[Samba] AD integration: "getent passwd" can't see *new* users, but "wbinfo -u" can

Noah Dain noahdain at gmail.com
Sun Jul 29 18:52:43 GMT 2007


On 7/19/07, Fernando Ruza <fernandor at sescam.jccm.es> wrote:
> Did you solve it? I have a similar problem. wbinfo -u gives me a user,
> however when I look for it with getent passwd it doesn't appear. With
> other users everything is correct.
>
> Thanks,
>
> Fernando.

IIRC, it was idiocy on my part.  All I had to do was change the 'idmap
backend' to:

idmap backend = rid:DOMAIN=10000-60000, rid:BUILTIN=1000-9999

and things started working again.
>
>
> > On Mon, 12-02-2007 at 01:17 -0500, Noah Dain wrote:
> > I have two different systems (on different networks) showing this
> > behavior.  Both are running Ubuntu Dapper/6.06.1 LTS with samba version
> > 3.0.22 and windows 2003 sp1 servers (not R2).  AD integration is done
> > via winbind, with nss using winbind.  At some point in time (which is
> > unknown to me), the samba server stopped seeing new users, groups,
> > machines which are added to AD.
> >
> > scenario:
> > I add a new user to AD, say "smbtest".  I then look for the user with
> > "wbinfo -u", and it shows up.  However, it does not show up with
> > "getent passwd" (same for groups, "getent group").  If I try to map a
> > share to a drive letter, it goes something like this:
> >
> > C:\WINDOWS>net use h: \\SAMBASRV\smbtest /user:DOMAIN\smbtest password
> >
> > System error 1326 has occurred.
> >
> >
> > Logon failure: unknown user name or bad password.
> >
> > (The same results occur for existing shares, so it's not from lack of
> > a home directory)
> >
> > Of particular interest is log.winbindd-idmap.  Whenever I try to
> > connect as the user smbtest to their home directory or another share,
> > this is logged here several times:
> >
> > [2007/02/11 20:45:40, 0] sam/idmap_rid.c:rid_idmap_get_id_from_sid(485)
> >   rid_idmap_get_id_from_sid: no suitable range available for sid:
> > S-1-5-21-4050315045-3251428658-993335031-3123
> >
> > "wbinfo -s S-1-5-21-4050315045-3251428658-993335031-3123" returns
> > "smbtest" as expected.
> > "wbinfo -n smbtest" returns that sid.
> > Other users/sids work.
> >
> > other stuff I've tried / observed:
> >
> > "net ads testjoin" looks good.
> > kerberos looks good.
> > There are no local accounts within the idmap uid/gid range.
> > "/var/lib/samba/winbindd_idmap.tdb" shows no new entries.
> > I've restarted samba and winbindd, and the whole machine went down for
> > a reboot, but I'm still getting the same behavior.
> >
> > -- only config files below --
> > smb.conf:
> >
> > [global]
> >         workgroup = DOMAIN
> >         realm = DOMAIN
> >         server string = samba server
> >         interfaces = eth0
> >         bind interfaces only = Yes
> >         security = ADS
> >         allow trusted domains = No
> >         obey pam restrictions = Yes
> >         pam password change = Yes
> >         log level = 2 winbind:3 passdb:2 auth:2
> >         log file = /var/log/samba/%m.log
> >         socket options = TCP_noDELAY SO_RCVBUF=8192 SO_SNDBUF=8192
> >         load printers = No
> >         dns proxy = No
> >         wins server = DC1
> >         idmap backend = rid:BUILTIN=1000-9999, DOMAIN=10000-60000
> >         idmap uid = 1000-60000
> >         idmap gid = 1000-60000
> >         template homedir = /home/%U
> >         template shell = /bin/bash
> >         winbind separator = /
> >         winbind use default domain = Yes
> >         winbind nested groups = Yes
> >         hosts allow = 192.168.1.0/255.255.255.0, 127.
> >         hosts deny = 0.0.0.0/0.0.0.0
> >
> > [homes]
> >         comment = Home Directory
> >         path = /home/%U
> >         read only = No
> >         create mask = 0640
> >         directory mask = 0750
> >         browseable = No
> >
> > /end smb.conf
> >
> > /etc/nsswitch.conf:
> >
> > passwd:         compat winbind
> > group:          compat winbind
> > shadow:         compat winbind
> > hosts:          files dns mdns
> > networks:       files
> > protocols:      db files
> > services:       db files
> > ethers:         db files
> > rpc:            db files
> > netgroup:       nis
> >
> > /end nsswitch.conf
> >
> > --
> > Noah Dain
> > "The beatings will continue, until morale improves" - the Management
> --
> Fernando Ruza (fernandor at sescam.jccm.es)
> IT Department
> Hospital Universitario de Guadalajara
> Tel: 949 209 215
>      661 123 845
> Linux user: #273644 (http://counter.li.org)
> Debian Sid (Kernel 2.6.14.3 & ext3)
> -------------------------------------------------------------------
> Please do NOT use proprietary file formats such as DOC and XLS for
> exchanging documents; use HTML, RTF, TXT, CSV or any other format that
> does not force the recipient to use a particular vendor's program.
> Thank you.
>


-- 
Noah Dain
"The beatings will continue, until morale improves" - the Management
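The fix above comes down to the shape of the idmap backend line: with the "rid" backend every domain entry has to carry its own rid: prefix, and the uid winbind hands out is the bottom of that domain's range plus the account's RID. The script below is an added example in POSIX shell, written for this page; it is not Samba code and not something either poster ran. It assumes an entry is well-formed only when it reads exactly rid:NAME=LOW-HIGH (the form that worked in the thread), that uid = LOW + RID, that a RID whose uid would land above HIGH gets the "no suitable range available" error seen in log.winbindd-idmap, and that every rid: range must sit inside the "idmap uid" window. The domain name is passed in by the caller rather than resolved from the SID. The SID and both idmap backend lines are constructed from the thread so the script runs offline.

```shell
#!/bin/sh
# Added example, not from Samba or from the thread: redo the arithmetic of the
# "rid" idmap backend in shell so an smb.conf idmap line can be checked offline.
# Assumptions: entries must look exactly like rid:NAME=LOW-HIGH; uid = LOW + RID;
# a RID whose uid would exceed HIGH has "no suitable range"; rid: ranges must lie
# inside "idmap uid". The caller supplies the domain name for a SID.

is_number() { case "$1" in ''|*[!0-9]*) return 1 ;; esac; }

# Print one "NAME LOW HIGH" line per well-formed entry (comma or space separated).
# Anything else, e.g. an entry missing its rid: prefix, is reported on stderr,
# skipped, and makes the function return 1.
parse_rid_ranges() {
    _rc=0
    for _entry in $(printf '%s' "$1" | tr ',' ' '); do
        case "$_entry" in
            rid:*=*-*) ;;
            *) echo "malformed entry (expected rid:NAME=LOW-HIGH): $_entry" >&2
               _rc=1; continue ;;
        esac
        _body=${_entry#rid:}
        _name=${_body%%=*}
        _range=${_body#*=}
        _low=${_range%-*}
        _high=${_range#*-}
        if ! is_number "$_low" || ! is_number "$_high" || [ "$_low" -ge "$_high" ]; then
            echo "malformed range in entry: $_entry" >&2
            _rc=1; continue
        fi
        printf '%s %s %s\n' "$_name" "$_low" "$_high"
    done
    return $_rc
}

# Map SID's RID into the range configured for DOMAIN. Echoes the uid; on
# failure prints a message modelled on the winbindd-idmap log line and returns 1.
rid_to_uid() {
    _backend=$1; _domain=$2; _sid=$3
    case "$_sid" in S-1-*-*) ;; *) echo "not a SID: $_sid" >&2; return 1 ;; esac
    _rid=${_sid##*-}
    is_number "$_rid" || { echo "not a SID: $_sid" >&2; return 1; }
    _range=$(parse_rid_ranges "$_backend" 2>/dev/null | while read -r _n _l _h; do
                 if [ "$_n" = "$_domain" ]; then printf '%s %s\n' "$_l" "$_h"; fi
             done)
    set -- $_range          # first matching "LOW HIGH" pair, if any
    _low=$1; _high=$2
    if [ -z "$_low" ]; then
        echo "no suitable range available for sid: $_sid (no rid: entry for $_domain)" >&2
        return 1
    fi
    _uid=$((_low + _rid))
    if [ "$_uid" -gt "$_high" ]; then
        echo "no suitable range available for sid: $_sid (RID $_rid overflows $_domain=$_low-$_high)" >&2
        return 1
    fi
    echo "$_uid"
}

# Every rid: range has to fit inside "idmap uid = LOW-HIGH" (same for idmap gid);
# list the ones that do not and return 1.
rid_ranges_within_idmap() {
    _backend=$1; _idmap=$2
    _ilow=${_idmap%-*}; _ihigh=${_idmap#*-}
    _bad=$(parse_rid_ranges "$_backend" 2>/dev/null | while read -r _n _l _h; do
               if [ "$_l" -lt "$_ilow" ] || [ "$_h" -gt "$_ihigh" ]; then
                   printf '%s=%s-%s lies outside idmap uid %s\n' "$_n" "$_l" "$_h" "$_idmap"
               fi
           done)
    [ -z "$_bad" ] || { echo "$_bad" >&2; return 1; }
}

# Constructed inputs taken from the thread: the failing SID and both idmap lines.
SID='S-1-5-21-4050315045-3251428658-993335031-3123'
BROKEN='rid:BUILTIN=1000-9999, DOMAIN=10000-60000'   # DOMAIN entry lacks rid:
FIXED='rid:DOMAIN=10000-60000, rid:BUILTIN=1000-9999'
IDMAP_UID='1000-60000'

echo '--- broken line ---'
parse_rid_ranges "$BROKEN" || echo '(DOMAIN entry rejected)'
rid_to_uid "$BROKEN" DOMAIN "$SID" || true           # reproduces the log message
echo '--- fixed line ---'
rid_ranges_within_idmap "$FIXED" "$IDMAP_UID" && echo 'rid ranges fit idmap uid'
rid_to_uid "$FIXED" DOMAIN "$SID"                    # 13123
rid_to_uid "$FIXED" BUILTIN 'S-1-5-32-544'           # 1544 (BUILTIN Administrators)
```

Run it as a sanity check before restarting winbindd: a domain entry that the parser rejects, or a computed uid that overflows its range, is exactly the condition behind "no suitable range available for sid". It does not explain why the poster's older users kept working; that is consistent with their mappings already being cached in winbindd_idmap.tdb, which this script does not look at.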

