[Samba] wbinfo -i returns the same id for all users, authentication doesn't seem to go through winbind at all

Emmanuel Florac eflorac at intellique.com
Sat Feb 18 12:20:52 UTC 2017


I've got a Debian/Jessie Samba 4.2.14 running as an AD member. ADC is a
Windows2008R2 server. Join worked without problem.

# net ads testjoin
Join is OK

wbinfo -u and wbinfo -g work perfectly and provides a list of users and
groups from the AD as expected. wbinfo -i <user> works too:

# wbinfo -i TESTAD\\testuser
TESTAD\testuser:*:4294967295:4294967295:testuser:/home/TESTAD/testuser:/bin/false

Edit: something's wrong here, because wbinfo -i maps all users and
groups to the id 4294967295 which is, as @TheSkunk remarked, 2^32 -1.

However getent passwd TESTAD\\testuser fails:

# getent passwd TESTAD\\testuser
# echo $? 
2

I can connect to the server with any AD account using smbclient:

# smbclient //srv1/data -U TESTAD\\testuser
Enter TESTAD\testuser's password: 
Domain=[TESTAD] OS=[Windows 6.1] Server=[Samba 4.2.14-Debian]
smb: \> ls
  .                                   D        0  Fri Feb 17 16:23:04
2017 ..                                  D        0  Wed Feb  1
16:47:02 2017 test.txt                            N        5  Fri Feb
17 14:38:21 2017 popo                                D        0  Fri
Feb 17 16:23:04 2017

117125466112 blocks of size 1024. 117052392484 blocks available
smb: \> 

However the connection is mapped to nobody/nogroup, and created files
are owned by nobody too. Windows machines fail to connect using any AD
account. However if I create a local account with smbpasswd -a <user>,
they can connect using it. However, their connection parameters, files,
etc. are all mapped to nobody though the account exists locally too.

Here's the current smb.conf (as close to default as possible):

[global]
        workgroup = TESTAD
        realm = TESTAD.lan
        server role = member server
        security = ADS
        map to guest = Bad User
        obey pam restrictions = Yes
        pam password change = Yes
        passwd program = /usr/bin/passwd %u
        passwd chat = *Enter\snew\s*\spassword:* %n\n
*Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
unix password sync = Yes syslog = 0
        log file = /var/log/samba/log.%m
        max log size = 1000
        dns proxy = No
        usershare allow guests = Yes
        panic action = /usr/share/samba/panic-action %d
        idmap config * : backend = tdb
        inherit permissions = Yes
        inherit acls = Yes


[DATA]
        path = /mnt/raid/
        read only = No
        guest ok = Yes

here is /etc/nsswitch.conf (I've tried adding and removing 'winbind'
from shadow, no change at all):

# cat /etc/nsswitch.conf 
# /etc/nsswitch.conf
#
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc-reference' and `info' packages installed,
try: # `info libc "Name Service Switch"' for information about this
file.

passwd:         compat winbind
group:          compat winbind
shadow:         compat winbind
gshadow:        files

hosts:          files mdns4_minimal [NOTFOUND=return] dns wins
networks:       files

protocols:      db files
services:       db files
ethers:         db files
rpc:            db files

I don't understand why authentication never seems to go through
winbind. I'm getting desperate, any ideas?

-- 
------------------------------------------------------------------------
Emmanuel Florac     |   Direction technique
                    |   Intellique
                    |	<eflorac at intellique.com>
                    |   +33 1 78 94 84 02
------------------------------------------------------------------------



More information about the samba mailing list