
wbinfo -u works, getent passwd fails, winbind in nsswitch.conf


da...@i-55.com

Jun 16, 2004, 9:49:59 AM6/16/04
I am running samba-3.0.2-6.3E on RHES 3.

I am trying to get Winbind running, and am having some difficulty.
Basically, I can login using a very small subset of my AD users, but
not the rest. I can 'winbind -u' and see all of my AD users, but a
'getent passwd' shows only local users. I do have winbind configured
in my /etc/nsswitch:

# cat /etc/nsswitch.conf
...
passwd: files winbind
shadow: files
group: files winbind
...

Winbind seems happy:

# wbinfo -t
checking the trust secret via RPC calls succeeded

I can auth as my own account:

# wbinfo -a me%mypassword
plaintext password authentication succeeded
challenge/response password authentication succeeded

wbinfo -u shows gobs of users:

# wbinfo -u | tail -5
user1
user2
user3
user4
user5

(User names have been replaced to protect the guilty.)

But 'getent passwd' shows only local accounts:

# getent passwd > /tmp/x ; diff /tmp/x /etc/passwd
#

Ah!

'getent group' shows some AD groups, but not many:

# getent group | tail -2
ADgroup1:x:10011:user1,user2,user3
ADgroup2:x:10012:user4,user5,user6,user7

'wbinfo -g' shows many more.

I can su using my AD account:

# su - me
me$

But most other accounts fail:

# su - user1
su: user user1 does not exist

Yet that user exists:

# wbinfo -u | grep user1
user1

Confusing!

I noticed some home directories on the Linux box had uid/gid instead
of username/groupname. So I think the accounts were working and
suddenly were not. I have rebooted the box as well as restarted
Winbind.

Not sure what is left.

Any ideas?

My smb.conf:

# cat /etc/samba/smb.conf
[global]
netbios name = myserv
workgroup = myworkgroup
realm = myworkgroup.com
security = ADS
winbind separator = -
idmap uid = 10000-20000
idmap gid = 10000-20000
winbind enum users = yes
winbind enum groups = yes
template homedir = /home/%U
template shell = /bin/false
winbind use default domain = yes

da...@i-55.com

Jun 16, 2004, 11:48:48 AM6/16/04
On Wed, 16 Jun 2004 08:49:59 -0500, da...@i-55.com wrote:

>I am running samba-3.0.2-6.3E on RHES 3.
>
>I am trying to get Winbind running, and am having some difficulty.
>Basically, I can login using a very small subset of my AD users, but
>not the rest. I can 'winbind -u' and see all of my AD users, but a
>'getent passwd' shows only local users. I do have winbind configured
>in my /etc/nsswitch:
>
># cat /etc/nsswitch.conf
>...
>passwd: files winbind
>shadow: files
>group: files winbind
>...

I have narrowed this down. I know *a* fix, but not the best fix. So in
/var/log/messages I see this:

Jun 14 07:02:22 serv winbindd[1091]: tdb(/var/cache/samba/winbindd_idmap.tdb): rec_read bad magic 0x42424242 at offset=4316

Looks like a bad winbindd_idmap.tdb. So I do this:

# /etc/rc.d/init.d/winbind stop
# rm -f /var/cache/samba/winbindd_idmap.tdb
# /etc/rc.d/init.d/winbind start
# getent passwd
...
[I see local and AD accounts.]

Great! Unfortunately, now my IDs are off in /home, so I have to chown
everything. So this isn't a great solution, but it does point in the
right direction.

How did this file get corrupted? And what can I do to fix it if this
happens again without having to re-chown everything?

MaWi

Jul 12, 2004, 6:06:31 PM7/12/04
I think there are two options. The first solution is to back up the tdb file
and recover it if it is corrupt. The second is to use the LDAP backend and
store the idmapping in a separate organizational unit. So the idmapping will
be stored permanently in LDAP and you can delete the winbindd_idmap.tdb
every time it is corrupted.


<da...@i-55.com> wrote in message
news:puq0d0d4l9j68onc3...@4ax.com...
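The thread's diagnosis (winbind enumerates users that NSS cannot resolve, and winbindd logs a "rec_read bad magic" error for winbindd_idmap.tdb) and MaWi's first suggestion (keep a backup of the tdb so a corrupt copy can be restored without reassigning uids) can be turned into a small check script. This is an added example, not code posted by anyone in the thread or shipped with Samba; the wbinfo, getent and syslog output below is constructed to match the shape shown in the posts (the user names are invented), so the script runs offline. On a real host you would substitute `"$(wbinfo -u)"`, `"$(getent passwd)"` and a tail of `/var/log/messages` for the constructed strings.

```shell
#!/bin/sh
# Added example (not from the thread): spot the winbind/NSS mismatch described
# in the posts, detect the idmap tdb corruption message, and back up the tdb
# before anything is deleted so the uid/gid allocations can be restored.

# Constructed sample data standing in for live command output.
WBINFO_U='me
user1
user2
user3'
GETENT_PASSWD='root:x:0:0:root:/root:/bin/bash
me:x:10005:10011:me:/home/me:/bin/false'
SYSLOG='Jun 14 07:02:20 serv winbindd[1091]: winbindd version 3.0.2 started
Jun 14 07:02:22 serv winbindd[1091]: tdb(/var/cache/samba/winbindd_idmap.tdb): rec_read bad magic 0x42424242 at offset=4316'

# Print, one per line, the users winbind enumerates but NSS cannot resolve.
# $1 = output of 'wbinfo -u', $2 = output of 'getent passwd'.
nss_missing_users() {
    printf '%s\n' "$2" | awk -F: -v wb="$1" '
        { seen[$1] = 1 }                      # every name NSS resolves
        END {
            n = split(wb, names, "\n")        # names winbind enumerates
            for (i = 1; i <= n; i++)
                if (names[i] != "" && !(names[i] in seen))
                    print names[i]
        }'
}

# Number of such users, for quick reporting.
nss_missing_count() {
    nss_missing_users "$1" "$2" | grep -c .
}

# Return 0 if the log text carries winbindd's idmap tdb corruption message.
# $1 = log text (e.g. a tail of /var/log/messages).
idmap_tdb_corrupt() {
    printf '%s\n' "$1" | grep -q 'winbindd_idmap\.tdb): rec_read bad magic'
}

# Copy the idmap database to a timestamped file in a backup directory.
# Restoring this copy after a corruption keeps the existing uid/gid mapping,
# so /home does not need to be chown'ed. $1 = tdb path, $2 = backup directory.
# Run it with winbind stopped so the copy is consistent.
backup_idmap_tdb() {
    [ -f "$1" ] || return 1
    mkdir -p "$2" || return 1
    cp -p "$1" "$2/$(basename "$1").$(date +%Y%m%d%H%M%S)"
}

main() {
    if idmap_tdb_corrupt "$SYSLOG"; then
        echo "winbindd reported a corrupt winbindd_idmap.tdb: stop winbind and restore the last backup"
    fi
    echo "users enumerated by winbind but unknown to NSS ($(nss_missing_count "$WBINFO_U" "$GETENT_PASSWD")):"
    nss_missing_users "$WBINFO_U" "$GETENT_PASSWD"
}

main "$@"
```

The mismatch list is the same comparison the original poster did by hand with `wbinfo -u | grep user1` and `su - user1`; a non-empty list together with the "bad magic" log line points at the idmap database rather than at nsswitch.conf or the domain trust. The backup function implements only the tdb-copy half of MaWi's first option; the restore is a stop, copy back, start sequence using the same init script the second post shows.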
