So what does that tell me?

-----Original Message-----
From: Herb Lewis [mailto:[EMAIL PROTECTED]
Sent: Thursday, February 14, 2008 3:08 PM
To: Trimble, Ronald D
Cc: samba@lists.samba.org
Subject: Re: [Samba] Winbind problem with more details.

You will notice that the SID type for the requested group is 4, which we
see from smb.h is SID_NAME_ALIAS  /* local group */


Trimble, Ronald D wrote:
> Everyone,
> One of our developers was kind enough to insert some bug 
> checking into the mod_auth_pam and mod_auth_sys_group so that we could see a 
> little more of what was going on with our authentication failures.  Here is 
> what we just saw.  Two of our users NA\connelmp and NA\guminssa both started 
> getting messages that they were not part of the required group.   Here is the 
> log for you all to see...
>
> From /var/log/apache2/error_log
>
> [Thu Feb 14 13:22:24 2008] [error] [client 192.63.212.40] CHKAUTH: is 
> na\\huynhsv a member of NA\\USTR-LINUX-1-SPAR?
> [Thu Feb 14 13:22:24 2008] [error] [client 192.63.212.40] CHKAUTH: YES, 
> na\\huynhsv is listed amongst the NA\\USTR-LINUX-1-SPAR group members
> [Thu Feb 14 13:22:24 2008] [error] [client 192.63.212.40] CHKAUTH: is 
> na\\huynhsv a member of NA\\USTR-LINUX-1-SPAR?
> [Thu Feb 14 13:22:24 2008] [error] [client 192.63.212.40] CHKAUTH: YES, 
> na\\huynhsv is listed amongst the NA\\USTR-LINUX-1-SPAR group members
> [Thu Feb 14 13:22:24 2008] [error] [client 192.63.212.40] CHKAUTH: is 
> na\\huynhsv a member of NA\\USTR-LINUX-1-SPAR?
> [Thu Feb 14 13:22:24 2008] [error] [client 192.63.212.40] CHKAUTH: YES, 
> na\\huynhsv is listed amongst the NA\\USTR-LINUX-1-SPAR group members
> [Thu Feb 14 13:23:33 2008] [error] [client 192.63.212.63] CHKAUTH: is 
> NA\\connelmp a member of NA\\USTR-LINUX-1-SPAR?
> [Thu Feb 14 13:23:33 2008] [error] [client 192.63.212.63] CHKAUTH: NO, 
> NA\\connelmp is NOT a member of NA\\USTR-LINUX-1-SPAR group (with 58 members)
> [Thu Feb 14 13:23:33 2008] [error] [client 192.63.212.63] CHKAUTH: GROUP: 
> NA\\connelmp not in required group(s).
> [Thu Feb 14 13:23:46 2008] [error] [client 192.63.212.63] CHKAUTH: is 
> NA\\connelmp a member of NA\\USTR-LINUX-1-SPAR?
> [Thu Feb 14 13:23:46 2008] [error] [client 192.63.212.63] CHKAUTH: NO, 
> NA\\connelmp is NOT a member of NA\\USTR-LINUX-1-SPAR group (with 58 members)
> [Thu Feb 14 13:23:46 2008] [error] [client 192.63.212.63] CHKAUTH: GROUP: 
> NA\\connelmp not in required group(s).
> [Thu Feb 14 13:24:42 2008] [error] [client 192.63.212.63] CHKAUTH: is 
> na\\connelmp a member of NA\\USTR-LINUX-1-SPAR?, referer: 
> https://ustr-linux-1/scm/spar/trac/ticket/130
> [Thu Feb 14 13:24:42 2008] [error] [client 192.63.212.63] CHKAUTH: NO, 
> na\\connelmp is NOT a member of NA\\USTR-LINUX-1-SPAR group (with 58 
> members), referer: https://ustr-linux-1/scm/spar/trac/ticket/130
> [Thu Feb 14 13:24:42 2008] [error] [client 192.63.212.63] CHKAUTH: GROUP: 
> na\\connelmp not in required group(s)., referer: 
> https://ustr-linux-1/scm/spar/trac/ticket/130
> [Thu Feb 14 13:24:51 2008] [error] [client 192.63.212.63] CHKAUTH: is 
> na\\connelmp a member of NA\\USTR-LINUX-1-SPAR?, referer: 
> https://ustr-linux-1/scm/spar/trac/ticket/130
> [Thu Feb 14 13:24:51 2008] [error] [client 192.63.212.63] CHKAUTH: NO, 
> na\\connelmp is NOT a member of NA\\USTR-LINUX-1-SPAR group (with 58 
> members), referer: https://ustr-linux-1/scm/spar/trac/ticket/130
> [Thu Feb 14 13:24:51 2008] [error] [client 192.63.212.63] CHKAUTH: GROUP: 
> na\\connelmp not in required group(s)., referer: 
> https://ustr-linux-1/scm/spar/trac/ticket/130
> [Thu Feb 14 13:24:59 2008] [error] [client 192.63.212.63] CHKAUTH: is 
> na\\connelmp a member of NA\\USTR-LINUX-1-SPAR?, referer: 
> https://ustr-linux-1/scm/spar/trac/ticket/130
> [Thu Feb 14 13:24:59 2008] [error] [client 192.63.212.63] CHKAUTH: NO, 
> na\\connelmp is NOT a member of NA\\USTR-LINUX-1-SPAR group (with 58 
> members), referer: https://ustr-linux-1/scm/spar/trac/ticket/130
> [Thu Feb 14 13:24:59 2008] [error] [client 192.63.212.63] CHKAUTH: GROUP: 
> na\\connelmp not in required group(s)., referer: 
> https://ustr-linux-1/scm/spar/trac/ticket/130
> [Thu Feb 14 13:24:59 2008] [error] [client 192.63.212.63] CHKAUTH: is 
> na\\connelmp a member of NA\\USTR-LINUX-1-SPAR?, referer: 
> https://ustr-linux-1/scm/spar/trac/ticket/130
> [Thu Feb 14 13:24:59 2008] [error] [client 192.63.212.63] CHKAUTH: NO, 
> na\\connelmp is NOT a member of NA\\USTR-LINUX-1-SPAR group (with 58 
> members), referer: https://ustr-linux-1/scm/spar/trac/ticket/130
> [Thu Feb 14 13:24:59 2008] [error] [client 192.63.212.63] CHKAUTH: GROUP: 
> na\\connelmp not in required group(s)., referer: 
> https://ustr-linux-1/scm/spar/trac/ticket/130
> [Thu Feb 14 13:25:25 2008] [error] [client 192.63.212.63] CHKAUTH: is 
> NA\\connelmp a member of NA\\USTR-LINUX-1-SPAR?
> [Thu Feb 14 13:25:25 2008] [error] [client 192.63.212.63] CHKAUTH: NO, 
> NA\\connelmp is NOT a member of NA\\USTR-LINUX-1-SPAR group (with 58 members)
> [Thu Feb 14 13:25:25 2008] [error] [client 192.63.212.63] CHKAUTH: GROUP: 
> NA\\connelmp not in required group(s).
> [Thu Feb 14 13:26:29 2008] [error] [client 192.63.212.139] CHKAUTH: is 
> na\\guminssa a member of NA\\USTR-LINUX-1-SPAR?
> [Thu Feb 14 13:26:29 2008] [error] [client 192.63.212.139] CHKAUTH: NO, 
> na\\guminssa is NOT a member of NA\\USTR-LINUX-1-SPAR group (with 58 members)
> [Thu Feb 14 13:26:29 2008] [error] [client 192.63.212.139] CHKAUTH: GROUP: 
> na\\guminssa not in required group(s).
> [Thu Feb 14 13:27:37 2008] [error] [client 192.63.212.40] CHKAUTH: is 
> na\\huynhsv a member of NA\\USTR-LINUX-1-SPAR?
> [Thu Feb 14 13:27:37 2008] [error] [client 192.63.212.40] CHKAUTH: YES, 
> na\\huynhsv is listed amongst the NA\\USTR-LINUX-1-SPAR group members
> [Thu Feb 14 13:27:37 2008] [error] [client 192.63.212.40] CHKAUTH: is 
> na\\huynhsv a member of NA\\USTR-LINUX-1-SPAR?
> [Thu Feb 14 13:27:37 2008] [error] [client 192.63.212.40] CHKAUTH: YES, 
> na\\huynhsv is listed amongst the NA\\USTR-LINUX-1-SPAR group members
> [Thu Feb 14 13:27:37 2008] [error] [client 192.63.212.40] CHKAUTH: is 
> na\\huynhsv a member of NA\\USTR-LINUX-1-SPAR?
> [Thu Feb 14 13:27:37 2008] [error] [client 192.63.212.40] CHKAUTH: YES, 
> na\\huynhsv is listed amongst the NA\\USTR-LINUX-1-SPAR group members
>
>
> Here I looked up the SIDs of each user so I could further document what 
> winbind sees.
>
> USTR-LINUX-1:~ # wbinfo --name-to-sid='NA\guminssa'
> S-1-5-21-725345543-2052111302-527237240-100501 User (1)
>
> USTR-LINUX-1:~ # wbinfo --name-to-sid='NA\connelmp'
> S-1-5-21-725345543-2052111302-527237240-25886 User (1)
>
>
> The first thing that jumps out at me is that the --user-domgroups switch does 
> not show all the groups the user belongs to and sure enough the needed group 
> NA\USTR-LINUX-1-SPAR is not there.
>
>
> USTR-LINUX-1:~ # for i in `wbinfo 
> --user-domgroups=S-1-5-21-725345543-2052111302-527237240-100501`; do wbinfo 
> --sid-to-name=$i; done
> NA\guminssa 1
> NA\USAUS-WEBBrowsers 2
> NA\USMV IIs Releases 2
> NA\USTR CMP SSafe DB 2
> NA\USRV-JOPLIN-CHANGE-NULDEV 2
> NA\Domain Users 2
> NA\Tredyffrin Users 2
> NA\USAUS-Knowlix 2
> NA\TCUsers 2
> NA\PKI MFA Smartcards 2
> NA\OE-P D T Tred-000106 2
> NA\AD ClearPath MCP 2
> NA\All Employees 2
> NA\CTY-United St-US 2
> NA\CE-United Sta-US 2
> NA\OE-Systems & -000004 2
> NA\Org-Eastern -002418 2
> NA\MessageStats Web 2
> NA\OE-Eastern De-002418 2
> NA\All NA Employees 2
> NA\Org-Product D-000106 2
> NA\Org-Systems &-000004 2
> NA\All Users 2
> NA\All S&T Employees Wo 2
> NA\OE-Product De-000011 2
> NA\OE-ClearPath -002418 2
> NA\Org-P D T Tre-000106 2
> NA\All NA Users 2
> NA\IdNexus Certificate Subscribers 2
> NA\AD Product Development & Technology 2
> NA\Universal Services 2
> NA\USTR LE-US340 2
> NA\USMV Resources Access 2
> NA\Hendrix Unit Test Support 2
> NA\Org-ClearPath-002418 2
> NA\USTR Loc-US340 2
> NA\USRV-All PDT Users 2
>
> The same is true for this user.
>
> USTR-LINUX-1:~ # for i in `wbinfo 
> --user-domgroups=S-1-5-21-725345543-2052111302-527237240-25886`; do wbinfo 
> --sid-to-name=$i; done
> NA\CONNELMP 1
> NA\USTR-VSS_SPMS 2
> NA\RV-CMP Plateau Read 2
> NA\RV-Aurora ReadOnly 2
> NA\USTR-Avalon-Development-Change 2
> NA\USAUS-WEBBrowsers 2
> NA\USTR CMP Pit DB 2
> NA\TR NIOSourceSafe 2
> NA\USTR CMP SSafe DB 2
> NA\RV-SDA Read 2
> NA\USRV-JOPLIN-CHANGE-NULDEV 2
> NA\RV-CMP-NUL Eng Test 2
> NA\Domain Users 2
> NA\USTR-FS1-Change 2
> NA\Exchange_TR 2
> NA\Tredyffrin Users 2
> NA\USAUS-Knowlix 2
> NA\TR EDL Op Sys Dev 2
> NA\RV-Odyssey Change 2
> NA\USTR-PCBLIBS 2
> NA\USEAEXCH2 2
> NA\TCUsers 2
> NA\PKI MFA Smartcards 2
> NA\OE-P D T Tred-000106 2
> NA\AD ClearPath MCP 2
> NA\All Employees 2
> NA\CTY-United St-US 2
> NA\CE-United Sta-US 2
> NA\OE-Systems & -000004 2
> NA\Org-Eastern -002418 2
> NA\MessageStats Web 2
> NA\OE-Eastern De-002418 2
> NA\All NA Employees 2
> NA\Org-Product D-000106 2
> NA\Org-Systems &-000004 2
> NA\All Users 2
> NA\All S&T Employees Wo 2
> NA\OE-Product De-000011 2
> NA\OE-ClearPath -002418 2
> NA\Org-P D T Tre-000106 2
> NA\All NA Users 2
> NA\IdNexus Certificate Subscribers 2
> NA\AD Product Development & Technology 2
> NA\Universal Services 2
> NA\USTR LE-US340 2
> NA\USMV Resources Access 2
> NA\Org-ClearPath-002418 2
> NA\USTR Loc-US340 2
> NA\USRV-All PDT Users 2
>
> However, if I use the --user-sids switch, all the groups do show up and the 
> group in question is there.
>
> USTR-LINUX-1:~ # for i in `wbinfo 
> --user-sids=S-1-5-21-725345543-2052111302-527237240-100501`; do wbinfo 
> --sid-to-name=$i;done
> NA\GuminsSA 1
> NA\GuminsSA 1
> NA\USAUS-WEBBrowsers 2
> NA\USMV IIs Releases 2
> NA\USTR CMP SSafe DB 2
> NA\USRV-JOPLIN-CHANGE-NULDEV 2
> NA\Domain Users 2
> NA\Tredyffrin Users 2
> NA\USAUS-Knowlix 2
> NA\TCUsers 2
> NA\PKI MFA Smartcards 2
> NA\OE-P D T Tred-000106 2
> NA\AD ClearPath MCP 2
> NA\All Employees 2
> NA\CTY-United St-US 2
> NA\CE-United Sta-US 2
> NA\OE-Systems & -000004 2
> NA\Org-Eastern -002418 2
> NA\MessageStats Web 2
> NA\OE-Eastern De-002418 2
> NA\All NA Employees 2
> NA\Org-Product D-000106 2
> NA\Org-Systems &-000004 2
> NA\All Users 2
> NA\All S&T Employees Wo 2
> NA\OE-Product De-000011 2
> NA\OE-ClearPath -002418 2
> NA\Org-P D T Tre-000106 2
> NA\All NA Users 2
> NA\IdNexus Certificate Subscribers 2
> NA\AD Product Development & Technology 2
> NA\Universal Services 2
> NA\USTR LE-US340 2
> NA\USMV Resources Access 2
> NA\Hendrix Unit Test Support 2
> NA\Org-ClearPath-002418 2
> NA\USTR Loc-US340 2
> NA\USRV-All PDT Users 2
> NA\USTR-CMPData-READ 4
> NA\USTR-LINUX-1-WSP-Virtualization 4
> NA\USTR-LINUX-1-BMC_CM 4
> NA\USTR-LINUX-1-SUSE-READ 4
> NA\USTR-LINUX-1-SPAR 4
> NA\USTR-LINUX-1-WSP 4
> NA\USTR-LINUX-1-REDHAT-READ 4
> NA\USTR-LINUX-1-RRSMF 4
> NA\USAUS-WEBBrowsersGlobal 4
> NA\USPLVDATA1-SOLEIL-READ 4
> NA\WSWTGeneralAccess 4
> NA\USPLVDATA2-PLYMOUTHSCO-READ 4
> NA\USPLVDATA1-LIBDATA1-READ 4
> NA\USPLVDATA1-MFGDATA-LIST 4
> NA\USPLVDATA1-PREPRESS2-READ 4
> NA\USPLVDATA1-RECEIPTS-MODIFY 4
> NA\USPLVDATA1-PREPRESS1-READ 4
> NA\FMT-Web WWW NAOps Admin Share 4
> NA\USPLVDATA2-CDR-READ 4
> NA\USMV SCO Tutor -CHANGE 4
> NA\USPL-RDATAPRNT-Shared-Software-Read 4
> NA\USPLVDATA2-ProdData-Bookstore-Read 4
> NA\USPLVDATA2-APPLICATIONS-READ 4
> NA\FMT-Web WWW NAOps -Change 4
> NA\USPLVDATA1-IMG-READ 4
> NA\USTR-Semitech-Read 4
> NA\USMV IIS Wintel EWEB Browse 4
> NA\USMV IIs Wintel Browse 4
> NA\USMV CBDD Users 4
> NA\USTR-Hendrix-Unit-Test-Support 4
> BUILTIN\Users 4
>
> USTR-LINUX-1:~ # for i in `wbinfo 
> --user-sids=S-1-5-21-725345543-2052111302-527237240-25886`; do wbinfo 
> --sid-to-name=$i;done
> NA\CONNELMP 1
> NA\CONNELMP 1
> NA\USTR-VSS_SPMS 2
> NA\RV-CMP Plateau Read 2
> NA\RV-Aurora ReadOnly 2
> NA\USTR-Avalon-Development-Change 2
> NA\USAUS-WEBBrowsers 2
> NA\USTR CMP Pit DB 2
> NA\TR NIOSourceSafe 2
> NA\USTR CMP SSafe DB 2
> NA\RV-SDA Read 2
> NA\USRV-JOPLIN-CHANGE-NULDEV 2
> NA\RV-CMP-NUL Eng Test 2
> NA\Domain Users 2
> NA\USTR-FS1-Change 2
> NA\Exchange_TR 2
> NA\Tredyffrin Users 2
> NA\USAUS-Knowlix 2
> NA\TR EDL Op Sys Dev 2
> NA\RV-Odyssey Change 2
> NA\USTR-PCBLIBS 2
> NA\USEAEXCH2 2
> NA\TCUsers 2
> NA\PKI MFA Smartcards 2
> NA\OE-P D T Tred-000106 2
> NA\AD ClearPath MCP 2
> NA\All Employees 2
> NA\CTY-United St-US 2
> NA\CE-United Sta-US 2
> NA\OE-Systems & -000004 2
> NA\Org-Eastern -002418 2
> NA\MessageStats Web 2
> NA\OE-Eastern De-002418 2
> NA\All NA Employees 2
> NA\Org-Product D-000106 2
> NA\Org-Systems &-000004 2
> NA\All Users 2
> NA\All S&T Employees Wo 2
> NA\OE-Product De-000011 2
> NA\OE-ClearPath -002418 2
> NA\Org-P D T Tre-000106 2
> NA\All NA Users 2
> NA\IdNexus Certificate Subscribers 2
> NA\AD Product Development & Technology 2
> NA\Universal Services 2
> NA\USTR LE-US340 2
> NA\USMV Resources Access 2
> NA\Org-ClearPath-002418 2
> NA\USTR Loc-US340 2
> NA\USRV-All PDT Users 2
> NA\USTR-PRIV58 4
> NA\USTR-LINUX-1-WSP-Virtualization 4
> NA\USTR-LINUX-1-BMC_CM 4
> NA\USTR-LINUX-1-SPAR 4
> NA\USTR-LINUX-1-WSP 4
> NA\USTR-Hornet-Change 4
> NA\USTR-LINUX-1-RRSMF 4
> NA\USTR-MSS-3 Observers 4
> NA\USAUS-WEBBrowsersGlobal 4
> NA\USPLVDATA1-SOLEIL-READ 4
> NA\WSWTGeneralAccess 4
> NA\USPLVDATA2-PLYMOUTHSCO-READ 4
> NA\USPLVDATA1-LIBDATA1-READ 4
> NA\USPLVDATA1-MFGDATA-LIST 4
> NA\USPLVDATA1-PREPRESS2-READ 4
> NA\USPLVDATA1-RECEIPTS-MODIFY 4
> NA\USPLVDATA1-PREPRESS1-READ 4
> NA\FMT-Web WWW NAOps Admin Share 4
> NA\USPLVDATA2-CDR-READ 4
> NA\USMV SCO Tutor -CHANGE 4
> NA\USPL-RDATAPRNT-Shared-Software-Read 4
> NA\USPLVDATA2-ProdData-Bookstore-Read 4
> NA\USPLVDATA2-APPLICATIONS-READ 4
> NA\FMT-Web WWW NAOps -Change 4
> NA\USPLVDATA1-IMG-READ 4
> NA\USTR-Semitech-Read 4
> NA\USMV IIS Wintel EWEB Browse 4
> NA\USMV IIs Wintel Browse 4
> NA\USMV CBDD Users 4
> BUILTIN\Users 4
>
> Can anyone shed some light on what is going on here?  This problem has been 
> driving me crazy for several weeks now and I could use all the help I could 
> get.  I have a full complement of logs to go along with all the above 
> information if anyone would be so kind as to take a look.  I can make it 
> worth your while... I have a code for two free movie tickets on fandango.com 
> if you can help me solve this.  Not much, but better than an email saying 
> thanks.  :)
>
>
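Added example, not part of the original thread: a shell sketch that diffs a `--user-domgroups` listing against a `--user-sids` listing and labels each extra entry by SID type, which shows that the required group is reachable only as a type 4 (SID_NAME_ALIAS) entry. The function names and the shortened sample listings are constructed for illustration; the labels for types 1 and 2 are assumed from Samba's SID type enum, and only type 4 is confirmed in the thread.

```shell
# Constructed sample: shortened from the two NA\guminssa listings in the thread.
# Each line is "<name> <SID type>", as printed by `wbinfo --sid-to-name`.
DOMGROUPS='NA\guminssa 1
NA\Domain Users 2
NA\USTR LE-US340 2'

USERSIDS='NA\GuminsSA 1
NA\GuminsSA 1
NA\Domain Users 2
NA\USTR LE-US340 2
NA\USTR-LINUX-1-SPAR 4
BUILTIN\Users 4'

# Print "<type label><TAB><name>" for every entry that appears only in the
# --user-sids listing ($2) and not in the --user-domgroups listing ($1).
only_in_user_sids() {
    printf '%s\n---\n%s\n' "$1" "$2" | awk '
        function label(t) {   # labels for 1 and 2 are assumed, 4 is from the thread
            if (t + 0 == 1) return "SID_NAME_USER"
            if (t + 0 == 2) return "SID_NAME_DOM_GRP"
            if (t + 0 == 4) return "SID_NAME_ALIAS"   # local group, per smb.h
            return "type-" t
        }
        $0 == "---" { second = 1; next }
        NF < 2      { next }
        {
            type = $NF; name = $0
            sub(/[ \t]+[0-9]+[ \t]*$/, "", name)   # names may contain spaces
            key = tolower(name)                    # the listings differ in case
            if (!second) { seen[key] = 1; next }
            if (!(key in seen) && !(key in shown)) {
                shown[key] = 1
                print label(type) "\t" name
            }
        }'
}

# Report whether group $3 is reachable only through the --user-sids listing.
required_group_status() {
    only_in_user_sids "$1" "$2" | WANT="$3" awk -F '\t' '
        tolower($2) == tolower(ENVIRON["WANT"]) {
            print $2 ": only via --user-sids (" $1 ")"; found = 1
        }
        END { if (!found) print ENVIRON["WANT"] ": not unique to --user-sids" }'
}

only_in_user_sids "$DOMGROUPS" "$USERSIDS"
required_group_status "$DOMGROUPS" "$USERSIDS" 'NA\USTR-LINUX-1-SPAR'
```

On a live host the two arguments would be the captured output of the `for i in ...` loops shown in the thread.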