[Samba] Interdomain Trust, wbinfo works on both servers, getent doesn't work on one server

Robert Fraser rab.fraser at gmail.com
Thu Jul 17 01:06:48 GMT 2008 

Hi

I have a problem with an interdomain trust where on the PDC for DomainA,
everything works perfectly.  getent returns local and DomainB usernames.

On the PDC for DomainB, it's DomainB works fine, but getent only returns
local usernames and groups, it doesn't return the usernames or groups for
DomainA.  wbinfo -u and wbinfo -g work fine and return all DomainA's
usernames and groups.

This means that I can set permissions for DomainB staff on DomainA, and they
can successfully map shares and access files on DomainA.

I can't set permissions for DomainA staff on DomainB, and DomainA staff
cannot access DomainB using their own username and password :-(

I initially tried with a single WINS server on PDCA, then local WINS servers
with static pointers to the other Domain and PDC.  The behaviour was the
same as above for both configurations of WINS.

Given that wbinfo is working, is there a misconfiguration or a corrupted
database somewhere that is stopping getent working?


ServerA (PDC for DomainA)

Ubuntu 6.06 LTS

/etc/samba/smb.conf
#======================= Global Settings =======================
[global]
  workgroup = DOMAINA
  wins support = yes
  netbios name = SERVERA
  host msdfs = yes
  time server = yes

#### Networking ####
   interfaces = 127.0.0.0/8 192.168.2.1
   bind interfaces only = true
   name resolve order = wins bcast hosts
####### Authentication #######
;   security = user
  encrypt passwords = true
  passdb backend = tdbsam
  obey pam restrictions = yes
  unix password sync = yes
########## Domains ###########
  domain logons = yes
  logon drive = M:
  logon path = \\%N\profiles\%U
  logon script = %U.cmd
  domain master = yes
  preferred master = yes

  enable privileges = yes

  #
  # Winbind
  #
  idmap uid = 10000-20000
  idmap gid = 10000-20000
  template shell = /bin/bash


ServerB (PDC for DomainB)

Ubuntu 8.04 LTS

#======================= Global Settings =======================
[global]
  workgroup = DOMAINB
  time server = yes
  netbios name = SERVERB
#### Networking ####
   interfaces = 127.0.0.0/8 192.168.3.0/24
   bind interfaces only = true
  wins support = no
 wins server = 192.168.2.1
name resolve order = wins bcast hosts

####### Authentication #######
;   security = user
  encrypt passwords = true
  passdb backend = tdbsam
  obey pam restrictions = yes
  unix password sync = yes
########## Domains ###########
  domain logons = yes
  logon drive = M:
  logon path = \\%N\profiles\%U
  logon script = %U.cmd
  domain master = yes
  preferred master = yes

  enable privileges = yes

  host msdfs = yes

  # Winbind
  #
  idmap uid = 30000-40000
  idmap gid = 30000-40000
  template shell = /bin/bash
  winbind enum users = yes
  winbind enum groups = yes


