[Samba] getent not working (again)
Horchler, Joerg
joerg.horchler at coremedia.com
Fri Apr 21 10:06:02 GMT 2006
Hi all,
after searching the internet for about a week I still can't find an answer to
my problem:
The company I work for is using a Windows 2003 Domain using the Windows
Services for UNIX (SFU) and NIS. We are using two Domain Controllers that
are hosting the ADS.
Now I want to use Samba and NFS to implement a file server for our mixed
client environment: There will be Linux, HP UNIX, Solaris, AIX and Windows
clients accessing this server. The Linux/UNIX clients will use NFS (no
problem). The Windows clients will use Samba.
=====================================
I compiled Samba 3.0.22 with:
./configure \
--with-ldap \
--with-ads \
--with-pam \
--with-quotas \
--with-acl-support \
--with-aio-support \
--with-sendfile-support \
--with-winbind \
--with-shared-modules=idmap_ad
The last option was the only way to get idmap_ad compiled and installed. I
need this to use 'idmap backend = ad'
=====================================
After installation I copied libnss_winbind.so and libnss_wins.so to /lib and
ran ldconfig
[root at io source]# ldconfig -v | grep libnss
libnss_winbind.so.2 -> libnss_winbind.so
libnss_wins.so.2 -> libnss_wins.so
[root at io source]#
=====================================
My smb.conf is
[root at io source]# cat /usr/local/samba/lib/smb.conf
[global]
unix charset = UTF8
display charset = UTF8
workgroup = XYZ
realm = ABC.COM
server string = linux fileserver %h (Samba %v)
security = ADS
auth methods = winbind
allow trusted domains = No
lanman auth = No
log level = 0 smb:1 auth:1 winbind:1 idmap:1 acls:1
log file = /var/log/samba/%m.log
disable netbios = Yes
reset on zero vc = Yes
deadtime = 10
os level = 0
preferred master = No
local master = No
domain master = No
wins server = a.b.c.d, a.b.c.e
ldap ssl = no
pid directory = /var/run
idmap backend = ad
idmap uid = 100-100000
idmap gid = 100-100000
winbind use default domain = Yes
winbind nested groups = Yes
winbind nss info = sfu
acl group control = Yes
acl map full control = No
inherit owner = Yes
ea support = Yes
map acl inherit = Yes
use sendfile = Yes
hide special files = Yes
map readonly = permissions
strict locking = No
dos filemode = Yes
[root at io source]#
I configured no shares at the moment. Could that be a problem?
=====================================
My /etc/krb5.conf
[root at io source]# cat /etc/krb5.conf
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
default_realm = ABC.COM
[realms]
ABC.COM = {
default_domain = abc.com
}
[domain_realm]
.abc.com = ABC.COM
abc.com = ABC.COM
[appdefaults]
pam = {
debug = false
ticket_lifetime = 36000
renew_lifetime = 36000
forwardable = true
krb4_convert = false
}
[root at io source]#
=====================================
My /etc/nsswitch.conf
[root at io source]# cat /etc/nsswitch.conf
#
# /etc/nsswitch.conf
[...]
passwd: files winbind
shadow: files winbind
group: files winbind
#hosts: db files ldap nis dns
hosts: files dns wins
[...]
=====================================
Then I joined the domain successfully:
[root at io source]#
net ads join -Uruth "Servers"
[root at io source]# wbinfo -t
checking the trust secret via RPC calls succeeded
[root at io source]#
[root at io source]# net ads info
LDAP server: a.b.c.d
LDAP server name: uranus
Realm: ABC.COM
Bind Path: dc=ABC,dc=COM
LDAP port: 389
Server time: Fri, 21 Apr 2006 11:59:54 CEST
KDC server: a.b.c.d
Server time offset: 55
[root at io source]#
=====================================
After starting nmbd, smbd and winbindd I can successfully list my domain
users and groups with wbinfo. But when I try to get a list via getent it
doesn't work.
