[Samba] AD integration: "getent passwd" can't see *new* users, but "wbinfo -u" can

Fernando Ruza fernandor at sescam.jccm.es
Thu Jul 19 14:56:01 GMT 2007


Did you solve it? I have a similar problem. wbinfo -u gives me a user,
however when I look for it with getent passwd it doesn't appear. With
other users everything is correct.

Thanks,

Fernando.


On Mon, 12-02-2007 at 01:17 -0500, Noah Dain wrote:
> I have two different systems (on different networks) showing this
> behavior.  Both are running Ubuntu Dapper/606.1 LTS with samba version
> 3.0.22 and windows 2003 sp1 servers (not R2).  AD integration is done
> via winbind, with nss using winbind.  At some point in time (which is
> unknown to me), the samba server stopped seeing new users, groups,
> machines which are added to AD.
> 
> scenario:
> I add a new user to AD, say "smbtest".  I then look for the user with
> "wbinfo -u", and it shows up.  However, it does not show up with
> "getent passwd" (same for groups, "getent group").  If I try to map a
> share to a drive letter, it goes something like this:
> 
> C:\WINDOWS>net use h: \\SAMBASRV\smbtest /user:DOMAIN\smbtest password
> 
> System error 1326 has occurred.
> 
> 
> Logon failure: unknown user name or bad password.
> 
> (The same results occur for existing shares, so it's not from lack of
> a home directory)
> 
> Of particular interest is log.winbindd-idmap.  Whenever I try to
> connect as the user smbtest to their home directory or another share,
> this is logged here several times:
> 
> [2007/02/11 20:45:40, 0] sam/idmap_rid.c:rid_idmap_get_id_from_sid(485)
>   rid_idmap_get_id_from_sid: no suitable range available for sid:
> S-1-5-21-4050315045-3251428658-993335031-3123
> 
> "wbinfo -s S-1-5-21-4050315045-3251428658-993335031-3123" returns
> "smbtest" as expected.
> "wbinfo -n smbtest" returns that sid.
> Other users/sids work.
> 
> other stuff I've tried / observed:
> 
> "net ads testjoin" looks good.
> kerberos looks good.
> There are no local accounts within the idmap uid/gid range.
> "/var/lib/samba/winbindd_idmap.tdb" shows no new entries.
> I've restarted samba and winbindd, and the whole machine went down for
> a reboot, but I'm still getting the same behavior.
> 
> -- only config files below --
> smb.conf:
> 
> [global]
>         workgroup = DOMAIN
>         realm = DOMAIN
>         server string = samba server
>         interfaces = eth0
>         bind interfaces only = Yes
>         security = ADS
>         allow trusted domains = No
>         obey pam restrictions = Yes
>         pam password change = Yes
>         log level = 2 winbind:3 passdb:2 auth:2
>         log file = /var/log/samba/%m.log
>         socket options = TCP_noDELAY SO_RCVBUF=8192 SO_SNDBUF=8192
>         load printers = No
>         dns proxy = No
>         wins server = DC1
>         idmap backend = rid:BUILTIN=1000-9999, DOMAIN=10000-60000
>         idmap uid = 1000-60000
>         idmap gid = 1000-60000
>         template homedir = /home/%U
>         template shell = /bin/bash
>         winbind separator = /
>         winbind use default domain = Yes
>         winbind nested groups = Yes
>         hosts allow = 192.168.1.0/255.255.255.0, 127.
>         hosts deny = 0.0.0.0/0.0.0.0
> 
> [homes]
>         comment = Home Directory
>         path = /home/%U
>         read only = No
>         create mask = 0640
>         directory mask = 0750
>         browseable = No
> 
> /end smb.conf
> 
> /etc/nsswitch.conf:
> 
> passwd:         compat winbind
> group:          compat winbind
> shadow:         compat winbind
> hosts:          files dns mdns
> networks:       files
> protocols:      db files
> services:       db files
> ethers:         db files
> rpc:            db files
> netgroup:       nis
> 
> /end nsswitch.conf
> 
> -- 
> Noah Dain
> "The beatings will continue, until moral improves" - the Management
-- 
Fernando Ruza (fernandor at sescam.jccm.es)
Dto. Informatica
Hospital Univesitario de Guadalajara
Tfl: 949 209 215
     661 123 845
Linux user: #273644 (http://counter.li.org)
Debian Sid (Kernel 2.6.14.3 & ext3)
-------------------------------------------------------------------
Please do NOT use proprietary file formats for exchanging
documents, such as DOC and XLS, but rather HTML, RTF, TXT, CSV or
any other format that does not require using a program from a
particular vendor. Thank you.

