[Samba] wbinfo messed up (was Re: Anyone try 'ssh server" and get "Password for DOMAIN\USER:>>")

Gaiseric Vandal gaiseric.vandal at gmail.com
Fri Jun 25 16:04:16 MDT 2010



If wbinfo -s and wbinfo -n both show the same uid-sid mappings then 
winbind itself should be ok.

# wbinfo -n jsmith
S-1-5-21-xxxx-xxxx-xxxx-1234 User (1)


# wbinfo -s S-1-5-21-xxxx-xxxx-xxxx-1234
MYDOMAIN\jsmith 1
#

Do "getent passwd" and "getent group" return "Windows" users?
Does "id MYDOMAIN\jsmith"

If not you may be missing the libnss_winbind or nss_winbind file in 
/usr/lib (or /usr/local/lib) depending on OS and where samba was installed.

The group thing is weird.  "wbinfo -g" shows more groups than "net rpc 
group list".  But "wbinfo -g" shows groups from trusted domains and the 
BUILTIN domain.  I would check the results of "net groupmap list".  Make 
sure that Domain Users and Domain Administrators are mapped.





On 06/25/2010 03:59 PM, Linda W wrote:
> Gaiseric Vandal wrote:
>> IS the Samba server the PDC?  Do you have local unix accounts on it?
> (yes, yes)..
>> I might be wrong  but couldn't you modify /etc/nsswitch.conf to use
>>
>>     passwd:         files winbind
>>     group:          files winbind
>>
>> instead?
>
>
> -----------
>
> I tried this -- but then I couldn't log in at all!
> I'm thinking my winbind is screwy -- that may be all or part of the 
> problem.
> Symptoms:
>
>> wbinfo -u  shows: lindaw  (my user name)
>
> wbinfo -n lindaw returns:  (expected)
>  S-1-5-21-33333-77777-33333-80026 SID_USER (1)
>
>  BUT:
> wbinfo -i lindaw     says:     "Could not get info for user lindaw"
>
> wbinfo --own-domain    returns: "BLISS"
> wbinfo --ping-dc    returns: "checking the NETLOGON dc connection 
> succeeded"
>  BUT:
> wbinfo --dsgetdcname=BLISS returns:
>                    "Could not find dc for BLISS"
> wbinfo -m
>  BUILTIN
>  BLISS
> wbinfo -m
> wbinfo --sid-aliases=S-1-5-21-33333-77777-33333-80026
> 80026
>
> wbinfo --user-sids=S-1-5-21-33333-77777-33333-80026
> Could not get group SIDs for user SID S-1-5-21-33333-77777-33333-80026
>
> ---
> So it has partial information, but can't give info on me, can't verify
> passwords, can't give groups, but maps user id's...
>
> It DOESN'T show the same groups as "net rpc groups list" -- it shows
> a *fraction* of what the net command shows -
> net rpc groups list shows 20 groups, wbinfo -g shows 8.
>
> Should these be close?  or the same?
> How can they be out of sync and if they should be the same, how
> do I resync them?
> Net groups shows the correct listing.
>
>
>
>
>
>
>>
>> On 06/25/2010 01:12 AM, L. A. Walsh wrote:
>>> I'm trying to use 'ssh' as a domain user from a workstation into my
>>> server.
>>>
>>> When I ssh as a non-domain user, it doesn't tack on a domain (or 
>>> workstation)
>>> name, so it just works, but when I log in from my Samba domain,
>>> it tacks it on (and the Linux security stuff doesn't like "domain\" 
>>> either).
>>>
>>> Should the pam_winbind module be able to authenticate this type of 
>>> user name against the domain?
>>>
>>> If not, is there a module that does?
>>>
>>> thanks,
>>> linda
>>>
>>
>
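
Added example, not part of the original thread: a shell script for the NSS-side checks suggested in the reply above (winbind listed for passwd and group in nsswitch.conf, and an NSS winbind library present in the library directory). The function names, the constructed demo file and the directories passed in are assumptions for illustration.

```shell
#!/bin/sh
# Added example: checks the NSS side of winbind (not from the original thread).

# nss_has_winbind DB FILE: succeed if the DB line (passwd, group) lists winbind.
nss_has_winbind() {
    awk -v db="$1:" '
        { sub(/#.*/, "") }    # ignore comments, so "# winbind" does not count
        $1 == db { for (i = 2; i <= NF; i++) if ($i == "winbind") found = 1 }
        END { exit !found }' "$2"
}

# find_nss_winbind DIR...: print the first NSS winbind library found, if any.
find_nss_winbind() {
    for dir in "$@"; do
        for lib in "$dir"/libnss_winbind.so* "$dir"/nss_winbind.so*; do
            if [ -e "$lib" ]; then echo "$lib"; return 0; fi
        done
    done
    return 1
}

# check_nss_wiring CONF DIR...: report each problem, return the problem count.
check_nss_wiring() {
    conf=$1; shift; problems=0
    for db in passwd group; do
        if ! nss_has_winbind "$db" "$conf"; then
            echo "MISSING: '$db' in $conf does not list winbind"
            problems=$((problems + 1))
        fi
    done
    if ! find_nss_winbind "$@" >/dev/null; then
        echo "MISSING: no libnss_winbind/nss_winbind library in: $*"
        problems=$((problems + 1))
    fi
    return "$problems"
}

# Demo on a constructed nsswitch.conf (group lacks winbind) and an empty lib dir.
demo=$(mktemp -d)
printf 'passwd: files winbind\ngroup: files\n' > "$demo/nsswitch.conf"
check_nss_wiring "$demo/nsswitch.conf" "$demo" || echo "problems found: $?"
rm -rf "$demo"

# Live run (directories depend on the OS and where Samba was installed):
#   check_nss_wiring /etc/nsswitch.conf /usr/lib /usr/local/lib
#   getent passwd 'MYDOMAIN\jsmith'; id 'MYDOMAIN\jsmith'
```

If both checks pass but getent still returns no domain users while wbinfo -n and wbinfo -s agree, the gap is between winbind and NSS rather than in winbind's SID mapping.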