ServerB's /var/log/samba/log.winbindd log shows

[2008/07/17 12:12:18, 3] nsswitch/winbindd_misc.c:winbindd_ping(470)
  [10049]: ping
[2008/07/17 12:15:44, 3]
nsswitch/winbindd_misc.c:winbindd_interface_version(491)
  [10059]: request interface version
[2008/07/17 12:15:44, 3]
nsswitch/winbindd_misc.c:winbindd_priv_pipe_dir(524)
  [10059]: request location of privileged pipe
[2008/07/17 12:15:44, 3] nsswitch/winbindd_group.c:winbindd_getgroups(1273)
  [10059]: getgroups root
[2008/07/17 12:15:44, 3] nsswitch/winbindd_sid.c:winbindd_gid_to_sid(477)
  [ 6180]: gid to sid 0
[2008/07/17 12:15:45, 3]
nsswitch/winbindd_misc.c:winbindd_interface_version(491)
  [10061]: request interface version
[2008/07/17 12:15:45, 3]
nsswitch/winbindd_misc.c:winbindd_priv_pipe_dir(524)
  [10061]: request location of privileged pipe
[2008/07/17 12:15:45, 3] nsswitch/winbindd_group.c:winbindd_getgroups(1273)
  [10061]: getgroups root
[2008/07/17 12:16:09, 3]
nsswitch/winbindd_misc.c:winbindd_interface_version(491)
  [10075]: request interface version
[2008/07/17 12:16:09, 3]
nsswitch/winbindd_misc.c:winbindd_priv_pipe_dir(524)
  [10075]: request location of privileged pipe
[2008/07/17 12:16:09, 3]
nsswitch/winbindd_user.c:winbindd_setpwent_internal(445)
  [10075]: setpwent
[2008/07/17 12:16:09, 3] nsswitch/winbindd_user.c:winbindd_getpwent(636)
  [10075]: getpwent
[2008/07/17 12:16:09, 3] nsswitch/winbindd_rpc.c:query_user_list(46)
  rpc: query_user_list
[2008/07/17 12:16:10, 1] nsswitch/winbindd_user.c:winbindd_fill_pwent(85)
  error getting user id for sid
S-1-5-21-2824201121-3407686785-855272569-1010
[2008/07/17 12:16:10, 1] nsswitch/winbindd_user.c:winbindd_getpwent(728)
  could not lookup domain user user1
[2008/07/17 12:16:10, 1] nsswitch/winbindd_user.c:winbindd_fill_pwent(85)
  error getting user id for sid S-1-5-21-2824201121-3407686785-855272569-501
[2008/07/17 12:16:10, 1] nsswitch/winbindd_user.c:winbindd_getpwent(728)
  could not lookup domain user user2
etc etc through all the users

There are quite a few of these as I suppose individual DomainA users try to
access ServerB:

  [20557]: getpwnam user3
[2008/07/16 11:54:09, 3] nsswitch/winbindd_user.c:winbindd_getpwnam(346)
  [20557]: getpwnam USER3
[2008/07/16 11:54:09, 3] nsswitch/winbindd_misc.c:winbindd_ping(470)
  [20557]: ping
[2008/07/16 11:54:10, 3]
nsswitch/winbindd_misc.c:winbindd_interface_version(491)
  [20558]: request interface version
[2008/07/16 11:54:10, 3]
nsswitch/winbindd_misc.c:winbindd_priv_pipe_dir(524)
  [20558]: request location of privileged pipe
[2008/07/16 11:54:10, 3]
nsswitch/winbindd_pam.c:winbindd_pam_auth_crap(1685)
  [20558]: pam auth crap domain: [DOMAINA] user: user3
[2008/07/16 11:54:10, 3]
nsswitch/winbindd_misc.c:winbindd_interface_version(491)
  [20558]: request interface version
[2008/07/16 11:54:10, 3]
nsswitch/winbindd_misc.c:winbindd_priv_pipe_dir(524)
  [20558]: request location of privileged pipe
[2008/07/16 11:54:10, 3] nsswitch/winbindd_user.c:winbindd_getpwnam(346)
  [20558]: getpwnam domaina\user3
[2008/07/16 11:54:10, 3] nsswitch/winbindd_user.c:winbindd_getpwnam(346)
  [20558]: getpwnam DOMAINA\user3
[2008/07/16 11:54:10, 3] nsswitch/winbindd_user.c:winbindd_getpwnam(346)
  [20558]: getpwnam DOMAINA\USER3
[2008/07/16 11:54:10, 3] nsswitch/winbindd_user.c:winbindd_getpwnam(346)
  [20558]: getpwnam user3
[2008/07/16 11:54:10, 3] nsswitch/winbindd_user.c:winbindd_getpwnam(346)
  [20558]: getpwnam USER3


I can supply any other logs if required

Thanks for any help or pointers.
Rob

More information about the samba mailing list