[root at io source]# getent passwd
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
news:x:9:13:news:/etc/news:
uucp:x:10:14:uucp:/var/spool/uucp:/sbin/nologin
operator:x:11:0:operator:/root:/sbin/nologin
games:x:12:100:games:/usr/games:/sbin/nologin
gopher:x:13:30:gopher:/var/gopher:/sbin/nologin
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
nobody:x:99:99:Nobody:/:/sbin/nologin
dbus:x:81:81:System message bus:/:/sbin/nologin
vcsa:x:69:69:virtual console memory owner:/dev:/sbin/nologin
rpm:x:37:37::/var/lib/rpm:/sbin/nologin
haldaemon:x:68:68:HAL daemon:/:/sbin/nologin
netdump:x:34:34:Network Crash Dump user:/var/crash:/bin/bash
nscd:x:28:28:NSCD Daemon:/:/sbin/nologin
sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
rpc:x:32:32:Portmapper RPC user:/:/sbin/nologin
mailnull:x:47:47::/var/spool/mqueue:/sbin/nologin
smmsp:x:51:51::/var/spool/mqueue:/sbin/nologin
rpcuser:x:29:29:RPC Service User:/var/lib/nfs:/sbin/nologin
nfsnobody:x:65534:65534:Anonymous NFS User:/var/lib/nfs:/sbin/nologin
pcap:x:77:77::/var/arpwatch:/sbin/nologin
xfs:x:43:43:X Font Server:/etc/X11/fs:/sbin/nologin
pegasus:x:100:500:tog-pegasus OpenPegasus WBEM/CIM
services:/var/lib/Pegasus:/sbin/nologin
postfix:x:89:89::/var/spool/postfix:/sbin/nologin
ntp:x:38:38::/etc/ntp:/sbin/nologin
[root at io source]#
=====================================
I have lots of messages like this in winbindd.log:
[2006/04/21 12:01:13, 1] sam/idmap_ad.c:ad_idmap_get_id_from_sid(329)
ad_idmap_get_id_from_sid: ads_pull_uint32: could not read attribute
'msSFU30GidNumber'
[2006/04/21 12:01:13, 1] nsswitch/winbindd_user.c:winbindd_fill_pwent(92)
error getting group id for sid
S-1-5-21-1663660479-371685239-1594628879-513
But I think that's not the problem, because winbindd_idmap.tdb contains
correct mappings for all users that have the msSFU30GidNumber field.
=====================================
The last thing I tried was to do an strace:
[root at io samba]# strace getent passwd
execve("/usr/bin/getent", ["getent", "passwd"], [/* 23 vars */]) = 0
uname({sys="Linux", node="io.coremedia.com", ...}) = 0
brk(0) = 0x9c66000
access("/etc/ld.so.preload", R_OK) = -1 ENOENT (No such file or
directory)
open("/etc/ld.so.cache", O_RDONLY) = 3
fstat64(3, {st_mode=S_IFREG|0644, st_size=37645, ...}) = 0
old_mmap(NULL, 37645, PROT_READ, MAP_PRIVATE, 3, 0) = 0xb7f27000
close(3) = 0
open("/lib/tls/libc.so.6", O_RDONLY) = 3
read(3, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0\20o-\000"..., 512)
= 512
fstat64(3, {st_mode=S_IFREG|0755, st_size=1454546, ...}) = 0
old_mmap(0x2c2000, 1219772, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE,
3, 0) = 0x2c2000
old_mmap(0x3e6000, 16384, PROT_READ|PROT_WRITE,
MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x124000) = 0x3e6000
old_mmap(0x3ea000, 7356, PROT_READ|PROT_WRITE,
MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x3ea000
close(3) = 0
old_mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0)
= 0xb7f26000
mprotect(0x3e6000, 4096, PROT_READ) = 0
