[Samba] winbind and getent again

Victor Mataré matare at lih.rwth-aachen.de
Wed Nov 2 15:56:41 MDT 2011


On Wednesday, 02.11.2011 13:04:00 Gaiseric Vandal wrote:
> Does it work if you explicitly state a domain user?
> e.g.
>      getent passwd "TRUSTEDOMAIN\someuser"

Ok, that actually does work. But...

> 
> I have the same symptom on my system-  I don't think it actually breaks
> anything.


I'm suspecting it breaks rpc.idmapd (NFS4). However NFS4 has always been kind 
of complex and fragile, so it might in fact have some other cause. Anyways, 
rpc.idmapd maps all domain groups to nobody, so it must be having some trouble 
with them. Can anybody confirm that rpc.idmapd correctly resolves domain 
groups from nss_winbind when getent group does not work?

> 
> On 11/02/2011 12:26 PM, Victor Mataré wrote:
> > Hi everyone,
> > 
> > I'm trying to use winbind as nsswitch module on a domain member against
> > a samba PDC, and it used to work fine with samba 3.4. But now after
> > upgrading to 3.5.11, getent group/passwd don't show domain users/groups
> > anymore. However wbinfo -g and wbinfo -u work as expected. Also:
> > 
> > # wbinfo -i matare
> > matare:*:50011:50000:Victor Mataré:/home/SGI/matare:/bin/false
> > # wbinfo -U 50011
> > S-1-5-21-154097467-3372353439-1977514440-3032
> > # wbinfo -G 50000
> > S-1-5-21-154097467-3372353439-1977514440-513
> > # wbinfo -s S-1-5-21-154097467-3372353439-1977514440-3032
> > SGI\matare 1
> > # wbinfo -s S-1-5-21-154097467-3372353439-1977514440-513
> > SGI\Domain Users 2
> > 
> > But getent passwd/group shows only local users. My smb.conf on the
> > member looks like this:
> > 
> > [global]
> >          workgroup = SGI
> >          server string = Auerhahn
> >          security = domain
> >          password server = BUSSARD GIRLITZ
> >          log file = /var/log/samba/log.%m
> >          log level = 2 winbind:10
> >          max log size = 50
> >          winbind expand groups = 4
> >          winbind nested groups = yes
> >          winbind enum groups = yes
> >          winbind enum users = yes
> >          idmap uid = 50000-500000
> >          idmap gid = 50000-500000
> >          winbind use default domain = yes
> >          idmap config SGI:range = 50000-500000
> > 
> > I really don't see the problem the nss_winbind module might be having:
> > 
> > # strace -e trace=file getent group
> > execve("/usr/bin/getent", ["getent", "group"], [/* 40 vars */]) = 0
> > access("/etc/ld.so.preload", R_OK)      = -1 ENOENT (No such file or directory)
> > open("/etc/ld.so.cache", O_RDONLY)      = 3
> > open("/lib64/libc.so.6", O_RDONLY)      = 3
> > open("/usr/lib64/locale/locale-archive", O_RDONLY) = 3
> > open("/etc/nsswitch.conf", O_RDONLY)    = 3
> > open("/etc/ld.so.cache", O_RDONLY)      = 3
> > open("/lib64/libnss_files.so.2", O_RDONLY) = 3
> > open("/etc/group", O_RDONLY|O_CLOEXEC)  = 3
> > root:x:0:root
> > bin:x:1:root,bin,daemon
> > [... prints local UNIX groups ...]
> > postgres:x:70:

> > open("/etc/ld.so.cache", O_RDONLY)      = 4
> > open("/lib64/libnss_winbind.so.2", O_RDONLY) = 4
> > lstat("/tmp/.winbindd", {st_mode=S_IFDIR|0755, st_size=96, ...}) = 0
> > lstat("/tmp/.winbindd/pipe", {st_mode=S_IFSOCK|0777, st_size=0, ...}) = 0
> > lstat("/var/cache/samba/winbindd_privileged", {st_mode=S_IFDIR|0750, st_size=96, ...}) = 0
> > lstat("/var/cache/samba/winbindd_privileged/pipe", {st_mode=S_IFSOCK|0777, st_size=0, ...}) = 0
> > 
> > And that's it. I also can't make out any error message in the logs, not
> > even with log level 10. On the PDC and BDC, getent group works
> > perfectly (also both via nss_winbind). Seriously, I'm out of ideas. Any
> > pointer is greatly appreciated.
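
The thread separates two NSS paths: enumeration (`getent group`) and lookup by name (`getent group NAME`). The following is an added example, not part of the original message or of Samba: it sorts every group that `wbinfo -g` reports into enumerated, resolvable only by name, or unresolved. The sample data is constructed, and the script assumes `wbinfo -g` and `getent` print group names in the same form (as with `winbind use default domain = yes`), compared case-insensitively.

```python
import subprocess

# Constructed sample data modelled on the thread (not captured from a real host).
SAMPLE_WBINFO_G = "Domain Users\nDomain Admins\n"
SAMPLE_ENUM = "root:x:0:root\nbin:x:1:root,bin,daemon\npostgres:x:70:\n"
SAMPLE_BY_NAME = {"domain users": "domain users:x:50000:"}

def group_names(getent_text):
    """Case-folded names from group(5)-style lines (first colon-separated field)."""
    return {ln.split(":", 1)[0].casefold()
            for ln in getent_text.splitlines() if ":" in ln}

def classify(wbinfo_groups, enumerated_text, lookup):
    """Sort every group winbindd knows into one of three NSS outcomes.

    lookup(name) returns the `getent group NAME` line, or "" when NSS has none.
    """
    enumerated = group_names(enumerated_text)
    report = {"enumerated": [], "lookup_only": [], "unresolved": []}
    for name in filter(None, map(str.strip, wbinfo_groups.splitlines())):
        if name.casefold() in enumerated:
            report["enumerated"].append(name)
        elif lookup(name):
            report["lookup_only"].append(name)   # by name works, enumeration does not
        else:
            report["unresolved"].append(name)    # NSS cannot map it at all
    return report

def run(*cmd):
    """stdout of cmd, or "" on a non-zero exit or a missing binary."""
    try:
        p = subprocess.run(cmd, capture_output=True, text=True)
    except FileNotFoundError:
        return ""
    return p.stdout if p.returncode == 0 else ""

def live_report():
    """Same classification against the real wbinfo and getent on a domain member."""
    return classify(run("wbinfo", "-g"), run("getent", "group"),
                    lambda name: run("getent", "group", name))

def sample_report():
    """Classification of the constructed sample data above."""
    return classify(SAMPLE_WBINFO_G, SAMPLE_ENUM,
                    lambda name: SAMPLE_BY_NAME.get(name.casefold(), ""))

if __name__ == "__main__":
    for outcome, names in sample_report().items():
        print(f"{outcome}: {names}")
```

On a domain member, call `live_report()` instead of `sample_report()`; groups under `unresolved` are the ones any NSS consumer on that host cannot map by name either.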