[Samba] wbinfo -i -> failed to call wbcGetpwnam: WBC_ERR_DOMAIN_NOT_FOUND
Rowland Penny
rowlandpenny241155 at gmail.com
Sun Nov 22 11:41:00 UTC 2015
On 22/11/15 10:01, Andrey Repin wrote:
> Greetings, Jeff Dickens!
>
>> Created a new thread because I screwed up and top-posted.
>
>> So I am still stuck. For reference here is the smb.conf on the member
>> server:
>> root@florence:~# more /etc/samba/smb.conf
>> [global]
>> netbios name = FLORENCE
>> security = ADS
>> workgroup = IOL
>> realm = IOL.SEAMANPAPER.COM
>> log file = /var/log/samba/%m.log
>> log level = 1
>> dedicated keytab file = /etc/krb5.keytab
>> kerberos method = secrets and keytab
>> winbind refresh tickets = yes
>> winbind trusted domains only = no
>> winbind use default domain = yes
>> winbind enum users = yes
>> winbind enum groups = yes
>> # idmap config used for your domain.
>> # Choose one of the following backends fitting to your
>> # requirements and add the corresponding configuration.
>> # idmap config ad
>> # - idmap config rid
>> # - idmap config autorid
>> idmap config *:backend = tdb
>> idmap config *:range = 2000-9999
>> idmap config IOL:backend = ad
>> idmap config IOL:schema_mode = rfc2307
>> idmap config IOL:range = 1000000-9999999
> Here's part of the problem. It appears to me the NSS link was first set up
> with range under 3kk. With builtin and local UID/GIDs going over 3kk.
> With changing the range post factum, you've trodden on the reserved range.
>
>> winbind nss info = rfc2307
>
>> [home]
>> path=/home/
>> read only = No
>
>> I increased the range because it seems like the DC is using IDs above
>> 1,000,000.
> You should use the same range the domain was provisioned with. Or NSS
> initialized with.
> If you are migrating the domain from Samba3, it may become rather complicated
> to figure out the right range.
>
>> This is on the DC:
>> root@athens:~# wbinfo -u
>> administrator
>> test1
>> krbtgt
>> guest
>> root@athens:~# wbinfo -i administrator
>> administrator:*:0:100::/home/IOL/administrator:/bin/false
>> root@athens:~# wbinfo -i test1
>> test1:*:3000019:100:Test One:/home/IOL/test1:/bin/false
>> root@athens:~#
> Note the artificially low UID and GID numbers. That doesn't look like the NSS
> is in play.
This is on the DC; unless 'Domain Users' is given a gidNumber, this is
what you get, and also winbind will *not* work on a domain member.
>
> Also, to your previous example of 'wbinfo -i "domain users"'...
>
> # wbinfo --group-info 'domain users'
> domain users:x:513:
>
> (The point being, 'domain users' is not a user, and -i only looks for users.)
>
You need to give 'Domain Users' a gidNumber if you want to use the
winbind 'ad' backend on a domain member.
Rowland
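
An added example, not part of Rowland's message or the quoted posts: a Python check that parses the idmap lines from the posted smb.conf, tests the ranges for overlap, and reports which configured range (if any) each uid and gid in the DC's `wbinfo -i` output falls into. The function names are hypothetical, and the inputs are copied from the thread as sample data.

```python
import re

# Sample input: the idmap lines from the smb.conf quoted in the thread.
SMB_CONF = """\
idmap config *:backend = tdb
idmap config *:range = 2000-9999
idmap config IOL:backend = ad
idmap config IOL:schema_mode = rfc2307
idmap config IOL:range = 1000000-9999999
"""
# Sample input: passwd-style lines as printed by `wbinfo -i` on the DC.
WBINFO_LINES = [
    "administrator:*:0:100::/home/IOL/administrator:/bin/false",
    "test1:*:3000019:100:Test One:/home/IOL/test1:/bin/false",
]

# Anchored at line start, so commented-out "# idmap config ..." lines are skipped.
IDMAP_RE = re.compile(r"^\s*idmap config\s+(\S+?)\s*:\s*(\w+)\s*=\s*(.+?)\s*$", re.I)

def parse_idmap(conf_text):
    """Return {domain: {"backend": str, "range": (low, high), ...}}."""
    domains = {}
    for m in filter(None, map(IDMAP_RE.match, conf_text.splitlines())):
        dom, key, val = m.group(1), m.group(2).lower(), m.group(3)
        entry = domains.setdefault(dom, {})
        entry[key] = tuple(int(x) for x in val.split("-")) if key == "range" else val
    return domains

def overlapping(domains):
    """Adjacent (by low bound) domain pairs whose ranges intersect; [] means none."""
    items = sorted((d["range"], name) for name, d in domains.items() if "range" in d)
    return [(a[1], b[1]) for a, b in zip(items, items[1:]) if b[0][0] <= a[0][1]]

def owner(domains, xid):
    """Name of the idmap domain whose range contains xid, or None."""
    for name, d in domains.items():
        low, high = d.get("range", (1, 0))  # (1, 0) is an empty range
        if low <= xid <= high:
            return name
    return None

def check(domains, passwd_line):
    """Return (user, uid_domain, gid_domain) for one wbinfo -i line."""
    f = passwd_line.split(":")
    return f[0], owner(domains, int(f[2])), owner(domains, int(f[3]))

if __name__ == "__main__":
    cfg = parse_idmap(SMB_CONF)
    print("overlaps:", overlapping(cfg))
    for line in WBINFO_LINES:
        print(check(cfg, line))
```

With the thread's data the two ranges do not overlap, uid 3000019 falls inside the IOL range, and uid 0 and gid 100 match neither configured range.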