[Samba] wbinfo -u/-g/-n works, but not 'wbinfo -i' or 'id'
Rowland Penny
rowlandpenny at googlemail.com
Thu Apr 16 04:27:05 MDT 2015
On 15/04/15 21:26, Adam Tauno Williams wrote:
> Quoting Adam Tauno Williams <awilliam at whitemice.org>:
>>>>> It should work, it sounds like a mis-configuration somewhere, can you
>>>>> post the smb.conf, /etc/nsswitch.conf, /etc/resolv.conf and
>>>>> /etc/krb5.conf from the member server.
>>>> "wbinfo -u" lists 415 lines
>>>> "getent passwd" returns 93 lines
>>>> A host configured to use nslcd and LDAP directory returns 560 lines
>>>> for
>>>> "getent passwd".
>>>> Samba on client is sernet-samba-4.1.17-11.el6.x86_64, AD DCs are all
>>>> sernet-samba-4.0.21-7.el6.x86_64
>>>> [root@barbel profiles]# wbinfo -i cleslie
>>>> failed to call wbcGetpwnam: WBC_ERR_WINBIND_NOT_AVAILABLE
>>> Is this the smb.conf from the AD DC or the member server ?
>>> If it is the later, you don't need this : idmap_ldb:use rfc2307 = yes
>>> It should only be on the DC.
>>
>> Removed that, it has no effect.
>>
>> [root@test123 ~]# wbinfo -i steve
>> failed to call wbcGetpwnam: WBC_ERR_DOMAIN_NOT_FOUND
>> Could not get info for user steve
>> [root@test123 ~]# id steve
>> id: steve: No such user
>> [root@test123 ~]# wbinfo -u | grep steve
>> steve
>
> Here is a debug level 10 from winbind when making the wbinfo -i request
>
> [2015/04/15 16:22:19.609439, 5, pid=9576, effective(0, 0), real(0, 0)]
> ../source3/libads/ldap.c:270(ads_try_connect)
> ads_try_connect: sending CLDAP request to 192.168.1.79 (realm:
> micore.us)
> [2015/04/15 16:22:19.613245, 1, pid=9576, effective(0, 0), real(0,
> 0)] ../librpc/ndr/ndr.c:296(ndr_print_debug)
> &response->data.nt5_ex: struct NETLOGON_SAM_LOGON_RESPONSE_EX
> command : LOGON_SAM_LOGON_RESPONSE_EX (23)
> sbz : 0x0000 (0)
> server_type : 0x000003fc (1020)
> 0: NBT_SERVER_PDC
> 1: NBT_SERVER_GC
> 1: NBT_SERVER_LDAP
> 1: NBT_SERVER_DS
> 1: NBT_SERVER_KDC
> 1: NBT_SERVER_TIMESERV
> 1: NBT_SERVER_CLOSEST
> 1: NBT_SERVER_WRITABLE
> 1: NBT_SERVER_GOOD_TIMESERV
> 0: NBT_SERVER_NDNC
> 0: NBT_SERVER_SELECT_SECRET_DOMAIN_6
> 0: NBT_SERVER_FULL_SECRET_DOMAIN_6
> 0: NBT_SERVER_ADS_WEB_SERVICE
> 0: NBT_SERVER_HAS_DNS_NAME
> 0: NBT_SERVER_IS_DEFAULT_NC
> 0: NBT_SERVER_FOREST_ROOT
> domain_uuid : abebb63d-5fea-41fa-a061-36136b10964f
> forest : 'micore.us'
> dns_domain : 'micore.us'
> pdc_dns_name : 'larkin28.micore.us'
> domain_name : 'BACKBONE'
> pdc_name : 'LARKIN28'
> user_name : ''
> server_site : 'Default-First-Site-Name'
> client_site : 'Default-First-Site-Name'
> sockaddr_size : 0x00 (0)
> sockaddr: struct nbt_sockaddr
> sockaddr_family : 0x00000000 (0)
> pdc_ip : (null)
> remaining : DATA_BLOB length=0
> next_closest_site : NULL
> nt_version : 0x00000005 (5)
> 1: NETLOGON_NT_VERSION_1
> 0: NETLOGON_NT_VERSION_5
> 1: NETLOGON_NT_VERSION_5EX
> 0: NETLOGON_NT_VERSION_5EX_WITH_IP
> 0: NETLOGON_NT_VERSION_WITH_CLOSEST_SITE
> 0: NETLOGON_NT_VERSION_AVOID_NT4EMUL
> 0: NETLOGON_NT_VERSION_PDC
> 0: NETLOGON_NT_VERSION_IP
> 0: NETLOGON_NT_VERSION_LOCAL
> 0: NETLOGON_NT_VERSION_GC
> lmnt_token : 0xffff (65535)
> lm20_token : 0xffff (65535)
> [2015/04/15 16:22:19.614906, 10, pid=9576, effective(0, 0), real(0,
> 0)] ../source3/libads/sitename_cache.c:70(sitename_store)
> sitename_store: realm = [BACKBONE], sitename =
> [Default-First-Site-Name], expire = [2085923199]
> [2015/04/15 16:22:19.615117, 10, pid=9576, effective(0, 0), real(0,
> 0), class=tdb] ../source3/lib/gencache.c:275(gencache_set_data_blob)
> Did not store value for AD_SITENAME/DOMAIN/BACKBONE, we already got it
> [2015/04/15 16:22:19.615196, 10, pid=9576, effective(0, 0), real(0,
> 0)] ../source3/libads/sitename_cache.c:70(sitename_store)
> sitename_store: realm = [micore.us], sitename =
> [Default-First-Site-Name], expire = [2085923199]
> [2015/04/15 16:22:19.615275, 10, pid=9576, effective(0, 0), real(0,
> 0), class=tdb] ../source3/lib/gencache.c:275(gencache_set_data_blob)
> Did not store value for AD_SITENAME/DOMAIN/MICORE.US, we already got it
> [2015/04/15 16:22:19.615373, 3, pid=9576, effective(0, 0), real(0,
> 0)] ../source3/libads/ldap.c:680(ads_connect)
> Successfully contacted LDAP server 192.168.1.79
> [2015/04/15 16:22:19.615457, 10, pid=9576, effective(0, 0), real(0,
> 0)] ../source3/libads/ldap.c:70(ldap_open_with_timeout)
> Opening connection to LDAP server 'larkin28.micore.us:389', timeout
> 15 seconds
> [2015/04/15 16:22:19.616733, 10, pid=9576, effective(0, 0), real(0,
> 0)] ../source3/libads/ldap.c:118(ldap_open_with_timeout)
> Connected to LDAP server 'larkin28.micore.us:389'
> [2015/04/15 16:22:19.616830, 3, pid=9576, effective(0, 0), real(0,
> 0)] ../source3/libads/ldap.c:723(ads_connect)
> Connected to LDAP server larkin28.micore.us
> [2015/04/15 16:22:19.616903, 10, pid=9576, effective(0, 0), real(0,
> 0)] ../source3/libads/ldap.c:222(ads_closest_dc)
> ads_closest_dc: NBT_SERVER_CLOSEST flag set
> [2015/04/15 16:22:19.617083, 10, pid=9576, effective(0, 0), real(0,
> 0)] ../source3/libsmb/namequery.c:86(saf_store)
> saf_store: domain = [BACKBONE], server = [larkin28.micore.us],
> expire = [1429130239]
> [2015/04/15 16:22:19.617169, 10, pid=9576, effective(0, 0), real(0,
> 0), class=tdb] ../source3/lib/gencache.c:275(gencache_set_data_blob)
> Did not store value for SAF/DOMAIN/BACKBONE, we already got it
> [2015/04/15 16:22:19.617268, 10, pid=9576, effective(0, 0), real(0,
> 0)] ../source3/libsmb/namequery.c:86(saf_store)
> saf_store: domain = [micore.us], server = [larkin28.micore.us],
> expire = [1429130239]
> [2015/04/15 16:22:19.617377, 10, pid=9576, effective(0, 0), real(0,
> 0), class=tdb] ../source3/lib/gencache.c:275(gencache_set_data_blob)
> Did not store value for SAF/DOMAIN/MICORE.US, we already got it
> [2015/04/15 16:22:19.623553, 4, pid=9576, effective(0, 0), real(0,
> 0)] ../source3/libads/ldap.c:3002(ads_current_time)
> KDC time offset is 0 seconds
> [2015/04/15 16:22:19.624101, 4, pid=9576, effective(0, 0), real(0,
> 0)] ../source3/libads/sasl.c:1312(ads_sasl_bind)
> Found SASL mechanism GSS-SPNEGO
> [2015/04/15 16:22:19.625174, 3, pid=9576, effective(0, 0), real(0,
> 0)] ../source3/libads/sasl.c:963(ads_sasl_spnego_bind)
> ads_sasl_spnego_bind: got OID=1.2.840.48018.1.2.2
> [2015/04/15 16:22:19.625274, 3, pid=9576, effective(0, 0), real(0,
> 0)] ../source3/libads/sasl.c:963(ads_sasl_spnego_bind)
> ads_sasl_spnego_bind: got OID=1.2.840.113554.1.2.2
> [2015/04/15 16:22:19.625345, 3, pid=9576, effective(0, 0), real(0,
> 0)] ../source3/libads/sasl.c:963(ads_sasl_spnego_bind)
> ads_sasl_spnego_bind: got OID=1.3.6.1.4.1.311.2.2.10
> [2015/04/15 16:22:19.625415, 3, pid=9576, effective(0, 0), real(0,
> 0)] ../source3/libads/sasl.c:972(ads_sasl_spnego_bind)
> ads_sasl_spnego_bind: got server principal name =
> not_defined_in_RFC4178@please_ignore
> [2015/04/15 16:22:19.625600, 3, pid=9576, effective(0, 0), real(0,
> 0)] ../lib/krb5_wrap/krb5_samba.c:266(ads_cleanup_expired_creds)
> ads_cleanup_expired_creds: Ticket in ccache[MEMORY:winbind_ccache]
> expiration Thu, 16 Apr 2015 02:22:19 EDT
> [2015/04/15 16:22:19.625695, 10, pid=9576, effective(0, 0), real(0,
> 0)] ../lib/krb5_wrap/krb5_samba.c:533(ads_krb5_mk_req)
> ads_krb5_mk_req: Ticket (ldap/larkin28.micore.us@MICORE.US) in
> ccache (MEMORY:winbind_ccache) is valid until: (Thu, 16 Apr 2015
> 02:22:19 EDT - 1429165339)
> [2015/04/15 16:22:19.625841, 10, pid=9576, effective(0, 0), real(0,
> 0)] ../lib/krb5_wrap/krb5_samba.c:776(get_krb5_smb_session_key)
> Got KRB5 session key of length 16
> [2015/04/15 16:22:19.633477, 10, pid=9576, effective(0, 0), real(0,
> 0)] ../source3/libads/ldap_schema.c:231(ads_check_posix_schema_mapping)
> ads_check_posix_schema_mapping for schema mode: 3
> [2015/04/15 16:22:19.725986, 5, pid=9576, effective(0, 0), real(0,
> 0)] ../source3/libads/ldap_utils.c:81(ads_do_search_retry_internal)
> Search for
> (|(attributeId=1.3.6.1.1.1.1.0)(attributeId=1.3.6.1.1.1.1.1)(attributeId=1.3.6.1.1.1.1.3)(attributeId=1.3.6.1.1.1.1.4)(attributeId=1.3.6.1.1.1.1.2)(attributeId=0.9.2342.19200300.100.1.1))
> in <CN=Schema,CN=Configuration,DC=micore,DC=us> gave 6 replies
> OID 1.3.6.1.1.1.1.0 has name: uidNumber
> OID 1.3.6.1.1.1.1.1 has name: gidNumber
> OID 0.9.2342.19200300.100.1.1 has name: uid
> OID 1.3.6.1.1.1.1.3 has name: unixHomeDirectory
> OID 1.3.6.1.1.1.1.2 has name: gecos
> OID 1.3.6.1.1.1.1.4 has name: loginShell
> [2015/04/15 16:22:19.870445, 5, pid=9576, effective(0, 0), real(0,
> 0)] ../source3/libads/ldap_utils.c:81(ads_do_search_retry_internal)
> Search for (uid=steve) in <dc=MICORE,dc=US> gave 0 replies
> [2015/04/15 16:22:19.870701, 5, pid=9576, effective(0, 0), real(0,
> 0), class=winbind]
> ../source3/winbindd/winbindd_cache.c:1272(resolve_alias_to_username)
> resolve_alias_to_username: backend query returned
> NT_STATUS_OBJECT_NAME_NOT_FOUND
> [2015/04/15 16:22:19.871341, 1, pid=9576, effective(0, 0), real(0,
> 0)] ../librpc/ndr/ndr.c:333(ndr_print_function_debug)
> wbint_LookupName: struct wbint_LookupName
> in: struct wbint_LookupName
> domain : *
> domain : 'BACKBONE'
> name : *
> name : 'STEVE'
> flags : 0x00000008 (8)
> [2015/04/15 16:22:19.918433, 1, pid=9576, effective(0, 0), real(0,
> 0)] ../librpc/ndr/ndr.c:333(ndr_print_function_debug)
> wbint_LookupName: struct wbint_LookupName
> out: struct wbint_LookupName
> type : *
> type : SID_NAME_USER (1)
> sid : *
> sid :
> S-1-5-21-***REPLACE-DDOMAINSID-WITHTHIS*-1406
> result : NT_STATUS_OK
> [2015/04/15 16:22:19.918869, 1, pid=9576, effective(0, 0), real(0,
> 0)] ../librpc/ndr/ndr.c:333(ndr_print_function_debug)
> wbint_QueryUser: struct wbint_QueryUser
> in: struct wbint_QueryUser
> sid : *
> sid :
> S-1-5-21-***REPLACE-DDOMAINSID-WITHTHIS*-1406
> [2015/04/15 16:22:20.124117, 1, pid=9576, effective(0, 0), real(0,
> 0)] ../librpc/ndr/ndr.c:333(ndr_print_function_debug)
> wbint_QueryUser: struct wbint_QueryUser
> out: struct wbint_QueryUser
> info : *
> info: struct wbint_userinfo
> acct_name : *
> acct_name : 'steve'
> full_name : *
> full_name : 'steve'
> homedir : *
> homedir : '/home/steve'
> shell : *
> shell : '/bin/ksh'
> primary_gid : 0x00000000000000e6 (230)
> user_sid :
> S-1-5-21-***REPLACE-DDOMAINSID-WITHTHIS*-1406
> group_sid :
> S-1-5-21-***REPLACE-DDOMAINSID-WITHTHIS*-513
> result : NT_STATUS_OK
> [2015/04/15 16:22:20.124742, 10, pid=9576, effective(0, 0), real(0,
> 0), class=winbind]
> ../source3/winbindd/wb_sids2xids.c:109(wb_sids2xids_send)
> SID 0: S-1-5-21-***REPLACE-DDOMAINSID-WITHTHIS*-1406
> [2015/04/15 16:22:20.124897, 10, pid=9576, effective(0, 0), real(0,
> 0)] ../source3/lib/idmap_cache.c:56(idmap_cache_find_sid2unixid)
> Parsing value for key
> [IDMAP/SID2XID/S-1-5-21-***REPLACE-DDOMAINSID-WITHTHIS*-1406]:
> value=[203:U]
> [2015/04/15 16:22:20.125024, 10, pid=9576, effective(0, 0), real(0,
> 0)] ../source3/lib/idmap_cache.c:75(idmap_cache_find_sid2unixid)
> Parsing value for key
> [IDMAP/SID2XID/S-1-5-21-***REPLACE-DDOMAINSID-WITHTHIS*-1406]:
> id=[203], endptr=[:U]
> [2015/04/15 16:22:20.125185, 10, pid=9576, effective(0, 0), real(0,
> 0), class=winbind]
> ../source3/winbindd/winbindd_util.c:791(find_lookup_domain_from_sid)
> find_lookup_domain_from_sid(S-1-5-21-***REPLACE-DDOMAINSID-WITHTHIS*-513)
> [2015/04/15 16:22:20.125326, 10, pid=9576, effective(0, 0), real(0,
> 0), class=winbind]
> ../source3/winbindd/winbindd_util.c:801(find_lookup_domain_from_sid)
> calling find_our_domain
> [2015/04/15 16:22:20.125420, 1, pid=9576, effective(0, 0), real(0,
> 0)] ../librpc/ndr/ndr.c:333(ndr_print_function_debug)
> wbint_LookupSid: struct wbint_LookupSid
> in: struct wbint_LookupSid
> sid : *
> sid :
> S-1-5-21-***REPLACE-DDOMAINSID-WITHTHIS*-513
> [2015/04/15 16:22:20.139329, 1, pid=9576, effective(0, 0), real(0,
> 0)] ../librpc/ndr/ndr.c:333(ndr_print_function_debug)
> wbint_LookupSid: struct wbint_LookupSid
> out: struct wbint_LookupSid
> type : *
> type : SID_NAME_DOM_GRP (2)
> domain : *
> domain : *
> domain : 'BACKBONE'
> name : *
> name : *
> name : 'Domain_Users'
> result : NT_STATUS_OK
> [2015/04/15 16:22:20.139720, 10, pid=9576, effective(0, 0), real(0,
> 0), class=winbind]
> ../source3/winbindd/wb_sids2xids.c:109(wb_sids2xids_send)
> SID 0: S-1-5-21-***REPLACE-DDOMAINSID-WITHTHIS*-513
> [2015/04/15 16:22:20.139826, 10, pid=9576, effective(0, 0), real(0,
> 0)] ../source3/lib/idmap_cache.c:56(idmap_cache_find_sid2unixid)
> Parsing value for key
> [IDMAP/SID2XID/S-1-5-21-***REPLACE-DDOMAINSID-WITHTHIS*-513]:
> value=[-1:N]
> [2015/04/15 16:22:20.139900, 10, pid=9576, effective(0, 0), real(0,
> 0)] ../source3/lib/idmap_cache.c:75(idmap_cache_find_sid2unixid)
> Parsing value for key
> [IDMAP/SID2XID/S-1-5-21-***REPLACE-DDOMAINSID-WITHTHIS*-513]:
> id=[4294967295], endptr=[:N]
> [2015/04/15 16:22:20.140053, 5, pid=9576, effective(0, 0), real(0,
> 0), class=winbind]
> ../source3/winbindd/winbindd_getpwnam.c:137(winbindd_getpwnam_recv)
> Could not convert sid S-1-5-21-***REPLACE-DDOMAINSID-WITHTHIS*-1406:
> NT_STATUS_NONE_MAPPED
> [2015/04/15 16:22:20.140166, 10, pid=9576, effective(0, 0), real(0,
> 0), class=winbind] ../source3/winbindd/winbindd.c:755(wb_request_done)
> wb_request_done[9584:GETPWNAM]: NT_STATUS_NONE_MAPPED
> [2015/04/15 16:22:20.142258, 10, pid=9576, effective(0, 0), real(0,
> 0), class=winbind]
> ../source3/winbindd/winbindd.c:816(winbind_client_response_written)
> winbind_client_response_written[9584:GETPWNAM]: delivered response
> to client
> [2015/04/15 16:22:20.142450, 6, pid=9576, effective(0, 0), real(0,
> 0), class=winbind]
> ../source3/winbindd/winbindd.c:918(winbind_client_request_read)
OK, this was bugging me, so I set up CentOS 6.6 in a VM (by the way,
this wasn't easy; who decided it was a good idea to introduce the 'URL'
option?).
I then installed the sernet samba packages and set up smb.conf:
[global]
workgroup = EXAMPLE
security = ADS
realm = EXAMPLE.COM
dedicated keytab file = /etc/krb5.keytab
kerberos method = secrets and keytab
server string = Samba 4 Client %h
winbind enum users = yes
winbind enum groups = yes
winbind use default domain = yes
winbind expand groups = 4
winbind nss info = rfc2307
winbind refresh tickets = Yes
winbind offline logon = yes
winbind normalize names = Yes
idmap config * : backend = tdb
idmap config * : range = 2000-9999
idmap config EXAMPLE : backend = ad
idmap config EXAMPLE : range = 10000-999999
idmap config EXAMPLE : schema_mode = rfc2307
printcap name = cups
cups options = raw
usershare allow guests = yes
domain master = no
local master = no
map to guest = bad user
username map = /etc/samba/user.map
vfs objects = acl_xattr
map acl inherit = Yes
store dos attributes = Yes
Created the user.map file:
!root = EXAMPLE\Administrator EXAMPLE\administrator Administrator administrator
Changed /etc/krb5.conf:
[libdefaults]
default_realm = EXAMPLE.COM
dns_lookup_realm = false
dns_lookup_kdc = true
Changed /etc/default/sernet-samba to allow samba to start.
Joined the domain:
[root@centos6 ~]# net ads join -U Administrator
Enter Administrator's password:
Using short domain name -- EXAMPLE
Joined 'CENTOS6' to dns domain 'example.com'
Altered /etc/nsswitch.conf
Change:
passwd: files
shadow: files
group: files
To:
passwd: files winbind
shadow: files
group: files winbind
Started the three daemons:
service sernet-samba-nmbd start
service sernet-samba-smbd start
service sernet-samba-winbindd start
Only problem was that 'nmbd' wouldn't start!
Apr 16 09:04:57 centos6 nmbd[13351]: [2015/04/16 09:04:57.586200, 0]
../lib/util/pidfile.c:117(pidfile_create)
Apr 16 09:04:57 centos6 nmbd[13351]: ERROR: can't open
/var/run/samba/nmbd.pid: Error was Permission denied
A quick check in /var/log/audit/audit.log proved what I thought: SELinux
wasn't allowing 'nmbd' to write its PID. Why it allows 'smbd' to write
its PID but not 'nmbd' beats me.
I put SELinux into permissive mode and 'nmbd' now starts. I then ran
'getent passwd' and got all my domain users.
Further checking on one user:
[root@centos6 ~]# id rowland
uid=10000(rowland) gid=10000(domain_users)
groups=10000(domain_users),10001(administration),10002(domain_admins),2001(BUILTIN\users),2000(BUILTIN\administrators)
[root@centos6 ~]# wbinfo -i rowland
rowland:*:10000:10000:Rowland Penny:/home/rowland:/bin/bash
[root@centos6 ~]# wbinfo -n rowland
S-1-5-21-XXXXXXXXXX-XXXXXXXXXX-XXXXXXXXXX-1106 SID_USER (1)
[root@centos6 ~]# getent passwd rowland
rowland:*:10000:10000:Rowland Penny:/home/rowland:/bin/bash
So, it seems that it does work if you turn off SELinux.
Rowland
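Editor's note, with an added example that is not part of either post and not Samba's own code. The level-10 trace quoted above is worth reading to the end: the name lookup for 'steve' and the QueryUser call both return NT_STATUS_OK, the user SID (RID 1406) is found in the idmap cache as "203:U", but the primary group SID (RID 513, the well-known Domain Users RID) comes back as "-1:N", i.e. no unix id, and winbindd_getpwnam_recv then reports NT_STATUS_NONE_MAPPED for the user. With "idmap config DOMAIN : backend = ad" and "winbind nss info = rfc2307", a user is only resolvable when the user has a uidNumber and the user's primary group has a gidNumber, and both fall inside the configured range (idmap_ad treats a missing or out-of-range attribute as unmapped). In the working output from the CentOS 6 test above, domain_users resolves to gid 10000, inside the 10000-999999 range. The script below pulls the SID2XID cache results out of a winbind debug log and checks them against the idmap ranges in smb.conf. The log lines are constructed to mirror the ones in the thread with a placeholder domain SID; the smb.conf fragment is the idmap part of the member-server config posted above, combined with the trace purely for illustration (the original poster's ranges are not in the thread, so the "outside range" finding for uid 203 is an artefact of that combination).

```python
import re
from typing import Dict, List, Tuple

# Constructed sample, modelled on the "debug level 10" winbind trace quoted in the
# thread: the "Parsing value for key [IDMAP/SID2XID/...]: value=[...]" lines are what
# source3/lib/idmap_cache.c prints. The domain SID is a placeholder, not real data.
SAMPLE_LOG = """\
wbint_LookupName: name : 'STEVE' -> S-1-5-21-1111111111-2222222222-3333333333-1406
Parsing value for key [IDMAP/SID2XID/S-1-5-21-1111111111-2222222222-3333333333-1406]: value=[203:U]
Parsing value for key [IDMAP/SID2XID/S-1-5-21-1111111111-2222222222-3333333333-1406]: id=[203], endptr=[:U]
wbint_LookupSid: S-1-5-21-1111111111-2222222222-3333333333-513 -> 'Domain_Users' SID_NAME_DOM_GRP (2)
Parsing value for key [IDMAP/SID2XID/S-1-5-21-1111111111-2222222222-3333333333-513]: value=[-1:N]
Parsing value for key [IDMAP/SID2XID/S-1-5-21-1111111111-2222222222-3333333333-513]: id=[4294967295], endptr=[:N]
Could not convert sid S-1-5-21-1111111111-2222222222-3333333333-1406: NT_STATUS_NONE_MAPPED
"""

# The idmap lines from the member-server smb.conf in the reply above; the rest is omitted.
SAMPLE_SMB_CONF = """\
[global]
   workgroup = EXAMPLE
   idmap config * : backend = tdb
   idmap config * : range = 2000-9999
   idmap config EXAMPLE : backend = ad
   idmap config EXAMPLE : range = 10000-999999
   idmap config EXAMPLE : schema_mode = rfc2307
"""

SID2XID_RE = re.compile(r"IDMAP/SID2XID/(S-1-5-21-[\d-]+)\]: value=\[(-?\d+):([A-Z])\]")
RANGE_RE = re.compile(r"idmap config\s+(\S+)\s*:\s*range\s*=\s*(\d+)\s*-\s*(\d+)", re.I)
WELL_KNOWN_RIDS = {512: "Domain Admins", 513: "Domain Users", 514: "Domain Guests"}


def parse_sid2xid(log: str) -> Dict[str, Tuple[int, str]]:
    """Map SID -> (unix id, kind) from idmap-cache lines.  kind is 'U' (uid),
    'G' (gid), 'B' (both) or 'N' (negative entry: no mapping, id is -1)."""
    return {sid: (int(xid), kind) for sid, xid, kind in SID2XID_RE.findall(log)}


def parse_idmap_ranges(smb_conf: str) -> Dict[str, Tuple[int, int]]:
    """Map idmap domain name ('*' for the default) -> (low, high) range."""
    return {dom.upper(): (int(lo), int(hi)) for dom, lo, hi in RANGE_RE.findall(smb_conf)}


def diagnose(log: str, smb_conf: str, domain: str) -> List[str]:
    """Explain why getpwnam may fail: every SID the lookup touched (the user and its
    primary group) must map to an id inside the range configured for `domain`."""
    ranges = parse_idmap_ranges(smb_conf)
    low, high = ranges.get(domain.upper()) or ranges.get("*") or (0, 2**32 - 1)
    findings = []
    for sid, (xid, kind) in parse_sid2xid(log).items():
        rid = int(sid.rsplit("-", 1)[1])
        label = WELL_KNOWN_RIDS.get(rid, f"RID {rid}")
        if kind == "N":
            findings.append(
                f"{sid} ({label}): no unix id (cache value -1:N). With idmap_ad/rfc2307 "
                "this usually means the object has no uidNumber/gidNumber, or one outside "
                f"the {domain} range {low}-{high}; a user whose primary group this is "
                "fails getpwnam with NT_STATUS_NONE_MAPPED")
        elif not low <= xid <= high:
            findings.append(
                f"{sid} ({label}): {kind}={xid} lies outside idmap range {low}-{high} "
                f"configured for {domain}")
    return findings


if __name__ == "__main__":
    for line in diagnose(SAMPLE_LOG, SAMPLE_SMB_CONF, "EXAMPLE"):
        print(line)
```

To use it on a real member server, run winbindd at debug level 10, reproduce the failing `wbinfo -i` / `id` call, and feed the log plus the live smb.conf to diagnose() with your short domain name. A "-1:N" entry for a group SID points at the group object in AD (gidNumber missing or out of range), not at nsswitch, Kerberos or SELinux; note that the negative entry is cached, so fix the attribute and then clear the cache (net cache flush) before retesting.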