[Samba] wbinfo -u/-g/-n works, but not 'wbinfo -i' or 'id'
rowlandpenny at googlemail.com
Wed Apr 15 14:21:50 MDT 2015
On 15/04/15 21:01, Adam Tauno Williams wrote:
> Quoting Rowland Penny <rowlandpenny at googlemail.com>:
>> On 14/04/15 20:59, Adam Tauno Williams wrote:
>>> On Tue, 2015-04-14 at 15:20 +0100, Rowland Penny wrote:
>>>> On 14/04/15 14:59, Adam Tauno Williams wrote:
>>>>> On Thu, 2014-10-30 at 13:41 -0300, Horacio G. de Oro wrote:
>>>>>> Hi! I'm trying to add a member to be used as fileserver,
>>>>>> following the
>>>>>> guides at:
>>>>>> - https://wiki.samba.org/index.php/Setup_a_Samba_AD_Member_Server
>>>>>> - https://wiki.samba.org/index.php/Using_RFC2307_on_a_Samba_DC
>>>>>> The AD server has been in use for month, but I can't get user
>>>>>> information from the new member. The new member was joined to the
>>>>>> directory, and nsswitch was configured. Running 'id username'
>>>>>> 'No such user'.
>>>>>> Running 'wbinfo -u' and 'wbinfo -g', 'wbinfo -n username' and
>>>>>> --sid-to-uid' works OK. Also 'wbinfo --online-status' and 'wbinfo
>>>>>> But, when I try 'id username', or 'wbinfo -i username', it fails
>>>>>> $ wbinfo -i username
>>>>>> failed to call wbcGetpwnam: WBC_ERR_DOMAIN_NOT_FOUND
>>>>>> Could not get info for user username
>>>>>> $ wbinfo -n username
>>>>>> S-1-5-21-3087569779-2873525441-767630994-1118 SID_USER (1)
>>>>>> And using '--sid-to-uid' I got the UID:
>>>>>> $ wbinfo --sid-to-uid S-1-5-21-3087569779-2873525441-767630994-1118
>>>>>> 10000
>>>>> I am experiencing much the same issue; wbinfo -u/-g works but getent
>>>>> passwd/group only contains a very partial user list and querying a
>>>>> specific user causes the WBC_ERR_DOMAIN_NOT_FOUND error. Although
>>>>> otherwise the domain is functional and there are active workstations.
>>>>> Did you ever identify a solution?
>>>> It should work, it sounds like a mis-configuration somewhere, can you
>>>> post the smb.conf, /etc/nsswitch.conf, /etc/resolv.conf and
>>>> /etc/krb5.conf from the member server.
>>> "wbinfo -u" lists 415 lines
>>> "getent passwd" returns 93 lines
>>> A host configured to use nslcd and LDAP directory returns 560 lines for
>>> "getent passwd".
>>> Samba on client is sernet-samba-4.1.17-11.el6.x86_64, AD DCs are all
>>> [root at barbel profiles]# wbinfo -i cleslie
>>> failed to call wbcGetpwnam: WBC_ERR_WINBIND_NOT_AVAILABLE
>> Is this the smb.conf from the AD DC or the member server ?
>> If it is the latter, you don't need this : idmap_ldb:use rfc2307 = yes
>> It should only be on the DC.
> Removed that, it has no effect.
> [root at test123 ~]# wbinfo -i steve
> failed to call wbcGetpwnam: WBC_ERR_DOMAIN_NOT_FOUND
> Could not get info for user steve
> [root at test123 ~]# id steve
> id: steve: No such user
> [root at test123 ~]# wbinfo -u | grep steve
>> wbinfo connects to the AD DC differently to the way getent does, so
>> the fact that another machine lists the users, shows that the backend
>> is set up correctly (unless nslcd is creating the IDs on the fly).
>> winbind relies on the uidNumber & gidNumber attributes being in
>> smb.conf and the attributes being inside the range you set in
>> smb.conf '100-400000' (by the way, you do know that this could pull
>> in some of the local system users).
> I'm aware of the overlap issues, this is an ancient site, all those
> ids are managed.
>> What are the 'passwd' & 'group' lines in /etc/nsswitch.conf ?
> passwd: files winbind
> group: files winbind
>> What is in /etc/krb5.conf ?
>> what kerberos have you got installed ? (don't know if this makes any
>> difference, but would be good to know)
> Kerberos works.
> [root at test123 ~]# kinit adam at MICORE.US
> Password for adam at MICORE.US:
> [root at test123 ~]#
> [root at test123 ~]# kinit Administrator at MICORE.US
> Password for Administrator at MICORE.US:
> Warning: Your password will expire in 147 days on Wed Sep 9 21:13:23
> [root at test123 ~
>> Does /etc/resolv.conf point to the samba4 AD DC ?
>> Can you 'kinit' as Administrator ?
>> and as a normal user?
> See above.
>> finally, why 'whitemice' ???
> Long story. :)
Just had a thought, you say you set up the member server following this :
When did you follow this? I added a part about a missing PAM config
file at the beginning of this month; the file is missing from the Debian
SerNet packages. I wonder if the CentOS variant of the same file is also
missing from the SerNet CentOS packages? Without the file, the SerNet
Debian packages don't seem to work as a member server.
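
Added example, not part of the original message and not Samba code: it applies the two ID checks raised in the thread (an account needs a uidNumber inside the configured range, here the quoted '100-400000', and that range can take in local system users) to sample accounts. It assumes the member maps IDs from the RFC2307 attributes; every account name, UID and passwd line is constructed.

```python
# Added example; all names and IDs below are constructed, not from the thread.
IDMAP_RANGE = (100, 400000)  # the range quoted in the thread

LOCAL_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
apache:x:48:48:Apache:/var/www:/sbin/nologin
backup:x:500:500::/home/backup:/bin/bash
"""

# (account name, uidNumber attribute or None when the attribute is unset)
AD_USERS = [("alice", 10000), ("bob", None), ("carol", 450000), ("dave", 500)]


def local_uids(passwd_text):
    """Return {uid: name} for well-formed passwd(5) lines."""
    uids = {}
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) == 7 and fields[2].isdigit():
            uids.setdefault(int(fields[2]), fields[0])
    return uids


def classify(ad_users, id_range, passwd_text):
    """Say, per AD account, how an RFC2307-style mapping would treat it."""
    low, high = id_range
    local = local_uids(passwd_text)
    report = {}
    for name, uid in ad_users:
        if uid is None:
            report[name] = "unmapped: no uidNumber"
        elif not low <= uid <= high:
            report[name] = "unmapped: uidNumber outside range"
        elif uid in local:
            # 'files' is consulted before 'winbind', so this UID resolves to
            # the local account and the two identities share file access.
            report[name] = "collision with local user " + local[uid]
        else:
            report[name] = "mapped"
    return report


def local_users_in_range(id_range, passwd_text):
    """Local accounts whose UID lies inside the winbind range."""
    low, high = id_range
    return sorted(n for u, n in local_uids(passwd_text).items() if low <= u <= high)


if __name__ == "__main__":
    for user, verdict in classify(AD_USERS, IDMAP_RANGE, LOCAL_PASSWD).items():
        print(f"{user:6} {verdict}")
    print("local users inside range:", local_users_in_range(IDMAP_RANGE, LOCAL_PASSWD))
```
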