[Samba] nsswitch/libnss_winbind.so.2
Marc Rechte
mrechte at studelec-sa.com
Mon Jun 22 07:09:03 MDT 2015
On 22/06/2015 14:53, Rowland Penny wrote:
> On 22/06/15 13:19, Marc Rechte wrote:
>>
>>
>> On 22/06/2015 13:23, Rowland Penny wrote:
>>> On 22/06/15 11:59, Marc Rechté wrote:
>>>> Sorry I forgot the /etc/samba/smb.conf:
>>>>
>>>> [global]
>>>>
>>>> workgroup = STUDELEC-SA
>>>> server string = Samba Server Version %v
>>>>
>>>> ; netbios name = MYSERVER
>>>>
>>>> ; interfaces = lo eth0 192.168.12.2/24 192.168.13.2/24
>>>> ; hosts allow = 127. 192.168.12. 192.168.13.
>>>>
>>>> ; max protocol = SMB2
>>>>
>>>> # log files split per-machine:
>>>> log file = /var/log/samba/smb.log
>>>> # maximum size of 50KB per log file, then rotate:
>>>> max log size = 50
>>>>
>>>> log level = winbind:9
>>>> # ----------------------- Domain Members Options ------------------------
>>>>
>>>> security = ADS
>>>> realm = STUDELEC-SA.COM
>>>> server role = member server
>>>> dedicated keytab file = /etc/krb5.keytab
>>>> kerberos method = secrets and keytab
>>>>
>>>> idmap config *:backend = tdb
>>>> idmap config *:range = 2000-9999
>>>> idmap config STUDELEC-SA:backend = ad
>>>> idmap config STUDELEC-SA:schema_mode = rfc2307
>>>> idmap config STUDELEC-SA:range = 10000-99999
>>>>
>>>> winbind nss info = rfc2307
>>>> winbind trusted domains only = no
>>>> winbind use default domain = yes
>>>> winbind enum users = yes
>>>> winbind enum groups = yes
>>>> winbind refresh tickets = Yes
>>>> winbind expand groups = 4
>>>> winbind normalize names = Yes
>>>> domain master = no
>>>> local master = no
>>>> vfs objects = acl_xattr
>>>> map acl inherit = Yes
>>>> store dos attributes = Yes
>>>>
>>>>
>>>>
>>>> OK, issuing this command:
>>>>
>>>> $ getent passwd tunix
>>>>
>>>> Produces in /var/log/log.wb-STUDELEC-SA:
>>>>
>>>> 2015/06/22 12:32:37.473115, 4]
>>>> ../source3/winbindd/winbindd_dual.c:1346(child_handler)
>>>> Finished processing child request 20
>>>> [2015/06/22 12:32:37.473241, 4]
>>>> ../source3/winbindd/winbindd_dual.c:1338(child_handler)
>>>> child daemon request 20
>>>> [2015/06/22 12:32:37.473278, 3]
>>>> ../source3/winbindd/winbindd_misc.c:161(winbindd_dual_list_trusted_domains)
>>>> [27699]: list trusted domains
>>>> [2015/06/22 12:32:37.473301, 3]
>>>> ../source3/winbindd/winbindd_ads.c:1427(trusted_domains)
>>>> ads: trusted_domains
>>>> [2015/06/22 12:32:37.474261, 4]
>>>> ../source3/winbindd/winbindd_dual.c:1346(child_handler)
>>>> Finished processing child request 20
>>>> [2015/06/22 12:34:23.262925, 4]
>>>> ../source3/winbindd/winbindd_dual.c:1338(child_handler)
>>>> child daemon request 59
>>>> [2015/06/22 12:34:23.263078, 3]
>>>> ../source3/winbindd/winbindd_msrpc.c:252(msrpc_name_to_sid)
>>>> msrpc_name_to_sid: name=STUDELEC-SA\TUNIX
>>>> [2015/06/22 12:34:23.263178, 3]
>>>> ../source3/winbindd/winbindd_msrpc.c:266(msrpc_name_to_sid)
>>>> name_to_sid [rpc] STUDELEC-SA\TUNIX for domain STUDELEC-SA
>>>> [2015/06/22 12:34:23.267421, 4]
>>>> ../source3/winbindd/winbindd_dual.c:1346(child_handler)
>>>> Finished processing child request 59
>>>> [2015/06/22 12:34:23.267684, 4]
>>>> ../source3/winbindd/winbindd_dual.c:1338(child_handler)
>>>> child daemon request 59
>>>> [2015/06/22 12:34:23.267767, 3]
>>>> ../source3/winbindd/winbindd_ads.c:605(query_user)
>>>> ads: query_user
>>>> [2015/06/22 12:34:23.329798, 3]
>>>> ../source3/winbindd/winbindd_ads.c:730(query_user)
>>>> ads query_user gave tunix
>>>> [2015/06/22 12:34:23.329862, 4]
>>>> ../source3/winbindd/winbindd_dual.c:1346(child_handler)
>>>> Finished processing child request 59
>>>> [2015/06/22 12:34:23.330027, 4]
>>>> ../source3/winbindd/winbindd_dual.c:1338(child_handler)
>>>> child daemon request 59
>>>> [2015/06/22 12:34:23.330068, 3]
>>>> ../source3/winbindd/winbindd_msrpc.c:300(msrpc_sid_to_name)
>>>> msrpc_sid_to_name: S-1-5-21-497920593-2320919703-1315762108-513
>>>> for domain STUDELEC-SA
>>>> [2015/06/22 12:34:23.331468, 5]
>>>> ../source3/winbindd/winbindd_msrpc.c:320(msrpc_sid_to_name)
>>>> Mapped sid to [STUDELEC-SA]\[Utilisateurs du domaine]
>>>> [2015/06/22 12:34:23.331501, 5]
>>>> ../source3/winbindd/winbindd_cache.c:1184(resolve_username_to_alias)
>>>> resolve_username_to_alias: backend query returned
>>>> NT_STATUS_INVALID_PARAMETER
>>>> [2015/06/22 12:34:23.331528, 5]
>>>> ../source3/winbindd/winbindd_msrpc.c:328(msrpc_sid_to_name)
>>>> returning mapped name -- Utilisateurs_du_domaine
>>>> [2015/06/22 12:34:23.331563, 4]
>>>> ../source3/winbindd/winbindd_dual.c:1346(child_handler)
>>>> Finished processing child request 59
>>>> [2015/06/22 12:34:23.331698, 4]
>>>> ../source3/winbindd/winbindd_dual.c:1338(child_handler)
>>>> child daemon request 59
>>>> [2015/06/22 12:34:23.332704, 4]
>>>> ../source3/winbindd/winbindd_dual.c:1346(child_handler)
>>>> Finished processing child request 59
>>>> [2015/06/22 12:37:37.501433, 4]
>>>> ../source3/winbindd/winbindd_dual.c:1338(child_handler)
>>>> child daemon request 20
>>>> [2015/06/22 12:37:37.501560, 3]
>>>> ../source3/winbindd/winbindd_misc.c:161(winbindd_dual_list_trusted_domains)
>>>> [27699]: list trusted domains
>>>> [2015/06/22 12:37:37.501598, 3]
>>>> ../source3/winbindd/winbindd_ads.c:1427(trusted_domains)
>>>> ads: trusted_domains
>>>> [2015/06/22 12:37:37.503225, 4]
>>>> ../source3/winbindd/winbindd_dual.c:1346(child_handler)
>>>> Finished processing child request 20
>>>> [2015/06/22 12:42:37.505184, 4]
>>>> ../source3/winbindd/winbindd_dual.c:1338(child_handler)
>>>> child daemon request 20
>>>> [2015/06/22 12:42:37.505292, 3]
>>>> ../source3/winbindd/winbindd_misc.c:161(winbindd_dual_list_trusted_domains)
>>>> [27699]: list trusted domains
>>>> [2015/06/22 12:42:37.505325, 3]
>>>> ../source3/winbindd/winbindd_ads.c:1427(trusted_domains)
>>>> ads: trusted_domains
>>>> [2015/06/22 12:42:37.506940, 4]
>>>> ../source3/winbindd/winbindd_dual.c:1346(child_handler)
>>>> Finished processing child request 20
>>>>
>>>>
>>>>
>>>> On 22/06/2015 09:56, Rowland Penny wrote:
>>>>> On 22/06/15 07:38, Marc Rechté wrote:
>>>>>> Hello,
>>>>>>
>>>>>> Trying to set up an AD member server, I am stuck on nsswitch not
>>>>>> working.
>>>>>>
>>>>>> wbinfo -u returns the list of domain users, but getent passwd <some
>>>>>> user> always fails (exit 2)
>>>>>>
>>>>>> /etc/nsswitch.conf
>>>>>> passwd: files winbind
>>>>>> shadow: files winbind
>>>>>> group: files winbind
>>>>>>
>>>>>> $ ls -l /usr/lib64/libnss_w*
>>>>>> lrwxrwxrwx 1 root root 19 23 févr. 14:39
>>>>>> /usr/lib64/libnss_winbind.so -> libnss_winbind.so.2
>>>>>> -rwxr-xr-x 1 root root 19224 23 févr. 14:40
>>>>>> /usr/lib64/libnss_winbind.so.2
>>>>>> lrwxrwxrwx 1 root root 16 23 févr. 14:39
>>>>>> /usr/lib64/libnss_wins.so
>>>>>> -> libnss_wins.so.2
>>>>>> -rwxr-xr-x 1 root root 10976 23 févr. 14:40
>>>>>> /usr/lib64/libnss_wins.so.2
>>>>>>
>>>>>> System is Fedora 21 64-bit with up to date packages
>>>>>>
>>>>>> Thanks
>>>>>>
>>>>>
>>>>> I think you are going to have to give us a bit more info, just
>>>>> telling
>>>>> us it doesn't work, isn't enough.
>>>>>
>>>>> smb.conf, anything in the logs etc
>>>>>
>>>>> Rowland
>>>>>
>>>>
>>>>
>>>>
>>>>
>>>
>>> OK, everything looks correct in smb.conf, though you don't need:
>>>
>>> server role = member server
>>> winbind trusted domains only = no
>>>
>>> So I suppose the next question is, what is the member server joined
>>> to ?
>>>
>>> If it is a Samba4 AD DC, then have you given your users a gidNumber
>>> attribute and have you given 'Domain Users' (at least) a gidNumber
>>> attribute ? These numbers need to be inside the range set in your
>>> smb.conf '10000-99999', anything outside these numbers will be ignored.
>>>
>>> If it is a windows AD DC, then is IDMU installed, if it is, then
>>> uidNumbers, gidNumbers as above.
>>>
>>> Rowland
>>
>> Server is MS Windows 2000
>>
>> What is IDMU ?
>
> IDMU = Identity Management for UNIX, but because you are using windows
> 2000 (why???) it will be called 'Services for UNIX' or SFU
>
>> We have made sure NIS Extension is installed and that "tunix" uid/gid
>> have been set to 10000/10000. But other users (groups) have not been
>> set, especially "Domain Users" (Utilisateurs_du_domaine in my log).
>> Setting its GID value in UNIX Tab solved the issue!
>
> Ah, it sounds like you have created a group called 'tunix' in AD, if
> you have, please remove it, you shouldn't have personal groups in AD.
> You *must* give 'Domain Users' a gidNumber, winbind will not work
> without it, try using the 10000 you have removed from the tunix group.
>
> Rowland
>
>>
>> Maybe the Wiki could stress that particular point.
>>
>>
>> Thanks for your help.
>>
>> Marc
>
Actually it is Windows 2008 R2 and I am sorry because all these UID/GID
points are highlighted in the Wiki: "you *must* add these attributes to
your AD ..." and a note explicitly mentions my problem. RTFM well! :)
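
The condition this thread converged on, as an added example that is not part of the original messages and is not Samba code: it reads the `idmap config STUDELEC-SA:range` line from the smb.conf quoted above and checks that a user's uidNumber and the gidNumber of the user's primary group both fall inside that range. The directory entries are constructed sample data, the RID 1105 for tunix is made up, and `idmap_range` and `check_user` are hypothetical helper names.

```python
import re

# idmap lines copied from the smb.conf quoted in this thread.
SMB_CONF = """\
idmap config *:backend = tdb
idmap config *:range = 2000-9999
idmap config STUDELEC-SA:backend = ad
idmap config STUDELEC-SA:schema_mode = rfc2307
idmap config STUDELEC-SA:range = 10000-99999
"""

# Constructed directory snapshot keyed by RID (sample data, not a real export).
# RID 1105 for tunix is made up; 513 is the well-known RID of Domain Users.
ENTRIES = {
    1105: {"name": "tunix", "kind": "user", "primaryGroupID": 513,
           "uidNumber": 10000},
    513: {"name": "Domain Users", "kind": "group"},  # no gidNumber set
}

def idmap_range(conf, domain):
    """Return (low, high) from 'idmap config DOMAIN:range = low-high'."""
    pat = rf"^\s*idmap config\s+{re.escape(domain)}\s*:\s*range\s*=\s*(\d+)\s*-\s*(\d+)"
    m = re.search(pat, conf, re.M | re.I)
    if m is None:
        raise ValueError(f"no idmap range configured for {domain}")
    return int(m.group(1)), int(m.group(2))

def check_user(name, entries, id_range):
    """List the ID-mapping gaps discussed in the thread for one user."""
    low, high = id_range
    usable = lambda v: v is not None and low <= v <= high
    user = next((e for e in entries.values()
                 if e["kind"] == "user" and e["name"] == name), None)
    if user is None:
        return [f"user {name!r} not found"]
    problems = []
    if not usable(user.get("uidNumber")):
        problems.append(f"user {name!r}: uidNumber missing or outside {low}-{high}")
    rid = user["primaryGroupID"]
    group = entries.get(rid)
    if group is None or not usable(group.get("gidNumber")):
        label = group["name"] if group else "unknown group"
        problems.append(f"primary group {label!r} (RID {rid}): "
                        f"gidNumber missing or outside {low}-{high}")
    return problems

if __name__ == "__main__":
    for line in check_user("tunix", ENTRIES, idmap_range(SMB_CONF, "STUDELEC-SA")):
        print(line)
```

With the sample data it reports only the 'Domain Users' gap, which matches the state described before the group's GID was set in the UNIX tab.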