[Samba] wbinfo -u/-g/-n works, but not 'wbinfo -i' or 'id'

Adam Tauno Williams awilliam at whitemice.org
Wed Apr 15 14:01:26 MDT 2015


Quoting Rowland Penny <rowlandpenny at googlemail.com>:

> On 14/04/15 20:59, Adam Tauno Williams wrote:
>> On Tue, 2015-04-14 at 15:20 +0100, Rowland Penny wrote:
>>> On 14/04/15 14:59, Adam Tauno Williams wrote:
>>>> On Thu, 2014-10-30 at 13:41 -0300, Horacio G. de Oro wrote:
>>>>> Hi! I'm trying to add a member to be used as fileserver, following the
>>>>> guides at:
>>>>> - https://wiki.samba.org/index.php/Setup_a_Samba_AD_Member_Server
>>>>> - https://wiki.samba.org/index.php/Using_RFC2307_on_a_Samba_DC
>>>>> The AD server has been in use for months, but I can't get user
>>>>> information from the new member. The new member was joined to the
>>>>> directory, and nsswitch was configured. Running 'id username' returns
>>>>> 'No such user'.
>>>>> Running 'wbinfo -u' and  'wbinfo -g', 'wbinfo -n username' and 'wbinfo
>>>>> --sid-to-uid' works OK. Also 'wbinfo --online-status' and 'wbinfo
>>>>> --ping-dc'
>>>>> But, when I try 'id username', or 'wbinfo -i username', it fails with
>>>>> WBC_ERR_DOMAIN_NOT_FOUND
>>>>> $ wbinfo -i username
>>>>> failed to call wbcGetpwnam: WBC_ERR_DOMAIN_NOT_FOUND
>>>>> Could not get info for user username
>>>>> $ wbinfo -n username
>>>>> S-1-5-21-3087569779-2873525441-767630994-1118 SID_USER (1)
>>>>> And using '--sid-to-uid' I got the UID:
>>>>> $ wbinfo --sid-to-uid S-1-5-21-3087569779-2873525441-767630994-1118
>>>>> 10000
>>>> I am experiencing much the same issue; wbinfo -u/-g works but getent
>>>> passwd/group only contains a very partial user list and querying a
>>>> specific user causes the WBC_ERR_DOMAIN_NOT_FOUND error.  Although
>>>> otherwise the domain is functional and there are active workstations.
>>>> Did you ever identify a solution?
>>> It should work, it sounds like a mis-configuration somewhere, can you
>>> post the smb.conf, /etc/nsswitch.conf, /etc/resolv.conf and
>>> /etc/krb5.conf from the member server.
>> "wbinfo -u" lists 415 lines
>> "getent passwd" returns 93 lines
>> A host configured to use nslcd and LDAP directory returns 560 lines for
>> "getent passwd".
>> Samba on client is sernet-samba-4.1.17-11.el6.x86_64, AD DCs are all
>> sernet-samba-4.0.21-7.el6.x86_64
>> [root@barbel profiles]# wbinfo -i cleslie
>> failed to call wbcGetpwnam: WBC_ERR_WINBIND_NOT_AVAILABLE
> Is this the smb.conf from the AD DC or the member server ?
> If it is the latter, you don't need this :  idmap_ldb:use rfc2307 = yes
> It should only be on the DC.

Removed that, it has no effect.

[root@test123 ~]# wbinfo -i steve
failed to call wbcGetpwnam: WBC_ERR_DOMAIN_NOT_FOUND
Could not get info for user steve
[root@test123 ~]# id steve
id: steve: No such user
[root@test123 ~]# wbinfo -u | grep steve
steve

> wbinfo connects to the AD DC differently to the way getent does, so  
> the fact that another machine lists the users, shows that the  
> backend is set up correctly (unless nslcd is creating the IDs on the  
> fly). winbind relies on the uidNumber & gidNumber attributes being  
> in smb.conf and the attributes being inside the range you set in  
> smb.conf '100-400000' (by the way, you do know that this could pull  
> in some of the local system users).

I'm aware of the overlap issues, this is an ancient site, all those  
ids are managed.

> What are the 'passwd' & 'group' lines in /etc/nsswitch.conf ?


passwd:     files winbind
group:      files winbind

> What is in /etc/krb5.conf ?
> what kerberos have you got installed ? (don't know if this makes any  
> difference, but would be good to know)

Kerberos works.

[root@test123 ~]# kinit adam@MICORE.US
Password for adam@MICORE.US:
[root@test123 ~]#

[root@test123 ~]# kinit Administrator@MICORE.US
Password for Administrator@MICORE.US:
Warning: Your password will expire in 147 days on Wed Sep  9 21:13:23 2015
[root@test123 ~

> Does /etc/resolv.conf point to the samba4 AD DC ?

Yes.

> Can you 'kinit' as Administrator ?
> and as a normal user?

See above.

> finally, why 'whitemice' ???

Long story. :)
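
The gap between `wbinfo -u` and `getent passwd` discussed in this thread can be triaged offline with the sketch below, which sorts each account by whether its uidNumber is missing, outside the idmap range, or in range yet still unresolved. It is an added example, not code from the thread or from Samba; the EXAMPLE domain, the `ad` idmap backend, the sample users and the unqualified user names are all assumptions.

```python
import re

# Constructed sample inputs (not taken from the hosts in this thread).
SMB_CONF = """
[global]
    workgroup = EXAMPLE
    idmap config * : backend = tdb
    idmap config * : range = 2000-9999
    idmap config EXAMPLE : backend = ad
    idmap config EXAMPLE : range = 10000-400000
"""
WBINFO_U = ["alice", "bob", "carol", "dave"]          # `wbinfo -u` output lines
GETENT_PASSWD = ["root:x:0:0:root:/root:/bin/bash",   # `getent passwd` output lines
                 "alice:*:10001:10000::/home/alice:/bin/bash"]
UID_NUMBERS = {"alice": 10001, "bob": None, "carol": 500, "dave": 10004}  # from AD


def idmap_range(smb_conf, domain):
    """Return (low, high) from 'idmap config <domain> : range = low-high'."""
    pat = rf"^\s*idmap config {re.escape(domain)}\s*:\s*range\s*=\s*(\d+)\s*-\s*(\d+)"
    m = re.search(pat, smb_conf, re.MULTILINE | re.IGNORECASE)
    if m is None:
        raise ValueError(f"no idmap range configured for {domain}")
    return int(m.group(1)), int(m.group(2))


def classify(wbinfo_users, getent_lines, uid_numbers, id_range):
    """Explain, per user, why NSS does or does not return a passwd entry."""
    low, high = id_range
    resolved = {line.split(":", 1)[0] for line in getent_lines}
    report = {}
    for user in wbinfo_users:
        uid = uid_numbers.get(user)
        if user in resolved:
            report[user] = "resolved"
        elif uid is None:
            report[user] = "no uidNumber"
        elif not low <= uid <= high:
            report[user] = "uidNumber outside idmap range"
        else:
            report[user] = "in range but unresolved"
    return report


if __name__ == "__main__":
    rng = idmap_range(SMB_CONF, "EXAMPLE")
    for user, reason in classify(WBINFO_U, GETENT_PASSWD, UID_NUMBERS, rng).items():
        print(f"{user:8} {reason}")
```

Accounts reported as "in range but unresolved" point away from the ID range and toward the winbind or NSS configuration itself.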
