Re: net ads user info group authenticator

From: Henrik Nordstrom <hno@dont-contact.us>
Date: Mon, 4 Jul 2005 20:02:47 +0200 (CEST)

On Mon, 4 Jul 2005, Joe Cooper wrote:

> For whatever reason (still would like to know why) one of my client systems
> using NTLM auth to an Active Directory server suddenly could no longer get
> group and user information via wbinfo -g and wbinfo -u after an AD server
> update.

This is a question to the Samba people.. but I would guess there is some
problem with the Kerberos computer account. The NTLM authentication uses
NT Domain RPC login, while ADS lookups (groups etc) use LDAP with
Kerberos authentication I think.

> However, the net ads user info command still worked fine, so as a
> workaround I rewrote the wbinfo_group.pl to use net ads commands. I've
> attached the modified version.

Not sure if this interface is considered stable, or if it will change
wildly between Samba versions.. but if the Samba people say it is a
stable interface then I have no problem with it as an alternative.

> It's probably wrong in some or many ways, and it has the negative of needing
> a username/password (but seemingly a not very privileged user will work).

Probably same requirements as for the LDAP helpers.. you need some
account that is allowed to see what groups you have. In most installations
this is any account.

> Anyway, it solved my immediate problem and got groups working again.

If my suspicion above is correct it should help to rejoin the ADS tree,
followed by a restart of winbind to flush the local cache..

Regards
Henrik
Received on Mon Jul 04 2005 - 12:02:50 MDT
