Hi,
I have set up a Fedora Core 5 box running SAMBA (security = ADS), KRBv5 and SQUID with NTLM authentication. Using various guides on Google I have managed to join the Linux box to Windows 2003 Active Directory. I did this so that I am able to use Squid to restrict certain Active Directory groups from accessing the internet.
I have managed to get the ACLs in Squid working fine and have tested them against different ADS groups. The problem (I think) is with winbind.
For instance, I created two new ADS groups called Proxyboys and Internet on the Windows 2003 PDC. Next I created four users jack, tom, dick, harry and joined them in pairs respectively to Proxyboys and Internet. I set up Squid to allow the Internet group full access to the internet and Proxyboys to have no access to the internet. When I did this it worked fine. Using wbinfo -r I can see the respective group IDs of these users. In all their cases they showed with
Next I removed Harry from Internet. I restarted the smb and winbind services and did a wbinfo -r harry. This command still shows Harry as being in the Internet group. I restarted the PDC and my Linux box but there is no change. I went ahead and added Harry to the Proxyboys group so that he does not have internet access. Restarted smb, winbind and squid and used an XP client machine to log in as Harry. PROBLEM: Harry still has internet access. I think the REASON for this is what I described above. Any group membership changes I make to users in Active Directory do not seem to replicate to the Linux box.
To summarise:
1. If I add a new user or group to Active Directory, restart winbind and use wbinfo -g or wbinfo -u, the new user or group can be seen in the list.
2. If I change an existing user's group membership, restart winbind and use wbinfo -r on the user, the user's group IDs DO NOT CHANGE. They remain the same as if the user's group membership never changed.
3. getent passwd lists users and group IDs and these are incorrect.
4. getent group lists groups, the group ID and its members and this is correct.
Any help in getting this resolved will be much appreciated as I am doing this in a test environment for my degree project. I apologise if I am being vague and for not posting any .conf files, but please let me know what you need. Thank you in advance.
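Added example, not code from the original post: a small Python cross-check of the two views the summary contrasts, the per-user group list winbind serves (wbinfo -r / getent passwd) against the member lists in getent group, so that a user whose cached membership no longer matches the group listing (harry in the post) is flagged. The group names, GIDs and command output below are constructed for the example, not captured from a real domain.

```python
# Added example (not the poster's code): compare the per-user group list winbind
# serves (wbinfo -r / getent passwd) with the member lists from getent group.
# Sample output below is constructed, not captured from a real domain.
GETENT_GROUP = """\
domain users:x:10000:jack,tom,dick,harry
Internet:x:10001:jack,tom
Proxyboys:x:10002:dick,harry
"""
# Constructed stand-in for "wbinfo -r <user>" output (one numeric GID per line).
WBINFO_R = {
    "jack": "10000\n10001\n",
    "tom": "10000\n10001\n",
    "dick": "10000\n10002\n",
    "harry": "10000\n10001\n",  # stale: harry was moved to Proxyboys
}

def parse_getent_group(text):
    """Map each user to the set of GIDs whose member list names them."""
    membership = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        _name, _pw, gid, members = line.split(":", 3)
        for user in filter(None, members.split(",")):
            membership.setdefault(user, set()).add(int(gid))
    return membership

def parse_wbinfo_r(text):
    """Turn the GID-per-line output of wbinfo -r into a set of ints."""
    return {int(tok) for tok in text.split()}

def stale_memberships(wbinfo_outputs, getent_group_text):
    """Return {user: (GIDs only in winbind's view, GIDs only in getent group)}
    for every user whose two views disagree; an empty dict means consistent."""
    authoritative = parse_getent_group(getent_group_text)
    stale = {}
    for user, out in wbinfo_outputs.items():
        cached = parse_wbinfo_r(out)
        expected = authoritative.get(user, set())
        if cached != expected:
            stale[user] = (cached - expected, expected - cached)
    return stale

if __name__ == "__main__":
    for user, (extra, missing) in stale_memberships(WBINFO_R, GETENT_GROUP).items():
        print(f"{user}: winbind-only GIDs {sorted(extra)}, missing GIDs {sorted(missing)}")
```

On a live box, replace the constructed strings with the real output of `getent group` and `wbinfo -r <user>` for each user to check.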