[Samba] AD integration: "getent passwd" can't see *new* users, but "wbinfo -u" can
Noah Dain
noahdain at gmail.com
Sun Jul 29 18:52:43 GMT 2007
On 7/19/07, Fernando Ruza <fernandor at sescam.jccm.es> wrote:
> Did you solve it? I have a similar problem. wbinfo -u gives me a user,
> however when I look for it with getent passwd it doesn't appear. With
> other users everything is correct.
>
> Thanks,
>
> Fernando.
iirc, it was idiocy on my part. All I had to do was change the 'idmap
backend' to:

    idmap backend = rid:DOMAIN=10000-60000, rid:BUILTIN=1000-9999

and things started working again.
>
>
> On Mon, 12-02-2007 at 01:17 -0500, Noah Dain wrote:
> > I have two different systems (on different networks) showing this
> > behavior. Both are running Ubuntu Dapper/606.1 LTS with samba version
> > 3.0.22 and windows 2003 sp1 servers (not R2). AD integration is done
> > via winbind, with nss using winbind. At some point in time (which is
> > unknown to me), the samba server stopped seeing new users, groups,
> > machines which are added to AD.
> >
> > scenario:
> > I add a new user to AD, say "smbtest". I then look for the user with
> > "wbinfo -u", and it shows up. However, it does not show up with
> > "getent passwd" (same for groups, "getent group"). If I try to map a
> > share to a drive letter, it goes something like this:
> >
> > C:\WINDOWS>net use h: \\SAMBASRV\smbtest /user:DOMAIN\smbtest password
> >
> > System error 1326 has occurred.
> >
> >
> > Logon failure: unknown user name or bad password.
> >
> > (The same results occur for existing shares, so it's not from lack of
> > a home directory)
> >
> > Of particular interest is log.winbindd-idmap. Whenever I try to
> > connect as the user smbtest to their home directory or another share,
> > this is logged here several times:
> >
> > [2007/02/11 20:45:40, 0] sam/idmap_rid.c:rid_idmap_get_id_from_sid(485)
> > rid_idmap_get_id_from_sid: no suitable range available for sid:
> > S-1-5-21-4050315045-3251428658-993335031-3123
> >
> > "wbinfo -s S-1-5-21-4050315045-3251428658-993335031-3123" returns
> > "smbtest" as expected.
> > "wbinfo -n smbtest" returns that sid.
> > Other users/sids work.
> >
> > other stuff I've tried / observed:
> >
> > "net ads testjoin" looks good.
> > kerberos looks good.
> > There are no local accounts within the idmap uid/gid range.
> > "/var/lib/samba/winbindd_idmap.tdb" shows no new entries.
> > I've restarted samba and winbindd, and the whole machine went down for
> > a reboot, but I'm still getting the same behavior.
> >
> > -- only config files below --
> > smb.conf:
> >
> > [global]
> > workgroup = DOMAIN
> > realm = DOMAIN
> > server string = samba server
> > interfaces = eth0
> > bind interfaces only = Yes
> > security = ADS
> > allow trusted domains = No
> > obey pam restrictions = Yes
> > pam password change = Yes
> > log level = 2 winbind:3 passdb:2 auth:2
> > log file = /var/log/samba/%m.log
> > socket options = TCP_noDELAY SO_RCVBUF=8192 SO_SNDBUF=8192
> > load printers = No
> > dns proxy = No
> > wins server = DC1
> > idmap backend = rid:BUILTIN=1000-9999, DOMAIN=10000-60000
> > idmap uid = 1000-60000
> > idmap gid = 1000-60000
> > template homedir = /home/%U
> > template shell = /bin/bash
> > winbind separator = /
> > winbind use default domain = Yes
> > winbind nested groups = Yes
> > hosts allow = 192.168.1.0/255.255.255.0, 127.
> > hosts deny = 0.0.0.0/0.0.0.0
> >
> > [homes]
> > comment = Home Directory
> > path = /home/%U
> > read only = No
> > create mask = 0640
> > directory mask = 0750
> > browseable = No
> >
> > /end smb.conf
> >
> > /etc/nsswitch.conf:
> >
> > passwd: compat winbind
> > group: compat winbind
> > shadow: compat winbind
> > hosts: files dns mdns
> > networks: files
> > protocols: db files
> > services: db files
> > ethers: db files
> > rpc: db files
> > netgroup: nis
> >
> > /end nsswitch.conf
> >
> > --
> > Noah Dain
> > "The beatings will continue, until morale improves" - the Management
> --
> Fernando Ruza (fernandor at sescam.jccm.es)
> Dto. Informatica
> Hospital Univesitario de Guadalajara
> Tfl: 949 209 215
> 661 123 845
> Linux user: #273644 (http://counter.li.org)
> Debian Sid (Kernel 2.6.14.3 & ext3)
> -------------------------------------------------------------------
> Please do NOT use proprietary file formats such as DOC and XLS for
> exchanging documents; use HTML, RTF, TXT, CSV or any other format that
> does not force the use of a program from a particular vendor.
> Thank you.
>
--
Noah Dain
"The beatings will continue, until morale improves" - the Management
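An added example, not part of the original thread or of Samba: a small Python parser that pulls the "no suitable range available for sid" entries out of log.winbindd-idmap and groups the unmapped RIDs by domain SID, so you can see which domain's accounts winbind is failing to map. The sample log is constructed from the entry quoted above, and the function name `unmapped_sids` is hypothetical.

```python
import re
from collections import defaultdict

# Samba log entry header: "[YYYY/MM/DD HH:MM:SS, level] file:function(line)"
HEADER = re.compile(r"^\[(\d{4}/\d\d/\d\d \d\d:\d\d:\d\d),\s*\d+\]")
# Message text as it appears in the entry quoted in the thread.
UNMAPPED = re.compile(r"no suitable range available for sid:\s*(S-\d+(?:-\d+)+)")

# Constructed sample, modelled on the log entry quoted in the thread. The
# RID 3124 entry and the "unrelated" entry are invented for illustration.
SAMPLE_LOG = """\
[2007/02/11 20:45:40, 0] sam/idmap_rid.c:rid_idmap_get_id_from_sid(485)
  rid_idmap_get_id_from_sid: no suitable range available for sid:
  S-1-5-21-4050315045-3251428658-993335031-3123
[2007/02/11 20:45:41, 0] sam/idmap_rid.c:rid_idmap_get_id_from_sid(485)
  rid_idmap_get_id_from_sid: no suitable range available for sid:
  S-1-5-21-4050315045-3251428658-993335031-3123
[2007/02/11 20:46:02, 3] constructed/unrelated.c:example(1)
  constructed unrelated entry
[2007/02/11 20:47:15, 0] sam/idmap_rid.c:rid_idmap_get_id_from_sid(485)
  rid_idmap_get_id_from_sid: no suitable range available for sid: S-1-5-21-4050315045-3251428658-993335031-3124
"""

def unmapped_sids(log_text):
    """Return {domain_sid: {rid: timestamp of last failure}}."""
    entries = []  # [timestamp, message text joined across wrapped lines]
    for line in log_text.splitlines():
        header = HEADER.match(line)
        if header:
            entries.append([header.group(1), ""])
        elif entries:
            entries[-1][1] += " " + line.strip()
    failures = defaultdict(dict)
    for stamp, message in entries:
        hit = UNMAPPED.search(message)
        if hit:
            # Split "S-1-5-21-<domain>-<rid>" into domain SID and RID.
            domain_sid, _, rid = hit.group(1).rpartition("-")
            failures[domain_sid][int(rid)] = stamp
    return dict(failures)

if __name__ == "__main__":
    for domain_sid, rids in unmapped_sids(SAMPLE_LOG).items():
        print(domain_sid, "unmapped RIDs:", sorted(rids))
```

Each SID it reports can then be checked with "wbinfo -s" as in the original post.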