Jesse Guardiani
2006-Mar-20 22:41 UTC
[Samba] RHEL3, winbind, "Error looking up domain users"
Hello,

I've been attempting to get this working all day. :)

I have an RHEL3 machine connected to a Windows 2000 PDC as a domain member. I'm running samba 3.0.21c, compiled from an SRPM:

    # rpm -q samba
    samba-3.0.21c-1

When I try to list my users, I get this:

    # wbinfo -u
    Error looking up domain users
    Exit 1

Similarly, `getent passwd` fails to show any SMB users. But `getent passwd some_previously_authenticated_smb_user` works fine.

`net rpc info` doesn't return anything. `net rpc user -S PDC -U USER` works, but only if I specify the PDC and USER.

I have winbind working for authentication, but I can't seem to get it to list users or groups. This is problematic, as I am forced to make my users authenticate before I can use the new UID/GID to create directories. That's just not good.

Is this a known issue with RHEL3?

I'm seeing nothing in the logs and my attempts to strace haven't shown me anything useful either. Any pointers?

Also, the W2K PDC is running Active Directory. I've seen some info about connecting to an ADS domain in the howtos, but I haven't tried it yet because of the RPM hell I would have to go through to get KRB5 updated past 1.3.1 on RHEL3. Is this the problem? Do I need to connect to it as an ADS instead of a normal PDC?

Thanks!
Jesse Guardiani
2006-Mar-21 19:46 UTC
[Samba] Re: RHEL3, winbind, "Error looking up domain users"
Jesse Guardiani wrote:
> Hello,
>
> I've been attempting to get this working all day. :)
>
> I have an RHEL3 machine connected to a Windows 2000 PDC
> as a domain member. I'm running samba 3.0.21c, compiled from an SRPM:
> # rpm -q samba
> samba-3.0.21c-1
>
> When I try to list my users, I get this:
> # wbinfo -u
> Error looking up domain users
> Exit 1
>
> Similarly, `getent passwd` fails to show any SMB users. But
> `getent passwd some_previously_authenticated_smb_user` works fine.
>
> `net rpc info` doesn't return anything. `net rpc user -S PDC -U USER`
> works, but only if I specify the PDC and USER.
>
> I have winbind working for authentication, but I can't seem to get
> it to list users or groups. This is problematic, as I am forced to
> make my users authenticate before I can use the new UID/GID to create
> directories. That's just not good.
>
> Is this a known issue with RHEL3?
>
> I'm seeing nothing in the logs and my attempts to strace
> haven't shown me anything useful either. Any pointers?
>
> Also, the W2K PDC is running Active Directory. I've seen some info
> about connecting to an ADS domain in the howtos, but I haven't tried
> it yet because of the RPM hell I would have to go through to get KRB5
> updated past 1.3.1 on RHEL3. Is this the problem? Do I need to connect
> to it as an ADS instead of a normal PDC?

Turns out that RPM Hell was the way to go. W2K + AD indeed requires ADS in samba, even though you can get basic auth working without ADS.

So I upgraded my KRB5 to these:
http://www.hep.ph.ic.ac.uk/~georgiou/krb5/

(downloaded and installed e2fsprogs-1.35-12.3.EL4.i386.rpm and e2fsprogs-devel-1.35-12.3.EL4.i386.rpm from RHEL4 to satisfy the deps first)

Found from this post:
https://www.redhat.com/archives/taroon-list/2005-February/msg00294.html

Then I rebuilt samba-3.0.21c-1.src.rpm from the samba website and installed the new binary RPM with --force.

And I put it all together with a combination of these:
http://info.ccone.at/INFO/Samba/Samba-Guide/unixclients.html#adssdm
http://info.ccone.at/INFO/Samba/Samba-Guide/unixclients.html#ch9-nsswbnd
http://info.ccone.at/INFO/Samba/Samba-Guide/unixclients.html#ch9-adssdm

And the KRB setup stuff from this:
http://gentoo-wiki.com/HOWTO_fix_Linux_into_Active_Directory#krb5.conf

I'm not sure if the KRB setup stuff was necessary, but I was getting KBC errors before I tried it, and it worked after I tried it, so I'm not complaining.

`wbinfo -u` now works, along with `getent passwd` and everything else! Woo hoo!
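
An added illustration of the change this thread arrives at, not configuration taken from the original posts: the NT4-style `security = domain` membership next to the `security = ads` membership in `smb.conf`. The domain and realm names, the idmap ranges and the join account are placeholders and assumptions; the parameter names are the Samba 3.0.x ones.

```ini
# Constructed smb.conf example. EXAMPLE and EXAMPLE.COM are placeholders,
# not values from the thread.

# Before: NT4-style domain membership over RPC. In the thread this was
# enough for authentication, but `wbinfo -u` failed.
#   [global]
#       workgroup = EXAMPLE
#       security = domain

# After: Active Directory membership. This needs a Samba build linked
# against a recent enough Kerberos (the poster upgraded krb5 on RHEL3
# and rebuilt the Samba SRPM before this worked).
[global]
    workgroup = EXAMPLE
    realm = EXAMPLE.COM
    security = ads

    # UID/GID ranges winbind allocates from. The ranges are assumptions;
    # choose ones that do not collide with local accounts.
    idmap uid = 10000-20000
    idmap gid = 10000-20000

    # Allow `getent passwd` and `getent group` to enumerate domain
    # accounts, so directories can be created before a user's first login.
    winbind enum users = yes
    winbind enum groups = yes

# /etc/nsswitch.conf must also list winbind as a source:
#   passwd: files winbind
#   group:  files winbind
#
# Join and verify as root (the account name is a placeholder):
#   net ads join -U Administrator
#   wbinfo -t
#   wbinfo -u
#   getent passwd
```

`wbinfo -t` checks the machine account's trust secret; running it before `wbinfo -u` separates a failed join from an enumeration problem.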