[Samba] Winbind issues with UID and GID mappings
john
john at gallaghernet.com
Fri May 6 20:50:42 GMT 2005
Btw, I have read just about all of the help and conf files on this issue. The
nscd is NOT running.
From the docs:
Same problem as the one above. Your system is likely running nscd, the name
service caching daemon. Shut it down, do not restart it! You will find your
problem resolved.
My config looks like this:
[global]
workgroup = CORP
server string = Linman
printcap name = /etc/printcap
load printers = yes
cups options = raw
password Server = hqdc1.corp.ciosystems.com
encrypt passwords = yes
wins server = hqdc1.corp.ciosystems.com
dns proxy = no
winbind separator = +
idmap uid = 16777216-33554431
idmap gid = 16777216-33554431
template shell = /bin/bash
winbind enum users = yes
winbind enum groups = yes
template homedir = /home/%D/%U
winbind use default domain = yes
password server = hqdc1.corp.ciosystems.com
realm = CORP.CIOSYSTEMS.COM
[homes]
comment = Home Directories
browseable = yes
writable = yes
Nsswitch.conf:
passwd: files winbind
shadow: files winbind
group: files winbind
#hosts: db files nisplus nis dns
hosts: files wins dns
protocols: files winbind
services: files winbind
netgroup: files winbind
automount: files winbind
Hosts:
# Do not remove the following line, or various programs
# that require network functionality will fail.
127.0.0.1 localhost.localdomain localhost
10.200.200.15 linman.corp.ciosystems.com linman
10.200.200.1 hqdc1.corp.ciosystems.com hqdc1
cat /etc/pam.d/system-auth
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required /lib/security/$ISA/pam_env.so
auth sufficient /lib/security/$ISA/pam_unix.so likeauth nullok
auth sufficient /lib/security/$ISA/pam_winbind.so use_first_pass
auth required /lib/security/$ISA/pam_deny.so
account sufficient /lib/security/$ISA/pam_succeed_if.so uid < 100 quiet
account required /lib/security/$ISA/pam_permit.so
account [default=bad success=ok user_unknown=ignore] /lib/security/$ISA/pam_winbind.so
password requisite /lib/security/$ISA/pam_cracklib.so retry=3
password sufficient /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow
password sufficient /lib/security/$ISA/pam_winbind.so use_authtok
password required /lib/security/$ISA/pam_deny.so
session required /lib/security/$ISA/pam_limits.so
session required /lib/security/$ISA/pam_unix.so
session optional /lib/security/$ISA/pam_mkhomedir.so
cat /etc/pam.d/login
#%PAM-1.0
auth required pam_securetty.so
auth required pam_stack.so service=system-auth
auth required pam_nologin.so
account required pam_stack.so service=system-auth
password required pam_stack.so service=system-auth
# pam_selinux.so close should be the first session rule
session required pam_selinux.so close
session required pam_stack.so service=system-auth
session optional pam_console.so
session required pam_mkhomedir.so skel=/etc/skel/ umask=0077
# pam_selinux.so open should be the last session rule
session required pam_selinux.so multiple open
cat /etc/pam.d/gdm
#%PAM-1.0
auth required pam_env.so
auth required pam_stack.so service=system-auth
auth required pam_nologin.so
account required pam_stack.so service=system-auth
password required pam_stack.so service=system-auth
session required pam_stack.so service=system-auth
session optional pam_console.so
# Added to the above default
session required pam_mkhomedir.so skel=/etc/skel/ umask=0077
> -----Original Message-----
> From: samba-bounces+john=gallaghernet.com at lists.samba.org
> [mailto:samba-bounces+john=gallaghernet.com at lists.samba.org]
> On Behalf Of john
> Sent: Friday, May 06, 2005 11:50 AM
> To: samba at lists.samba.org
> Subject: [Samba] Winbind issues with UID and GID mappings
>
> I am having issues integrating a FC3 system with AD running on W2k3. I can not
> figure out why the user ID mappings and Group ID mappings are going stale. This
> is a generic FC3 install with all of the latest updates.
>
> login as: jgallagh
> Sent username "jgallagh"
> jgallagh@linman's password:
> Last login: Fri May 6 08:14:23 2005 from 192.168.168.2
> id: cannot find name for group ID 16777216
> [jgallagh@linman ~]$ whoami
> jgallagh
> [jgallagh@linman ~]$ whoami
> jgallagh
> [jgallagh@linman ~]$ ssh bill@localhost
> You don't exist, go away!
> [jgallagh@linman ~]$ ssh jgallagh@localhost
> You don't exist, go away!
> [jgallagh@linman ~]$ whoami
> whoami: cannot find username for UID 16777221
> [jgallagh@linman ~]$
>
>
> This is the log from this morning, I could not log into the system until I ran
> both the getent passwd and getent group commands. Then all worked fine, however
> this will only last maybe 5 minutes. Even when logged into the system after 5
> minutes, I run whoami the system complains that it does not know who I am and it
> always complains that it does not have the mappings for the group ID. I believe
> this is a winbind error....
>
>
> login as: root
> Sent username "root"
> root@linman's password:
> Last login: Thu May 5 22:55:44 2005 from 192.168.168.2
> [root@linman ~]# ls -al /home/CORP/
> total 60
> drwxrwxrwx 5 root root 4096 May 5 23:19 .
> drwxr-xr-x 4 root root 4096 May 5 08:18 ..
> drwxr-xr-x 3 bill 16777216 4096 May 5 22:16 bill
> -rw-r--r-- 1 root root 4256 May 5 23:27 foo
> -rw-r--r-- 1 root root 2800 May 5 23:26 foo2
> drwxr-xr-x 3 jgallagh 16777216 4096 May 5 23:18 jgallagh
> drwxr-xr-x 12 mgill 16777216 4096 May 5 15:50 mgill
> [root@linman ~]# tail -f /var/log/messages
>
> May 6 11:35:51 linman sshd[4472]: Invalid user jgallagh from ::ffff:192.168.168.2
> May 6 11:35:57 linman sshd[4472]: Failed password for invalid user jgallagh from ::ffff:192.168.168.2 port 2235
> May 6 11:36:19 linman sshd[4475]: Accepted password for root from ::ffff:192.168.168.2 port 2236
> May 6 11:36:48 linman sshd[4472]: Failed password for invalid user jgallagh from ::ffff:192.168.168.2 port 2235
> May 6 11:36:54 linman sshd[4472]: Failed password for invalid user jgallagh from ::ffff:192.168.168.2 port 2235
>
> [root@linman ~]# getent group
> root:x:0:root
> bin:x:1:root,bin,daemon
> daemon:x:2:root,bin,daemon
> sys:x:3:root,bin,adm
> adm:x:4:root,adm,daemon
> tty:x:5:
> disk:x:6:root
> lp:x:7:daemon,lp
> mem:x:8:
> kmem:x:9:
> wheel:x:10:root
> mail:x:12:mail
> news:x:13:news
> uucp:x:14:uucp
> man:x:15:
> games:x:20:
> gopher:x:30:
> dip:x:40:
> ftp:x:50:
> lock:x:54:
> nobody:x:99:
> users:x:100:
> dbus:x:81:
> floppy:x:19:
> vcsa:x:69:
> nscd:x:28:
> rpm:x:37:
> haldaemon:x:68:
> utmp:x:22:
> netdump:x:34:
> slocate:x:21:
> sshd:x:74:
> rpc:x:32:
> rpcuser:x:29:
> nfsnobody:x:65534:
> mailnull:x:47:
> smmsp:x:51:
> pcap:x:77:
> xfs:x:43:
> ntp:x:38:
> gdm:x:42:
> jgallagher:x:500:
> HelpServicesGroup:x:16777220:SUPPORT_388945a0
> TelnetClients:x:16777221:
> Domain Computers:x:16777219:
> Domain Controllers:x:16777218:
> Schema Admins:x:16777222:Administrator
> Enterprise Admins:x:16777223:Administrator
> Cert Publishers:x:16777224:
> Domain Admins:x:16777225:Administrator
> Domain Users:x:16777216:
> Domain Guests:x:16777217:
> Group Policy Creator Owners:x:16777226:Administrator
> RAS and IAS Servers:x:16777227:HQDC1$
> DnsAdmins:x:16777228:
> DnsUpdateProxy:x:16777229:
> DHCP Users:x:16777230:
> DHCP Administrators:x:16777231:
> BUILTIN+System Operators:x:16777232:
> BUILTIN+Replicators:x:16777233:
> BUILTIN+Guests:x:16777234:
> BUILTIN+Power Users:x:16777235:
> BUILTIN+Print Operators:x:16777236:
> BUILTIN+Administrators:x:16777237:
> BUILTIN+Account Operators:x:16777238:
> BUILTIN+Backup Operators:x:16777239:
> BUILTIN+Users:x:16777240:
> [root@linman ~]# getent passwd
> root:x:0:0:root:/root:/bin/bash
> bin:x:1:1:bin:/bin:/sbin/nologin
> daemon:x:2:2:daemon:/sbin:/sbin/nologin
> adm:x:3:4:adm:/var/adm:/sbin/nologin
> lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
> sync:x:5:0:sync:/sbin:/bin/sync
> shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
> halt:x:7:0:halt:/sbin:/sbin/halt
> mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
> news:x:9:13:news:/etc/news:
> uucp:x:10:14:uucp:/var/spool/uucp:/sbin/nologin
> operator:x:11:0:operator:/root:/sbin/nologin
> games:x:12:100:games:/usr/games:/sbin/nologin
> gopher:x:13:30:gopher:/var/gopher:/sbin/nologin
> ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
> nobody:x:99:99:Nobody:/:/sbin/nologin
> dbus:x:81:81:System message bus:/:/sbin/nologin
> vcsa:x:69:69:virtual console memory owner:/dev:/sbin/nologin
> nscd:x:28:28:NSCD Daemon:/:/sbin/nologin
> rpm:x:37:37::/var/lib/rpm:/sbin/nologin
> haldaemon:x:68:68:HAL daemon:/:/sbin/nologin
> netdump:x:34:34:Network Crash Dump user:/var/crash:/bin/bash
> sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
> rpc:x:32:32:Portmapper RPC user:/:/sbin/nologin
> rpcuser:x:29:29:RPC Service User:/var/lib/nfs:/sbin/nologin
> nfsnobody:x:65534:65534:Anonymous NFS User:/var/lib/nfs:/sbin/nologin
> mailnull:x:47:47::/var/spool/mqueue:/sbin/nologin
> smmsp:x:51:51::/var/spool/mqueue:/sbin/nologin
> pcap:x:77:77::/var/arpwatch:/sbin/nologin
> xfs:x:43:43:X Font Server:/etc/X11/fs:/sbin/nologin
> ntp:x:38:38::/etc/ntp:/sbin/nologin
> gdm:x:42:42::/var/gdm:/sbin/nologin
> jgallagher:x:500:500:John Gallagher:/home/jgallagher:/bin/bash
> administrator:*:16777216:16777216:Administrator:/home/CORP/administrator:/bin/bash
> guest:*:16777217:16777217:Guest:/home/CORP/guest:/bin/bash
> support_388945a0:*:16777218:16777216:SUPPORT_388945a0:/home/CORP/support_388945a0:/bin/bash
> hqdc1$:*:16777219:16777218:HQDC1:/home/CORP/hqdc1_:/bin/bash
> krbtgt:*:16777220:16777216:krbtgt:/home/CORP/krbtgt:/bin/bash
> jgallagh:*:16777221:16777216:John E. Gallagher:/home/CORP/jgallagh:/bin/bash
> mgill:*:16777222:16777216:Mike Gill:/home/CORP/mgill:/bin/bash
> linman$:*:16777223:16777219:linman:/home/CORP/linman_:/bin/bash
> bill:*:16777224:16777216:Bill Tester:/home/CORP/bill:/bin/bash
>
> /var/log/secure
> May 6 11:37:12 linman sshd[4511]: Accepted password for jgallagh from ::ffff:192.168.168.2 port 2245
>
> /var/log/messages
>
> May 6 11:35:54 linman unix_chkpwd[4474]: check pass; user unknown
> May 6 11:35:54 linman sshd(pam_unix)[4472]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.168.2
> May 6 11:35:54 linman pam_winbind[4472]: request failed: Wrong Password, PAM error was 7, NT error was NT_STATUS_WRONG_PASSWORD
> May 6 11:35:54 linman pam_winbind[4472]: user `jgallagh' denied access (incorrect password or invalid membership)
> May 6 11:36:19 linman sshd(pam_unix)[4477]: session opened for user root by root(uid=0)
> May 6 11:36:45 linman pam_winbind[4472]: request failed: Wrong Password, PAM error was 7, NT error was NT_STATUS_WRONG_PASSWORD
> May 6 11:36:45 linman pam_winbind[4472]: user `jgallagh' denied access (incorrect password or invalid membership)
> May 6 11:36:51 linman pam_winbind[4472]: request failed: Wrong Password, PAM error was 7, NT error was NT_STATUS_WRONG_PASSWORD
> May 6 11:36:51 linman pam_winbind[4472]: user `jgallagh' denied access (incorrect password or invalid membership)
> May 6 11:36:55 linman sshd(pam_unix)[4472]: 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.168.2 user=jgallagh
> May 6 11:37:12 linman sshd(pam_unix)[4511]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.168.2 user=jgallagh
> May 6 11:37:12 linman pam_winbind[4511]: user 'jgallagh' granted access
> May 6 11:37:12 linman pam_winbind[4511]: user 'jgallagh' granted access
> May 6 11:37:12 linman sshd(pam_unix)[4513]: session opened for user jgallagh by (uid=0)
> [root@linman ~]#
>
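Added example, not part of the original post and not Samba code: the sshd lines quoted above show "Invalid user" for an account that is accepted about a minute later, which is how a failed NSS lookup appears from the log side. The Python below separates such resolver flaps from attempts against accounts that never resolve; the sample lines, host name, addresses and the 10-minute window are constructed assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample in the shape of the sshd lines quoted in the post
# (host name, user names and addresses are placeholders, not thread values).
SAMPLE = """\
May  6 11:35:51 host1 sshd[4472]: Invalid user alice from ::ffff:192.0.2.10
May  6 11:35:57 host1 sshd[4472]: Failed password for invalid user alice from ::ffff:192.0.2.10 port 2235
May  6 11:36:19 host1 sshd[4475]: Accepted password for root from ::ffff:192.0.2.10 port 2236
May  6 11:37:12 host1 sshd[4511]: Accepted password for alice from ::ffff:192.0.2.10 port 2245
May  6 11:40:02 host1 sshd[4600]: Invalid user oracle from ::ffff:198.51.100.7
"""

# Matches only the two sshd events we correlate; other lines are skipped.
LINE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s\S+\ssshd\[\d+\]:\s"
    r"(?:(?P<bad>Invalid user)|(?P<ok>Accepted \S+ for))\s"
    r"(?P<user>\S+)\sfrom\s(?P<src>\S+)")

def classify(log_text, window=timedelta(minutes=10), year=2005):
    """Split 'Invalid user' events into resolver flaps and unknown accounts.

    A flap is an account sshd could not resolve that then logs in
    successfully from the same source within `window`. Syslog timestamps
    carry no year, so the caller supplies one (assumption).
    """
    invalid, accepted = [], []
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        (invalid if m["bad"] else accepted).append((ts, m["user"], m["src"]))
    flaps, unknown = set(), set()
    for ts, user, src in invalid:
        resolved = any(u == user and s == src and ts <= t <= ts + window
                       for t, u, s in accepted)
        (flaps if resolved else unknown).add((user, src))
    return sorted(flaps), sorted(unknown)

if __name__ == "__main__":
    flaps, unknown = classify(SAMPLE)
    print("resolver flaps:", flaps)
    print("unknown accounts:", unknown)
```

Entries in the flap list point at the name service (winbind, nsswitch, caching) rather than at the remote client, while the unknown list is the one worth feeding to brute-force alerting.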