mprotect(0x2be000, 4096, PROT_READ) = 0
set_thread_area({entry_number:-1 -> 6, base_addr:0xb7f26aa0, limit:1048575,
seg_32bit:1, contents:0, read_exec_only:0, limit_in_pages:1,
seg_not_present:0, useable:1}) = 0
munmap(0xb7f27000, 37645) = 0
brk(0) = 0x9c66000
brk(0x9c87000) = 0x9c87000
open("/usr/lib/locale/locale-archive", O_RDONLY|O_LARGEFILE) = 3
fstat64(3, {st_mode=S_IFREG|0644, st_size=48513056, ...}) = 0
mmap2(NULL, 2097152, PROT_READ, MAP_PRIVATE, 3, 0) = 0xb7d26000
close(3) = 0
open("/etc/nsswitch.conf", O_RDONLY) = 3
fstat64(3, {st_mode=S_IFREG|0644, st_size=1652, ...}) = 0
mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) =
0xb7d25000
read(3, "#\n# /etc/nsswitch.conf\n#\n# An ex"..., 4096) = 1652
read(3, "", 4096) = 0
close(3) = 0
munmap(0xb7d25000, 4096) = 0
open("/etc/ld.so.cache", O_RDONLY) = 3
fstat64(3, {st_mode=S_IFREG|0644, st_size=37645, ...}) = 0
old_mmap(NULL, 37645, PROT_READ, MAP_PRIVATE, 3, 0) = 0xb7d1c000
close(3) = 0
open("/lib/libnss_files.so.2", O_RDONLY) = 3
read(3, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0\20\33\0"..., 512) =
512
fstat64(3, {st_mode=S_IFREG|0755, st_size=45889, ...}) = 0
old_mmap(NULL, 41608, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0)
= 0x4b2000
old_mmap(0x4bb000, 8192, PROT_READ|PROT_WRITE,
MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x8000) = 0x4bb000
close(3) = 0
munmap(0xb7d1c000, 37645) = 0
open("/etc/passwd", O_RDONLY) = 3
fcntl64(3, F_GETFD) = 0
fcntl64(3, F_SETFD, FD_CLOEXEC) = 0
fstat64(3, {st_mode=S_IFREG|0644, st_size=1546, ...}) = 0
mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) =
0xb7d25000
_llseek(3, 0, [0], SEEK_CUR) = 0
read(3, "root:x:0:0:root:/root:/bin/bash\n"..., 4096) = 1546
fstat64(1, {st_mode=S_IFCHR|0620, st_rdev=makedev(136, 0), ...}) = 0
mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) =
0xb7d24000
write(1, "root:x:0:0:root:/root:/bin/bash\n",
32root:x:0:0:root:/root:/bin/bash
) = 32
write(1, "bin:x:1:1:bin:/bin:/sbin/nologin"...,
33bin:x:1:1:bin:/bin:/sbin/nologin
) = 33
write(1, "daemon:x:2:2:daemon:/sbin:/sbin/"...,
40daemon:x:2:2:daemon:/sbin:/sbin/nologin
) = 40
write(1, "adm:x:3:4:adm:/var/adm:/sbin/nol"...,
37adm:x:3:4:adm:/var/adm:/sbin/nologin
) = 37
write(1, "lp:x:4:7:lp:/var/spool/lpd:/sbin"...,
41lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
) = 41
write(1, "sync:x:5:0:sync:/sbin:/bin/sync\n",
32sync:x:5:0:sync:/sbin:/bin/sync
) = 32
write(1, "shutdown:x:6:0:shutdown:/sbin:/s"...,
45shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
) = 45
write(1, "halt:x:7:0:halt:/sbin:/sbin/halt"...,
33halt:x:7:0:halt:/sbin:/sbin/halt
) = 33
write(1, "mail:x:8:12:mail:/var/spool/mail"...,
47mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
) = 47
write(1, "news:x:9:13:news:/etc/news:\n", 28news:x:9:13:news:/etc/news:
) = 28
write(1, "uucp:x:10:14:uucp:/var/spool/uuc"...,
48uucp:x:10:14:uucp:/var/spool/uucp:/sbin/nologin
) = 48
write(1, "operator:x:11:0:operator:/root:/"...,
45operator:x:11:0:operator:/root:/sbin/nologin
