[Samba] winbind ADS getent passwd fails, getent passwd <username> works, getent group gives partial list

Jim Stalewski JStalewski at VisaLighting.com
Fri Jul 23 16:50:00 MDT 2010

I have the following configuration:

SuSE Linux Enterprise 11, X86_64
Packages installed with SLES11 or updated from SLES update repo:
Samba 3.2.7-11.20.1  
MIT Kerberos 5  1.6.3-133.33.1  
OpenLDAP 2.4.12-7.18.1
Cyrus SASL 2.1.22-182.20.1

Have one server set up joined to AD (Win2K3 R2) domain as a member
server, based primarily on scottlowe's blog instructions. Trying to get
a 2nd SLES11 X86_64 server to behave the same way as the first.

Using idmap backend ad with schema_mode rfc2307.  Winbind enum users and
enum groups both set to "yes".

Except for the server name, smb.conf, ldap.conf, nsswitch.conf and pam.d
configurations are all the same.  I am not running nscd.
I am starting nmb, smb and winbind.  Both servers are joined to AD.
Kerberos authentication appears to work fine on both (can kinit whatever
user I want in the realm.)  LDAP browse of AD works fine on both
servers, and the LDAP password defined in ldap.conf (and ldap.secret)
for the ldap bind users is the same on both.

On the first, working server:
wbinfo -u and wbinfo -g enumerate all AD users and groups.
getent passwd enumerates all local and all AD users.  Users without a UID
already assigned get one assigned from the range in the idmap config
for the domain.
getent group enumerates all local and AD groups.  Groups without a GID
already assigned get one assigned from the range in the idmap config
for the domain.

On the second server, set up exactly the same way as the first:
wbinfo -u and wbinfo -g both work - enumerate all AD users and AD
getent passwd only enumerates local users
getent passwd <username> enumerates the named AD user
getent group enumerates local users plus a few AD groups from one OU.

I can sign on to the 2nd server using AD credentials, but cannot assign
ACL filesystem permissions to AD users or groups.

Have tried uninstalling, reinstalling, upgrading, downgrading, leaving AD,
joining AD, all sorts of things, to no avail.  Monkeyed around with
kerberos keytabs, ldap config, nsswitch config, krb5 config, samba
config, and have only succeeded in making things worse until I bring them
back in line with the configuration of the first server.

I need getent to enumerate AD users and groups so I can assign
filesystem ACLs.

Did strace -ov getent passwd on both working and non-working systems.
Everything matches up until it tries to open a socket on
/tmp/.winbindd/pipe - on the working system it returns 0 and continues
on to open a socket on /var/lib/samba/winbindd_privileged/pipe and then
enumerate the users.  On the non-working system it returns -1
ECONNREFUSED and does not continue on to the privileged pipe.

Where should I be looking to resolve this issue?  If you would like me
to post any log entries or configuration files please let me know.

I have tried upgrading the 2nd server to the latest build, binaries
obtained from the OpenSUSE build service for SLES11 X86_64 but had no
luck.  The idmap setup has changed too much between 3.2.7 and 3.5.4 for
me to make much sense of it, and since we have a multi-domain forest,
losing the "idmap domains" directive seemed to make it a crap-shoot as
to what domain it tried to enumerate using wbinfo - and getent still
failed to enumerate anything.  I even tried the idmap_adex module, which
looked promising but appears to be on its way out for some reason, but
that didn't work for me either.  I just need to get what I know should
work, to work on more than one server...  I also tried a build of 3.4.3,
again from the OpenSUSE build service, with mixed results, before
falling back to 3.2.7.

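The strace comparison described in the post, turned into a repeatable check. This is an added example, not code from the post or from Samba: it classifies the connect() to the winbindd pipe in an strace log so the working and non-working hosts (and different winbind clients on one host, such as getent and wbinfo) can be compared side by side. The strace excerpts embedded below are constructed to mirror the two behaviours the post describes, not real captures.

```shell
#!/bin/sh
# Classify the winbindd connect() attempt in an strace log of a winbind client.
# Capture with, for example:   strace -f -o getent.trace getent passwd
# and for comparison:          strace -f -o wbinfo.trace wbinfo -u
# then feed each file's contents to the functions below.

# Constructed strace excerpts (not real captures), modelled on the working
# host (connect returns 0, then the privileged pipe) and the broken host
# (connect returns -1 ECONNREFUSED) from the post.
WORKING_TRACE='socket(PF_FILE, SOCK_STREAM, 0) = 3
connect(3, {sa_family=AF_FILE, path="/tmp/.winbindd/pipe"}, 110) = 0
connect(4, {sa_family=AF_FILE, path="/var/lib/samba/winbindd_privileged/pipe"}, 110) = 0'
BROKEN_TRACE='socket(PF_FILE, SOCK_STREAM, 0) = 3
connect(3, {sa_family=AF_FILE, path="/tmp/.winbindd/pipe"}, 110) = -1 ECONNREFUSED (Connection refused)'

# First connect() line that targets a winbindd pipe (public or privileged).
first_pipe_connect() {
    printf '%s\n' "$1" | grep 'connect(.*winbindd[_a-z]*/pipe' | head -n 1 || true
}

# Socket path the client tried, e.g. /tmp/.winbindd/pipe.  Two winbind
# clients on one host should normally agree on this; a mismatch between
# the getent trace and the wbinfo trace is worth checking.
winbind_pipe_path() {
    first_pipe_connect "$1" | sed -n 's/.*path="\([^"]*\)".*/\1/p'
}

# Outcome of that connect(): ok, refused, missing (no attempt) or error.
# ECONNREFUSED on a UNIX socket means the socket file exists but no
# process is accepting on it; an absent file gives ENOENT instead.
winbind_pipe_status() {
    line=$(first_pipe_connect "$1")
    case "$line" in
        '')              echo missing ;;
        *ECONNREFUSED*)  echo refused ;;
        *'= 0')          echo ok ;;
        *)               echo error ;;
    esac
}

# report LABEL TRACE: one summary line per trace.
report() {
    printf '%s: path=%s status=%s\n' "$1" \
        "$(winbind_pipe_path "$2")" "$(winbind_pipe_status "$2")"
}

report working "$WORKING_TRACE"
report broken "$BROKEN_TRACE"
```

To compare real hosts, replace the constructed strings with `"$(cat getent.trace)"` and `"$(cat wbinfo.trace)"`.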
