Re: net ads user info group authenticator

From: Joe Cooper <joe@dont-contact.us>
Date: Mon, 04 Jul 2005 19:27:02 -0500

Henrik Nordstrom wrote:
> On Mon, 4 Jul 2005, Joe Cooper wrote:
>
>> For whatever reason (still would like to know why) one of my client
>> systems using NTLM auth to an Active Directory server suddenly could
>> no longer get group and user information via wbinfo -g and wbinfo -u
>> after an AD server update.
>
> This is a question to the Samba people.. but I would guess there is some
> problem with the Kerberos computer account. The NTLM authentication uses
> NT Domain RPC login, while ADS lookups (groups etc) uses LDAP with
> Kerberos authentication I think.

Interestingly, wbinfo -t still works, and the rest of the NTLM
authentication stuff works. Even a wbinfo -a user%pass works. So, I
don't think kerberos is the issue (though I've had enough troubles from
that aspect of the system to know not to argue too strongly about it).

>> However, the net ads user info command still worked fine, so as a
>> workaround I rewrote the wbinfo_group.pl to use net ads commands.
>> I've attached the modified version.
>
> Not sure if this interface is considered stable, or if it will change
> wildly between Samba versions.. but if the Samba people says it is a
> stable interface then I have no problem with it as an alternative.

My understanding is that the net commands are The Way of the Future, and
are designed to mirror the Windows net commands. That's not to say they
are stable--but they are being recommended as the right way to interact
with the AD.

>> It's probably wrong in some or many ways, and it has the negative of
>> needing a username/password (but seemingly a not very privileged user
>> will work).
>
> Probably same requirements as for the LDAP helpers.. you need some
> account who is allowed to see what groups you have. In most
> installations this is any account.

That seems to be the case. I used a plain old user account, which had
the lowest level of privileges available to users in the AD in question.
I guess it is mostly harmless to have the password in there.

>> Anyway, it solved my immediate problem and got groups working again.
>
> If my suspicion above is correct it should help to rejoin the ADS tree,
> followed by a restart of winbind to flush the local cache..

Did that without success a few times--the rejoin was fine, and winbind
came back up without trouble. No errors, wbinfo -t succeeds, and even
winbindd with debugging cranked up to 9 revealed nothing (or at least
nothing I could find...it might have ended up in a log I didn't know to
look at, though I redirected output to STDIO). After an hour or so of
poking at it, I rewrote the group authenticator in about five minutes.
It worked, so I called it done.

I'm guessing something changed in the AD during the upgrade, though I
haven't had time to dig around in the MS knowledge base and google to
see what. This box has been working fine for over a year with the same
configuration...the last Samba upgrade was a few months ago, and went
without a hitch. So I blame Windows.

Thanks for chiming in.
Received on Mon Jul 04 2005 - 17:25:36 MDT
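The helper Joe describes (a wbinfo_group.pl rewritten around `net ads user info`) is attached to the original mail but not reproduced in the archive. The following is an added example, written for this page and not the attachment or any Samba/Squid project code, of the same idea: a Squid external_acl_type group helper that reads `<user> <group> [<group> ...]` lines on stdin, answers OK when the user belongs to at least one listed group and ERR otherwise, and asks `net ads user info` for the membership. Assumptions are marked in the code: that `net ads user info` prints one group name per line, that the local `net` accepts `-A <file>` so the lookup account's password can live in a root-only file (`/etc/squid/net_ads.auth` is a hypothetical path) instead of in the script, and that a `DOMAIN\user` login should be reduced to the bare user name before the lookup. The user name is passed to `net` as a separate argv element, never through a shell, so nothing Squid hands over can be interpreted as shell syntax.

```python
#!/usr/bin/env python3
"""Squid external ACL group helper that looks up Active Directory group
membership with `net ads user info` instead of wbinfo.

Added example, not the wbinfo_group.pl variant attached to the original
message. Protocol (Squid external_acl_type): each stdin line is
"<user> <group> [<group> ...]"; the helper answers OK if the user is a
member of at least one listed group, otherwise ERR.
"""
import subprocess
import sys

# Assumption: Samba's `net` accepts -A <file> containing username=/password=/
# domain= lines, so the lookup account's password lives in a root-only file
# rather than inside the helper script itself. The path is hypothetical.
AUTH_FILE = "/etc/squid/net_ads.auth"


def parse_request(line):
    """Split a helper request into (user, [groups]), normalised to lower case.

    A DOMAIN\\user or DOMAIN/user login is reduced to the bare user name,
    because `net ads user info` is assumed to expect the account name alone.
    Returns (None, []) for a malformed line.
    """
    parts = line.strip().split()
    if len(parts) < 2:
        return None, []
    user = parts[0].replace("\\", "/").split("/")[-1].lower()
    return user, [g.lower() for g in parts[1:]]


def parse_user_info(output):
    """Turn `net ads user info` output (assumed: one group name per line)
    into a set of lower-case group names, skipping blank lines."""
    return {ln.strip().lower() for ln in output.splitlines() if ln.strip()}


def decide(user_groups, wanted):
    """OK when any wanted group matches; ERR otherwise (including no groups)."""
    return "OK" if user_groups.intersection(wanted) else "ERR"


def lookup_groups(user):
    """Run `net ads user info` for `user` and return its groups as a set.

    Any failure (net missing, timeout, non-zero exit) yields an empty set,
    which the caller turns into ERR: a broken lookup must deny, not allow.
    The user name is an argv element, so no shell parsing is involved.
    """
    try:
        proc = subprocess.run(
            ["net", "ads", "user", "info", user, "-A", AUTH_FILE],
            capture_output=True, text=True, timeout=15, check=False,
        )
    except (OSError, subprocess.TimeoutExpired):
        return set()
    if proc.returncode != 0:
        return set()
    return parse_user_info(proc.stdout)


def handle_line(line, lookup=lookup_groups):
    """Process one request line and return the reply ("OK" or "ERR").

    `lookup` is injectable so the protocol logic can be exercised without
    a domain controller.
    """
    user, wanted = parse_request(line)
    if user is None:
        return "ERR"
    return decide(lookup(user), wanted)


def main():
    # Squid keeps the helper running and feeds one request per line; the
    # reply must be flushed immediately or Squid will wait forever.
    for line in sys.stdin:
        print(handle_line(line), flush=True)


if __name__ == "__main__":
    main()
```

Wire it into squid.conf the same way as the original wbinfo_group.pl (an `external_acl_type` line naming the script, then `acl ... external` with the group names), and make the auth file readable only by the user Squid runs helpers as; the lookup account itself needs nothing beyond the ability to read group membership, which matches the "not very privileged user" observation above.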
