[Samba] NSS interface lists all domain users but gives error on single user
Giuseppe Sacco
giuseppe at eppesuigoccas.homedns.org
Thu Oct 18 02:56:08 UTC 2018
Hello Rowland
On Wed, 17/10/2018 at 21:28 +0100, Rowland Penny via samba wrote:
[...]
> What does 'wbinfo -U 10182' return ?
> The last number should be 2182
root@kubuntu-test:~# wbinfo -U 10182
S-1-5-21-1076504413-1754488879-1808648030-2182
root@kubuntu-test:~# wbinfo -n 'AGENZIA\lorenam'
S-1-5-21-1076504413-1754488879-1808648030-2182 SID_USER (1)
root@kubuntu-test:~# getent passwd 'AGENZIA\lorenam'
root@kubuntu-test:~#
> > I do not know how to better debug the problem: I have raised "log
> > level" in smb.conf but no logging is done during the getent
> > execution.
> >
>
> Bit lost myself here, why doesn't 'getent passwd username' return
> anything ?
> Is there anything like sssd running ?
>
> Have you changed anything else ?
This is a new installation for testing purposes: there was no previous
installation, so nothing changed. sssd is not installed.
root@kubuntu-test:~# COLUMNS=80 dpkg -l | egrep samba\|winb\|sss
ii libnss-winbind 2:4.7.6+dfsg amd64 Samba nameservice integration plu
ii libpam-winbind 2:4.7.6+dfsg amd64 Windows domain authentication int
ii libwbclient0:a 2:4.7.6+dfsg amd64 Samba winbind client library
ii python-samba 2:4.7.6+dfsg amd64 Python bindings for Samba
ii samba 2:4.7.6+dfsg amd64 SMB/CIFS file, print, and login s
ii samba-common 2:4.7.6+dfsg all common files used by both the Sam
ii samba-common-b 2:4.7.6+dfsg amd64 Samba common files used by both t
ii samba-dsdb-mod 2:4.7.6+dfsg amd64 Samba Directory Services Database
ii samba-libs:amd 2:4.7.6+dfsg amd64 Samba core libraries
ii samba-vfs-modu 2:4.7.6+dfsg amd64 Samba Virtual FileSystem plugins
ii winbind 2:4.7.6+dfsg amd64 service to resolve user and group
Even commenting out the lines about the rid idmap backend, and hence
defaulting to the "*" domain config that uses tdb, the mapping works.
wbinfo and tdb file display/contain the same mapping:
#idmap config AGENZIA : backend = rid
#idmap config AGENZIA : range = 8000-20000
# systemctl stop winbind smbd nmbd
# rm /var/cache/samba/gencache.tdb /var/cache/samba/netsamlogon_cache.tdb \
/var/lib/samba/account_policy.tdb /var/lib/samba/group_mapping.tdb \
/var/lib/samba/winbindd_cache.tdb /var/lib/samba/winbindd_cache.tdb.bak \
/var/lib/samba/winbindd_idmap.tdb /var/lib/samba/private/idmap2.tdb
# systemctl start winbind smbd nmbd
# getent passwd 'AGENZIA\lorenam'
# getent passwd | fgrep 'AGENZIA\lorenam'
AGENZIA\lorenam:*:3034:3004::/home/lorenam:/bin/bash
# wbinfo --uid-to-sid 3034
S-1-5-21-1076504413-1754488879-1808648030-2182
# tdbtool /var/lib/samba/winbindd_idmap.tdb show 'UID 3034\0'
key 9 bytes
UID 3034
data 47 bytes
[000] 53 2D 31 2D 35 2D 32 31 2D 31 30 37 36 35 30 34 S-1-5-21 -1076504
[010] 34 31 33 2D 31 37 35 34 34 38 38 38 37 39 2D 31 413-1754 488879-1
[020] 38 30 38 36 34 38 30 33 30 2D 32 31 38 32 00 80864803 0-2182
# wbinfo --sid-to-uid S-1-5-21-1076504413-1754488879-1808648030-2182
3034
# tdbtool /var/lib/samba/winbindd_idmap.tdb show 'S-1-5-21-1076504413-1754488879-1808648030-2182\0'
key 47 bytes
S-1-5-21-1076504413-1754488879-1808648030-2182
data 9 bytes
[000] 55 49 44 20 33 30 33 34 00 UID 3034
So, I think this is not related to the mapping, but probably to
libnss-winbind.
Bye,
Giuseppe
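
The consistency check done by eye in the message above, as an added example that is not part of the original post: it decodes the two `tdbtool ... show` dumps, confirms the UID-to-SID and SID-to-UID records agree, and computes the ID the rid backend would assign. The function names are hypothetical, the parser follows the dump layout as it appears in this post, and base_rid is assumed to be 0.

```python
import re

# Constructed sample: the two tdbtool records exactly as shown in the post above.
FORWARD = """\
key 9 bytes
UID 3034
data 47 bytes
[000] 53 2D 31 2D 35 2D 32 31 2D 31 30 37 36 35 30 34 S-1-5-21 -1076504
[010] 34 31 33 2D 31 37 35 34 34 38 38 38 37 39 2D 31 413-1754 488879-1
[020] 38 30 38 36 34 38 30 33 30 2D 32 31 38 32 00 80864803 0-2182
"""
REVERSE = """\
key 47 bytes
S-1-5-21-1076504413-1754488879-1808648030-2182
data 9 bytes
[000] 55 49 44 20 33 30 33 34 00 UID 3034
"""

def parse_record(dump):
    """Return (key, value) as strings from one `tdbtool ... show` dump."""
    lines = dump.strip().splitlines()
    key = lines[1].strip()
    want = int(re.match(r"data (\d+) bytes", lines[2]).group(1))
    raw = bytearray()
    for line in lines[3:]:
        tokens = line.split()[1:]        # drop the [offset] column
        take = min(16, want - len(raw))  # 16 hex bytes per row; the ASCII column follows
        raw += bytes(int(t, 16) for t in tokens[:take])
    if len(raw) != want:
        raise ValueError("dump is shorter than its declared length")
    return key, raw.rstrip(b"\0").decode("ascii")

def check_pair(forward, reverse):
    """The 'UID n' -> SID record and the SID -> 'UID n' record must mirror each other."""
    fkey, fval = parse_record(forward)
    rkey, rval = parse_record(reverse)
    return fkey == rval and fval == rkey

def rid_backend_uid(sid, range_low):
    """ID the rid backend assigns: RID + low end of the range (base_rid assumed 0)."""
    return range_low + int(sid.rsplit("-", 1)[1])

if __name__ == "__main__":
    sid = parse_record(FORWARD)[1]
    print(check_pair(FORWARD, REVERSE), rid_backend_uid(sid, 8000))
```
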