[Samba] getent & winbindd on FreeBSD 5.4

Doug Sampson dougs at dawnsign.com
Thu Sep 15 23:44:26 GMT 2005

I'm trying to get a FreeBSD 5.4 server to join an NT4 domain as a member
domain server using winbindd. I've compiled Samba with WinBIND support, ACL
Support, Syslog support, UTMP support, SMB PAM module, and with installed
POPT library.

I've reviewed Chapter 20 of TOSHARG and implemented a good portion of it
into our smb.conf file but am having trouble making the 'getent' command
work. Running Samba The 'getent' command is found in

I can join the domain fine and execute 'wbinfo -u' with the expected domain
user listing as well as with the 'wbinfo -g' command. However when I attempt
to execute 'getent passwd' it shows only the local user accounts. Executing
'getent group' also produces only the local groups.

It seems the getent command that comes with the linux_base port on FreeBSD
5.4 may or may not be working. I am unable to verify it though. Doing a
'tdbdump winbind_cache.tdb' reveals that the users are being enumerated but
without a corresponding *nix user id. I don't know if the tdbsam is supposed
to reveal such information. TOSHARG states that for getent to work, the
nsswitch.conf must be properly configured. Mine is as follows:

# /etc/nsswitch.conf
passwd: compat winbind
group: compat winbind
hosts: files winbind wins dns
networks: files
shells: files

NSSwitch depends on PAM modules for authentication so here's my login file:

# $FreeBSD: src/etc/pam.d/login,v 1.16 2003/06/14 12:35:05 des Exp $
# PAM configuration for the "login" service

# auth
auth		sufficient	pam_winbind.so
auth		sufficient	pam_unix.so		use_first_pass
auth		required	pam_stack.so	service=system-auth
auth		required	pam_nologin.so	no_warn
auth		sufficient	pam_self.so		no_warn
auth		include	system

# account
account	sufficient	pam_winbind.so
account	required	pam_stack.so	service=system-auth
account	include	system

# session
session	required	pam_stack.so	service=system-auth	
session	include	system

# password
password	required	pam_stack.so	service=system-auth	
password	include	system

# smb.conf
        workgroup = DSP
        server string = Samba Server
        security = DOMAIN
        passdb backend = tdbsam
        log file = /var/log/samba/log.%m
        max log size = 50
        os level = 33
        local master = No
        dns proxy = No
        wins server =
        idmap uid = 15000-20000
        idmap gid = 15000-20000
        template homedir = /usr/home/%D/%U
        template shell = /bin/bash
        winbind separator = +
        hosts allow = 192.168.1., 192.168.2., 127.

        comment = Home Directories
        read only = No
        browseable = No

        comment = Production Data
        path = /data
        valid users = @DSP+PRODUCTION
        read only = No
        create mask = 0765

The odd thing is, there's no /etc/pam.d/samba file even though I specified
that the PAM samba module be installed. Is my PAM whacked?

Also, I am unsure if I need to map users to NT accounts using a text file
similar to /etc/smb/smbusers or some file similar to that? When I execute
'pw groupshow DSP+PRODUCTION', the log.smbd shows this:
[2005/09/15 16:17:24, 0] passdb/pdb_tdb.c:tdbsam_tdbopen(195)
  Unable to open/create TDB passwd
[2005/09/15 16:17:24, 0] passdb/pdb_tdb.c:tdbsam_getsampwrid(488)
  pdb_getsampwrid: Unable to open TDB rid database!

log.wb-DSP shows this:
[2005/09/15 16:17:24, 0] rpc_client/cli_pipe.c:cli_rpc_open_noauth(1700)
  rpc_pipe_bind failed

I'm a newb so would appreciate any advice!
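
Added example, not part of the original post: a small Python lint over the login file quoted above. In PAM, a `sufficient` module that succeeds ends the chain with success, so `required` rules placed after it (here pam_stack.so and pam_nologin.so) are not evaluated for users who authenticate through pam_winbind.so. The function names are made up for this illustration.

```python
# Added example: flag PAM rules that an earlier "sufficient" rule can skip.
# SAMPLE is copied from the login file quoted in the post (password section omitted).
SAMPLE = """\
# auth
auth		sufficient	pam_winbind.so
auth		sufficient	pam_unix.so		use_first_pass
auth		required	pam_stack.so	service=system-auth
auth		required	pam_nologin.so	no_warn
auth		sufficient	pam_self.so		no_warn
auth		include	system

# account
account	sufficient	pam_winbind.so
account	required	pam_stack.so	service=system-auth
account	include	system

# session
session	required	pam_stack.so	service=system-auth
session	include	system
"""

def parse_pam(text):
    """Yield (facility, control, module) for each rule line, skipping comments."""
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) >= 3:
            yield fields[0], fields[1], fields[2]

def bypassable(text):
    """Return (facility, module, earlier_sufficient) for every required or
    requisite rule that follows a 'sufficient' rule in the same facility."""
    first_sufficient = {}  # facility -> earliest sufficient module seen
    findings = []
    for facility, control, module in parse_pam(text):
        if control == "sufficient":
            first_sufficient.setdefault(facility, module)
        elif control in ("required", "requisite") and facility in first_sufficient:
            findings.append((facility, module, first_sufficient[facility]))
    return findings

if __name__ == "__main__":
    for facility, module, earlier in bypassable(SAMPLE):
        print(f"{facility}: {module} is not reached when {earlier} succeeds")
```

Rules that must always run, such as the nologin check, belong above the first `sufficient` line of their facility.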

