[Samba] wbinfo -u -g work, wbinfo -i and getent fail

Mon May 4 05:38:48 MDT 2015

2015-05-04 13:01 GMT+02:00 Rowland Penny <rowlandpenny at googlemail.com>:

> On 04/05/15 04:02, Carl Gherardi wrote:
>
>> Hi all,
>>
>> I'm using Ubuntu 14.04 samba 4.1.6 packages, attempting to set up a server
>> for file shares AD clients can use. My previous setup was a simple AD join
>> with a user map file (1 to 1 AD to unix user) that i've been migrating for
>> approximately 7 years, and with the last 2003 AD server removed from the
>> network it stopped working (2008 R2 DC's now).
>>
>> After approximately 2 weeks of varying results (including a working config
>> for 24 hours), I seem to have come full circle to 'non functional' again.
>>
>> I'm able to join the domain using either net ads join -k or net ads join
>> -u
>> Administrator
>>
>> wbinfo -u - Gives me a list of domain users
>> wbinfo -g - Gives a list of domain groups
>>
>> wbinfo -i Administrator | wbinfo -i CAG\\Administrator | wbinfo -i
>> CAG+Administrator all return
>> failed to call wbcGetgrnam: WBC_ERR_DOMAIN_NOT_FOUND
>> Could not get info for <blah>
>>
>
> I use Linux Mint 17 and this doesn't work for me either, so I wouldn't
> worry.
>
>
>> and getent passwd only returns local+nis users.
>>
>
> This is were you can start worrying :-)
>
>
>> I see a _lot_ of posts about this via google but few with solutions.
>>
>> SFU is (was?) functional and pushing uid and gid's, and at several points
>> in the last two weeks getent passwd|group has been functional
>>
>
> So, if it was working, what have you changed, or had changed for you by an
> update ?
>
> Can you check that a user you expect to show up via 'getent passwd
> username' does in fact still have a uidNumber attribute containing a number
> between 1000-99999 (also do you have any local users ?)
>
> Can you also check that 'Domain Users' (at least) has a gidNumber
> attribute containing a number between 1000-99999 (again, do you have any
> local groups?)
>
> Rowland
>
>
>
>> Any suggestions appreciated.
>>
>> Thanks
>>
>> Carl Gherardi
>>
>> smb.conf:
>> [global]
>>     workgroup = CAG
>>     security = ADS
>>     realm = CAG.DOMAIN.NAME
>>     netbios aliases = gong
>>     dedicated keytab file = /etc/krb5.keytab
>>     kerberos method = secrets and keytab
>>
>>     idmap config *:backend = tdb
>>     idmap config *:range = 500-999
>>     idmap config CAG:backend = ad
>>     idmap config CAG:range = 1000-99999
>>
>>     idmap config CAG:schema_mode = rfc2307
>>     winbind nss info = rfc2307
>>
>>     winbind trusted domains only = no
>>     winbind use default domain = no
>>     winbind nested groups = yes
>>     winbind enum users  = yes
>>     winbind enum groups = yes
>>     winbind refresh tickets = Yes
>>     winbind expand groups = 4
>>     winbind normalize names = Yes
>>     domain master = no
>>     local master = no
>>     dns proxy = no
>>     log level = 3 auth:10 winbind:3
>>
>> nsswitch.conf
>>
>> passwd:         compat winbind nis
>> group:          compat winbind nis
>>
>
I'm getting similar behavior on my server, but is working fine. Have you
tried other tools?. For me:

"wbinfo -u -g" works.
"wbinfo -i user" works.
"wbinfo -i group" fails with that error.
"getent passwd" works and show local and AD users.
"getent group" only show local groups.

but other tools works perfect:
"chwon user:group file" works perfect.
"getent group groupname" works
"getent passwd user" works
Permissions on CUPS using domain groups are working too.

Try that tools because maybe is working fine even if getent don't show the
users/groups and wbinfo -i is failing.

Greetings!!