[Samba] AD integration: "getent passwd" can't see *new* users, but "wbinfo -u" can

Noah Dain noahdain at gmail.com
Mon Feb 12 06:17:59 GMT 2007


I have two different systems (on different networks) showing this
behavior.  Both are running Ubuntu Dapper/606.1 LTS with samba version
3.0.22 and windows 2003 sp1 servers (not R2).  AD integration is done
via winbind, with nss using winbind.  At some point in time (which is
unknown to me), the samba server stopped seeing new users, groups,
machines which are added to AD.

scenario:
I add a new user to AD, say "smbtest".  I then look for the user with
"wbinfo -u", and it shows up.  However, it does not show up with
"getent passwd" (same for groups, "getent group").  If I try to map a
share to a drive letter, it goes something like this:

C:\WINDOWS>net use h: \\SAMBASRV\smbtest /user:DOMAIN\smbtest password

System error 1326 has occurred.


Logon failure: unknown user name or bad password.

(The same results occur for existing shares, so it's not from lack of
a home directory)

Of particular interest is log.winbindd-idmap.  Whenever I try to
connect as the user smbtest to their home directory or another share,
this is logged here several times:

[2007/02/11 20:45:40, 0] sam/idmap_rid.c:rid_idmap_get_id_from_sid(485)
  rid_idmap_get_id_from_sid: no suitable range available for sid:
S-1-5-21-4050315045-3251428658-993335031-3123

"wbinfo -s S-1-5-21-4050315045-3251428658-993335031-3123" returns
"smbtest" as expected.
"wbinfo -n smbtest" returns that sid.
Other users/sids work.

other stuff I've tried / observed:

"net ads testjoin" looks good.
kerberos looks good.
There are no local accounts within the idmap uid/gid range.
"/var/lib/samba/winbindd_idmap.tdb" shows no new entries.
I've restarted samba and winbindd, and the whole machine went down for
a reboot, but I'm still getting the same behavior.

-- only config files below --
smb.conf:

[global]
        workgroup = DOMAIN
        realm = DOMAIN
        server string = samba server
        interfaces = eth0
        bind interfaces only = Yes
        security = ADS
        allow trusted domains = No
        obey pam restrictions = Yes
        pam password change = Yes
        log level = 2 winbind:3 passdb:2 auth:2
        log file = /var/log/samba/%m.log
        socket options = TCP_noDELAY SO_RCVBUF=8192 SO_SNDBUF=8192
        load printers = No
        dns proxy = No
        wins server = DC1
        idmap backend = rid:BUILTIN=1000-9999, DOMAIN=10000-60000
        idmap uid = 1000-60000
        idmap gid = 1000-60000
        template homedir = /home/%U
        template shell = /bin/bash
        winbind separator = /
        winbind use default domain = Yes
        winbind nested groups = Yes
        hosts allow = 192.168.1.0/255.255.255.0, 127.
        hosts deny = 0.0.0.0/0.0.0.0

[homes]
        comment = Home Directory
        path = /home/%U
        read only = No
        create mask = 0640
        directory mask = 0750
        browseable = No

/end smb.conf

/etc/nsswitch.conf:

passwd:         compat winbind
group:          compat winbind
shadow:         compat winbind
hosts:          files dns mdns
networks:       files
protocols:      db files
services:       db files
ethers:         db files
rpc:            db files
netgroup:       nis

/end nsswitch.conf

-- 
Noah Dain
"The beatings will continue, until morale improves" - the Management
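The post's idmap log line, "no suitable range available for sid", comes from the rid backend's SID-to-uid step. The following is an added example, not code from the post or from Samba: a small model of that step, fed with the `idmap backend` line, the `idmap uid` range and the SID quoted above. It assumes the documented rid algebra (id = range low + RID) and that the backend must first resolve the SID to a domain name that has a configured range; the `DOMAIN_NAMES` table stands in for that lookup and is constructed for the example.

```python
import re
from typing import Dict, Optional, Tuple

# Constructed inputs, taken from the smb.conf and the idmap log line in the post.
IDMAP_BACKEND = "rid:BUILTIN=1000-9999, DOMAIN=10000-60000"
IDMAP_UID = "1000-60000"
SID_FROM_LOG = "S-1-5-21-4050315045-3251428658-993335031-3123"
# Constructed: the domain SID -> name resolution winbind performs (cf. wbinfo -s).
DOMAIN_NAMES = {"S-1-5-21-4050315045-3251428658-993335031": "DOMAIN"}

def parse_rid_ranges(value: str) -> Dict[str, Tuple[int, int]]:
    """Parse 'rid:NAME=low-high, NAME=low-high' into {NAME: (low, high)}."""
    body = value.split(":", 1)[1]
    ranges: Dict[str, Tuple[int, int]] = {}
    for part in body.split(","):
        name, span = part.strip().split("=")
        low, high = (int(x) for x in span.split("-"))
        if low > high:
            raise ValueError(f"bad range for {name}: {span}")
        ranges[name.upper()] = (low, high)
    return ranges

def ranges_inside_idmap(ranges: Dict[str, Tuple[int, int]], idmap_range: str) -> bool:
    """Every per-domain rid range must lie inside the global 'idmap uid' range."""
    glo, ghi = (int(x) for x in idmap_range.split("-"))
    return all(glo <= lo and hi <= ghi for lo, hi in ranges.values())

def split_sid(sid: str) -> Tuple[str, int]:
    """Split a user/group SID into (domain SID, RID); the RID is the last sub-authority."""
    m = re.fullmatch(r"(S-1-5-21-\d+-\d+-\d+)-(\d+)", sid)
    if not m:
        raise ValueError(f"not a domain SID: {sid}")
    return m.group(1), int(m.group(2))

def rid_to_id(sid: str, ranges: Dict[str, Tuple[int, int]],
              domain_names: Dict[str, str]) -> Optional[int]:
    """Model (assumption) of the rid backend: resolve the SID's domain name, pick
    that domain's range, then id = low + rid.  None stands for the logged failure
    'no suitable range available': either no range exists for the resolved domain
    name or the computed id falls outside that range."""
    dom_sid, rid = split_sid(sid)
    name = domain_names.get(dom_sid)
    span = ranges.get(name.upper()) if name else None
    if span is None:
        return None
    low, high = span
    uid = low + rid
    return uid if low <= uid <= high else None

if __name__ == "__main__":
    ranges = parse_rid_ranges(IDMAP_BACKEND)
    print(ranges_inside_idmap(ranges, IDMAP_UID))           # True
    print(rid_to_id(SID_FROM_LOG, ranges, DOMAIN_NAMES))    # 13123
    print(rid_to_id(SID_FROM_LOG, ranges, {}))              # None: domain name not resolved
```

In this model the posted SID (RID 3123) lands at 13123, well inside the DOMAIN range, so the only path to the logged message is the domain-name lookup yielding no configured range.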

