[Samba] NSS interface lists all domain users but gives error on single user

Rowland Penny rpenny at samba.org
Wed Oct 17 13:32:42 UTC 2018


On Wed, 17 Oct 2018 15:03:41 +0200
Giuseppe Sacco via samba <samba at lists.samba.org> wrote:

> Hello,
> I configured samba and winbind in order to let domain users access
> folders shared by samba on linux. The configuration is shown later.
> 
> Please note that idmap is configured correctly:
> 
> root@kubuntu-test:~# wbinfo --user-info 'AGENZIA+manuelb'
> AGENZIA+manuelb:*:5035:5002::/home/manuelb:/bin/bash
> root@kubuntu-test:~# wbinfo -n 'AGENZIA+manuelb'
> S-1-5-21-1076504413-1754488879-1808648030-2183 SID_USER (1)
> root@kubuntu-test:~# wbinfo --sid-to-uid 'S-1-5-21-1076504413-1754488879-1808648030-2183'
> 5035
> 
> As you may see now, listing all users works, but querying information
> for a single user does not work.
> 
> root@kubuntu-test:~# getent passwd | tail -1
> AGENZIA+manuelb:*:5035:5002::/home/manuelb:/bin/bash
> root@kubuntu-test:~# getent passwd 'AGENZIA+manuelb'
> root@kubuntu-test:~# id 'AGENZIA+manuelb'
> id: ‘AGENZIA+manuelb’: no such user
> 
> Windows domain is managed by Windows Server 2008 and it is at
> functional level of Windows 2003. The version of linux packages is
> quite current, i.e.:
> 
> ii  libc-bin            2.27-3ubuntu1  amd64          GNU C Library: Binaries
> ii  libnss-winbind:amd6 2:4.7.6+dfsg~u amd64          Samba nameservice integration plugins
> ii  libpam-winbind:amd6 2:4.7.6+dfsg~u amd64          Windows domain authentication integration p
> ii  samba               2:4.7.6+dfsg~u amd64          SMB/CIFS file, print, and login server for
> ii  winbind             2:4.7.6+dfsg~u amd64          service to resolve user and group informati
> 
> NSS configuration is simple:
> 
> passwd:         files winbind systemd
> group:          files winbind systemd
> shadow:         files winbind
> 
> This is 'testparm' output:
> 
> # Global parameters
> [global]
> 	dns proxy = No
> 	log file = /var/log/samba/log.%m
> 	map to guest = Bad User
> 	max log size = 1000
> 	panic action = /usr/share/samba/panic-action %d
> 	realm = AGENZIA.LOCAL
> 	security = ADS
> 	server role = member server
> 	server string = %h server (Samba, Ubuntu)
> 	template homedir = /home/%U
> 	template shell = /bin/bash
> 	usershare allow guests = Yes
> 	winbind cache time = 5
> 	winbind enum groups = Yes
> 	winbind enum users = Yes
> 	winbind offline logon = Yes
> 	winbind refresh tickets = Yes
> 	winbind separator = +
> 	workgroup = AGENZIA
> 	idmap config * : range = 5000-5100
> 	idmap config * : backend = tdb
> 
> What can be the problem?
> 
> Thank you,
> Giuseppe Sacco
> 

You haven't set up idmap correctly, see here:

https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member

and here:

https://wiki.samba.org/index.php/Idmap_config_ad

or here:

https://wiki.samba.org/index.php/Idmap_config_rid

Rowland
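
Added example, not part of either message: a small Python check for what the linked wiki pages ask of a domain member, namely an idmap section for the joined domain next to the '*' default, with ranges that do not overlap. The rid backend and the 10000-999999 range in FIXED are assumed values for illustration, not taken from the thread.

```python
import re

# Constructed input: the idmap-relevant lines of the testparm output quoted above.
POSTED = """\
[global]
	workgroup = AGENZIA
	idmap config * : range = 5000-5100
	idmap config * : backend = tdb
"""

# Assumed fix in the style of the linked wiki pages; backend and range are illustrative.
FIXED = POSTED + """\
	idmap config AGENZIA : backend = rid
	idmap config AGENZIA : range = 10000-999999
"""

IDMAP_RE = re.compile(r"idmap config\s+(\S+)\s*:\s*(\w+)\s*=\s*(.+)", re.I)

def parse(text):
    """Return (workgroup, {domain: {option: value}}) from testparm-style text."""
    workgroup, idmap = None, {}
    for line in text.splitlines():
        line = line.strip()
        m = IDMAP_RE.fullmatch(line)
        if m:
            idmap.setdefault(m.group(1).upper(), {})[m.group(2).lower()] = m.group(3).strip()
        elif line.lower().startswith("workgroup") and "=" in line:
            workgroup = line.split("=", 1)[1].strip().upper()
    return workgroup, idmap

def check(text):
    """List idmap problems in a domain member's [global] section."""
    workgroup, idmap = parse(text)
    problems = []
    if "*" not in idmap:
        problems.append("no default 'idmap config *' section")
    if workgroup and workgroup not in idmap:
        problems.append(f"no 'idmap config {workgroup}' section for the joined domain")
    ranges = []
    for dom, opts in idmap.items():
        if "backend" in opts and "range" in opts:
            lo, hi = (int(x) for x in opts["range"].split("-"))
            ranges.append((lo, hi, dom))
        else:
            problems.append(f"'{dom}' needs both backend and range")
    ranges.sort()
    for (_, hi1, d1), (lo2, _, d2) in zip(ranges, ranges[1:]):
        if lo2 <= hi1:
            problems.append(f"ranges of '{d1}' and '{d2}' overlap")
    return problems
```

Feeding check() the output of testparm -s from the member server gives the same report for a live configuration.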


