Hi,

Could this be a bug or a misconfiguration?

'wbinfo -g' only returns partial results compared to 'net ads group', thus
unable to authenticate

# wbinfo -g | wc -l
4998
# net ads group | wc -l
9114
# getent group | wc -l
5047 [+ local groups]

Take a group dl.samplegroup, which is in the DC, but missing from wbinfo

# net ads group | grep dl.samplegroup
dl.samplegroup [found]
# wbinfo -g | grep dl.samplegroup
[not found]
# getent group | grep dl.samplegroup
[not found]

BUT, these work

# getent group dl.samplegroup
dl.samplegroup:*:15053: user1,user2,....
# wbinfo -n dl.samplegroup
S-1-5-21-839012768-2468886555-2058922813-7287 Domain Group (2)
# wbinfo -Y S-1-5-21-839012768-2468886555-2058922813-7287
15053

So what goes wrong?

My configurations are as follows, quite simple:

smb.conf
========
[global]
workgroup = MYDOMAIN
netbios name = MYSERVER
server string = MYSERVER
interfaces = eth0 lo
bind interfaces only = Yes
security = ads
password server = mydc1 mydc2
realm = MYDOMAIN.COM

log file = /var/log/samba/%m.log
log level = 3 winbind:5 nmb:5
max log size = 10000

encrypt passwords = Yes
update encrypted = Yes
smb passwd file = /etc/samba/smbpasswd
# NOTE: Use these with 'encrypt passwords' and 'smb passwd file' above.
passwd program = /usr/bin/passwd %u
passwd chat = *New*UNIX*password* %n\n *ReType*new*UNIX*password* %n\n *passwd:*all*authentication*tokens*updated*successfully*

# Avoid other domains in forest
allow trusted domains = no

winbind cache time = 300
winbind uid = 10000-100000
winbind gid = 10000-100000
winbind enum users = no
winbind enum groups = yes
winbind use default domain = yes
winbind trusted domains only = no

name resolve order = lmhosts wins host bcast

wins server = mydc1 mydc2
wins proxy = yes
wins support = no
dns proxy = No
oplocks = Yes
level2 oplocks = Yes
read only = yes
browseable = yes
printable = No

nsswitch.conf
=============
passwd: files winbind
group: files winbind

krb5.conf
=========
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log

[libdefaults]
default_realm = MYDOMAIN.COM
dns_lookup_realm = false
dns_lookup_kdc = false
ticket_lifetime = 24h
forwardable = yes

[realms]
MYDOMAIN.COM = {
kdc = mydc1.MYDOMAIN.com:88
admin_server = mydc1.MYDOMAIN.com:749
default_domain = MYDOMAIN.com
}

[domain_realm]
.MYDOMAIN.com = MYDOMAIN.COM
MYDOMAIN.com = MYDOMAIN.COM

[kdc]
profile = /etc/kdc.conf

[appdefaults]
pam = {
debug = false
ticket_lifetime = 36000
renew_lifetime = 36000
forwardable = true
krb4_convert = false
}

Checking with the Domain admin, it turns out that the groups that do not appear
in wbinfo are of Group Type: 'Distribution' in Win2k AD? The others are of
'Security'.

My system:
CentOS 5 2.6.18-8.el5

Samba:
samba-common-3.0.23c-2.el5.2.0.2
samba-3.0.23c-2.el5.2.0.2

Thanks.

Cheers,

CK Ng
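
Added example (not part of the original post): a shell script for testing the observation above that the groups missing from 'wbinfo -g' are of type 'Distribution'. It assumes the AD groups have been exported as LDIF with the cn and groupType attributes and that the 'wbinfo -g' output is saved to a file; the function names, file names and sample groups are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original post. Sample data is constructed.

# groupType is a signed 32-bit value whose top bit (0x80000000) marks a
# security-enabled group, so security groups are negative in LDIF output.
group_kind() {
    if [ "$1" -lt 0 ]; then echo security; else echo distribution; fi
}

# Print "<name> <kind>" for each LDIF group missing from the wbinfo -g list.
# $1 = LDIF file (assumed to carry cn and groupType), $2 = saved wbinfo -g output.
classify_missing() {
    awk -F': ' '
        $1 == "cn"        { cn = $2 }
        $1 == "groupType" { gt = $2 }
        /^$/ { if (cn != "" && gt != "") print gt, cn; cn = gt = "" }
        END  { if (cn != "" && gt != "") print gt, cn }' "$1" |
    while read -r gt name; do
        # Account names are case-insensitive; match the whole line literally.
        grep -qixF -- "$name" "$2" || echo "$name $(group_kind "$gt")"
    done
}

# Constructed sample: one distribution group, two security groups,
# and a wbinfo list that contains only one of the security groups.
demo() {
    dir=$(mktemp -d) || return 1
    cat > "$dir/groups.ldif" <<'EOF'
dn: CN=dl.samplegroup,OU=Groups,DC=mydomain,DC=com
cn: dl.samplegroup
groupType: 2

dn: CN=sec.fileshare,OU=Groups,DC=mydomain,DC=com
cn: sec.fileshare
groupType: -2147483646

dn: CN=sec.newteam,OU=Groups,DC=mydomain,DC=com
cn: sec.newteam
groupType: -2147483646
EOF
    printf '%s\n' 'sec.fileshare' 'domain users' > "$dir/wbinfo.txt"
    classify_missing "$dir/groups.ldif" "$dir/wbinfo.txt"
    rm -rf "$dir"
}

demo
```

A missing group reported as security, like the constructed sec.newteam here, is not explained by group type and needs a separate look.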






