Google Groups no longer supports new Usenet posts or subscriptions. Historical content remains viewable.
Dismiss
[Samba] wbinfo -i -> failed to call wbcGetpwnam: WBC_ERR_DOMAIN_NOT_FOUND
4,937 views
Skip to first unread message
Jeff Dickens
Nov 17, 2015, 6:20:03 PM11/17/15
to
Created a new thread because I screwed up and top-posted.
So I am still stuck. For reference here is the smb.conf on the member
server:
root@florence:~# more /etc/samba/smb.conf
[global]
netbios name = FLORENCE
security = ADS
workgroup = IOL
realm = IOL.SEAMANPAPER.COM <http://iol.seamanpaper.com/>
log file = /var/log/samba/%m.log
log level = 1
dedicated keytab file = /etc/krb5.keytab
kerberos method = secrets and keytab
winbind refresh tickets = yes
winbind trusted domains only = no
winbind use default domain = yes
winbind enum users = yes
winbind enum groups = yes
# idmap config used for your domain.
# Choose one of the following backends fitting to your
# requirements and add the corresponding configuration.
# idmap config ad
# - idmap config rid
# - idmap config autorid
idmap config *:backend = tdb
idmap config *:range = 2000-9999
idmap config IOL:backend = ad
idmap config IOL:schema_mode = rfc2307
idmap config IOL:range = 1000000-9999999
winbind nss info = rfc2307
[home]
path=/home/
read only = No
I increased the range because it seems like the DC is using IDs above
1,000,000. This is on the DC:
root@athens:~# wbinfo -u
administrator
test1
krbtgt
guest
root@athens:~# wbinfo -i administrator
administrator:*:0:100::/home/IOL/administrator:/bin/false
root@athens:~# wbinfo -i test1
test1:*:3000019:100:Test One:/home/IOL/test1:/bin/false
root@athens:~#
And on the member server:
root@florence:~# wbinfo -u
administrator
test1
krbtgt
guest
root@florence:~# wbinfo -i administrator
failed to call wbcGetpwnam: WBC_ERR_DOMAIN_NOT_FOUND
Could not get info for user administrator
root@florence:~# wbinfo -i test1
failed to call wbcGetpwnam: WBC_ERR_DOMAIN_NOT_FOUND
Could not get info for user test1
root@florence:~#
Also:
root@florence:~# wbinfo -n test1
S-1-5-21-870066441-3049097475-1009130827-1105 SID_USER (1)
root@florence:~# wbinfo -n administrator
S-1-5-21-870066441-3049097475-1009130827-500 SID_USER (1)
Thought it might have something to do with the fact that the Kerberos user
tools were not installed -but I set them up and no change.
root@florence:~# kinit admini...@IOL.SEAMANPAPER.COM
Password for admini...@IOL.SEAMANPAPER.COM:
root@florence:~# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: admini...@IOL.SEAMANPAPER.COM
Valid starting Expires Service principal
11/17/2015 17:20:51 11/18/2015 03:20:51 krbtgt/
IOL.SEAMA...@IOL.SEAMANPAPER.COM
renew until 11/18/2015 17:19:59
root@florence:~# wbinfo -i test1
failed to call wbcGetpwnam: WBC_ERR_DOMAIN_NOT_FOUND
Could not get info for user test1
root@florence:~# !smbc
smbcontrol all reload-config
root@florence:~# wbinfo -i test1
failed to call wbcGetpwnam: WBC_ERR_DOMAIN_NOT_FOUND
Could not get info for user test1
root@florence:~#
I found a note about a missing link to libnss_winbind.so.2.. fixed that and
no difference.
So it can list the users but not get the IDs... So it seems to have some
kind of authentication issue.
I've been all through the wiki and can't find anything else that seems
relevant.
