[Samba] getent and wbinfo not returning expected results?

John H Terpstra jht at samba.org
Fri Sep 16 19:57:10 GMT 2005


On Friday 16 September 2005 13:35, Mike Partyka wrote:
> On Sep 16, 2005, at 2:11 PM, John H Terpstra wrote:
> > On Friday 16 September 2005 12:14, Doug Sampson wrote:
> >>> I did and this did address the wbinfo -u OR -g output but the getent
> >>> passwd OR group, is still only listing the local users and groups
> >>
> >> <sigh> According to the Samba docs, it's either the NSS switch or
> >> the PAM modules or both that appear to be preventing the
> >> enumeration of users/groups. I have on hand TOSHARG and the
> >> 'Samba-3 By Examples' books. Check page 228 section 12 in
> >> 'Samba-3 by Examples' and you will see what I am referring to.
> >
> > If 'wbinfo -u' returns the domain user list, but 'getent passwd'
> > does not, this means that NSS is not working. It has nothing to do
> > with PAM.
> >
> >> I'm using FreeBSD and their NSS libraries are different from
> >> Linux's and I'm wondering if that is the cause. FreeBSD uses
> >> nss_winbind.so.1 whereas there are numerous references to
> >> libnss_winbind.so.2 in TOSHARG which is based on Linux. I fear
> >> FreeBSD's GCC compiler is either older and/or different than
> >> Linux's. What distro are you using?
> >
> > Have you joined the Samba server to the domain?
> > What do 'net rpc info' and 'net ads info' report?
>
> net rpc info returns nothing
>
> net ads info, returns:
>
>      msp1intmx01:~ # net ads info
>      LDAP server: 71.4.126.89
>      LDAP server name: msp1intmx02
>      Realm: DOMAIN.COM
>      Bind Path: dc=DOMAIN,dc=COM
>      LDAP port: 389
>      Server time: Fri, 16 Sep 2005 14:17:38 GMT
>      KDC server: 71.4.126.89
>      Server time offset: 0
>
> I didn't think I was using ldap to store the idmap values for users,
> I thought the smb.conf setting idmap backend=idmap_rid

ADS uses LDAP. The user and group account info when Samba is an ADS domain 
member is obtained from the LDAP service that is part of ADS. The IDMAP 
backend defines how the user and group SIDs are handled. The idmap_rid tool 
uses the value of the relative identifier (RID) part of the user SID as the 
UID. The RID can have any value from 1000 up to 4294967295. Typically the RID 
is allocated sequentially starting at 1000, but this appears not always to be 
the case.

>
> > Is winbindd running?
>
> Yes
>
> > Did you rename the libnss_winbind.so.2 file to nss_winbind.so.1?
>
> No, I did not see that step in any of the documentation I have used.

For months I asked for review and feedback from Samba mailing list users. All 
feedback that I received was adopted. Samba is user supported software. The 
more people who provide documentation feedback, the better the documentation 
becomes.

> I did this and restarted winbind but it seemed to have no effect.
>
> > Did you locate this in the /lib or the /usr/lib directory?
>
> in the /lib directory only

It needs to be in the same directory that the other nss_*.so* files are in.

The version number may need to be .1 or .2 - I am not sure.

>
> > What error logs are you seeing in /var/adm/messages?
>
> I am seeing a number of messages like this:
>
>      Sep 16 14:21:17 msp1intmx01 winbindd[23202]: rid_idmap_get_id_from_sid: rid: 1157 (UID: 1657) too high for mapping of domain: JUMPNODE (500-1000)

The system accounts will use values of 500-1000, user accounts always above 
999. i.e.: starting at 1000.

>
> Which I assume is related to the fact that I changed the
> idmap_backend setting earlier this morning in the smb.conf file.

If you change the settings you must delete the winbind_idmap.tdb and 
winbind_cache.tdb files before restarting smbd and winbind.

> Here is what it currently set to:
>
>     idmap backend = idmap_rid:JUMPNODE=500-1000
>     idmap uid = 500-1000
>     idmap gid = 500-1000
>

The upper bounds of the uid and gid ranges are much too low. Follow the 
examples I gave in the book.

> This morning the idmap_backend had a range of 500-5000 but then I ran
> winbindd -i -d3 and I saw winbind complaining about the range being
> set too high, and I adjusted it down. Is there someplace I need to
> clear the old values from? I have since restarted winbind several
> times but that does not seem to be sufficient.

Remove the winbind*tdb files and restart winbindd.

- John T.
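
An added example, not part of the original message and not Samba code: a Python parser for the winbindd "too high for mapping" message quoted in the thread, reporting per domain the lowest range upper bound that would admit every rejected UID. The function names and the second sample log line are constructed; the offset check relies only on what the quoted log shows (1657 - 1157 = 500, the low end of the configured range).

```python
import re

# Constructed sample input: line 1 is the message quoted in the thread, joined
# onto one line; line 2 is invented for illustration.
SAMPLE_LOG = (
    "Sep 16 14:21:17 msp1intmx01 winbindd[23202]: rid_idmap_get_id_from_sid: "
    "rid: 1157 (UID: 1657) too high for mapping of domain: JUMPNODE (500-1000)\n"
    "Sep 16 14:21:19 msp1intmx01 winbindd[23202]: rid_idmap_get_id_from_sid: "
    "rid: 2304 (UID: 2804) too high for mapping of domain: JUMPNODE (500-1000)\n"
)

# \s+ between tokens tolerates the line wrapping seen in the quoted log.
PATTERN = re.compile(
    r"rid_idmap_get_id_from_sid:\s+rid:\s+(?P<rid>\d+)\s+\(UID:\s+(?P<uid>\d+)\)"
    r"\s+too\s+high\s+for\s+mapping\s+of\s+domain:\s+(?P<domain>\S+)"
    r"\s+\((?P<low>\d+)-(?P<high>\d+)\)"
)


def rejected_mappings(log_text):
    """Return one dict (rid, uid, domain, low, high) per rejection message."""
    hits = []
    for m in PATTERN.finditer(log_text):
        fields = m.groupdict()
        hits.append({k: v if k == "domain" else int(v) for k, v in fields.items()})
    return hits


def rid_offset(hit):
    """Offset winbindd added to the RID; in the quoted log it equals the range low."""
    return hit["uid"] - hit["rid"]


def required_upper_bound(hits):
    """Per domain: smallest upper bound that admits every UID rejected in the log."""
    needed = {}
    for h in hits:
        needed[h["domain"]] = max(needed.get(h["domain"], h["high"]), h["uid"])
    return needed


if __name__ == "__main__":
    hits = rejected_mappings(SAMPLE_LOG)
    for h in hits:
        print(f"{h['domain']}: rid {h['rid']} -> uid {h['uid']} "
              f"(offset {rid_offset(h)}) outside {h['low']}-{h['high']}")
    for domain, upper in required_upper_bound(hits).items():
        print(f"{domain}: upper bound must be at least {upper}")
```

The result is only a floor derived from accounts that happened to be looked up; the configured range still has to cover the highest RID in the domain.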

