Hi,
I'm using Squid (Fedora core2 rpm squid-2.5.STABLE5-4.fc2), with Samba (rpm
samba-3.0.6-2.fc2) for NTML authentication against an Windows NT4 domain
controller
This works fine... However, we want to authenticate against an Domain
NT-Group, and that's where I'm getting stuck..
I've tried various exampels I've found using wbinfo_group.pl, but it just doesn't seem to work... Has anybody succeeded with this combination?
When I run wbinfo_group manually, with debug turned on, I get the following results:
# ./wbinfo_group.pl RZH_NT+RBasti Internet Got RZH_NT+RBasti Internet from squid User: -RZH_NT+RBasti- Group: -Internet- SID: -S-1-5-21-637226847-105070846-619646970-7160 Domain Group (2)- GID: -Could not convert sid S-1-5-21-637226847-105070846-619646970-7160 Domain Group (2) to gid- Sending ERR to squid ERR
where RZH_NT is our NT domain, RBasti is the username, and Internet is a domain group... (and yes, RBasti is a member of the group Internet)...
Looks like something is going wrong converting the sid to the gid, but this is a black-hole for me... Why is it trying to do this, and why is it not succeeding?
Winbind seems to work fine:
# wbinfo -t checking the trust secret via RPC calls succeeded
# wbinfo -g |grep Internet Internet
# wbinfo -u |grep RBasti RBasti
# wbinfo -a RBasti%******** (passwd blanked) plaintext password authentication succeeded challenge/response password authentication succeeded
Oh, and I already gave squid read-accecss to /var/cache/samba/winbindd_privileged by doing a chgrp squid...
Thanks. Remco
Well the error message is one generated by wbinfo so you might want to hit up the samba user's lists. wbinfo_group.pl just calls wbinfo -Y with the sid and that's failing. I would make sure you have a line like "winbind gid = 10000-20000" in smb.conf but if that's not it check the samba list if you don't get any luck here.
Billy
