[Samba] winbind/idmap issue on samba4 member server

Mirco MEGAS micromegas at mail333.com
Mon Oct 20 08:52:40 MDT 2014


Hello list,

I've been stuck for 2 days and have no clue how to troubleshoot or solve this problem. Any help is really, really appreciated.

Scenario:
=========
I am using Samba 4.1.12/sernet on DC1 (172.19.100.1) and DC2 (172.19.100.2) with the default [netlogon] and [sysvol] shares only.
I installed an additional samba4 server in a file-serving role, called MEMBERSRV1 (172.19.100.3), which serves the
[profiles], [home] and [printer] shares. For setting up the member server, I relied on
"https://wiki.samba.org/index.php/Setup_a_Samba_AD_Member_Server#Set_up_a_basic_smb.conf".
I am also using the NIS extensions in my AD according to the wiki tutorials. Through the ADUC tool I modified the security group "Domain Users":
I chose the [UNIX Attributes] tab and there assigned NIS domain = MYDOM and GID = 10000 to that group.

Issue:
======
My membersrv1 (172.19.100.3) fails to resolve mappings! See output below...

----OUTPUT ON DC1-----------------------------------------------------------------------------------------------------
root at DC1:~$ getent passwd

root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
[...lots of local accounts here...]
MYDOM\Administrator:*:0:10000::/home/MYDOM/Administrator:/bin/false
MYDOM\Guest:*:3000011:3000012::/home/MYDOM/Guest:/bin/false
MYDOM\krbtgt:*:3000021:10000::/home/MYDOM/krbtgt:/bin/false
MYDOM\john:*:3000020:10000:John Doe:/home/MYDOM/john:/bin/false
MYDOM\george:*:3000022:10000:George Miller:/home/MYDOM/george:/bin/false
MYDOM\richard:*:3000023:10000:Richard Smitty:/home/MYDOM/richard:/bin/false
MYDOM\testuser1:*:3000030:10000:Test User 1:/home/MYDOM/testuser1:/bin/false
MYDOM\testuser3:*:3000027:10000:Test User 3:/home/MYDOM/testuser3:/bin/false
MYDOM\testuser2:*:3000032:10000:Test User 2:/home/MYDOM/testuser2:/bin/false

root at DC1:~$ wbinfo -u

Administrator
Guest
krbtgt
john
george
richard
testuser1
testuser3
testuser2

root at DC1:~$ wbinfo -g
Enterprise Read-Only Domain Controllers
Domain Admins
Domain Users
Domain Guests
Domain Computers
Domain Controllers
Schema Admins
Enterprise Admins
Group Policy Creator Owners
Read-Only Domain Controllers
DnsUpdateProxy

root at dc1:~$ wbinfo -n testuser1
S-1-5-21-2040615909-1719611856-576149365-1114 SID_USER (1)

root at dc1:~$ wbinfo -S S-1-5-21-2040615909-1719611856-576149365-1114
3000030

root at dc1:~$ wbinfo -Y S-1-5-21-2040615909-1719611856-576149365-1114
3000030

root at dc1:~$ wbinfo -s S-1-5-21-2040615909-1719611856-576149365-1114
MYDOM\testuser1 1

root at dc1:~$ wbinfo -r testuser1
10000

root at dc1:~$ wbinfo --uid-info=3000030
MYDOM\testuser1:*:3000030:10000:Test User 1:/home/MYDOM/testuser1:/bin/false

root at dc1:~$ wbinfo --gid-info=10000
MYDOM\Domain Users:*:10000:

root at dc1:~$ wbinfo -P
checking the NETLOGON dc connection to "" failed
failed to call wbcPingDc: WBC_ERR_DOMAIN_NOT_FOUND

root at dc1:~$ samba-tool testparm --suppress-prompt -v |grep winbind
        winbind separator = \
        winbind cache time = 0
        winbind reconnect delay = 0
        winbind request timeout = 0
        winbind max clients = 0
        winbind enum users = No
        winbind enum groups = No
        winbind use default domain = No
        winbind trusted domains only = No
        winbind nested groups = No
        winbind expand groups = 0
        winbind nss info =
        winbind refresh tickets = No
        winbind offline logon = No
        winbind normalize names = No
        winbind rpc only = No
        winbind max domain connections = 0
        winbindd socket directory = /var/run/samba/winbindd
        winbindd privileged socket directory = /var/lib/samba/winbindd_privileged
        winbind sealed pipes = Yes
        server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbind, ntp_signd, kcc, dnsupdate, dns

----OUTPUT ON DC2-----------------------------------------------------------------------------------------------------

root at dc2:~$ wbinfo -n testuser1
S-1-5-21-2040615909-1719611856-576149365-1114 SID_USER (1)

root at dc2:~$ wbinfo -S S-1-5-21-2040615909-1719611856-576149365-1114
3000030

root at dc2:~$ wbinfo -Y S-1-5-21-2040615909-1719611856-576149365-1114
3000030

root at dc2:~$ wbinfo -s S-1-5-21-2040615909-1719611856-576149365-1114
MYDOM\testuser1 1

root at dc2:~$ wbinfo -r testuser1
10000

root at dc2:~$ wbinfo --uid-info=3000030
MYDOM\testuser1:*:3000030:10000:Test User 1:/home/MYDOM/testuser1:/bin/false

root at dc2:~$ wbinfo --gid-info=10000
MYDOM\Domain Users:*:10000:

root at dc2:~$ wbinfo -P
checking the NETLOGON dc connection to "" failed
failed to call wbcPingDc: WBC_ERR_DOMAIN_NOT_FOUND

root at dc2:~$ samba-tool testparm --suppress-prompt -v |grep winbind
        winbind separator = \
        winbind cache time = 0
        winbind reconnect delay = 0
        winbind request timeout = 0
        winbind max clients = 0
        winbind enum users = No
        winbind enum groups = No
        winbind use default domain = No
        winbind trusted domains only = No
        winbind nested groups = No
        winbind expand groups = 0
        winbind nss info =
        winbind refresh tickets = No
        winbind offline logon = No
        winbind normalize names = No
        winbind rpc only = No
        winbind max domain connections = 0
        winbindd socket directory = /var/run/samba/winbindd
        winbindd privileged socket directory = /var/lib/samba/winbindd_privileged
        winbind sealed pipes = Yes
        server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbind, ntp_signd, kcc, dnsupdate, dns

----OUTPUT ON MEMBERSRV1----------------------------------------------------------------------------------------------

root at membersrv1:~$ wbinfo -n testuser1
S-1-5-21-2040615909-1719611856-576149365-1114 SID_USER (1)

root at membersrv1:~$ wbinfo -Y S-1-5-21-2040615909-1719611856-576149365-1114
failed to call wbcSidToGid: WBC_ERR_DOMAIN_NOT_FOUND
Could not convert sid S-1-5-21-2040615909-1719611856-576149365-1114 to gid

root at membersrv1:~$ wbinfo -s S-1-5-21-2040615909-1719611856-576149365-1114
MYDOM\testuser1 1

root at membersrv1:~$ wbinfo -r testuser1
10000
70002

root at membersrv1:~$ wbinfo --uid-info=3000030
failed to call wbcGetpwuid: WBC_ERR_DOMAIN_NOT_FOUND
Could not get info for uid 3000030

root at membersrv1:~$ wbinfo --uid-info=10000
failed to call wbcGetpwuid: WBC_ERR_DOMAIN_NOT_FOUND
Could not get info for uid 10000

root at membersrv1:~$ wbinfo --gid-info=10000
domain users:x:10000:

root at membersrv1:~$ wbinfo -P
checking the NETLOGON dc connection to "dc1.mydom.example.com" succeeded

root at membersrv1:~$ samba-tool testparm --suppress-prompt -v |grep winbind
        winbind separator = \
        winbind cache time = 0
        winbind reconnect delay = 0
        winbind request timeout = 0
        winbind max clients = 0
        winbind enum users = Yes
        winbind enum groups = Yes
        winbind use default domain = Yes
        winbind trusted domains only = No
        winbind nested groups = No
        winbind expand groups = 0
        winbind nss info = rfc2307
        winbind refresh tickets = No
        winbind offline logon = No
        winbind normalize names = No
        winbind rpc only = No
        winbind max domain connections = 0
        winbindd socket directory = /var/run/samba/winbindd
        winbindd privileged socket directory = /var/lib/samba/winbindd_privileged
        winbind sealed pipes = Yes
        server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbind, ntp_signd, kcc, dnsupdate, dns

root at membersrv1:/lib64$ ls -lh

lrwxrwxrwx 1 root root 32 Aug 26 23:10 ld-linux-x86-64.so.2 -> /lib/x86_64-linux-gnu/ld-2.13.so
lrwxrwxrwx 1 root root 39 Okt 17 15:11 libnss_winbind.so -> /lib/x86_64-linux-gnu/libnss_winbind.so
lrwxrwxrwx 1 root root 24 Okt 17 15:11 libnss_winbind.so.2 -> /lib64/libnss_winbind.so

root at membersrv1:/lib64$ head -n15 /etc/nsswitch.conf
# /etc/nsswitch.conf
#
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.

passwd:         compat winbind
group:          compat winbind

root at membersrv1:~ cat /etc/samba/smb.conf:

[global]
        netbios name = MEMBERSRV1
        workgroup = MYDOM
        security = ADS
        realm = MYDOM.EXAMPLE.COM
        encrypt passwords = yes

        idmap config MYDOM:backend = ad
        idmap config MYDOM:schema_mode = rfc2307
        idmap config MYDOM:range = 500-40000

        idmap config *:backend = tdb
        idmap config *:range = 70001-80000

        winbind nss info = rfc2307
        winbind trusted domains only = no
        winbind use default domain = yes
        winbind enum users  = yes
        winbind enum groups = yes

        rpc_server:spoolss = external
        rpc_daemon:spoolssd = fork

[printers]
        path = /var/spool/samba
        printable = yes
        printing = CUPS

[print$]
        path = /srv/samba4_data/printer_drivers
        comment = Printer Drivers
        writeable = yes

[home]
     path = /srv/samba4_data/home/
     read only = No

[profiles]
     path = /srv/samba4_data/profiles/
     read only = no

=============================================================================

Of course I did modify the file membersrv1:/etc/nsswitch.conf and linked the files in /lib64 the same way I did for DC1 and DC2,
according to the wiki tutorial. I joined the member server successfully to DC1 with "net ads join -U administrator".

I also noticed, and am confused by, the output of "wbinfo -g" on the member server: it is not exactly the same as the output on
DC1, for example. I also want to add that when I run "getent passwd" or "getent group" on that member server, only my local accounts are displayed, no AD accounts at all!

Detailed log files, with debug level = 10:
===========================================
http://www.file-upload.net/download-9714752/log.wb-MYDOM.html
http://www.file-upload.net/download-9714750/log.winbindd.html
http://www.file-upload.net/download-9714751/log.winbindd-dc-connect.html
http://www.file-upload.net/download-9714753/log.winbindd-idmap.html

Thanks a lot in advance to everyone for assistance.

Mirco
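The following is an added diagnostic example, not code from the post or from the Samba project. It parses the `idmap config` lines of an smb.conf like the one above, checks that the per-domain range and the `*` fallback range do not overlap (a common misconfiguration), and then checks whether the UIDs and GIDs that a DC prints in `getent passwd` fall inside the member server's `idmap config MYDOM:range`. With `backend = ad`, winbind on a member server only maps an account whose rfc2307 `uidNumber`/`gidNumber` lies inside that range; the 30000xx IDs a Samba DC reports come from its own idmap.ldb allocation, not from rfc2307 attributes, so the checker makes visible which IDs could never be mapped by the member server's configuration. The sample smb.conf fragment and getent lines are constructed from the values in the post.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample input: the idmap part of the member server's smb.conf
# and a few 'getent passwd' lines as printed on DC1 in the post.
SMB_CONF = """\
[global]
        workgroup = MYDOM
        security = ADS
        idmap config MYDOM:backend = ad
        idmap config MYDOM:schema_mode = rfc2307
        idmap config MYDOM:range = 500-40000
        idmap config *:backend = tdb
        idmap config *:range = 70001-80000
"""

GETENT_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
MYDOM\\Administrator:*:0:10000::/home/MYDOM/Administrator:/bin/false
MYDOM\\Guest:*:3000011:3000012::/home/MYDOM/Guest:/bin/false
MYDOM\\testuser1:*:3000030:10000:Test User 1:/home/MYDOM/testuser1:/bin/false
"""

# Matches 'idmap config DOM:key = value'; DOM may be a NetBIOS name or '*'.
IDMAP_LINE = re.compile(
    r"^\s*idmap\s+config\s+(?P<dom>[^:]+?)\s*:\s*(?P<key>\w+)\s*=\s*(?P<val>.+?)\s*$",
    re.IGNORECASE,
)


def parse_idmap(conf: str) -> Dict[str, Dict[str, str]]:
    """Collect idmap settings per domain, keyed by upper-cased domain name."""
    domains: Dict[str, Dict[str, str]] = {}
    for line in conf.splitlines():
        m = IDMAP_LINE.match(line)
        if m:
            dom = m.group("dom").upper()
            domains.setdefault(dom, {})[m.group("key").lower()] = m.group("val")
    return domains


def parse_range(spec: str) -> Tuple[int, int]:
    """'500-40000' -> (500, 40000); rejects reversed ranges."""
    lo, hi = (int(x) for x in spec.split("-", 1))
    if lo > hi:
        raise ValueError(f"reversed idmap range {spec!r}")
    return lo, hi


def overlapping_ranges(domains: Dict[str, Dict[str, str]]) -> List[Tuple[str, str]]:
    """Return pairs of idmap domains whose ID ranges overlap."""
    ranges = {d: parse_range(c["range"]) for d, c in domains.items() if "range" in c}
    names = sorted(ranges)
    overlaps = []
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            (alo, ahi), (blo, bhi) = ranges[a], ranges[b]
            if alo <= bhi and blo <= ahi:
                overlaps.append((a, b))
    return overlaps


def check_accounts(getent: str, domains: Dict[str, Dict[str, str]],
                   domain: str, sep: str = "\\") -> List[Tuple[str, int, bool, int, bool]]:
    """For every DOMAIN<sep>user passwd line, report whether its uid and gid
    fall inside the domain's configured idmap range.
    Returns (account, uid, uid_in_range, gid, gid_in_range) tuples."""
    lo, hi = parse_range(domains[domain.upper()]["range"])
    report = []
    for line in getent.splitlines():
        fields = line.split(":")
        if len(fields) != 7:          # not a well-formed passwd line
            continue
        name, _, uid, gid = fields[:4]
        if sep not in name or name.split(sep, 1)[0].upper() != domain.upper():
            continue                  # local account or another domain
        uid_i, gid_i = int(uid), int(gid)
        report.append((name, uid_i, lo <= uid_i <= hi, gid_i, lo <= gid_i <= hi))
    return report


if __name__ == "__main__":
    cfg = parse_idmap(SMB_CONF)
    for a, b in overlapping_ranges(cfg):
        print(f"WARNING: idmap ranges for {a} and {b} overlap")
    for name, uid, uid_ok, gid, gid_ok in check_accounts(GETENT_PASSWD, cfg, "MYDOM"):
        print(f"{name}: uid {uid} {'in' if uid_ok else 'OUTSIDE'} range, "
              f"gid {gid} {'in' if gid_ok else 'OUTSIDE'} range")
```

Run against the post's values, the report shows that Domain Users' GID 10000 is inside 500-40000 (which is why `wbinfo --gid-info=10000` works on the member server) while the user IDs 0, 3000011 and 3000030 are not; the next thing to verify on the DC is whether those user objects carry a `uidNumber` attribute at all.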

