[Samba] Samba 4.1.4 nsswitch/winbind issues


Doug Meredith

Feb 15, 2014, 10:50:02 AM
The two domain controllers (Debian) and the member server (CentOS) are all
running Samba 4.1.4 from the sernet packages. The member server I am
testing from was fully patched as of this morning.

Things that work:

- wbinfo -u
- wbinfo -g
- getent group {ad_group}

Things that don't work:

- getent passwd {any_ad_user}
- getent group
- getent passwd

I jacked up the winbindd debug level to 9, and did some testing.

# wbinfo -n doug
S-1-5-21-1317801521-1647347728-1419337603-1104 SID_USER (1)

# wbinfo -S S-1-5-21-1317801521-1647347728-1419337603-1104
20001

This is the correct UID that is set in AD (RFC-2307).

# getent passwd doug

This gives no output and returns a status of 2. The winbindd log file
indicates " Could not convert sid
S-1-5-21-1317801521-1647347728-1419337603-1104: NT_STATUS_NONE_MAPPED".

I've done quite a bit of googling with no luck. I'm stumped on where to go
next. Any help would be appreciated.

Doug
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba

steve

Feb 15, 2014, 12:50:02 PM
On Sat, 2014-02-15 at 11:42 -0400, Doug Meredith wrote:
> The member server I am
> testing from was fully patched as of this morning.

> Any help would be appreciated.

I'm afraid that without smb.conf on your member server we've no chance.
Cheers,
Steve

Doug Meredith

Feb 15, 2014, 1:50:01 PM
Thanks, Steve. Here is the smb.conf:

[global]

workgroup = DSTRC
security = ADS
realm = DSTRC.ORG
encrypt passwords = yes

idmap config *:backend = tdb
idmap config *:range = 70001-80000
idmap config DSTRC:backend = ad
idmap config DSTRC:schema_mode = rfc2307
idmap config DSTRC:range = 500-40000

winbind nss info = rfc2307
winbind trusted domains only = no
winbind use default domain = yes
winbind enum users = yes
winbind enum groups = yes

vfs objects = acl_xattr
map acl inherit = Yes
store dos attributes = Yes

printcap name = /dev/null
load printers = no
disable spoolss = yes
printing = bsd
--
Doug Meredith
(506) 854-7997 ext. 801
http://www.skyridge.com

steve

Feb 16, 2014, 7:00:01 AM
On Sat, 2014-02-15 at 14:46 -0400, Doug Meredith wrote:
> Thanks, Steve. Here is the smb.conf:
>
> [global]
>
> workgroup = DSTRC
> security = ADS
> realm = DSTRC.ORG
> encrypt passwords = yes
>
> idmap config *:backend = tdb
> idmap config *:range = 70001-80000
> idmap config DSTRC:backend = ad
> idmap config DSTRC:schema_mode = rfc2307
> idmap config DSTRC:range = 500-40000
>
> winbind nss info = rfc2307
> winbind trusted domains only = no
> winbind use default domain = yes
> winbind enum users = yes
> winbind enum groups = yes
>
> vfs objects = acl_xattr
> map acl inherit = Yes
> store dos attributes = Yes
>
> printcap name = /dev/null
> load printers = no
> disable spoolss = yes
> printing = bsd

Hi
OK.
getent group does not work, so that's expected.

- cat /etc/krb5.conf
- Is the machine joined to the domain?
- what does klist -ke /etc/krb5.keytab look like?
- cat /etc/nsswitch.conf
- is winbindd running, not crashed (ps it)?
This is all the help I am allowed to offer on list.

Rowland Penny

Feb 16, 2014, 7:30:02 AM
Do the users have uidNumbers & gidNumbers?

Rowland

steve

Feb 16, 2014, 7:50:01 AM
The OP reports for user doug: wbinfo gives 20001, but both getent
passwd and getent passwd doug draw a blank.

Rowland Penny

Feb 16, 2014, 8:30:01 AM
OK, then does 'Domain Users' have a gidNumber and do his users have this
gidNumber?
I think that without a valid gidNumber in the users AD, then getent will
not display users.

Rowland

Doug Meredith

Feb 16, 2014, 9:30:01 AM
> OK, then does 'Domain Users' have a gidNumber and do his users have this
> gidNumber?
> I think that without a valid gidNumber in the users AD, then getent will
> not display users.
>
> Rowland

You nailed it Rowland. I went back and added GIDs for each and every group
and eventually the problem was solved. Thank you very much, I was really
stuck on this. Now I'll be able to proceed with building my new file
server. Goodbye hideous D-Link NAS!

Steve, I very much appreciate your efforts and tips as well.

Doug

Michael Brown

Jun 4, 2014, 5:30:02 PM
On 14-02-15 10:42 AM, Doug Meredith wrote:
> Things that don't work:
>
> - getent passwd {any_ad_user}
> - getent group
> - getent passwd
Exactly the problem I'm struggling with. (update: have solved since I
started writing this!)

Centos/samba-3.6.9-168.el6_5.x86_64 and SciLinux/samba-3.6.3-78.el6.1.x86_64

Same symptoms, same things that work, same things that don't. I've
simplified my idmap configuration down to:

idmap config * : backend = tdb2
idmap config * : range = 1000000-1999999
idmap config NETDIRECT:backend = ad
idmap config NETDIRECT:schema_mode = rfc2307
idmap config NETDIRECT:range = 100-999999

I get in my log:
Could not convert sid S-1-5-21-2070472328-935435760-1634736958-11032:
NT_STATUS_NONE_MAPPED

yet:
# wbinfo -n michael
S-1-5-21-2070472328-935435760-1634736958-11032 SID_USER (1)
# wbinfo -S S-1-5-21-2070472328-935435760-1634736958-11032
5016

which is within the configured range for the domain.

Near as I can tell I'm getting a complete user structure out of winbind:
wbint_QueryUser: struct wbint_QueryUser
out: struct wbint_QueryUser
info : *
info: struct wbint_userinfo
acct_name : *
acct_name : 'michael'
full_name : NULL
homedir : *
homedir : '/net/nfshome/home/michael'
shell : *
shell : '/bin/bash'
primary_gid : 0x0000000000000fa0 (4000)
user_sid :
S-1-5-21-2070472328-935435760-1634736958-11032
group_sid :
S-1-5-21-2070472328-935435760-1634736958-513
result : NT_STATUS_OK

but:

[2014/06/04 16:17:53.793013, 10] winbindd/wb_sid2uid.c:56(wb_sid2uid_send)
idmap_cache_find_sid2uid found 5016
[2014/06/04 16:17:53.793144, 10] winbindd/wb_sid2gid.c:57(wb_sid2gid_send)
idmap_cache_find_sid2gid found -1
[2014/06/04 16:17:53.793254, 5]
winbindd/winbindd_getpwnam.c:137(winbindd_getpwnam_recv)
Could not convert sid S-1-5-21-2070472328-935435760-1634736958-11032:
NT_STATUS_NONE_MAPPED

Damn. Now that I write that after cranking up the debug levels I wonder
if that line might be misleading. It was sid2gid that failed, but it
reported the user sid as unmappable.

Yes! It is misleading!

https://www.samba.org/samba/docs/man/manpages-3/idmap_ad.8.html
"Please note that primary group membership is currently always
calculated via the "primaryGroupID" LDAP attribute."

winbind (unlike the other similar nss providers) will convert the
primary Windows group to the primary Unix group. Thus, when using the ad
backend you must have a gidNumber attribute on 'Domain Users'.

All of a sudden it works:
# id michael
uid=5016(michael) gid=4001(domain users) groups=4001(domain
users),4000(staff)

I suspect you have the same problem.

M.

--
Michael Brown | `One of the main causes of the fall of
Systems Consultant | the Roman Empire was that, lacking zero,
Net Direct Inc. | they had no way to indicate successful
?: +1 519 883 1172 x5106 | termination of their C programs.' - Firth
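An added example, not part of the thread or of Samba's own code: a small Python model of the lookup Rowland and Michael describe, plus the check a practitioner would run before changing anything. It reads a constructed, ldbsearch-style export of users and groups (one `attribute: value` line per attribute, textual objectSid), resolves uidNumber for the user SID and gidNumber for the primary group SID derived from primaryGroupID, and fails the whole passwd lookup with NT_STATUS_NONE_MAPPED when either side is unmapped, which is exactly the case of a user whose primary group (Domain Users, RID 513) has no gidNumber. The domain SID, account names, RIDs and ids are made up for the example; the idmap range is Doug's `idmap config DSTRC:range = 500-40000`; the parser is deliberately simplified (one value per attribute).

```python
import re

# Constructed values: the domain SID is made up; the range is the member
# server's "idmap config DSTRC:range = 500-40000" from the thread.
DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"
IDMAP_RANGE = (500, 40000)

# Constructed ldbsearch-style export. doug's primary group is Domain Users
# (RID 513), which carries no gidNumber; alice and bob use "staff" (RID 1107),
# but bob's uidNumber lies outside the idmap range.
SAMPLE_LDIF = f"""\
dn: CN=doug,CN=Users,DC=example,DC=org
objectClass: user
sAMAccountName: doug
objectSid: {DOMAIN_SID}-1104
primaryGroupID: 513
uidNumber: 20001

dn: CN=alice,CN=Users,DC=example,DC=org
objectClass: user
sAMAccountName: alice
objectSid: {DOMAIN_SID}-1105
primaryGroupID: 1107
uidNumber: 20002

dn: CN=bob,CN=Users,DC=example,DC=org
objectClass: user
sAMAccountName: bob
objectSid: {DOMAIN_SID}-1106
primaryGroupID: 1107
uidNumber: 99999

dn: CN=Domain Users,CN=Users,DC=example,DC=org
objectClass: group
sAMAccountName: Domain Users
objectSid: {DOMAIN_SID}-513

dn: CN=staff,CN=Users,DC=example,DC=org
objectClass: group
sAMAccountName: staff
objectSid: {DOMAIN_SID}-1107
gidNumber: 4000
"""


def load_directory(text):
    """Parse 'attr: value' blocks separated by blank lines, keyed by objectSid.
    Simplified: one value per attribute (a repeated attribute keeps the last)."""
    directory = {}
    for block in re.split(r"\n\s*\n", text.strip()):
        entry = {}
        for line in block.splitlines():
            m = re.match(r"^([A-Za-z][\w-]*):\s*(.*)$", line)
            if m:
                entry[m.group(1)] = m.group(2)
        if "objectSid" in entry:
            directory[entry["objectSid"]] = entry
    return directory


def _mapped_id(entry, attr):
    """idmap_ad semantics: the id comes from the RFC2307 attribute and must
    fall inside the configured range, otherwise the SID stays unmapped."""
    if entry is None or attr not in entry:
        return None
    value = int(entry[attr])
    return value if IDMAP_RANGE[0] <= value <= IDMAP_RANGE[1] else None


def sid2uid(directory, sid):
    return _mapped_id(directory.get(sid), "uidNumber")


def sid2gid(directory, sid):
    return _mapped_id(directory.get(sid), "gidNumber")


def getpwnam(directory, name):
    """Model of winbindd_getpwnam: the user SID *and* the primary group SID
    (from primaryGroupID, not from group membership) must both map, or the
    lookup fails as a whole with NT_STATUS_NONE_MAPPED."""
    user = next((e for e in directory.values()
                 if e.get("objectClass") == "user" and e.get("sAMAccountName") == name), None)
    if user is None:
        return {"status": "NT_STATUS_NO_SUCH_USER"}
    group_sid = f"{DOMAIN_SID}-{user['primaryGroupID']}"
    uid, gid = sid2uid(directory, user["objectSid"]), sid2gid(directory, group_sid)
    if uid is None or gid is None:
        # the log names the *user* SID even when it was sid2gid that failed
        return {"status": "NT_STATUS_NONE_MAPPED", "sid": user["objectSid"],
                "uid": uid, "gid": gid, "primary_group_sid": group_sid}
    return {"status": "NT_STATUS_OK", "name": name, "uid": uid, "gid": gid}


def users_with_unmapped_primary_group(directory):
    """(user, primary group) pairs that will make 'getent passwd' draw a blank."""
    problems = []
    for e in directory.values():
        if e.get("objectClass") != "user":
            continue
        group_sid = f"{DOMAIN_SID}-{e['primaryGroupID']}"
        if sid2gid(directory, group_sid) is None:
            group = directory.get(group_sid, {})
            problems.append((e["sAMAccountName"], group.get("sAMAccountName", group_sid)))
    return problems


def with_gidnumber(directory, group_name, gid):
    """Copy of the directory with gidNumber set on one group: the fix from the thread."""
    fixed = {sid: dict(e) for sid, e in directory.items()}
    for e in fixed.values():
        if e.get("objectClass") == "group" and e.get("sAMAccountName") == group_name:
            e["gidNumber"] = str(gid)
    return fixed


if __name__ == "__main__":
    d = load_directory(SAMPLE_LDIF)
    print(getpwnam(d, "doug"))                   # NT_STATUS_NONE_MAPPED, gid None
    print(users_with_unmapped_primary_group(d))  # [('doug', 'Domain Users')]
    print(getpwnam(with_gidnumber(d, "Domain Users", 4001), "doug"))  # NT_STATUS_OK
```

Two things the model makes visible that the log line hides: the failure is reported against the user SID although it is the primary group that has no mapping, and an id that exists in AD but falls outside the backend's configured range is just as unmapped as a missing attribute. Running `users_with_unmapped_primary_group` over a real export of the users and groups (same `attribute: value` form) before editing smb.conf tells you whether the fix is in the directory rather than in winbind.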