[Samba] new users not seen with getent passwd

Rowland Penny rowlandpenny at googlemail.com
Thu Nov 6 06:32:29 MST 2014


On 06/11/14 12:48, Stefan Kania wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Am 06.11.2014 um 12:10 schrieb Rowland Penny:
>> On 06/11/14 10:48, Stefan Kania wrote: Hi Rowland,
>>
>> Am 06.11.2014 um 11:06 schrieb Rowland Penny:
>>>>> On 06/11/14 09:22, Stefan Kania wrote: Hello,
>>>>>
>>>>> I migrated a samba3 with openLDAP to Samba 4 (sernet package
>>>>> 4.13). I can see all migrated users on all DCs and
>>>>> fileservers with "wbinfo -u" and "getent passwd" and all
>>>>> informations for a single user with "getent passwd
>>>>> <username>" and "wbinfo -i <username>".
>>>>>
>>>>> Now, after migration, if I create a new user, I can see the
>>>>> new user in the list of "wbinfo -u" on all systems. BUT I can
>>>>> only see the information with "wbinfo -u <newuser>" and
>>>>> "getent passwd <newuser> on the two DCs but not on the
>>>>> fileserver. The new user also not appears in the list when in
>>>>> use "getent passwd" on the fileserver. If I do a "getent
>>>>> passwd <newuser>" I get a empty line.
>>>>>
>>>>>> OK, how are you creating the new users ?
>> Either on the commandline with "samba-tool user create <newuser>"
>> or over the RSAT from a windows-machine.
>>
>>> Nothing strange there.
>>>>>> Also, lets see if I understand what you are saying: If you
>>>>>> run 'wbinfo -u' on ANY Linux machine in the domain, you get
>>>>>> a list of domain users, amongst which is your new user.
>> Yes
>>
>>>>>> If you run 'wbinfo -u <newuser>' on the DC, you get the
>>>>>> users info.
>> yes "wbinfo -i <newuser>" gets me the userinfos on any DC
>>
>>>>>> If you run 'wbinfo -u <newuser>' on the fileserver, you
>>>>>> get nothing.
>> Yes here I get nothing with "wbinfo -i <newuser>" only the
>> errormessage
>>
>>
>>>>>> Have you added 'winbind' to the passwd & group lines in
>>>>>> /etc/nssswitch.conf
>> Yes, otherwise I would not seen any user with "getent passwd"
>>
>>> Well, I had to ask :-)
> Thats right :-)
>>>>>> What OS is your DC running on, can you please post the
>>>>>> smb.conf from your DC.
>> It a Debian 7 with the new SerNet Package 4.13
>>
>> here is the smb.conf from a DC:
>>
>> ------- [global] workgroup = NTD realm = egf.ntd netbios name =
>> SVL-V-AD1 server role = active directory domain controller
>> idmap_ldb:use rfc2307 = yes dns forwarder = 192.168.0.248 wins
>> support = yes local master = yes load printers = no printing = bsd
>> printcap name = /dev/null disable spoolss = yes
>>
>> -------
>>
>>
>>> This is strange, the join must be correct or you wouldn't be able
>>> to see the original users.
> The whole behavior is strange.
>>> Try comparing users with:
>>> ldbedit -e nano -H /var/lib/samba/private/sam.ldb "cn=old user"
>>> and:
>>> ldbedit -e nano -H /var/lib/samba/private/sam.ldb "cn=new user"
> what is nano ;-)))
>
>>> Are they virtually the same ?
> Here is an old user:
> - ---------------
> # record 1
> dn: CN=gehu,OU=Benutzer,OU=Vertrieb,OU=egf,DC=egf,DC=ntd
> objectClass: top
> objectClass: posixAccount
> objectClass: person
> objectClass: organizationalPerson
> objectClass: user
> cn: gehu
> instanceType: 4
> whenCreated: 20141027112510.0Z
> whenChanged: 20141030093651.0Z
> displayName:: R2VvcmcgSMO8c2tlbg==
> uSNCreated: 3506
> uSNChanged: 3506
> name: gehu
> objectGUID: 6419b9d9-cdce-4c7f-8c99-04fabe8e7720
> userAccountControl: 512
> codePage: 0
> countryCode: 0
> homeDirectory: \\ds-wv\home
> homeDrive: Z:
> scriptPath: logonad1.cmd
> logonHours:: ////////////////////////////
> pwdLastSet: 130251724800000000
> primaryGroupID: 512
> profilePath: \\ds-wv\profiles\gehu\.smbprofile
> objectSid: S-1-5-21-4153561203-1678314553-2660673789-3000
> accountExpires: 9223372036854775807
> sAMAccountName: gehu
> sAMAccountType: 805306368
> objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=egf,DC=ntd
> msSFU30NisDomain: ntd
> uidNumber: 1000
> gidNumber: 2001
> unixHomeDirectory: /home/gehu
> loginShell: /bin/bash
> memberOf: CN=vertrieb,OU=Gruppen,OU=Vertrieb,OU=egf,DC=egf,DC=ntd
> memberOf: CN=etechnik,OU=Gruppen,OU=Vertrieb,OU=egf,DC=egf,DC=ntd