--
* Jeff Dickens*
IT Manager 978-632-1513
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba
So I am still stuck. For reference here is the smb.conf on the member
server:
root@florence:~# more /etc/samba/smb.conf
[global]
netbios name = FLORENCE
security = ADS
workgroup = IOL
realm = IOL.SEAMANPAPER.COM <http://iol.seamanpaper.com/>
log file = /var/log/samba/%m.log
log level = 1
dedicated keytab file = /etc/krb5.keytab
kerberos method = secrets and keytab
winbind refresh tickets = yes
winbind trusted domains only = no
winbind use default domain = yes
winbind enum users = yes
winbind enum groups = yes
# idmap config used for your domain.
# Choose one of the following backends fitting to your
# requirements and add the corresponding configuration.
# idmap config ad
# - idmap config rid
# - idmap config autorid
idmap config *:backend = tdb
idmap config *:range = 2000-9999
idmap config IOL:backend = ad
idmap config IOL:schema_mode = rfc2307
idmap config IOL:range = 1000000-9999999
winbind nss info = rfc2307
[home]
path=/home/
read only = No
I increased the range because it seems like the DC is using IDs above
1,000,000. This is on the DC:
root@athens:~# wbinfo -u
administrator
test1
krbtgt
guest
root@athens:~# wbinfo -i administrator
administrator:*:0:100::/home/IOL/administrator:/bin/false
root@athens:~# wbinfo -i test1
test1:*:3000019:100:Test One:/home/IOL/test1:/bin/false
root@athens:~#
And on the member server:
root@florence:~# wbinfo -u
administrator
test1
krbtgt
guest
root@florence:~# wbinfo -i administrator
failed to call wbcGetpwnam: WBC_ERR_DOMAIN_NOT_FOUND
Could not get info for user administrator
root@florence:~# wbinfo -i test1
failed to call wbcGetpwnam: WBC_ERR_DOMAIN_NOT_FOUND
Could not get info for user test1
root@florence:~#
Also:
root@florence:~# wbinfo -n test1
S-1-5-21-870066441-3049097475-1009130827-1105 SID_USER (1)
root@florence:~# wbinfo -n administrator
S-1-5-21-870066441-3049097475-1009130827-500 SID_USER (1)
Thought it might have something to do with the fact that the Kerberos user
tools were not installed -but I set them up and no change.
root@florence:~# kinit admini...@IOL.SEAMANPAPER.COM
Password for admini...@IOL.SEAMANPAPER.COM:
root@florence:~# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: admini...@IOL.SEAMANPAPER.COM
Valid starting Expires Service principal
11/17/2015 17:20:51 11/18/2015 03:20:51 krbtgt/
IOL.SEAMA...@IOL.SEAMANPAPER.COM
renew until 11/18/2015 17:19:59
root@florence:~# wbinfo -i test1
failed to call wbcGetpwnam: WBC_ERR_DOMAIN_NOT_FOUND
Could not get info for user test1
root@florence:~# !smbc
smbcontrol all reload-config
root@florence:~# wbinfo -i test1
failed to call wbcGetpwnam: WBC_ERR_DOMAIN_NOT_FOUND
Could not get info for user test1
root@florence:~#
I found a note about a missing link to libnss_winbind.so.2.. fixed that and
no difference.
So it can list the users but not get the IDs... So it seems to have some
kind of authentication issue.
I've been all through the wiki and can't find anything else that seems
relevant.
--
* Jeff Dickens*
IT Manager 978-632-1513
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba
Michael Adam
Nov 20, 2015, 2:30:03 AM11/20/15
to
Hi Jeff,
That should be irrelevant.
> failed to call wbcGetpwnam: WBC_ERR_DOMAIN_NOT_FOUND
> Could not get info for user test1
> root@florence:~#
>
> I found a note about a missing link to libnss_winbind.so.2.. fixed that and
> no difference.
That should not make a difference for wbinfo either.
> So it can list the users but not get the IDs... So it seems to have some
> kind of authentication issue.
So it is important to understand that you have not
been testing just ID-Mapping but nsswitch-level integration.
With 'wbinfo -i test1' you test the functionality that would be
used by 'getent passwd test1' through nsswitch. These are highly
aggtregate commands that do a lot of different calls.
To understand if id-mapping is the problem, you can use wbinfo
like this:
# wbinfo -n test1
S-1-5-21-870066441-3049097475-1009130827-1105 SID_USER (1)
# net cache flush
# wbinfo -S S-1-5-21-870066441-3049097475-1009130827-1105
(or wbinfo --sid-to-uid FOO)
and check the result. If this fails, you should look into
/var/log/samba/log.winbindd-idmap for clues.
Note that 'net cache flush' will make sure that the idmap
request is not answered from the cache but winbindd will
go out to the server.
