log/apache2/error_log Maybe /var/log/messages, or /var/log/samba/... may have more detail as to why things aren't working. <snip lots of sid stuff> > > > Can anyone shed some light on what is going on here? This > > problem has been driving me crazy for several weeks now and I > > could use all the help I could get. I have a full compliment > > of logs to go along with all the above information if anyone > > would be so kind as to take a look. I can make it worth your > > while... I have a code for two free movie tickets on > > fandango.com if you can help me solve this. Not much, but > > better then an email saying thanks. :) Try running your SID output with nscd shut down and see if that is affecting it, otherwise I would start looking at what changed in your environment that might have caused this. I will look into disabling NSCD as you suggested. Maybe permissions on the AD object? Permissions have not changed. The computer object representing this box has adequate rights to query all group objects in AD? The server is a member of the domain and thus has all the rights it needs to query the domain. Just throwing out some ideas here. -Ross ______________________________________________________________________ This e-mail, and any attachments thereto, is intended only for use by the addressee(s) named herein and may contain legally privileged and/or confidential information. If you are not the intended recipient of this e-mail, you are hereby notified that any dissemination, distribution or copying of this e-mail, and any attachments thereto, is strictly prohibited. If you have received this e-mail in error, please immediately notify the sender and permanently delete the original and any copy or printout thereof. -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba