[Samba] new users not seen with getent passwd

Rowland Penny rowlandpenny at googlemail.com
Fri Nov 7 01:36:11 MST 2014


On 06/11/14 23:38, ray klassen wrote:
>
> I also did a classic upgrade and I couldn't see new users on a system setup with winbind-nss until I went into ADUC and added "unix attributes." my simple domain name showed up as an nis domain and I had to manually set shell to /bin/false and pick their default group. (domain users)
>
> And then they showed up fine with 'getent passwd -etc'. I imagine that if I hadn't done that they would be handled by winbind idmap and put in a database. (although I've never done much with that -- all my servers we ldap/samba only until samba4)

Hi Ray,
The OP was using the winbind 'rid' backend and he hadn't made his range 
large enough, whilst you must have been using the 'ad' backend if all 
you did was add the rfc2307 attributes via ADUC.

Rowland

>   
>
>       On Thursday, 6 November 2014, 5:33, Rowland Penny <rowlandpenny at googlemail.com> wrote:
>     
>
>   On 06/11/14 12:48, Stefan Kania wrote:
>> -----BEGIN PGP SIGNED MESSAGE-----
>> Hash: SHA1
>>
>> Am 06.11.2014 um 12:10 schrieb Rowland Penny:
>>> On 06/11/14 10:48, Stefan Kania wrote: Hi Rowland,
>>>
>>> Am 06.11.2014 um 11:06 schrieb Rowland Penny:
>>>>>> On 06/11/14 09:22, Stefan Kania wrote: Hello,
>>>>>>
>>>>>> I migrated a samba3 with openLDAP to Samba 4 (sernet package
>>>>>> 4.13). I can see all migrated users on all DCs and
>>>>>> fileservers with "wbinfo -u" and "getent passwd" and all
>>>>>> informations for a single user with "getent passwd
>>>>>> <username>" and "wbinfo -i <username>".
>>>>>>
>>>>>> Now, after migration, if I create a new user, I can see the
>>>>>> new user in the list of "wbinfo -u" on all systems. BUT I can
>>>>>> only see the information with "wbinfo -u <newuser>" and
>>>>>> "getent passwd <newuser> on the two DCs but not on the
>>>>>> fileserver. The new user also not appears in the list when in
>>>>>> use "getent passwd" on the fileserver. If I do a "getent
>>>>>> passwd <newuser>" I get a empty line.
>>>>>>
>>>>>>> OK, how are you creating the new users ?
>>> Either on the commandline with "samba-tool user create <newuser>"
>>> or over the RSAT from a windows-machine.
>>>
>>>> Nothing strange there.
>>>>>>> Also, lets see if I understand what you are saying: If you
>>>>>>> run 'wbinfo -u' on ANY Linux machine in the domain, you get
>>>>>>> a list of domain users, amongst which is your new user.
>>> Yes
>>>
>>>>>>> If you run 'wbinfo -u <newuser>' on the DC, you get the
>>>>>>> users info.
>>> yes "wbinfo -i <newuser>" gets me the userinfos on any DC
>>>
>>>>>>> If you run 'wbinfo -u <newuser>' on the fileserver, you
>>>>>>> get nothing.
>>> Yes here I get nothing with "wbinfo -i <newuser>" only the
>>> errormessage
>>>
>>>
>>>>>>> Have you added 'winbind' to the passwd & group lines in
>>>>>>> /etc/nssswitch.conf
>>> Yes, otherwise I would not seen any user with "getent passwd"
>>>
>>>> Well, I had to ask :-)
>> Thats right :-)
>>>>>>> What OS is your DC running on, can you please post the
>>>>>>> smb.conf from your DC.
>>> It a Debian 7 with the new SerNet Package 4.13
>>>
>>> here is the smb.conf from a DC:
>>>
>>> ------- [global] workgroup = NTD realm = egf.ntd netbios name =
>>> SVL-V-AD1 server role = active directory domain controller
>>> idmap_ldb:use rfc2307 = yes dns forwarder = 192.168.0.248 wins
>>> support = yes local master = yes load printers = no printing = bsd
>>> printcap name = /dev/null disable spoolss = yes
>>>
>>> -------
>>>
>>>
>>>> This is strange, the join must be correct or you wouldn't be able
>>>> to see the original users.
>> The whole behavior is strange.
>>>> Try comparing users with:
>>>> ldbedit -e nano -H /var/lib/samba/private/sam.ldb "cn=old user"
>>>> and:
>>>> ldbedit -e nano -H /var/lib/samba/private/sam.ldb "cn=new user"
>> what is nano ;-)))
>>
>>>> Are they virtually the same ?
>> Here is an old user:
>> - ---------------
>> # record 1
>> dn: CN=gehu,OU=Benutzer,OU=Vertrieb,OU=egf,DC=egf,DC=ntd
>> objectClass: top
>> objectClass: posixAccount
>> objectClass: person
>> objectClass: organizationalPerson
>> objectClass: user
>> cn: gehu
>> instanceType: 4
>> whenCreated: 20141027112510.0Z
>> whenChanged: 20141030093651.0Z
>> displayName:: R2VvcmcgSMO8c2tlbg==
>> uSNCreated: 3506
>> uSNChanged: 3506
>> name: gehu
>> objectGUID: 6419b9d9-cdce-4c7f-8c99-04fabe8e7720
>> userAccountControl: 512
>> codePage: 0
>> countryCode: 0
>> homeDirectory: \\ds-wv\home
>> homeDrive: Z:
>> scriptPath: logonad1.cmd
>> logonHours:: ////////////////////////////
>> pwdLastSet: 130251724800000000
>> primaryGroupID: 512
>> profilePath: \\ds-wv\profiles\gehu\.smbprofile
>> objectSid: S-1-5-21-4153561203-1678314553-2660673789-3000
>> accountExpires: 9223372036854775807
>> sAMAccountName: gehu
>> sAMAccountType: 805306368
>> objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=egf,DC=ntd
>> msSFU30NisDomain: ntd
>> uidNumber: 1000
>> gidNumber: 2001
>> unixHomeDirectory: /home/gehu
>> loginShell: /bin/bash
>> memberOf: CN=vertrieb,OU=Gruppen,OU=Vertrieb,OU=egf,DC=egf,DC=ntd
>> memberOf: CN=etechnik,OU=Gruppen,OU=Vertrieb,OU=egf,DC=egf,DC=ntd
>> memberOf: CN=ntcad,OU=Gruppen,OU=Werk,OU=egf,DC=egf,DC=ntd
>> memberOf: CN=Domain Users,CN=Users,DC=egf,DC=ntd
>> distinguishedName: CN=gehu,OU=Benutzer,OU=Vertrieb,OU=egf,DC=egf,DC=ntd
>> - ---------------
>> here a new one
>>
>> - ---------------
>> dn: CN=ktom,CN=Users,DC=egf,DC=ntd
>> objectClass: top
>> objectClass: person
>> objectClass: organizationalPerson
>> objectClass: user
>> cn: ktom
>> instanceType: 4
>> whenCreated: 20141106080926.0Z
>> uSNCreated: 3924
>> name: ktom
>> objectGUID: 6e9fc028-64bb-4c9c-bcc3-31671d43b8ce
>> badPwdCount: 0
>> codePage: 0
>> countryCode: 0
>> badPasswordTime: 0
>> lastLogoff: 0
>> lastLogon: 0
>> primaryGroupID: 513
>> objectSid: S-1-5-21-4153561203-1678314553-2660673789-102270
>> accountExpires: 9223372036854775807
>> logonCount: 0
>> sAMAccountName: ktom
>> sAMAccountType: 805306368
>> userPrincipalName: ktom at egf.ntd
>> objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=egf,DC=ntd
>> pwdLastSet: 130597349660000000
>> userAccountControl: 512
>> whenChanged: 20141106120920.0Z
>> uSNChanged: 3935
>> distinguishedName: CN=ktom,CN=Users,DC=egf,DC=ntd
>> - --------------
>> The main differece is that the old user has the two attributes
>> "uidNumber" and "gidNumber" those are from the old samba3 I think. But
>> I think these to attributes dosn't matter at all, because winbind on
>> the fileserver will generate the uid over the RID.
>> But I tried what's happend wenn I add these to attributes to the
>> user-object. It's still the same, now result with "wbinfo -i"
>>
>> Stefan
>>
>>
>>>> Rowland
>>>>>>> Rowland
>>>>>> If I do a "wbinfo -i <newuser>" I get the following:
>>>>>> --------- root at SVL-V-5:~# wbinfo -i ntd\\stka failed to call
>>>>>> wbcGetpwnam: WBC_ERR_DOMAIN_NOT_FOUND Could not get info for
>>>>>> user ntd\stka --------- For an migrated user I see the
>>>>>> following: --------- root at SVL-V-5:~# wbinfo -i ntd\\bila
>>>>>> NTD\bila:*:103216:100513:bila:/home/NTD/bila:/bin/bash
>>>>>> ---------
>>>>>>
>>>>>> Here is the global-part of smb.conf of the fileserver:
>>>>>> ---------- [global] workgroup = NTD realm = EGF.NTD security
>>>>>> = ADS wins server = 192.168.0.230 registry shares = Yes
>>>>>> template shell = /bin/bash winbind enum users = Yes winbind
>>>>>> enum groups = Yes winbind refresh tickets = Yes idmap config
>>>>>> ntd : backend = rid idmap config ntd : range = 100000-199999
>>>>>> idmap config * : range = 1000000-1999999 idmap config * :
>>>>>> backend = tdb map acl inherit = Yes store dos attributes =
>>>>>> Yes vfs objects = acl_xattr
>>>>>>
>>>>>> ----------
>>>>>>
>>>>>> A "chown <newuser> <file> is also not possible. With existing
>>>>>> users it works.
>>>>>>
>>>>>>
>>>>>> I tried to clear the cache with "net cache flush" and
>>>>>> nothing changed.
>>>>>>
>>>>>> What can I do next?
>>>>>>
>>>>>>
>>>>>> Thanks
>>>>>>
>>>>>> Stefan
>>>>>>
>>> -- Stefan Kania Landweg 13 25693 St. Michaelisdonn
>>>
>>>
>>> Signieren jeder E-Mail hilft Spam zu reduzieren. Signieren Sie
>>> ihre E-Mail. Weiter Informationen unter http://www.gnupg.org
>>>
>>> Mein Schlüssel liegt auf
>>>
>>> hkp://subkeys.pgp.net
>>>
>>>
>> - -- 
>> Stefan Kania
>> Landweg 13
>> 25693 St. Michaelisdonn
>>
>>
>> Signieren jeder E-Mail hilft Spam zu reduzieren. Signieren Sie ihre
>> E-Mail. Weiter Informationen unter http://www.gnupg.org
>>
>> Mein Schlüssel liegt auf
>>
>> hkp://subkeys.pgp.net
>>
>> -----BEGIN PGP SIGNATURE-----
>> Version: GnuPG v1
>>
>> iEYEARECAAYFAlRbbjkACgkQ2JOGcNAHDTaf4ACgvBT1VnfaQTrlEtsu6D6GQhh7
>> PcMAn2P8bAnio4t9MpkBRpl3wFPvRG1u
>> =5emk
>> -----END PGP SIGNATURE-----
> OK, I think that I know what the problem is, 'think' being the operative
> word. Your new user has the RID '102270' and the range set in smb.conf
> is 'idmap config ntd : range = 100000-199999'. Now when winbind is used
> with the 'rid' backend, the users ID number is calculated by:
>
> ID = RID - BASE_RID + LOW_RANGE_ID
>
> The 'BASE_RID' is 1000 unless you set it in smb.conf, so your users rid
> will be:
>
> ID = 102270 - 1000 + 100000
> ID =  201270
>
> Now any ID that is outside the range that is set in smb.conf (in your
> case 100000-199999) is ignored, your new users ID is larger than 199999
>
> Try alter the range numbers in smb.conf.
>
> Rowland
>



More information about the samba mailing list