[Samba] nsswitch/libnss_winbind.so.2

Rowland Penny rowlandpenny at googlemail.com
Mon Jun 22 06:53:55 MDT 2015


On 22/06/15 13:19, Marc Rechte wrote:
>
>
> On 22/06/2015 13:23, Rowland Penny wrote:
>> On 22/06/15 11:59, Marc Rechté wrote:
>>> Sorry I forgot the /etc/samba/smb.conf:
>>>
>>> [global]
>>>
>>>     workgroup = STUDELEC-SA
>>>     server string = Samba Server Version %v
>>>
>>> ;    netbios name = MYSERVER
>>>
>>> ;    interfaces = lo eth0 192.168.12.2/24 192.168.13.2/24
>>> ;    hosts allow = 127. 192.168.12. 192.168.13.
>>>
>>> ;    max protocol = SMB2
>>>
>>>     # log files split per-machine:
>>>     log file = /var/log/samba/smb.log
>>>     # maximum size of 50KB per log file, then rotate:
>>>     max log size = 50
>>>
>>>     log level = winbind:9
>>> # ----------------------- Domain Members Options ------------------------
>>>
>>>    security = ADS
>>>    realm = STUDELEC-SA.COM
>>>    server role = member server
>>>    dedicated keytab file = /etc/krb5.keytab
>>>    kerberos method = secrets and keytab
>>>
>>>    idmap config *:backend = tdb
>>>    idmap config *:range = 2000-9999
>>>    idmap config STUDELEC-SA:backend = ad
>>>    idmap config STUDELEC-SA:schema_mode = rfc2307
>>>    idmap config STUDELEC-SA:range = 10000-99999
>>>
>>>    winbind nss info = rfc2307
>>>    winbind trusted domains only = no
>>>    winbind use default domain = yes
>>>    winbind enum users  = yes
>>>    winbind enum groups = yes
>>>    winbind refresh tickets = Yes
>>>    winbind expand groups = 4
>>>    winbind normalize names = Yes
>>>    domain master = no
>>>    local master = no
>>>    vfs objects = acl_xattr
>>>    map acl inherit = Yes
>>>    store dos attributes = Yes
>>>
>>>
>>>
>>> OK, issuing this command:
>>>
>>> $ getent passwd tunix
>>>
>>> Produces in /var/log/log.wb-STUDELEC-SA:
>>>
>>> 2015/06/22 12:32:37.473115,  4] 
>>> ../source3/winbindd/winbindd_dual.c:1346(child_handler)
>>>   Finished processing child request 20
>>> [2015/06/22 12:32:37.473241,  4] 
>>> ../source3/winbindd/winbindd_dual.c:1338(child_handler)
>>>   child daemon request 20
>>> [2015/06/22 12:32:37.473278,  3] 
>>> ../source3/winbindd/winbindd_misc.c:161(winbindd_dual_list_trusted_domains)
>>>   [27699]: list trusted domains
>>> [2015/06/22 12:32:37.473301,  3] 
>>> ../source3/winbindd/winbindd_ads.c:1427(trusted_domains)
>>>   ads: trusted_domains
>>> [2015/06/22 12:32:37.474261,  4] 
>>> ../source3/winbindd/winbindd_dual.c:1346(child_handler)
>>>   Finished processing child request 20
>>> [2015/06/22 12:34:23.262925,  4] 
>>> ../source3/winbindd/winbindd_dual.c:1338(child_handler)
>>>   child daemon request 59
>>> [2015/06/22 12:34:23.263078,  3] 
>>> ../source3/winbindd/winbindd_msrpc.c:252(msrpc_name_to_sid)
>>>   msrpc_name_to_sid: name=STUDELEC-SA\TUNIX
>>> [2015/06/22 12:34:23.263178,  3] 
>>> ../source3/winbindd/winbindd_msrpc.c:266(msrpc_name_to_sid)
>>>   name_to_sid [rpc] STUDELEC-SA\TUNIX for domain STUDELEC-SA
>>> [2015/06/22 12:34:23.267421,  4] 
>>> ../source3/winbindd/winbindd_dual.c:1346(child_handler)
>>>   Finished processing child request 59
>>> [2015/06/22 12:34:23.267684,  4] 
>>> ../source3/winbindd/winbindd_dual.c:1338(child_handler)
>>>   child daemon request 59
>>> [2015/06/22 12:34:23.267767,  3] 
>>> ../source3/winbindd/winbindd_ads.c:605(query_user)
>>>   ads: query_user
>>> [2015/06/22 12:34:23.329798,  3] 
>>> ../source3/winbindd/winbindd_ads.c:730(query_user)
>>>   ads query_user gave tunix
>>> [2015/06/22 12:34:23.329862,  4] 
>>> ../source3/winbindd/winbindd_dual.c:1346(child_handler)
>>>   Finished processing child request 59
>>> [2015/06/22 12:34:23.330027,  4] 
>>> ../source3/winbindd/winbindd_dual.c:1338(child_handler)
>>>   child daemon request 59
>>> [2015/06/22 12:34:23.330068,  3] 
>>> ../source3/winbindd/winbindd_msrpc.c:300(msrpc_sid_to_name)
>>>   msrpc_sid_to_name: S-1-5-21-497920593-2320919703-1315762108-513 
>>> for domain STUDELEC-SA
>>> [2015/06/22 12:34:23.331468,  5] 
>>> ../source3/winbindd/winbindd_msrpc.c:320(msrpc_sid_to_name)
>>>   Mapped sid to [STUDELEC-SA]\[Utilisateurs du domaine]
>>> [2015/06/22 12:34:23.331501,  5] 
>>> ../source3/winbindd/winbindd_cache.c:1184(resolve_username_to_alias)
>>>   resolve_username_to_alias: backend query returned 
>>> NT_STATUS_INVALID_PARAMETER
>>> [2015/06/22 12:34:23.331528,  5] 
>>> ../source3/winbindd/winbindd_msrpc.c:328(msrpc_sid_to_name)
>>>   returning mapped name -- Utilisateurs_du_domaine
>>> [2015/06/22 12:34:23.331563,  4] 
>>> ../source3/winbindd/winbindd_dual.c:1346(child_handler)
>>>   Finished processing child request 59
>>> [2015/06/22 12:34:23.331698,  4] 
>>> ../source3/winbindd/winbindd_dual.c:1338(child_handler)
>>>   child daemon request 59
>>> [2015/06/22 12:34:23.332704,  4] 
>>> ../source3/winbindd/winbindd_dual.c:1346(child_handler)
>>>   Finished processing child request 59
>>> [2015/06/22 12:37:37.501433,  4] 
>>> ../source3/winbindd/winbindd_dual.c:1338(child_handler)
>>>   child daemon request 20
>>> [2015/06/22 12:37:37.501560,  3] 
>>> ../source3/winbindd/winbindd_misc.c:161(winbindd_dual_list_trusted_domains)
>>>   [27699]: list trusted domains
>>> [2015/06/22 12:37:37.501598,  3] 
>>> ../source3/winbindd/winbindd_ads.c:1427(trusted_domains)
>>>   ads: trusted_domains
>>> [2015/06/22 12:37:37.503225,  4] 
>>> ../source3/winbindd/winbindd_dual.c:1346(child_handler)
>>>   Finished processing child request 20
>>> [2015/06/22 12:42:37.505184,  4] 
>>> ../source3/winbindd/winbindd_dual.c:1338(child_handler)
>>>   child daemon request 20
>>> [2015/06/22 12:42:37.505292,  3] 
>>> ../source3/winbindd/winbindd_misc.c:161(winbindd_dual_list_trusted_domains)
>>>   [27699]: list trusted domains
>>> [2015/06/22 12:42:37.505325,  3] 
>>> ../source3/winbindd/winbindd_ads.c:1427(trusted_domains)
>>>   ads: trusted_domains
>>> [2015/06/22 12:42:37.506940,  4] 
>>> ../source3/winbindd/winbindd_dual.c:1346(child_handler)
>>>   Finished processing child request 20
>>>
>>>
>>>
>>> On 22/06/2015 09:56, Rowland Penny wrote:
>>>> On 22/06/15 07:38, Marc Rechté wrote:
>>>>> Hello,
>>>>>
>>>>> Trying to set up an AD member server, I am stuck on nsswitch not
>>>>> working.
>>>>>
>>>>> wbinfo -u returns the list of domain users, but getent passwd <some
>>>>> user> always fails (exit 2)
>>>>>
>>>>> /etc/nsswitch.conf
>>>>> passwd:     files winbind
>>>>> shadow:     files winbind
>>>>> group:      files winbind
>>>>>
>>>>> $ ls -l /usr/lib64/libnss_w*
>>>>> lrwxrwxrwx 1 root root    19 23 févr. 14:39
>>>>> /usr/lib64/libnss_winbind.so -> libnss_winbind.so.2
>>>>> -rwxr-xr-x 1 root root 19224 23 févr. 14:40
>>>>> /usr/lib64/libnss_winbind.so.2
>>>>> lrwxrwxrwx 1 root root    16 23 févr. 14:39 /usr/lib64/libnss_wins.so
>>>>> -> libnss_wins.so.2
>>>>> -rwxr-xr-x 1 root root 10976 23 févr. 14:40 
>>>>> /usr/lib64/libnss_wins.so.2
>>>>>
>>>>> System is Fedora 21 64-bit with up to date packages
>>>>>
>>>>> Thanks
>>>>>
>>>>
>>>> I think you are going to have to give us a bit more info, just telling
>>>> us it doesn't work, isn't enough.
>>>>
>>>> smb.conf, anything in the logs etc
>>>>
>>>> Rowland
>>>>
>>>
>>>
>>>
>>>
>>
>> OK, everything looks correct in smb.conf, though you don't need:
>>
>> server role = member server
>> winbind trusted domains only = no
>>
>> So I suppose the next question is, what is the member server joined to ?
>>
>> If it is a Samba4 AD DC, then have you given your users a gidNumber 
>> attribute and have you given 'Domain Users' (at least) a gidNumber 
>> attribute ? These numbers need to be inside the range set in your 
>> smb.conf '10000-99999', anything outside these numbers will be ignored.
>>
>> If it is a Windows AD DC, then is IDMU installed, if it is, then 
>> uidNumbers, gidNumbers as above.
>>
>> Rowland
>
> Server is MS Windows 2000
>
> What is IDMU ? 

IDMU = Identity Management for UNIX, but because you are using Windows 
2000 (why???) it will be called 'Services for UNIX' or SFU

> We have made sure NIS Extension is installed and that "tunix" uid/gid 
> have been set to 10000/10000. But other users (groups) have not been 
> set, especially "Domain Users" (Utilisateurs_du_domaine in my log). 
> Setting its GID value in UNIX Tab solved the issue !

Ah, it sounds like you have created a group called 'tunix' in AD, if you 
have, please remove it, you shouldn't have personal groups in AD. You 
*must* give 'Domain Users' a gidNumber, winbind will not work without 
it, try using the 10000 you have removed from the tunix group.

Rowland

>
> Maybe the Wiki could stress that particular point.
>
>
> Thanks for your help.
>
> Marc
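
Added example (not part of the original thread and not Samba code): a small offline audit of the failure diagnosed above, where `getent passwd` fails because a user's uidNumber, or the gidNumber of the user's primary group, is missing or outside the `idmap config STUDELEC-SA:range`. The directory snapshot, the `unixadmins` group and the users other than `tunix` are constructed, and the model that the primary group comes from the user's primaryGroupID RID is an assumption taken from the thread's diagnosis.

```python
import re

# Constructed smb.conf excerpt using the idmap lines quoted in the thread.
SMB_CONF = """\
[global]
   idmap config *:backend = tdb
   idmap config *:range = 2000-9999
   idmap config STUDELEC-SA:backend = ad
   idmap config STUDELEC-SA:schema_mode = rfc2307
   idmap config STUDELEC-SA:range = 10000-99999
"""

# Constructed directory snapshot (not real data).
# Groups keyed by RID: (name, gidNumber or None). 513 is Domain Users.
GROUPS = {513: ("Domain Users", None), 1105: ("unixadmins", 10001)}
# Users: name -> (uidNumber or None, primaryGroupID)
USERS = {"tunix": (10000, 513), "alice": (10002, 1105),
         "bob": (500, 513), "carol": (None, 1105)}


def idmap_range(conf, domain):
    """Return (low, high) from 'idmap config DOMAIN:range = low-high'."""
    pat = r"^\s*idmap config\s+%s\s*:\s*range\s*=\s*(\d+)\s*-\s*(\d+)" % re.escape(domain)
    m = re.search(pat, conf, re.MULTILINE | re.IGNORECASE)
    if m is None:
        raise ValueError("no idmap range configured for %s" % domain)
    return int(m.group(1)), int(m.group(2))


def check_user(name, users, groups, rng):
    """List the reasons this user would not map to a usable passwd entry."""
    low, high = rng
    uid, rid = users[name]
    gname, gid = groups.get(rid, ("RID %d" % rid, None))
    problems = []
    for label, value in (("uidNumber", uid),
                         ("gidNumber of primary group '%s'" % gname, gid)):
        if value is None:
            problems.append("%s is not set" % label)
        elif not low <= value <= high:
            problems.append("%s %d is outside %d-%d" % (label, value, low, high))
    return problems


def audit(users, groups, rng):
    """Map each user name to its list of problems (empty list = resolvable)."""
    return {name: check_user(name, users, groups, rng) for name in users}


if __name__ == "__main__":
    for name, problems in audit(USERS, GROUPS, idmap_range(SMB_CONF, "STUDELEC-SA")).items():
        print(name, "OK" if not problems else "; ".join(problems))
```

In a real deployment the two dictionaries would be filled from an LDAP export of uidNumber, gidNumber and primaryGroupID.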


