Hi list,
I'm having an issue with wbinfo_group.pl - it fails to detect some users'
group membership in my Active Directory environment.
I know that replication between domain controllers can be an issue, so I've
decided to wait a few weeks and check again, just to rule that out.
The result is still the same:
----------------------------------------------------------
MYSERVERNAME:~# /usr/lib/squid/wbinfo_group.pl
myuserid some_group
OK
myuserid this-is-the_group-I-want
ERR
----------------------------------------------------------
----------------------------------------------------------
With debugging enabled:
MYSERVERNAME:~# /usr/lib/squid/wbinfo_group.pl
myuserid this-is-the_group-I-want
Got myuserid this-is-the_group-I-want from squid
User: -myuserid-
Group: -this-is-the_group-I-want-
SID: -S-1-5-21-10digitshere-10digitshere-10digitshere-4digitshere Domain Group (2)-
GID: -5digitshere-
Sending ERR to squid
ERR
----------------------------------------------------------
Checking this on Windows, however, I get:
----------------------------------------------------------
U:\>net user myuserid /domain
[...]
Local Group Memberships *yet_another_group
Global Group Memberships *some_group
[...]
*this-is-the_group-I-want
[...]
*some-other-group
Command completed successfully.
----------------------------------------------------------
...so everything looks fine on the Windows side.
Note: I'm running Debian Sarge, and would consider upgrading to Etch if
this is a known problem that can be fixed by upgrading.
Also, if there's a way to solve this by moving from winbind to LDAP, I'd
be interested in a migration how-to document, if there is one.
Here's some more info that might be useful for debugging:
----------------------------------------------------------
MYSERVERNAME:~# squid -v
Squid Cache: Version 2.5.STABLE9
configure options: --prefix=/usr --exec_prefix=/usr --bindir=/usr/sbin
--sbindir=/usr/sbin --libexecdir=/usr/lib/squid --sysconfdir=/etc/squid
--localstatedir=/var/spool/squid --datadir=/usr/share/squid
--enable-async-io --with-pthreads --enable-storeio=ufs,aufs,diskd,null
--enable-linux-netfilter --enable-arp-acl
--enable-removal-policies=lru,heap --enable-snmp --enable-delay-pools
--enable-htcp --enable-poll --enable-cache-digests --enable-underscores
--enable-referer-log --enable-useragent-log --enable-auth=basic,digest,ntlm
--enable-carp --with-large-files i386-debian-linux
----------------------------------------------------------
----------------------------------------------------------
smbd, nmbd, winbindd -v:
Version 3.0.14a-Debian
----------------------------------------------------------
----------------------------------------------------------
wbinfo -t:
checking the trust secret via RPC calls succeeded
----------------------------------------------------------
----------------------------------------------------------
wbinfo -g:
BUILTIN\system operators
BUILTIN\replicators
BUILTIN\guests
BUILTIN\power users
BUILTIN\print operators
BUILTIN\administrators
BUILTIN\account operators
BUILTIN\backup operators
BUILTIN\users
some_groups
[...]
#
[...]
some_more_groups
[...]
this-is-the_group-I-want
[...]
yet_another_group
----------------------------------------------------------
The "#" that appears in the middle of the group list is a bit strange.
There is no such group in my Active Directory.
----------------------------------------------------------
smb.conf excerpt:
[global]
netbios name = MYSERVERNAME
security = ads
realm = my.realm.here
password server = fqdn.of.my.password.server.here
workgroup = MYWORKGROUP
socket options = IPTOS_LOWDELAY TCP_NODELAY SO_SNDBUF=4096 SO_RCVBUF=4096
encrypt passwords = true
client use spnego = yes
passdb backend = smbpasswd guest
wins support = no
wins server = ser.ver.ip.one ser.ver.ip.two ser.ver.ip.three ser.ver.ip.four
os level = 0
domain master = no
local master = no
preferred master = no
ANNOUNCE VERSION = 5.2
name resolve order = lmhosts host wins bcast
dns proxy = no
preserve case = yes
short preserve case = yes
unix password sync = false
passwd program = /usr/bin/passwd %u
passwd chat = *Enter\snew\sUNIX\spassword:* %n\n *Retype\snew\sUNIX\spassword:* %n\n .
max log size = 1000
obey pam restrictions = yes
winbind use default domain = yes
winbind nested groups = yes
idmap uid = 10000-10000000
idmap gid = 10000-10000000
template shell = /bin/bash
unix charset = iso-8859-15
display charset = iso-8859-15
dos charset = 850
----------------------------------------------------------
Please let me know how to fix this; it's really irritating, as it works for
some, but not all, users who are members of said group.
Kind Regards,
Stefan Baur
Received on Sun Jun 10 2007 - 14:47:10 MDT