Here is the sample: user "test", group "Proxy Users"

# wbinfo -n test
S-1-5-21-3832759173-1639904910-2887728559-1113 User (1)
# wbinfo -n "Proxy Users"
S-1-5-21-3832759173-1639904910-2887728559-1118 Domain Group (2)

Checking whether user "test" is in group "Proxy Users" using wbinfo:

# wbinfo --user-sids=S-1-5-21-3832759173-1639904910-2887728559-1113
S-1-5-21-3832759173-1639904910-2887728559-513
S-1-5-32-545
S-1-5-21-3832759173-1639904910-2887728559-1118

Yes, the user is in the group, and it is the last group in the list.

Now check user/password using ntlm_auth:

# ntlm_auth --helper-protocol=squid-2.5-basic
test password
OK

All working. Now adding the group membership check:

# ntlm_auth --helper-protocol=squid-2.5-basic --require-membership-of="DOMAIN+Proxy Users"
test password
ERR

Fail! Here is the log.winbindd:

[2004/08/22 12:11:54, 10] nsswitch/winbindd_pam.c:check_info3_in_group(134)
  User has SID: S-1-5-21-3832759173-1639904910-2887728559-1113
[2004/08/22 12:11:54, 10] nsswitch/winbindd_pam.c:check_info3_in_group(134)
  User has SID: S-1-5-21-3832759173-1639904910-2887728559-513
[2004/08/22 12:11:54, 10] nsswitch/winbindd_pam.c:check_info3_in_group(134)
  User has SID: S-1-5-21-3832759173-1639904910-2887728559-135995120
[2004/08/22 12:11:54, 10] nsswitch/winbindd_pam.c:check_info3_in_group(134)
  User has SID: S-1-5-21-3832759173-1639904910-2887728559-135995136
[2004/08/22 12:11:54, 3] nsswitch/winbindd_pam.c:winbindd_pam_auth(293)
  User test is not in the required group (S-1-5-21-3832759173-1639904910-2887728559-1118), so plaintext authentication is rejected

And here is the solution :-)

--- winbindd_pam.c.old Thu Aug 19 17:39:12 2004 +++ winbindd_pam.c Fri Sep 3 14:24:12 2004 
@@ -107,11 +107,11 @@ for (i = 0; i < info3->num_groups2; i++) { sid_copy(&all_sids[j], &(info3->dom_sid.sid)); - if (!sid_append_rid(&all_sids[j], info3->gids[j].g_rid)) { + if (!sid_append_rid(&all_sids[j], info3->gids[i].g_rid)) { DEBUG(3,("could not append additional group rid 0x%x\n", - info3->gids[j].g_rid)); + info3->gids[i].g_rid)); return NT_STATUS_INVALID_PARAMETER; } j++;

We get an array gids[] overrun in some conditions (that is why there are weird values in the log).
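
Review bot: in the for (i = 0; i < info3->num_groups2; i++) loop, the write side all_sids[j] still depends on j staying inside whatever size all_sids was allocated with, and that allocation is not visible in this hunk. With gids[] now indexed by i the read is bounded by num_groups2, but it is worth confirming that all_sids has room for num_groups2 entries on top of whatever was stored before the loop (j does not start at 0 here, otherwise gids[j] and gids[i] would have been the same element), and that the early return NT_STATUS_INVALID_PARAMETER does not leak all_sids. Since mixing up the two counters is what caused the over-read, a one-line comment stating that i indexes the source gids[] and j the destination all_sids[], or more descriptive counter names, would help keep this from regressing.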
(In reply to comment #0)

Fixed in 3.0.7:

o Dimitri van der Spek <dwspek@aboveit.nl>
    * Use the correct counter when copying group rids from the
      user_info3 struct in pam_winbind.

To Samba team: please pay more attention to the database!
Sorry for the same, cleaning up the database to prevent unnecessary reopens of bugs.