> memberOf: CN=ntcad,OU=Gruppen,OU=Werk,OU=egf,DC=egf,DC=ntd
> memberOf: CN=Domain Users,CN=Users,DC=egf,DC=ntd
> distinguishedName: CN=gehu,OU=Benutzer,OU=Vertrieb,OU=egf,DC=egf,DC=ntd
> - ---------------
> here a new one
>
> - ---------------
> dn: CN=ktom,CN=Users,DC=egf,DC=ntd
> objectClass: top
> objectClass: person
> objectClass: organizationalPerson
> objectClass: user
> cn: ktom
> instanceType: 4
> whenCreated: 20141106080926.0Z
> uSNCreated: 3924
> name: ktom
> objectGUID: 6e9fc028-64bb-4c9c-bcc3-31671d43b8ce
> badPwdCount: 0
> codePage: 0
> countryCode: 0
> badPasswordTime: 0
> lastLogoff: 0
> lastLogon: 0
> primaryGroupID: 513
> objectSid: S-1-5-21-4153561203-1678314553-2660673789-102270
> accountExpires: 9223372036854775807
> logonCount: 0
> sAMAccountName: ktom
> sAMAccountType: 805306368
> userPrincipalName: ktom at egf.ntd
> objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=egf,DC=ntd
> pwdLastSet: 130597349660000000
> userAccountControl: 512
> whenChanged: 20141106120920.0Z
> uSNChanged: 3935
> distinguishedName: CN=ktom,CN=Users,DC=egf,DC=ntd
> - --------------
> The main differece is that the old user has the two attributes
> "uidNumber" and "gidNumber" those are from the old samba3 I think. But
> I think these to attributes dosn't matter at all, because winbind on
> the fileserver will generate the uid over the RID.
> But I tried what's happend wenn I add these to attributes to the
> user-object. It's still the same, now result with "wbinfo -i"
>
> Stefan
>
>
>>> Rowland
>>
>>>>>> Rowland
>>>>> If I do a "wbinfo -i <newuser>" I get the following:
>>>>> --------- root at SVL-V-5:~# wbinfo -i ntd\\stka failed to call
>>>>> wbcGetpwnam: WBC_ERR_DOMAIN_NOT_FOUND Could not get info for
>>>>> user ntd\stka --------- For an migrated user I see the
>>>>> following: --------- root at SVL-V-5:~# wbinfo -i ntd\\bila
>>>>> NTD\bila:*:103216:100513:bila:/home/NTD/bila:/bin/bash
>>>>> ---------
>>>>>
>>>>> Here is the global-part of smb.conf of the fileserver:
>>>>> ---------- [global] workgroup = NTD realm = EGF.NTD security
>>>>> = ADS wins server = 192.168.0.230 registry shares = Yes
>>>>> template shell = /bin/bash winbind enum users = Yes winbind
>>>>> enum groups = Yes winbind refresh tickets = Yes idmap config
>>>>> ntd : backend = rid idmap config ntd : range = 100000-199999
>>>>> idmap config * : range = 1000000-1999999 idmap config * :
>>>>> backend = tdb map acl inherit = Yes store dos attributes =
>>>>> Yes vfs objects = acl_xattr
>>>>>
>>>>> ----------
>>>>>
>>>>> A "chown <newuser> <file> is also not possible. With existing
>>>>> users it works.
>>>>>
>>>>>
>>>>> I tried to clear the cache with "net cache flush" and
>>>>> nothing changed.
>>>>>
>>>>> What can I do next?
>>>>>
>>>>>
>>>>> Thanks
>>>>>
>>>>> Stefan
>>>>>
>> -- Stefan Kania Landweg 13 25693 St. Michaelisdonn
>>
>>
>> Signieren jeder E-Mail hilft Spam zu reduzieren. Signieren Sie
>> ihre E-Mail. Weiter Informationen unter http://www.gnupg.org
>>
>> Mein Schlüssel liegt auf
>>
>> hkp://subkeys.pgp.net
>>
>>
> - -- 
> Stefan Kania
> Landweg 13
> 25693 St. Michaelisdonn
>
>
> Signieren jeder E-Mail hilft Spam zu reduzieren. Signieren Sie ihre
> E-Mail. Weiter Informationen unter http://www.gnupg.org
>
> Mein Schlüssel liegt auf
>
> hkp://subkeys.pgp.net
>
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1
>
> iEYEARECAAYFAlRbbjkACgkQ2JOGcNAHDTaf4ACgvBT1VnfaQTrlEtsu6D6GQhh7
> PcMAn2P8bAnio4t9MpkBRpl3wFPvRG1u
> =5emk
> -----END PGP SIGNATURE-----
OK, I think that I know what the problem is, 'think' being the operative 
word. Your new user has the RID '102270' and the range set in smb.conf 
is 'idmap config ntd : range = 100000-199999'. Now when winbind is used 
with the 'rid' backend, the users ID number is calculated by:

ID = RID - BASE_RID + LOW_RANGE_ID

The 'BASE_RID' is 1000 unless you set it in smb.conf, so your users rid 
will be:

ID = 102270 - 1000 + 100000
ID =  201270

Now any ID that is outside the range that is set in smb.conf (in your 
case 100000-199999) is ignored, your new users ID is larger than 199999

Try alter the range numbers in smb.conf.

Rowland



More information about the samba mailing list