[Samba] NSS interface lists all domain users but gives error on single user
Rowland Penny
rpenny at samba.org
Thu Oct 18 07:43:51 UTC 2018
On Thu, 18 Oct 2018 04:56:08 +0200
Giuseppe Sacco via samba <samba at lists.samba.org> wrote:
> Hello Rowland
>
> On Wed, 17/10/2018 at 21.28 +0100, Rowland Penny via samba wrote:
> [...]
> > What does 'wbinfo -U 10182' return ?
> > The last number should be 2182
>
> root at kubuntu-test:~# wbinfo -U 10182
> S-1-5-21-1076504413-1754488879-1808648030-2182
> root at kubuntu-test:~# wbinfo -n 'AGENZIA\lorenam'
> S-1-5-21-1076504413-1754488879-1808648030-2182 SID_USER (1)
> root at kubuntu-test:~# getent passwd 'AGENZIA\lorenam'
> root at kubuntu-test:~#
>
> > > I do not know how to better debug the problem: I have raised "log
> > > level" in smb.conf but no logging is done during the getent
> > > execution.
> > >
> >
> > Bit lost myself here, why doesn't 'getent passwd username' return
> > anything ?
> > Is there anything like sssd running ?
> >
> > Have you changed anything else ?
>
> This is a new installation for testing purposes: there was no
> previous installation, so nothing changed. sssd is not installed.
>
> root at kubuntu-test:~# COLUMNS=80 dpkg -l | egrep samba\|winb\|sss
> ii  libnss-winbind 2:4.7.6+dfsg amd64 Samba nameservice integration plu
> ii  libpam-winbind 2:4.7.6+dfsg amd64 Windows domain authentication int
> ii  libwbclient0:a 2:4.7.6+dfsg amd64 Samba winbind client library
> ii  python-samba   2:4.7.6+dfsg amd64 Python bindings for Samba
> ii  samba          2:4.7.6+dfsg amd64 SMB/CIFS file, print, and login s
> ii  samba-common   2:4.7.6+dfsg all   common files used by both the Sam
> ii  samba-common-b 2:4.7.6+dfsg amd64 Samba common files used by both t
> ii  samba-dsdb-mod 2:4.7.6+dfsg amd64 Samba Directory Services Database
> ii  samba-libs:amd 2:4.7.6+dfsg amd64 Samba core libraries
> ii  samba-vfs-modu 2:4.7.6+dfsg amd64 Samba Virtual FileSystem plugins
> ii  winbind        2:4.7.6+dfsg amd64 service to resolve user and group
>
>
> even commenting out the lines about the rid idmap backend, and hence
> defaulting to the "*" domain config that uses tdb, the mapping works.
> wbinfo and tdb file display/contain the same mapping:
>
> #idmap config AGENZIA : backend = rid
> #idmap config AGENZIA : range = 8000-20000
>
> # systemctl stop winbind smbd nmbd
> # rm /var/cache/samba/gencache.tdb /var/cache/samba/netsamlogon_cache.tdb \
>   /var/lib/samba/account_policy.tdb /var/lib/samba/group_mapping.tdb \
>   /var/lib/samba/winbindd_cache.tdb /var/lib/samba/winbindd_cache.tdb.bak \
>   /var/lib/samba/winbindd_idmap.tdb /var/lib/samba/private/idmap2.tdb
> # systemctl start winbind smbd nmbd
>
> # getent passwd 'AGENZIA\lorenam'
> # getent passwd | fgrep 'AGENZIA\lorenam'
> AGENZIA\lorenam:*:3034:3004::/home/lorenam:/bin/bash
>
> # wbinfo --uid-to-sid 3034
> S-1-5-21-1076504413-1754488879-1808648030-2182
> # tdbtool /var/lib/samba/winbindd_idmap.tdb show 'UID 3034\0'
> key 9 bytes
> UID 3034
> data 47 bytes
> [000] 53 2D 31 2D 35 2D 32 31 2D 31 30 37 36 35 30 34  S-1-5-21 -1076504
> [010] 34 31 33 2D 31 37 35 34 34 38 38 38 37 39 2D 31  413-1754 488879-1
> [020] 38 30 38 36 34 38 30 33 30 2D 32 31 38 32 00     80864803 0-2182
>
> # wbinfo --sid-to-uid S-1-5-21-1076504413-1754488879-1808648030-2182
> 3034
> # tdbtool /var/lib/samba/winbindd_idmap.tdb show 'S-1-5-21-1076504413-1754488879-1808648030-2182\0'
> key 47 bytes
> S-1-5-21-1076504413-1754488879-1808648030-2182
> data 9 bytes
> [000] 55 49 44 20 33 30 33 34 00  UID 3034
>
> So, I think this is not related to the mapping, but probably to
> libnss-winbind.
>
If that was the case, why does 'getent passwd' work ?
OK, what version of Kubuntu is this ? I will run up a VM and see if I
can find the problem.
Rowland
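
The symptom in this thread (an account that appears in the `getent passwd` enumeration but is not returned by a single lookup) can be checked for every enumerated domain account through the same NSS calls that `getent` uses. This is an added example, not part of the original messages; the function name `find_lookup_mismatches` is hypothetical, and it assumes domain accounts are named `DOMAIN\user` as in the output above.

```python
import pwd


def find_lookup_mismatches(enumerate_fn=pwd.getpwall, by_name=pwd.getpwnam,
                           by_uid=pwd.getpwuid, separator="\\"):
    """Return (name, uid, problem) tuples for domain accounts that the NSS
    enumeration lists but that a single lookup cannot resolve consistently."""
    problems = []
    for entry in enumerate_fn():
        if separator not in entry.pw_name:
            continue  # local account, not a DOMAIN\user entry
        try:
            # Equivalent of: getent passwd 'DOMAIN\user'
            if by_name(entry.pw_name).pw_uid != entry.pw_uid:
                problems.append((entry.pw_name, entry.pw_uid,
                                 "getpwnam uid differs"))
        except KeyError:
            # The symptom from the thread: listed, but not found by name.
            problems.append((entry.pw_name, entry.pw_uid, "getpwnam failed"))
        try:
            # Equivalent of: getent passwd <uid>
            by_uid(entry.pw_uid)
        except KeyError:
            problems.append((entry.pw_name, entry.pw_uid, "getpwuid failed"))
    return problems


if __name__ == "__main__":
    # Constructed sample reproducing the thread's symptom without a domain:
    # the entry is enumerated, the by-name lookup raises KeyError.
    sample = [pwd.struct_passwd(("AGENZIA\\lorenam", "*", 3034, 3004, "",
                                 "/home/lorenam", "/bin/bash"))]

    def name_lookup_fails(name):
        raise KeyError(name)

    print(find_lookup_mismatches(lambda: sample, name_lookup_fails,
                                 lambda uid: sample[0]))

    # Live check against this host's NSS configuration.
    for name, uid, problem in find_lookup_mismatches():
        print(f"{name} (uid {uid}): {problem}")
```

An empty result from the live check means every enumerated domain account also resolves by name and by uid.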