You may want to increase samba's debug level and redo the
test if there is no clue in there.
Cheers - Michael
> failed to call wbcGetpwnam: WBC_ERR_DOMAIN_NOT_FOUND
> Could not get info for user test1
> root@florence:~#
>
> I found a note about a missing link to libnss_winbind.so.2.. fixed that and
> no difference.
> So it can list the users but not get the IDs... So it seems to have some
> kind of authentication issue.
been testing just ID-Mapping but nsswitch-level integration.
With 'wbinfo -i test1' you test the functionality that would be
used by 'getent passwd test1' through nsswitch. These are highly
aggtregate commands that do a lot of different calls.
To understand if id-mapping is the problem, you can use wbinfo
like this:
# wbinfo -n test1
S-1-5-21-870066441-3049097475-1009130827-1105 SID_USER (1)
# wbinfo -S S-1-5-21-870066441-3049097475-1009130827-1105
(or wbinfo --sid-to-uid FOO)
and check the result. If this fails, you should look into
/var/log/samba/log.winbindd-idmap for clues.
Note that 'net cache flush' will make sure that the idmap
request is not answered from the cache but winbindd will
go out to the server.
You may want to increase samba's debug level and redo the
test if there is no clue in there.
Cheers - Michael
Andrey Repin
Nov 22, 2015, 5:10:03 AM11/22/15
to
Greetings, Jeff Dickens!
Here's the part of the problem. It appears to me the NSS link was first set up
with range under 3kk. With builtin and local UID/GID's going over 3kk.
With changing the range post factum, you've threaded on the reserved range.
> winbind nss info = rfc2307
> [home]
> path=/home/
> read only = No
> I increased the range because it seems like the DC is using IDs above
> 1,000,000.
You should use the same range the domain was provisioned with. Or NSS
initialized with.
If you are migrating the domain from Samba3, it may become rather complicated
to figure out the right range.
> This is on the DC:
> root@athens:~# wbinfo -u
> administrator
> test1
> krbtgt
> guest
> root@athens:~# wbinfo -i administrator
> administrator:*:0:100::/home/IOL/administrator:/bin/false
> root@athens:~# wbinfo -i test1
> test1:*:3000019:100:Test One:/home/IOL/test1:/bin/false
> root@athens:~#
Note the artificially low UID and GID numbers. That doesn't look like the NSS
is in play.
Also, to the your previous example of 'wbinfo -i "domain users"'...
# wbinfo --group-info 'domain users'
domain users:x:513:
(The point being, 'domain users' is not a user, and -i only looking for users.)
--
With best regards,
Andrey Repin
Sunday, November 22, 2015 12:49:57
Sorry for my terrible english...
with range under 3kk. With builtin and local UID/GID's going over 3kk.
With changing the range post factum, you've threaded on the reserved range.
> winbind nss info = rfc2307
> [home]
> path=/home/
> read only = No
> I increased the range because it seems like the DC is using IDs above
> 1,000,000.
initialized with.
If you are migrating the domain from Samba3, it may become rather complicated
to figure out the right range.
> This is on the DC:
> root@athens:~# wbinfo -u
> administrator
> test1
> krbtgt
> guest
> root@athens:~# wbinfo -i administrator
> administrator:*:0:100::/home/IOL/administrator:/bin/false
> root@athens:~# wbinfo -i test1
> test1:*:3000019:100:Test One:/home/IOL/test1:/bin/false
> root@athens:~#
is in play.
Also, to the your previous example of 'wbinfo -i "domain users"'...
# wbinfo --group-info 'domain users'
domain users:x:513:
(The point being, 'domain users' is not a user, and -i only looking for users.)
--
With best regards,
Andrey Repin
Sunday, November 22, 2015 12:49:57
Sorry for my terrible english...
Rowland Penny
Nov 22, 2015, 6:50:03 AM11/22/15
to
what you get and also winbind will *not* work on a domain member.
>
> Also, to the your previous example of 'wbinfo -i "domain users"'...
>
> # wbinfo --group-info 'domain users'
> domain users:x:513:
>
> (The point being, 'domain users' is not a user, and -i only looking for users.)
>
winbind 'ad' backend on a domain member.
Rowland
0 new messages