) = 45
write(1, "games:x:12:100:games:/usr/games:"...,
46games:x:12:100:games:/usr/games:/sbin/nologin
) = 46
write(1, "gopher:x:13:30:gopher:/var/gophe"...,
48gopher:x:13:30:gopher:/var/gopher:/sbin/nologin
) = 48
write(1, "ftp:x:14:50:FTP User:/var/ftp:/s"..., 44ftp:x:14:50:FTP
User:/var/ftp:/sbin/nologin
) = 44
write(1, "nobody:x:99:99:Nobody:/:/sbin/no"...,
38nobody:x:99:99:Nobody:/:/sbin/nologin
) = 38
write(1, "dbus:x:81:81:System message bus:"..., 48dbus:x:81:81:System
message bus:/:/sbin/nologin
) = 48
write(1, "vcsa:x:69:69:virtual console mem"..., 61vcsa:x:69:69:virtual
console memory owner:/dev:/sbin/nologin
) = 61
write(1, "rpm:x:37:37::/var/lib/rpm:/sbin/"...,
40rpm:x:37:37::/var/lib/rpm:/sbin/nologin
) = 40
write(1, "haldaemon:x:68:68:HAL daemon:/:/"..., 45haldaemon:x:68:68:HAL
daemon:/:/sbin/nologin
) = 45
write(1, "netdump:x:34:34:Network Crash Du"..., 61netdump:x:34:34:Network
Crash Dump user:/var/crash:/bin/bash
) = 61
write(1, "nscd:x:28:28:NSCD Daemon:/:/sbin"..., 41nscd:x:28:28:NSCD
Daemon:/:/sbin/nologin
) = 41
write(1, "sshd:x:74:74:Privilege-separated"...,
67sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
) = 67
write(1, "rpc:x:32:32:Portmapper RPC user:"..., 48rpc:x:32:32:Portmapper RPC
user:/:/sbin/nologin
) = 48
write(1, "mailnull:x:47:47::/var/spool/mqu"...,
50mailnull:x:47:47::/var/spool/mqueue:/sbin/nologin
) = 50
write(1, "smmsp:x:51:51::/var/spool/mqueue"...,
47smmsp:x:51:51::/var/spool/mqueue:/sbin/nologin
) = 47
write(1, "rpcuser:x:29:29:RPC Service User"..., 60rpcuser:x:29:29:RPC
Service User:/var/lib/nfs:/sbin/nologin
) = 60
write(1, "nfsnobody:x:65534:65534:Anonymou"...,
70nfsnobody:x:65534:65534:Anonymous NFS User:/var/lib/nfs:/sbin/nologin
) = 70
write(1, "pcap:x:77:77::/var/arpwatch:/sbi"...,
42pcap:x:77:77::/var/arpwatch:/sbin/nologin
) = 42
write(1, "xfs:x:43:43:X Font Server:/etc/X"..., 52xfs:x:43:43:X Font
Server:/etc/X11/fs:/sbin/nologin
) = 52
write(1, "pegasus:x:100:500:tog-pegasus Op"...,
91pegasus:x:100:500:tog-pegasus OpenPegasus WBEM/CIM
services:/var/lib/Pegasus:/sbin/nologin
) = 91
write(1, "postfix:x:89:89::/var/spool/post"...,
50postfix:x:89:89::/var/spool/postfix:/sbin/nologin
) = 50
write(1, "ntp:x:38:38::/etc/ntp:/sbin/nolo"...,
36ntp:x:38:38::/etc/ntp:/sbin/nologin
) = 36
read(3, "", 4096) = 0
open("/etc/ld.so.cache", O_RDONLY) = 4
fstat64(4, {st_mode=S_IFREG|0644, st_size=37645, ...}) = 0
old_mmap(NULL, 37645, PROT_READ, MAP_PRIVATE, 4, 0) = 0xb7d1a000
close(4) = 0
open("/lib/libnss_winbind.so.2", O_RDONLY) = 4
read(4, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0008\20\0"..., 512) =
512
fstat64(4, {st_mode=S_IFREG|0755, st_size=19545, ...}) = 0
old_mmap(NULL, 27516, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 4, 0)
= 0x593000
old_mmap(0x597000, 4096, PROT_READ|PROT_WRITE,
MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 4, 0x3000) = 0x597000
old_mmap(0x598000, 7036, PROT_READ|PROT_WRITE,
MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x598000
