Bastiaans, Remco wrote:
> Hi,
>
> I'm using Squid (Fedora core2 rpm squid-2.5.STABLE5-4.fc2), with Samba (rpm
> samba-3.0.6-2.fc2) for NTML authentication against an Windows NT4 domain
> controller
>
> This works fine... However, we want to authenticate against an Domain
> NT-Group, and that's where I'm getting stuck..
>
> I've tried various exampels I've found using wbinfo_group.pl, but it just
> doesn't seem to work... Has anybody succeeded with this combination?
>
> When I run wbinfo_group manually, with debug turned on, I get the following
> results:
>
> # ./wbinfo_group.pl
> RZH_NT+RBasti Internet
> Got RZH_NT+RBasti Internet from squid
> User: -RZH_NT+RBasti-
> Group: -Internet-
> SID: -S-1-5-21-637226847-105070846-619646970-7160 Domain Group (2)-
> GID: -Could not convert sid S-1-5-21-637226847-105070846-619646970-7160
> Domain Group (2) to gid-
> Sending ERR to squid
> ERR
>
> where RZH_NT is our NT domain, RBasti is the username, and Internet is a
> domain group... (and yes, RBasti is a member of the group Internet)...
>
> Looks like something is going wrong converting the sid to the gid, but this
> is a black-hole for me... Why is it trying to do this, and why is it not
> succeeding?
>
> Winbind seems to work fine:
>
> # wbinfo -t
> checking the trust secret via RPC calls succeeded
>
> # wbinfo -g |grep Internet
> Internet
>
> # wbinfo -u |grep RBasti
> RBasti
>
> # wbinfo -a RBasti%******** (passwd blanked)
> plaintext password authentication succeeded
> challenge/response password authentication succeeded
>
> Oh, and I already gave squid read-accecss to
> /var/cache/samba/winbindd_privileged by doing a chgrp squid...
>
> Thanks.
> Remco
>
Well the error message is one generated by wbinfo so you might want to
hit up the samba user's lists. wbinfo_group.pl just calls wbinfo -Y
with the sid and that's failing. I would make sure you have a line like
"winbind gid = 10000-20000" in smb.conf but if that's not it check the
samba list if you don't get any luck here.
Billy
Received on Wed Sep 15 2004 - 00:07:31 MDT
This archive was generated by hypermail pre-2.1.9 : Fri Oct 01 2004 - 12:00:02 MDT