[Samba] Winbind - NSS problem?

Luciano Mannucci luciano at vespaperitivo.it
Wed May 30 14:55:02 UTC 2018


Hello all,

I have a very old samba server, successfully migrated from 2.11 to 3.x,
then now to 4.8.0 while the windows userbase went from workgroup to AD,
now on AD 2008R2. Everything seems to work flawlessly till a new user
was added to the AD. From my samba server I can't see it in the getent
passwd list (the others are all there) though wbinfo -a newuser%password
says:

plaintext password authentication succeeded
challenge/response password authentication succeeded

wbinfo -i says

failed to call wbcGetpwnam: WBC_ERR_DOMAIN_NOT_FOUND
Could not get info for user newuser

Of course the new user cannot see its home directory.

Of course I restarted the service, cleaned the cache and even
bootstrapped my server, removed the *tdb files and rejoined
the domain.

Has someone else seen the same?

My relevant configuration:

nsswitch.conf
#
# nsswitch.conf(5) - name service switch configuration file
# $FreeBSD: releng/10.4/etc/nsswitch.conf 224765 2011-08-10 20:52:02Z dougb $
#
#group: compat
group: winbind files
group_compat: nis
hosts: files dns
networks: files
#passwd: compat
passwd: winbind files
passwd_compat: nis
shells: files
services: compat
services_compat: nis
protocols: files
rpc: files

smb4.conf:
[global]
	security = ADS
	netbios name = HERMES
	server string = "HERMES"
	password server = 192.168.132.4 *
	workgroup = MCS2003
	idmap uid = 3000-8004
	idmap gid = 800-1988
	idmap config MCS2003 : backend = rid
	idmap config MCS2003 : range = 3000 - 8004
	winbind enum users = yes
	winbind enum groups = yes
	template homedir = /dati/mailbox/%U
	template shell = /bin/tcsh
	os level = 2
	time server = Yes
	unix extensions = Yes
	encrypt passwords = Yes
	map to guest = Bad User
	log level = 1 auth:10 winbind:2
	log file = /var/log/samba/users/%m.log
	wins support = No
	max xmit = 8192
	max protocol = SMB3_11
	realm = MCS2003.IT
	winbind refresh tickets = yes
	winbind use default domain = yes
	client use spnego = yes
	client ntlmv2 auth = yes
	usershare allow guests = No
	nt pipe support = no
	write cache size = 65536
	allow trusted domains = no
[homes]
	comment = Home Directory for %S
	vfs objects = zfsacl
	path = /dati/mailbox/%S
	browseable = yes
	guest ok = no
	read only = No
	create mask = 0644
	directory mask = 0755
	preserve case = yes
	short preserve case = yes

Luciano.
-- 
 /"\                         /Via A. Salaino, 7 - 20144 Milano (Italy)
 \ /  ASCII RIBBON CAMPAIGN / PHONE : +39 2 485781 FAX: +39 2 48578250
  X   AGAINST HTML MAIL    /  E-MAIL: posthamster at sublink.sublink.ORG
 / \  AND POSTINGS        /   WWW: http://www.lesassaie.IT/
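
An added example, not part of the original post: the idmap_rid backend documents its mapping as Unix ID = RID - base_rid + low end of the range, so a configured range can hold only a fixed number of RIDs. This sketch parses `idmap config` lines like those in the smb4.conf above and reports whether a given RID maps; the function names and the sample RIDs are constructed for illustration.

```python
import re

# Constructed excerpt mirroring the idmap lines of the smb4.conf in the post.
SAMPLE_CONF = """
[global]
    workgroup = MCS2003
    idmap config MCS2003 : backend = rid
    idmap config MCS2003 : range = 3000 - 8004
"""

# Matches "idmap config DOMAIN : option = value".
IDMAP_RE = re.compile(
    r"^\s*idmap config\s+(\S+?)\s*:\s*(\S[^=]*?)\s*=\s*(.+?)\s*$", re.I)

def parse_idmap(conf_text):
    """Return {domain: {option: value}} for every 'idmap config' line."""
    domains = {}
    for line in conf_text.splitlines():
        if line.lstrip().startswith(("#", ";")):  # skip smb.conf comments
            continue
        m = IDMAP_RE.match(line)
        if m:
            dom, opt, val = m.groups()
            domains.setdefault(dom.upper(), {})[opt.lower()] = val
    return domains

def _bounds(cfg):
    """Return (low, high, base_rid); base_rid defaults to 0 as in idmap_rid."""
    low, high = (int(x) for x in cfg["range"].split("-"))
    return low, high, int(cfg.get("base_rid", 0))

def rid_to_unix_id(domains, domain, rid):
    """Apply the idmap_rid formula; None means the ID falls outside the range."""
    cfg = domains.get(domain.upper())
    if cfg is None or cfg.get("backend", "").lower() != "rid":
        raise ValueError(f"no rid backend configured for {domain}")
    low, high, base_rid = _bounds(cfg)
    unix_id = rid - base_rid + low
    return unix_id if low <= unix_id <= high else None

def max_mappable_rid(domains, domain):
    """Highest RID that still lands inside the configured range."""
    low, high, base_rid = _bounds(domains[domain.upper()])
    return high - low + base_rid

if __name__ == "__main__":
    d = parse_idmap(SAMPLE_CONF)
    print("highest mappable RID:", max_mappable_rid(d, "MCS2003"))
    for rid in (1105, 5004, 5005):  # constructed sample RIDs
        print(rid, "->", rid_to_unix_id(d, "MCS2003", rid))
```

The RID of an account is the last component of the SID that `wbinfo -n` prints for it.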