close(4) = 0
munmap(0xb7d1a000, 37645) = 0
getpid() = 2782
lstat64("/tmp/.winbindd", {st_mode=S_IFDIR|0755, st_size=4096, ...}) = 0
lstat64("/tmp/.winbindd/pipe", {st_mode=S_IFSOCK|0777, st_size=0, ...}) = 0
socket(PF_FILE, SOCK_STREAM, 0) = 4
fcntl64(4, F_GETFL) = 0x2 (flags O_RDWR)
fcntl64(4, F_SETFL, O_RDWR|O_NONBLOCK) = 0
fcntl64(4, F_GETFD) = 0
fcntl64(4, F_SETFD, FD_CLOEXEC) = 0
connect(4, {sa_family=AF_FILE, path="/tmp/.winbindd/pipe"}, 110) = 0
select(5, [4], NULL, NULL, {0, 0}) = 0 (Timeout)
write(4, ",\7\0\0\0\0\0\0\336\n\0\0\0\10\0\0\0\0\0\0\0\0\0\0\0\0"..., 1836)
= 1836
select(5, [4], NULL, NULL, {5, 0}) = 1 (in [4], left {5, 0})
read(4, "\24\5\0\0\2\0\0\0\v\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"..., 1300)
= 1300
select(5, [4], NULL, NULL, {0, 0}) = 0 (Timeout)
write(4, ",\7\0\0%\0\0\0\336\n\0\0\0\10\0\0\0\0\0\0\0\0\0\0\0\0\0"..., 1836)
= 1836
select(5, [4], NULL, NULL, {5, 0}) = 1 (in [4], left {5, 0})
read(4, "C\5\0\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"..., 1300)
= 1300
select(5, [4], NULL, NULL, {5, 0}) = 1 (in [4], left {5, 0})
read(4, "/usr/local/samba/var/locks/winbi"..., 47) = 47
lstat64("/usr/local/samba/var/locks/winbindd_privileged",
{st_mode=S_IFDIR|0750, st_size=4096, ...}) = 0
lstat64("/usr/local/samba/var/locks/winbindd_privileged/pipe",
{st_mode=S_IFSOCK|0777, st_size=0, ...}) = 0
socket(PF_FILE, SOCK_STREAM, 0) = 5
fcntl64(5, F_GETFL) = 0x2 (flags O_RDWR)
fcntl64(5, F_SETFL, O_RDWR|O_NONBLOCK) = 0
fcntl64(5, F_GETFD) = 0
fcntl64(5, F_SETFD, FD_CLOEXEC) = 0
connect(5, {sa_family=AF_FILE,
path="/usr/local/samba/var/locks/winbindd_privileged/pipe"}, 110) = 0
close(4) = 0
select(6, [5], NULL, NULL, {0, 0}) = 0 (Timeout)
write(5, ",\7\0\0\6\0\0\0\336\n\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"..., 1836)
= 1836
select(6, [5], NULL, NULL, {5, 0}) = 1 (in [5], left {5, 0})
read(5, "\24\5\0\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"..., 1300)
= 1300
select(6, [5], NULL, NULL, {0, 0}) = 0 (Timeout)
write(5, ",\7\0\0\10\0\0\0\336\n\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"..., 1836)
= 1836
select(6, [5], NULL, NULL, {5, 0}) = 1 (in [5], left {4, 162000})
read(5, "\24\5\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"..., 1300)
= 1300
close(3) = 0
munmap(0xb7d25000, 4096) = 0
select(6, [5], NULL, NULL, {0, 0}) = 0 (Timeout)
write(5, ",\7\0\0\7\0\0\0\336\n\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"..., 1836)
= 1836
select(6, [5], NULL, NULL, {5, 0}) = 1 (in [5], left {5, 0})
read(5, "\24\5\0\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"..., 1300)
= 1300
munmap(0xb7d24000, 4096) = 0
exit_group(0) = ?
Process 2782 detached
[root at io samba]#
As far as I can see, getent talks to winbindd via its sockets:
connect(5, {sa_family=AF_FILE,
path="/usr/local/samba/var/locks/winbindd_privileged/pipe"}, 110) = 0
But why the hell isn't it able to list the users??
Can anyone with a running configuration help me? Any ideas?
Thanks
Jörg Horchler