Re: [Samba] wbinfo -u/-g/-n works, but not 'wbinfo -i' or 'id'


Adam Tauno Williams, Apr 14, 2015, 10:08:14 AM

On Thu, 2014-10-30 at 13:41 -0300, Horacio G. de Oro wrote:
> Hi! I'm trying to add a member to be used as fileserver, following the
> guides at:
> - https://wiki.samba.org/index.php/Setup_a_Samba_AD_Member_Server
> - https://wiki.samba.org/index.php/Using_RFC2307_on_a_Samba_DC
> The AD server has been in use for month, but I can't get user
> information from the new member. The new member was joined to the
> directory, and nsswitch was configured. Running 'id username' returns
> 'No such user'.
> Running 'wbinfo -u' and 'wbinfo -g', 'wbinfo -n username' and 'wbinfo
> --sid-to-uid' works OK. Also 'wbinfo --online-status' and 'wbinfo
> --ping-dc'
> But, when I try 'id username', or 'wbinfo -i username', it fails with
> WBC_ERR_DOMAIN_NOT_FOUND
> $ wbinfo -i username
> failed to call wbcGetpwnam: WBC_ERR_DOMAIN_NOT_FOUND
> Could not get info for user username
> $ wbinfo -n username
> S-1-5-21-3087569779-2873525441-767630994-1118 SID_USER (1)
> And using '--sid-to-uid' I got the UID:
> $ wbinfo --sid-to-uid S-1-5-21-3087569779-2873525441-767630994-1118
> 10000

I am experiencing much the same issue; wbinfo -u/-g works but getent
passwd/group only contains a very partial user list and querying a
specific user causes the WBC_ERR_DOMAIN_NOT_FOUND error. Although
otherwise the domain is functional and there are active workstations.

Did you ever identify a solution?

--
Adam Tauno Williams <mailto:awil...@whitemice.org> GPG D95ED383
Systems Administrator, Python Developer, LPI / NCLA

--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba

Rowland Penny, Apr 14, 2015, 10:22:01 AM

It should work, it sounds like a mis-configuration somewhere, can you
post the smb.conf, /etc/nsswitch.conf, /etc/resolv.conf and
/etc/krb5.conf from the member server.

Rowland

Adam Tauno Williams, Apr 14, 2015, 4:08:20 PM

"wbinfo -u" lists 415 lines

"getent passwd" returns 93 lines

A host configured to use nslcd and an LDAP directory returns 560 lines for
"getent passwd".

Samba on client is sernet-samba-4.1.17-11.el6.x86_64, AD DCs are all
sernet-samba-4.0.21-7.el6.x86_64

[root@barbel profiles]# wbinfo -i cleslie
failed to call wbcGetpwnam: WBC_ERR_WINBIND_NOT_AVAILABLE


/etc/samba/smb.conf
###################

idmap_ldb:use rfc2307 = yes
idmap config *:backend = tdb
idmap config *:range = 4000001-4999999
idmap config BACKBONE:backend = ad
idmap config BACKBONE:schema_mode = rfc2307
idmap config BACKBONE:range = 100-400000

winbind nss info = rfc2307
winbind trusted domains only = no
winbind use default domain = yes
winbind enum users = yes
winbind enum groups = yes
winbind refresh tickets = Yes
winbind expand groups = 4
winbind normalize names = Yes
domain master = no
local master = no
vfs objects = acl_xattr
map acl inherit = Yes
store dos attributes = Yes



Rowland Penny, Apr 14, 2015, 4:51:14 PM

Is this the smb.conf from the AD DC or the member server ?

If it is the latter, you don't need this: idmap_ldb:use rfc2307 = yes
It should only be on the DC.

wbinfo connects to the AD DC differently to the way getent does, so the
fact that another machine lists the users, shows that the backend is
setup correctly (unless nslcd is creating the IDs on the fly). winbind
relies on the uidNumber & gidNumber attributes being in smb.conf and the
attributes being inside the range you set in smb.conf '100-400000' (by
the way, you do know that this could pull in some of the local system
users).

What are the 'passwd' & 'group' lines in /etc/nsswitch.conf ?

What is in /etc/krb5.conf ?

What Kerberos have you got installed? (don't know if this makes any
difference, but would be good to know)

Does /etc/resolv.conf point to the samba4 AD DC ?

Can you 'kinit' as Administrator ?

and as a normal user?

finally, why 'whitemice' ???

Rowland

Adam Tauno Williams, Apr 15, 2015, 4:03:32 PM

Quoting Rowland Penny <rowlan...@googlemail.com>:

> Is this the smb.conf from the AD DC or the member server ?
> If it is the later, you don't need this : idmap_ldb:use rfc2307 = yes
> It should only be on the DC.

Removed that, it has no effect.

[root@test123 ~]# wbinfo -i steve
failed to call wbcGetpwnam: WBC_ERR_DOMAIN_NOT_FOUND
Could not get info for user steve
[root@test123 ~]# id steve
id: steve: No such user
[root@test123 ~]# wbinfo -u | grep steve
steve

> wbinfo connects to the AD DC differently to the way getent does, so
> the fact that another machine lists the users, shows that the
> backend is setup correctly (unless nslcd is creating the IDs on the
> fly). winbind relies on the uidNumber & gidNumber attributes being
> in smb.conf and the attributes being inside the range you set in
> smb.conf '100-400000' (by the way, you do know that this could pull
> in some of the local system users).

I'm aware of the overlap issues, this is an ancient site, all those
ids are managed.

> What are the 'passwd' & 'group' lines in /etc/nsswitch.conf ?


passwd: files winbind
group: files winbind

> What is in /etc/krb5.conf ?
> what kerberos have you got installed ? (don't know if this makes any
> difference, but would be good to know)

Kerberos works.

[root@test123 ~]# kinit ad...@MICORE.US
Password for ad...@MICORE.US:
[root@test123 ~]#

[root@test123 ~]# kinit Admini...@MICORE.US
Password for Admini...@MICORE.US:
Warning: Your password will expire in 147 days on Wed Sep 9 21:13:23 2015
[root@test123 ~

> Does /etc/resolv.conf point to the samba4 AD DC ?

Yes.

> Can you 'kinit' as Administrator ?
> and as a normal user?

See above.

> finally, why 'whitemice' ???

Long story. :)

Rowland Penny, Apr 15, 2015, 4:23:56 PM

Just had a thought, you say you set up the member server following this:

https://wiki.samba.org/index.php/Setup_a_Samba_AD_Member_Server

When did you follow this? I added a part about a missing pam config
file at the beginning of this month, the file is missing from the Debian
sernet packages, I wonder if the CentOS variant of the same file is also
missing from the sernet CentOS packages? Without the file the sernet
Debian packages don't seem to work as member server.

Rowland

Adam Tauno Williams, Apr 15, 2015, 4:28:30 PM

Quoting Adam Tauno Williams <awil...@whitemice.org>:
>>>> It should work, it sounds like a mis-configuration somewhere, can you
>>>> post the smb.conf, /etc/nsswitch.conf, /etc/resolv.conf and
>>>> /etc/krb5.conf from the member server.
>>> "wbinfo -u" lists 415 lines
>>> "getent passwd" returns 93 lines
>>> A host configured to use nslcd and LDAP directory returns 560 lines for
>>> "getent passwd".
>>> Samba on client is sernet-samba-4.1.17-11.el6.x86_64, AD DCs are all
>>> sernet-samba-4.0.21-7.el6.x86_64
>>> [root@barbel profiles]# wbinfo -i cleslie
>>> failed to call wbcGetpwnam: WBC_ERR_WINBIND_NOT_AVAILABLE
>> Is this the smb.conf from the AD DC or the member server ?
>> If it is the later, you don't need this : idmap_ldb:use rfc2307 = yes
>> It should only be on the DC.
>
> Removed that, it has no effect.
>
> [root@test123 ~]# wbinfo -i steve
> failed to call wbcGetpwnam: WBC_ERR_DOMAIN_NOT_FOUND
> Could not get info for user steve
> [root@test123 ~]# id steve
> id: steve: No such user
> [root@test123 ~]# wbinfo -u | grep steve
> steve

Here is a debug level 10 from winbind when making the wbinfo -i request

[2015/04/15 16:22:19.609439, 5, pid=9576, effective(0, 0), real(0, 0)]
../source3/libads/ldap.c:270(ads_try_connect)
ads_try_connect: sending CLDAP request to 192.168.1.79 (realm: micore.us)
[2015/04/15 16:22:19.613245, 1, pid=9576, effective(0, 0), real(0,
0)] ../librpc/ndr/ndr.c:296(ndr_print_debug)
&response->data.nt5_ex: struct NETLOGON_SAM_LOGON_RESPONSE_EX
command : LOGON_SAM_LOGON_RESPONSE_EX (23)
sbz : 0x0000 (0)
server_type : 0x000003fc (1020)
0: NBT_SERVER_PDC
1: NBT_SERVER_GC
1: NBT_SERVER_LDAP
1: NBT_SERVER_DS
1: NBT_SERVER_KDC
1: NBT_SERVER_TIMESERV
1: NBT_SERVER_CLOSEST
1: NBT_SERVER_WRITABLE
1: NBT_SERVER_GOOD_TIMESERV
0: NBT_SERVER_NDNC
0: NBT_SERVER_SELECT_SECRET_DOMAIN_6
0: NBT_SERVER_FULL_SECRET_DOMAIN_6
0: NBT_SERVER_ADS_WEB_SERVICE
0: NBT_SERVER_HAS_DNS_NAME
0: NBT_SERVER_IS_DEFAULT_NC
0: NBT_SERVER_FOREST_ROOT
domain_uuid : abebb63d-5fea-41fa-a061-36136b10964f
forest : 'micore.us'
dns_domain : 'micore.us'
pdc_dns_name : 'larkin28.micore.us'
domain_name : 'BACKBONE'
pdc_name : 'LARKIN28'
user_name : ''
server_site : 'Default-First-Site-Name'
client_site : 'Default-First-Site-Name'
sockaddr_size : 0x00 (0)
sockaddr: struct nbt_sockaddr
sockaddr_family : 0x00000000 (0)
pdc_ip : (null)
remaining : DATA_BLOB length=0
next_closest_site : NULL
nt_version : 0x00000005 (5)
1: NETLOGON_NT_VERSION_1
0: NETLOGON_NT_VERSION_5
1: NETLOGON_NT_VERSION_5EX
0: NETLOGON_NT_VERSION_5EX_WITH_IP
0: NETLOGON_NT_VERSION_WITH_CLOSEST_SITE
0: NETLOGON_NT_VERSION_AVOID_NT4EMUL
0: NETLOGON_NT_VERSION_PDC
0: NETLOGON_NT_VERSION_IP
0: NETLOGON_NT_VERSION_LOCAL
0: NETLOGON_NT_VERSION_GC
lmnt_token : 0xffff (65535)
lm20_token : 0xffff (65535)
[2015/04/15 16:22:19.614906, 10, pid=9576, effective(0, 0), real(0,
0)] ../source3/libads/sitename_cache.c:70(sitename_store)
sitename_store: realm = [BACKBONE], sitename =
[Default-First-Site-Name], expire = [2085923199]
[2015/04/15 16:22:19.615117, 10, pid=9576, effective(0, 0), real(0,
0), class=tdb] ../source3/lib/gencache.c:275(gencache_set_data_blob)
Did not store value for AD_SITENAME/DOMAIN/BACKBONE, we already got it
[2015/04/15 16:22:19.615196, 10, pid=9576, effective(0, 0), real(0,
0)] ../source3/libads/sitename_cache.c:70(sitename_store)
sitename_store: realm = [micore.us], sitename =
[Default-First-Site-Name], expire = [2085923199]
[2015/04/15 16:22:19.615275, 10, pid=9576, effective(0, 0), real(0,
0), class=tdb] ../source3/lib/gencache.c:275(gencache_set_data_blob)
Did not store value for AD_SITENAME/DOMAIN/MICORE.US, we already got it
[2015/04/15 16:22:19.615373, 3, pid=9576, effective(0, 0), real(0,
0)] ../source3/libads/ldap.c:680(ads_connect)
Successfully contacted LDAP server 192.168.1.79
[2015/04/15 16:22:19.615457, 10, pid=9576, effective(0, 0), real(0,
0)] ../source3/libads/ldap.c:70(ldap_open_with_timeout)
Opening connection to LDAP server 'larkin28.micore.us:389', timeout
15 seconds
[2015/04/15 16:22:19.616733, 10, pid=9576, effective(0, 0), real(0,
0)] ../source3/libads/ldap.c:118(ldap_open_with_timeout)
Connected to LDAP server 'larkin28.micore.us:389'
[2015/04/15 16:22:19.616830, 3, pid=9576, effective(0, 0), real(0,
0)] ../source3/libads/ldap.c:723(ads_connect)
Connected to LDAP server larkin28.micore.us
[2015/04/15 16:22:19.616903, 10, pid=9576, effective(0, 0), real(0,
0)] ../source3/libads/ldap.c:222(ads_closest_dc)
ads_closest_dc: NBT_SERVER_CLOSEST flag set
[2015/04/15 16:22:19.617083, 10, pid=9576, effective(0, 0), real(0,
0)] ../source3/libsmb/namequery.c:86(saf_store)
saf_store: domain = [BACKBONE], server = [larkin28.micore.us],
expire = [1429130239]
[2015/04/15 16:22:19.617169, 10, pid=9576, effective(0, 0), real(0,
0), class=tdb] ../source3/lib/gencache.c:275(gencache_set_data_blob)
Did not store value for SAF/DOMAIN/BACKBONE, we already got it
[2015/04/15 16:22:19.617268, 10, pid=9576, effective(0, 0), real(0,
0)] ../source3/libsmb/namequery.c:86(saf_store)
saf_store: domain = [micore.us], server = [larkin28.micore.us],
expire = [1429130239]
[2015/04/15 16:22:19.617377, 10, pid=9576, effective(0, 0), real(0,
0), class=tdb] ../source3/lib/gencache.c:275(gencache_set_data_blob)
Did not store value for SAF/DOMAIN/MICORE.US, we already got it
[2015/04/15 16:22:19.623553, 4, pid=9576, effective(0, 0), real(0,
0)] ../source3/libads/ldap.c:3002(ads_current_time)
KDC time offset is 0 seconds
[2015/04/15 16:22:19.624101, 4, pid=9576, effective(0, 0), real(0,
0)] ../source3/libads/sasl.c:1312(ads_sasl_bind)
Found SASL mechanism GSS-SPNEGO
[2015/04/15 16:22:19.625174, 3, pid=9576, effective(0, 0), real(0,
0)] ../source3/libads/sasl.c:963(ads_sasl_spnego_bind)
ads_sasl_spnego_bind: got OID=1.2.840.48018.1.2.2
[2015/04/15 16:22:19.625274, 3, pid=9576, effective(0, 0), real(0,
0)] ../source3/libads/sasl.c:963(ads_sasl_spnego_bind)
ads_sasl_spnego_bind: got OID=1.2.840.113554.1.2.2
[2015/04/15 16:22:19.625345, 3, pid=9576, effective(0, 0), real(0,
0)] ../source3/libads/sasl.c:963(ads_sasl_spnego_bind)
ads_sasl_spnego_bind: got OID=1.3.6.1.4.1.311.2.2.10
[2015/04/15 16:22:19.625415, 3, pid=9576, effective(0, 0), real(0,
0)] ../source3/libads/sasl.c:972(ads_sasl_spnego_bind)
ads_sasl_spnego_bind: got server principal name =
not_defined_in_RFC4178@please_ignore
[2015/04/15 16:22:19.625600, 3, pid=9576, effective(0, 0), real(0,
0)] ../lib/krb5_wrap/krb5_samba.c:266(ads_cleanup_expired_creds)
ads_cleanup_expired_creds: Ticket in ccache[MEMORY:winbind_ccache]
expiration Thu, 16 Apr 2015 02:22:19 EDT
[2015/04/15 16:22:19.625695, 10, pid=9576, effective(0, 0), real(0,
0)] ../lib/krb5_wrap/krb5_samba.c:533(ads_krb5_mk_req)
ads_krb5_mk_req: Ticket (ldap/larkin28....@MICORE.US) in
ccache (MEMORY:winbind_ccache) is valid until: (Thu, 16 Apr 2015
02:22:19 EDT - 1429165339)
[2015/04/15 16:22:19.625841, 10, pid=9576, effective(0, 0), real(0,
0)] ../lib/krb5_wrap/krb5_samba.c:776(get_krb5_smb_session_key)
Got KRB5 session key of length 16
[2015/04/15 16:22:19.633477, 10, pid=9576, effective(0, 0), real(0,
0)] ../source3/libads/ldap_schema.c:231(ads_check_posix_schema_mapping)
ads_check_posix_schema_mapping for schema mode: 3
[2015/04/15 16:22:19.725986, 5, pid=9576, effective(0, 0), real(0,
0)] ../source3/libads/ldap_utils.c:81(ads_do_search_retry_internal)
Search for
(|(attributeId=1.3.6.1.1.1.1.0)(attributeId=1.3.6.1.1.1.1.1)(attributeId=1.3.6.1.1.1.1.3)(attributeId=1.3.6.1.1.1.1.4)(attributeId=1.3.6.1.1.1.1.2)(attributeId=0.9.2342.19200300.100.1.1)) in <CN=Schema,CN=Configuration,DC=micore,DC=us> gave 6
replies
OID 1.3.6.1.1.1.1.0 has name: uidNumber
OID 1.3.6.1.1.1.1.1 has name: gidNumber
OID 0.9.2342.19200300.100.1.1 has name: uid
OID 1.3.6.1.1.1.1.3 has name: unixHomeDirectory
OID 1.3.6.1.1.1.1.2 has name: gecos
OID 1.3.6.1.1.1.1.4 has name: loginShell
[2015/04/15 16:22:19.870445, 5, pid=9576, effective(0, 0), real(0,
0)] ../source3/libads/ldap_utils.c:81(ads_do_search_retry_internal)
Search for (uid=steve) in <dc=MICORE,dc=US> gave 0 replies
[2015/04/15 16:22:19.870701, 5, pid=9576, effective(0, 0), real(0,
0), class=winbind]
../source3/winbindd/winbindd_cache.c:1272(resolve_alias_to_username)
resolve_alias_to_username: backend query returned
NT_STATUS_OBJECT_NAME_NOT_FOUND
[2015/04/15 16:22:19.871341, 1, pid=9576, effective(0, 0), real(0,
0)] ../librpc/ndr/ndr.c:333(ndr_print_function_debug)
wbint_LookupName: struct wbint_LookupName
in: struct wbint_LookupName
domain : *
domain : 'BACKBONE'
name : *
name : 'STEVE'
flags : 0x00000008 (8)
[2015/04/15 16:22:19.918433, 1, pid=9576, effective(0, 0), real(0,
0)] ../librpc/ndr/ndr.c:333(ndr_print_function_debug)
wbint_LookupName: struct wbint_LookupName
out: struct wbint_LookupName
type : *
type : SID_NAME_USER (1)
sid : *
sid :
S-1-5-21-***REPLACE-DDOMAINSID-WITHTHIS*-1406
result : NT_STATUS_OK
[2015/04/15 16:22:19.918869, 1, pid=9576, effective(0, 0), real(0,
0)] ../librpc/ndr/ndr.c:333(ndr_print_function_debug)
wbint_QueryUser: struct wbint_QueryUser
in: struct wbint_QueryUser
sid : *
sid :
S-1-5-21-***REPLACE-DDOMAINSID-WITHTHIS*-1406
[2015/04/15 16:22:20.124117, 1, pid=9576, effective(0, 0), real(0,
0)] ../librpc/ndr/ndr.c:333(ndr_print_function_debug)
wbint_QueryUser: struct wbint_QueryUser
out: struct wbint_QueryUser
info : *
info: struct wbint_userinfo
acct_name : *
acct_name : 'steve'
full_name : *
full_name : 'steve'
homedir : *
homedir : '/home/steve'
shell : *
shell : '/bin/ksh'
primary_gid : 0x00000000000000e6 (230)
user_sid :
S-1-5-21-***REPLACE-DDOMAINSID-WITHTHIS*-1406
group_sid :
S-1-5-21-***REPLACE-DDOMAINSID-WITHTHIS*-513
result : NT_STATUS_OK
[2015/04/15 16:22:20.124742, 10, pid=9576, effective(0, 0), real(0,
0), class=winbind]
../source3/winbindd/wb_sids2xids.c:109(wb_sids2xids_send)
SID 0: S-1-5-21-***REPLACE-DDOMAINSID-WITHTHIS*-1406
[2015/04/15 16:22:20.124897, 10, pid=9576, effective(0, 0), real(0,
0)] ../source3/lib/idmap_cache.c:56(idmap_cache_find_sid2unixid)
Parsing value for key
[IDMAP/SID2XID/S-1-5-21-***REPLACE-DDOMAINSID-WITHTHIS*-1406]:
value=[203:U]
[2015/04/15 16:22:20.125024, 10, pid=9576, effective(0, 0), real(0,
0)] ../source3/lib/idmap_cache.c:75(idmap_cache_find_sid2unixid)
Parsing value for key
[IDMAP/SID2XID/S-1-5-21-***REPLACE-DDOMAINSID-WITHTHIS*-1406]:
id=[203], endptr=[:U]
[2015/04/15 16:22:20.125185, 10, pid=9576, effective(0, 0), real(0,
0), class=winbind]
../source3/winbindd/winbindd_util.c:791(find_lookup_domain_from_sid)
find_lookup_domain_from_sid(S-1-5-21-***REPLACE-DDOMAINSID-WITHTHIS*-513)
[2015/04/15 16:22:20.125326, 10, pid=9576, effective(0, 0), real(0,
0), class=winbind]
../source3/winbindd/winbindd_util.c:801(find_lookup_domain_from_sid)
calling find_our_domain
[2015/04/15 16:22:20.125420, 1, pid=9576, effective(0, 0), real(0,
0)] ../librpc/ndr/ndr.c:333(ndr_print_function_debug)
wbint_LookupSid: struct wbint_LookupSid
in: struct wbint_LookupSid
sid : *
sid :
S-1-5-21-***REPLACE-DDOMAINSID-WITHTHIS*-513
[2015/04/15 16:22:20.139329, 1, pid=9576, effective(0, 0), real(0,
0)] ../librpc/ndr/ndr.c:333(ndr_print_function_debug)
wbint_LookupSid: struct wbint_LookupSid
out: struct wbint_LookupSid
type : *
type : SID_NAME_DOM_GRP (2)
domain : *
domain : *
domain : 'BACKBONE'
name : *
name : *
name : 'Domain_Users'
result : NT_STATUS_OK
[2015/04/15 16:22:20.139720, 10, pid=9576, effective(0, 0), real(0,
0), class=winbind]
../source3/winbindd/wb_sids2xids.c:109(wb_sids2xids_send)
SID 0: S-1-5-21-***REPLACE-DDOMAINSID-WITHTHIS*-513
[2015/04/15 16:22:20.139826, 10, pid=9576, effective(0, 0), real(0,
0)] ../source3/lib/idmap_cache.c:56(idmap_cache_find_sid2unixid)
Parsing value for key
[IDMAP/SID2XID/S-1-5-21-***REPLACE-DDOMAINSID-WITHTHIS*-513]:
value=[-1:N]
[2015/04/15 16:22:20.139900, 10, pid=9576, effective(0, 0), real(0,
0)] ../source3/lib/idmap_cache.c:75(idmap_cache_find_sid2unixid)
Parsing value for key
[IDMAP/SID2XID/S-1-5-21-***REPLACE-DDOMAINSID-WITHTHIS*-513]:
id=[4294967295], endptr=[:N]
[2015/04/15 16:22:20.140053, 5, pid=9576, effective(0, 0), real(0,
0), class=winbind]
../source3/winbindd/winbindd_getpwnam.c:137(winbindd_getpwnam_recv)
Could not convert sid
S-1-5-21-***REPLACE-DDOMAINSID-WITHTHIS*-1406: NT_STATUS_NONE_MAPPED
[2015/04/15 16:22:20.140166, 10, pid=9576, effective(0, 0), real(0,
0), class=winbind] ../source3/winbindd/winbindd.c:755(wb_request_done)
wb_request_done[9584:GETPWNAM]: NT_STATUS_NONE_MAPPED
[2015/04/15 16:22:20.142258, 10, pid=9576, effective(0, 0), real(0,
0), class=winbind]
../source3/winbindd/winbindd.c:816(winbind_client_response_written)
winbind_client_response_written[9584:GETPWNAM]: delivered response to client
[2015/04/15 16:22:20.142450, 6, pid=9576, effective(0, 0), real(0,
0), class=winbind]
../source3/winbindd/winbindd.c:918(winbind_client_request_read)

Rowland Penny, Apr 16, 2015, 6:28:45 AM

OK, this was bugging me, so I set up CentOS 6.6 in a VM (by the way,
this wasn't easy, who decided it was a good idea to introduce the 'URL'
option?)

I then installed the sernet samba packages, set up smb.conf:

[global]
workgroup = EXAMPLE
security = ADS
realm = EXAMPLE.COM
dedicated keytab file = /etc/krb5.keytab
kerberos method = secrets and keytab
server string = Samba 4 Client %h
winbind enum users = yes
winbind enum groups = yes
winbind use default domain = yes
winbind expand groups = 4
winbind nss info = rfc2307
winbind refresh tickets = Yes
winbind offline logon = yes
winbind normalize names = Yes
idmap config * : backend = tdb
idmap config * : range = 2000-9999
idmap config EXAMPLE : backend = ad
idmap config EXAMPLE : range = 10000-999999
idmap config EXAMPLE : schema_mode = rfc2307
printcap name = cups
cups options = raw
usershare allow guests = yes
domain master = no
local master = no
map to guest = bad user
username map = /etc/samba/user.map
vfs objects = acl_xattr
map acl inherit = Yes
store dos attributes = Yes

Created the user.map file

!root = EXAMPLE\Administrator EXAMPLE\administrator Administrator administrator

changed /etc/krb5.conf

[libdefaults]
default_realm = EXAMPLE.COM
dns_lookup_realm = false
dns_lookup_kdc = true

changed /etc/default/sernet-samba to allow samba to start.

joined the domain

[root@centos6 ~]# net ads join -U Administrator
Enter Administrator's password:
Using short domain name -- EXAMPLE
Joined 'CENTOS6' to dns domain 'example.com'

alter /etc/nsswitch.conf

Change:

passwd: files
shadow: files
group: files

To:

passwd: files winbind
shadow: files
group: files winbind

start the three daemons

service sernet-samba-nmbd start
service sernet-samba-smbd start
service sernet-samba-winbindd start

Only problem was that 'nmbd' wouldn't start!

Apr 16 09:04:57 centos6 nmbd[13351]: [2015/04/16 09:04:57.586200, 0]
../lib/util/pidfile.c:117(pidfile_create)
Apr 16 09:04:57 centos6 nmbd[13351]: ERROR: can't open
/var/run/samba/nmbd.pid: Error was Permission denied

Quick check in /var/log/audit/audit.log proved what I thought, selinux
wasn't allowing 'nmbd' to write its PID, why it allows 'smbd' to write
its PID but not 'nmbd', beats me.

Put selinux into permissive mode and 'nmbd' now starts, I now ran
'getent passwd' and got all my domain users.

Further checking on one user.

[root@centos6 ~]# id rowland
uid=10000(rowland) gid=10000(domain_users)
groups=10000(domain_users),10001(administration),10002(domain_admins),2001(BUILTIN\users),2000(BUILTIN\administrators)
[root@centos6 ~]# wbinfo -i rowland
rowland:*:10000:10000:Rowland Penny:/home/rowland:/bin/bash
[root@centos6 ~]# wbinfo -n rowland
S-1-5-21-XXXXXXXXXX-XXXXXXXXXX-XXXXXXXXXX-1106 SID_USER (1)
[root@centos6 ~]# getent passwd rowland
rowland:*:10000:10000:Rowland Penny:/home/rowland:/bin/bash

So, it seems that it does work if you turn off selinux.

Rowland
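Rowland got nmbd running by putting SELinux into permissive mode. The usual alternative is to read the AVC records behind the "Permission denied" and fix what they point at, without leaving enforcing mode. The script below is an added example, not code from the thread or from Samba: it parses constructed audit.log lines (the first record is modelled on the nmbd PID-file denial Rowland describes, it is not his actual log line) and sorts each denial into "relabel" (the target carries a generic type such as var_run_t, so restorecon against the shipped file contexts is the first thing to try), "boolean" or "policy". The GENERIC_TYPES set and the boolean rule are assumptions about the distribution's policy, not something the thread states.

```python
"""Triage SELinux AVC denials instead of switching the box to permissive mode."""
import re

# Constructed audit.log excerpt (not from the thread). The first record has the
# shape of the nmbd PID-file denial discussed above; the second is a different
# denial kind for contrast.
AUDIT_LOG = """\
type=AVC msg=audit(1429189497.586:231): avc:  denied  { write } for  pid=13351 comm="nmbd" name="samba" dev=dm-0 ino=262913 scontext=unconfined_u:system_r:nmbd_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=dir
type=SYSCALL msg=audit(1429189497.586:231): arch=c000003e syscall=2 success=no exit=-13 comm="nmbd" exe="/usr/sbin/nmbd"
type=AVC msg=audit(1429189530.004:240): avc:  denied  { read } for  pid=13360 comm="smbd" name="profiles" dev=dm-0 ino=131077 scontext=system_u:system_r:smbd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=dir
"""

AVC_RE = re.compile(r"^type=AVC .*?avc:\s+denied\s+\{ (?P<perms>[^}]+)\} for\s+(?P<rest>.*)$")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Assumption, not from the thread: a target carrying one of these generic types
# usually never received the daemon's own label (created by hand or by a package
# script), so restorecon with the shipped file contexts is the first fix to try.
GENERIC_TYPES = {"var_run_t", "var_t", "var_lib_t", "tmp_t", "etc_t", "usr_t",
                 "default_t", "unlabeled_t"}


def parse_avc(log_text):
    """Turn each type=AVC line into a dict of the fields that decide the fix."""
    records = []
    for line in log_text.splitlines():
        m = AVC_RE.match(line)
        if not m:
            continue
        kv = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
        records.append({
            "perms": m.group("perms").split(),
            "comm": kv.get("comm"),
            "name": kv.get("name"),
            "tclass": kv.get("tclass"),
            "source_type": kv["scontext"].split(":")[2],
            "target_type": kv["tcontext"].split(":")[2],
        })
    return records


def triage(record):
    """Classify one denial as 'relabel', 'boolean' or 'policy' (assumed heuristic)."""
    if record["target_type"] in GENERIC_TYPES:
        return "relabel"   # restorecon -Rv on the object's directory
    if record["source_type"] == "smbd_t" and record["target_type"] == "user_home_t":
        return "boolean"   # a samba_* boolean covers home directories
    return "policy"        # audit2allow -a -M local, then read the .te before loading it


if __name__ == "__main__":
    for rec in parse_avc(AUDIT_LOG):
        print(f"{rec['comm']} {rec['perms']} {rec['tclass']} '{rec['name']}' "
              f"{rec['source_type']} -> {rec['target_type']}: {triage(rec)}")
```

On a real system, feed it the output of `ausearch -m avc -ts recent`. Each denial names the process, the object, both labels and the permission, which is exactly what is needed to choose between restorecon, a boolean and a local policy module; none of those choices requires permissive mode, and permissive mode also silences every other denial on the host.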

Horacio G. de Oro, Apr 20, 2015, 5:28:22 AM

On Tue, Apr 14, 2015 at 10:59 AM, Adam Tauno Williams
<awil...@whitemice.org> wrote:
>
> I am experiencing much the same issue; wbinfo -u/-g works but getent
> passwd/group only contains a very partial user list and querying a
> specific user causes the WBC_ERR_DOMAIN_NOT_FOUND error. Although
> otherwise the domain is functional and there are active workstations.
>
> Did you every identify a solution?
>

We solved that by setting the GID of the AD users (setting the UIDs
didn't solve that... you need to set the GID too). See [1].

Just FYI: another BIG issue we had was modifications of groups requiring too
much time to propagate to fileservers (from minutes to hours). The only
workaround I've found to that issue is [2]. We are using Samba 4.1 now.

Regards,
Horacio


[1] https://wiki.samba.org/index.php/Using_RFC2307_on_a_Samba_DC#Using_ADUC_to_set_Unix_Attributes_on_a_user_account
[2] https://lists.samba.org/archive/samba/2014-October/185604.html

--

Horacio G. de Oro

Email: hgd...@gmail.com
Web: http://www.data-tsunami.com/english/
Cel: +54 9 3572 525359
LinkedIn: https://www.linkedin.com/in/hgdeoro

Linux Sysadmin - Python/Java Web Developer - DevOps - Big Data
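Rowland's reply (uidNumber and gidNumber must exist and fall inside the idmap range, and a range starting at 100 can overlap local system accounts), the debug trace (the user SID maps to 203, but the primary group SID ending in -513 comes back as -1:N, so getpwnam ends in NT_STATUS_NONE_MAPPED) and Horacio's fix (set the GID as well as the UID) all describe the same failure. The script below is an added example, not code from the thread or from Samba: it reads idmap ranges from a constructed smb.conf, walks a constructed set of AD objects (the attributes an ldbsearch export would show) and reports every user that winbind's ad backend would refuse to map, plus local /etc/passwd entries that fall inside the AD range. Every name, SID and number in it is constructed.

```python
"""Offline check for the failure in this thread: wbinfo -n / --sid-to-uid work but
wbinfo -i / id fail, because winbind's ad idmap backend needs both the user's
uidNumber and the primary group's gidNumber, each inside the configured range."""
import re
from collections import namedtuple

Finding = namedtuple("Finding", "account problem")

# Constructed member-server smb.conf fragment (same shape as the one in the thread).
SMB_CONF = """\
[global]
   workgroup = BACKBONE
   idmap config * : backend = tdb
   idmap config * : range = 4000001-4999999
   idmap config BACKBONE:backend = ad
   idmap config BACKBONE:schema_mode = rfc2307
   idmap config BACKBONE:range = 100-400000
"""

# Constructed /etc/passwd excerpt from the member server.
LOCAL_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:2:2:daemon:/sbin:/sbin/nologin
nobody:x:99:99:Nobody:/:/sbin/nologin
backup:x:203:203:Backup operator:/var/backups:/sbin/nologin
"""

# Constructed AD objects with the attributes an ldbsearch export would show.
AD_OBJECTS = [
    {"objectClass": "group", "sAMAccountName": "Domain Users",
     "objectSid": "S-1-5-21-1111-2222-3333-513"},                       # no gidNumber
    {"objectClass": "group", "sAMAccountName": "devs",
     "objectSid": "S-1-5-21-1111-2222-3333-10000", "gidNumber": "10000"},
    {"objectClass": "user", "sAMAccountName": "steve",
     "objectSid": "S-1-5-21-1111-2222-3333-1406", "primaryGroupID": "513",
     "uidNumber": "203", "gidNumber": "230"},                           # like the trace
    {"objectClass": "user", "sAMAccountName": "rowland",
     "objectSid": "S-1-5-21-1111-2222-3333-1106", "primaryGroupID": "10000",
     "uidNumber": "10000", "gidNumber": "10000"},                       # fully mapped
    {"objectClass": "user", "sAMAccountName": "svc_backup",
     "objectSid": "S-1-5-21-1111-2222-3333-1500", "primaryGroupID": "10000",
     "uidNumber": "999999", "gidNumber": "10000"},                      # uid out of range
    {"objectClass": "user", "sAMAccountName": "newhire",
     "objectSid": "S-1-5-21-1111-2222-3333-1501", "primaryGroupID": "513"},  # no uidNumber
]

IDMAP_RANGE_RE = re.compile(
    r"^\s*idmap\s+config\s+([^:\s]+)\s*:\s*range\s*=\s*(\d+)\s*-\s*(\d+)", re.I)


def parse_idmap_ranges(smb_conf):
    """Return {DOMAIN: (low, high)} for every 'idmap config X : range' line."""
    ranges = {}
    for line in smb_conf.splitlines():
        m = IDMAP_RANGE_RE.match(line)
        if m:
            ranges[m.group(1).upper()] = (int(m.group(2)), int(m.group(3)))
    return ranges


def rid_of(sid):
    return sid.rsplit("-", 1)[1]


def check_user(user, groups_by_rid, low, high):
    """Return the findings that would make winbind's getpwnam fail for this user."""
    name, out = user["sAMAccountName"], []
    uid = user.get("uidNumber")
    if uid is None:
        out.append(Finding(name, "no uidNumber, so idmap_ad cannot map the user SID"))
    elif not low <= int(uid) <= high:
        out.append(Finding(name, f"uidNumber {uid} is outside the idmap range {low}-{high}"))
    group = groups_by_rid.get(user.get("primaryGroupID"))
    if group is None:
        out.append(Finding(name, f"primary group RID {user.get('primaryGroupID')} not found"))
        return out
    gid = group.get("gidNumber")
    if gid is None:
        out.append(Finding(name, f"primary group '{group['sAMAccountName']}' has no gidNumber, "
                                 "so its SID maps to -1 and getpwnam ends in NONE_MAPPED"))
    elif not low <= int(gid) <= high:
        out.append(Finding(name, f"primary group '{group['sAMAccountName']}' gidNumber {gid} "
                                 f"is outside the idmap range {low}-{high}"))
    return out


def diagnose(smb_conf, domain, ad_objects):
    """All findings for every user object, using the domain's configured range."""
    low, high = parse_idmap_ranges(smb_conf)[domain.upper()]
    groups_by_rid = {rid_of(o["objectSid"]): o for o in ad_objects if o["objectClass"] == "group"}
    findings = []
    for obj in ad_objects:
        if obj["objectClass"] == "user":
            findings.extend(check_user(obj, groups_by_rid, low, high))
    return findings


def local_collisions(smb_conf, domain, passwd_text, ad_objects):
    """Local accounts whose uid lies inside the AD range, with the AD user (if any)
    already holding that number: on disk the two are one and the same identity."""
    low, high = parse_idmap_ranges(smb_conf)[domain.upper()]
    ad_by_uid = {o.get("uidNumber"): o["sAMAccountName"]
                 for o in ad_objects if o["objectClass"] == "user"}
    hits = []
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) >= 7 and low <= int(fields[2]) <= high:
            hits.append((fields[0], int(fields[2]), ad_by_uid.get(fields[2])))
    return hits


if __name__ == "__main__":
    for f in diagnose(SMB_CONF, "BACKBONE", AD_OBJECTS):
        print(f"{f.account}: {f.problem}")
    for local, uid, ad_user in local_collisions(SMB_CONF, "BACKBONE", LOCAL_PASSWD, AD_OBJECTS):
        print(f"local '{local}' uid {uid} is inside the AD range (AD user: {ad_user})")
```

Feed it the member server's real smb.conf and an ldbsearch export of users and groups carrying objectSid, primaryGroupID, uidNumber and gidNumber. The "Domain Users has no gidNumber" finding is the one Horacio's fix addresses; the collision between a local account and an AD user sharing uid 203 is the overlap Rowland warned about, and it is worth resolving before the share goes live because file ownership cannot tell the two apart.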