[Samba] Winbind trouble. Wbinfo see's users, "getent passwd" doesn't

dj at 4ict.com dj at 4ict.com
Wed Jul 24 12:13:03 GMT 2002

On Wed, 24 Jul 2002, Colin Davis wrote:

> Our workstations are authenticating off of the domain, which has a Primary
> Domain Controller of HOTT-Main. I want to create several shared folders that
> any one can write to, for dumping files, but also several directories that
> are user-specific.
> This means that I need to import the NT4 domain list. I'm using winbind to
> try to do this, but having some trouble.
> I set up both Samba and Winbind, but I don't think that winbind is working
> correctly, and I'm trying to figure out what I missed.
> when I do a "wbinfo -u"
> I get a list get a list of domain users, but "getent passwd" it just lists
> the unix users, and not the NT users.
> What adds to my confusion is that the groups (including the domain groups!)
> can be listed with "getent group"

If you get the users using wbinfo but not using getent then there is
something wrong with the nis part of winbind. Winbind itself
(smb.conf,...) is working.

> Do you have any suggestions on why this might be happening? Could it be
> because I'm using shadow passwords?

No, the use of shadow passwords or not should not matter. For the linux
system it is a extra way to find users, not changing the exsisting one.

> (I'm having a hard time figuring out what is wrong, and it's starting  to
> become tempting to just write a perl script to parse the "wbinfo -u" info,
> and put it into the /etc/passwd file, but that seems unnecessarily messy)

There should be no need of this.

> My smb.conf looks like the following
> [global]
>         password server = *
>         wins server = {ip address of wins server}
>         remote announce = {ip address of wins server}
>         winbind uid = 10000-20000
>         security = domain
>         encrypt passwords = Yes
>         winbind separator = +
>         template shell = /bin/bash
>         server string = Fileshare
>         workgroup = DOMAINNAME
>         winbind gid = 10000-20000
>         winbind enum groups = yes
>         netbios name = Files
>         winbind enum users = yes
> {shares go here}

Looks ok and probably is because wbinfo works.

> /etc/nsswitch.conf contains
> passwd:     files windbind
> shadow:     files  nisplus
> group:      files winbind

Also ok, checked it with a working wibind system

> /etc/pam.d/login looks like
> #%PAM-1.0
> auth       required     /lib/security/pam_securetty.so
> auth       required     /lib/security/pam_stack.so service=system-auth
> auth       required     /lib/security/pam_nologin.so
> account    required     /lib/security/pam_stack.so service=system-auth
> password   required     /lib/security/pam_stack.so service=system-auth
> session    required     /lib/security/pam_stack.so service=system-auth
> session    optional     /lib/security/pam_console.so
> account   sufficient /lib/security/pam_winbind.so
> session   required   /lib/security/pam_mkhomedir.so skel=/etc/skel/
> umask=0022
> finally, /etc/pam.d/samba
> #%PAM-1.0
> auth       required     pam_securetty.so
> auth       required     pam_nologin.so
> auth       sufficient   pam_winbind.so
> auth       required     pam_pwdb.so use_first_pass shadow nullok
> account    required     pam_winbind.so  service=system-auth
> session    required     pam_stack.so service=system-auth
> password   required     pam_stack.so service=system-auth

For the getent part not working PAM is not involved, so it shouldn't
matter. But the account line in /etc/pam.d/samba is wrong. Either only
pam.winbind.so or pam_stack.so service=system-auth.

I could make out from your mail what Linux distro you are using and how
you installed samba. But it looks like there is something wrong with
winbind nss library.

Check if both
are present on your system.


Tim Verhoeven
                                Linux & Open Source Specialist
GSM : 0496 / 693 453                          + e-business solutions
Email : dj at 4ict.com                           + consulting
URL : www.sin.khk.be/~dj/                     + Server consolidation

More information about the samba mailing list