[Samba] wbinfo -u/-g/-n works, but not 'wbinfo -i' or 'id'

Rowland Penny rowlandpenny at googlemail.com
Wed Apr 15 14:21:50 MDT 2015


On 15/04/15 21:01, Adam Tauno Williams wrote:
> Quoting Rowland Penny <rowlandpenny at googlemail.com>:
>
>> On 14/04/15 20:59, Adam Tauno Williams wrote:
>>> On Tue, 2015-04-14 at 15:20 +0100, Rowland Penny wrote:
>>>> On 14/04/15 14:59, Adam Tauno Williams wrote:
>>>>> On Thu, 2014-10-30 at 13:41 -0300, Horacio G. de Oro wrote:
>>>>>> Hi! I'm trying to add a member to be used as fileserver, following the
>>>>>> guides at:
>>>>>> - https://wiki.samba.org/index.php/Setup_a_Samba_AD_Member_Server
>>>>>> - https://wiki.samba.org/index.php/Using_RFC2307_on_a_Samba_DC
>>>>>> The AD server has been in use for months, but I can't get user
>>>>>> information from the new member. The new member was joined to the
>>>>>> directory, and nsswitch was configured. Running 'id username' returns
>>>>>> 'No such user'.
>>>>>> Running 'wbinfo -u' and 'wbinfo -g', 'wbinfo -n username' and 'wbinfo
>>>>>> --sid-to-uid' works OK. Also 'wbinfo --online-status' and 'wbinfo
>>>>>> --ping-dc'
>>>>>> But, when I try 'id username', or 'wbinfo -i username', it fails with
>>>>>> WBC_ERR_DOMAIN_NOT_FOUND
>>>>>> $ wbinfo -i username
>>>>>> failed to call wbcGetpwnam: WBC_ERR_DOMAIN_NOT_FOUND
>>>>>> Could not get info for user username
>>>>>> $ wbinfo -n username
>>>>>> S-1-5-21-3087569779-2873525441-767630994-1118 SID_USER (1)
>>>>>> And using '--sid-to-uid' I got the UID:
>>>>>> $ wbinfo --sid-to-uid S-1-5-21-3087569779-2873525441-767630994-1118
>>>>>> 10000
>>>>> I am experiencing much the same issue; wbinfo -u/-g works but getent
>>>>> passwd/group only contains a very partial user list and querying a
>>>>> specific user causes the WBC_ERR_DOMAIN_NOT_FOUND error. Although
>>>>> otherwise the domain is functional and there are active workstations.
>>>>> Did you ever identify a solution?
>>>> It should work, it sounds like a mis-configuration somewhere, can you
>>>> post the smb.conf, /etc/nsswitch.conf, /etc/resolv.conf and
>>>> /etc/krb5.conf from the member server.
>>> "wbinfo -u" lists 415 lines
>>> "getent passwd" returns 93 lines
>>> A host configured to use nslcd and LDAP directory returns 560 lines for
>>> "getent passwd".
>>> Samba on client is sernet-samba-4.1.17-11.el6.x86_64, AD DCs are all
>>> sernet-samba-4.0.21-7.el6.x86_64
>>> [root@barbel profiles]# wbinfo -i cleslie
>>> failed to call wbcGetpwnam: WBC_ERR_WINBIND_NOT_AVAILABLE
>> Is this the smb.conf from the AD DC or the member server ?
>> If it is the latter, you don't need this :  idmap_ldb:use rfc2307 = yes
>> It should only be on the DC.
>
> Removed that, it has no effect.
>
> [root@test123 ~]# wbinfo -i steve
> failed to call wbcGetpwnam: WBC_ERR_DOMAIN_NOT_FOUND
> Could not get info for user steve
> [root@test123 ~]# id steve
> id: steve: No such user
> [root@test123 ~]# wbinfo -u | grep steve
> steve
>
>> wbinfo connects to the AD DC differently to the way getent does, so
>> the fact that another machine lists the users, shows that the backend
>> is set up correctly (unless nslcd is creating the IDs on the fly).
>> winbind relies on the uidNumber & gidNumber attributes being in
>> smb.conf and the attributes being inside the range you set in
>> smb.conf '100-400000' (by the way, you do know that this could pull
>> in some of the local system users).
>
> I'm aware of the overlap issues, this is an ancient site, all those 
> ids are managed.
>
>> What are the 'passwd' & 'group' lines in /etc/nsswitch.conf ?
>
>
> passwd:     files winbind
> group:      files winbind
>
>> What is in /etc/krb5.conf ?
>> What Kerberos have you got installed ? (don't know if this makes any
>> difference, but would be good to know)
>
> Kerberos works.
>
> [root@test123 ~]# kinit adam@MICORE.US
> Password for adam@MICORE.US:
> [root@test123 ~]#
>
> [root@test123 ~]# kinit Administrator@MICORE.US
> Password for Administrator@MICORE.US:
> Warning: Your password will expire in 147 days on Wed Sep  9 21:13:23 2015
> [root@test123 ~
>
>> Does /etc/resolv.conf point to the samba4 AD DC ?
>
> Yes.
>
>> Can you 'kinit' as Administrator ?
>> and as a normal user?
>
> See above.
>
>> finally, why 'whitemice' ???
>
> Long story. :)
>

Just had a thought, you say you set up the member server following this :

https://wiki.samba.org/index.php/Setup_a_Samba_AD_Member_Server

When did you follow this? I added a part about a missing PAM config
file at the beginning of this month; the file is missing from the Debian
sernet packages. I wonder if the CentOS variant of the same file is also
missing from the sernet CentOS packages? Without the file, the sernet
Debian packages don't seem to work as a member server.

Rowland
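
The range check discussed in the quoted exchange (an account needs a uidNumber that falls inside the idmap range in smb.conf, and a range starting at 100 can overlap local system users), written out as an added example that is not part of the original message or of Samba itself. It assumes the member server uses the `ad` idmap backend; the domain name `EXAMPLE`, the accounts and the local users are constructed sample data, and only the `100-400000` range comes from the thread.

```python
import re

# Constructed smb.conf fragment. EXAMPLE is a placeholder domain; the
# 100-400000 range is the one quoted in the thread. Backend 'ad' is assumed.
SMB_CONF = """\
[global]
    security = ads
    idmap config * : backend = tdb
    idmap config * : range = 500000-599999
    idmap config EXAMPLE : backend = ad
    idmap config EXAMPLE : range = 100-400000
"""

# Constructed AD accounts: name -> uidNumber (None = attribute not set).
AD_USERS = {"steve": None, "adam": 1000, "cleslie": 450000, "backup": 120}
# Constructed local /etc/passwd entries: name -> uid.
LOCAL_USERS = {"root": 0, "ntp": 120, "nobody": 65534}

RANGE_RE = re.compile(
    r"^\s*idmap config\s+(\S+)\s*:\s*range\s*=\s*(\d+)\s*-\s*(\d+)\s*$", re.I)

def idmap_ranges(conf_text):
    """Map each domain to the (low, high) range from its 'idmap config' line."""
    return {m.group(1): (int(m.group(2)), int(m.group(3)))
            for m in map(RANGE_RE.match, conf_text.splitlines()) if m}

def classify(ad_users, local_users, low, high):
    """Say, per AD account, whether an rfc2307 lookup could return a passwd entry."""
    local_uids = {uid: name for name, uid in local_users.items()}
    result = {}
    for name, uid in sorted(ad_users.items()):
        if uid is None:
            result[name] = "no uidNumber"
        elif not low <= uid <= high:
            result[name] = "uidNumber outside idmap range"
        elif uid in local_uids:
            result[name] = "collides with local user " + local_uids[uid]
        else:
            result[name] = "resolvable"
    return result

if __name__ == "__main__":
    low, high = idmap_ranges(SMB_CONF)["EXAMPLE"]
    for name, status in classify(AD_USERS, LOCAL_USERS, low, high).items():
        print(f"{name:10} {status}")
```

Accounts in the first two categories would still be listed by `wbinfo -u`, which enumerates names from the DC without mapping them to Unix IDs.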



