[Samba] NSS interface lists all domain users but gives error on single user

Rowland Penny rpenny at samba.org
Wed Oct 17 20:28:23 UTC 2018 

On Wed, 17 Oct 2018 21:22:42 +0200
Giuseppe Sacco via samba <samba at lists.samba.org> wrote:

> Hello Rowland,
> I changed nsswitch.conf as suggested, but I still have the same
> result.
> 
> [...]
> > Providing the there is a user called 'manuelb' in AD, winbind should
> > show the user with 'getent passwd AGENZIA+manuelb'
> 
> If I list all users, I get all users. Let's display the end of the
> list using both wbinfo and getent:
> 
> root at kubuntu-test:~# wbinfo -u | tail -2
> AGENZIA\lorenam
> AGENZIA\manuelb

This shows the users are in AD, it does not mean the Unix OS will know
who they are.

> 
> root at kubuntu-test:~# getent passwd | tail -2
> AGENZIA\lorenam:*:10182:8513::/home/lorenam:/bin/bash
> AGENZIA\manuelb:*:10183:8513::/home/manuelb:/bin/bash

This does show that Unix knows who they are.

> 
> If I create a file and change its uid to one of these, I see that NSS
> does not resolve it:
> 
> root at kubuntu-test:~# touch /tmp/ttt 
> root at kubuntu-test:~# chown 10183 /tmp/ttt 
> root at kubuntu-test:~# ls -l /tmp/ttt
> -rw-r--r-- 1 10183 root 0 ott 17 20:54 /tmp/ttt
> 
> Even the "id" command does not resolve it. Nor the getent:
>

And then for some reason, Unix doesn't know who the user is.
 
> root at kubuntu-test:~# id 'AGENZIA\lorenam'
> id: ‘AGENZIA\\lorenam’: no such user
> root at kubuntu-test:~# getent passwd 'AGENZIA\lorenam'
> root at kubuntu-test:~#
> 
> This is the complete global section as displayed by testparam:
> 
> [global]
> 	dns proxy = No
> 	log file = /var/log/samba/log.%m
> 	map to guest = Bad User
> 	max log size = 1000
> 	panic action = /usr/share/samba/panic-action %d
> 	realm = AGENZIA.LOCAL
> 	security = ADS
> 	server role = member server
> 	server string = %h server (Samba, Ubuntu)
> 	template homedir = /home/%U
> 	template shell = /bin/bash
> 	username map = /usr/local/samba/etc/user.map
> 	usershare allow guests = Yes
> 	winbind cache time = 5
> 	winbind enum groups = Yes
> 	winbind enum users = Yes
> 	winbind offline logon = Yes
> 	winbind refresh tickets = Yes
> 	workgroup = AGENZIA
> 	idmap config agenzia : range = 8000-20000
> 	idmap config agenzia : backend = rid
> 	idmap config * : range = 3000-7999
> 	idmap config * : backend = tdb
>

There isn't anything wrong there.
 
> As you may see, the uids given by wbinfo and getent are in the correct
> range.

What does 'wbinfo -U 10182' return ?
The last number should be 2182

> I do not know how to better debug the problem: I have reised "log
> level" in smb.conf but no logging is done during the getent execution.
> 

Bit lost myself here, why doesn't 'getent passwd username' return
anything ?
Is there anything like sssd running ?

Have you changed anything else ?

Rowland

More information about the samba mailing list