This maybe related to idmap allocation - tho not sure how.
Initially my PDC was running Samba 3.0.x. When I did "getent
passwd"
or "getent group" samba would create idmap entries for users and
groups
from trusted domains. There were some other things broken with idmap
and samba that made it unstable for maintaining a trust with Active
Directory, thus the move to 3.4 and then to 3.5.
The 3.4 upgrade seems to have broken the automatic allocation. (This
could just be a configuration error in my smb.conf) In my environment,
that wasn't a huge deal since the number of users and groups in the
trusted domain us quite small and stable. I could manually add an
idmapping with the wbinfo or with an LDAP editor.
This morning, "getent group" would show the trusted WINDOWS groups. I
added another group in the WINDOWS domain to see if Samba would
automatically create a group mapping (which it didn't) and to make sure
that it at least showed up with "wbinfo -g" (which it did- so at
least
I wasn't working just from a cache.) But then "getent group"
stopped
listing WINDOWS groups. ("getent group WINDOWS\\thenewgroup" did
work.") Once I manually created an idmap entry for the new group,
"getent group" was able to list all the groups.
So my guess is that samba or winbind chokes up when it finds a winbind
user or group in a domain for which an idmap entry is missing and can't
be created.
I tried adding idmap entries for the few users in the WINDOWS domain who
didn't have idmappings, but "getent passwd" still doesn't
work.
-------- Original Message --------
Subject: Re: [Samba] getent passwd does not list trusted users
Date: Mon, 06 Jun 2011 15:16:28 -0400
From: Gaiseric Vandal <gaiseric.vandal at gmail.com>
Reply-To: gaiseric.vandal at gmail.com
To: samba at lists.samba.org
I do have the entries in /etc/nswitch.conf
The "getent passwd" won't list the winbind users although I can
get
details on a specific user with the "getent passwd
SOMEDOMAIN\\someuser" common
I looked in the /var/samba/locks directory -
I have a winbindd_cache.tdb file that is current. I don't have a
current idmap_cache.tdb file anymore. Not sure I need one. I
initially stated with samba 3.0.x, then upgraded to 3.4.x, then to
3.5.x, and it seems with .X upgrade that the configuration for winbind
and idmapping changes.
This may be a bug in Solaris itself rather than samba.
On 06/06/2011 02:28 PM, timothy mcdaniel wrote:> I have been looking at
>
http://samba.2283325.n4.nabble.com/Trusted-domain-users-unwantedly-mapping-onto-local-domain-users-td3005928.html
> and I think that if you add this in your nsswitch.conf like it says in the
> website above:
> if you already have the passwd: files ldap and group: files ldap in your
> nsswitch.conf then just add winbind to the end of the lines of the passwd
> and group lines. just like it is shown below: If you need any more help
just
> email me back, and I will try to help you.
>
> *passwd*: files ldap winbind
> group: files ldap winbind
>
>> ---------- Forwarded message ----------
>> From: Gaiseric Vandal<gaiseric.vandal at gmail.com>
>> To: Samba<samba at lists.samba.org>
>> Date: Mon, 06 Jun 2011 12:04:14 -0400
>> Subject: [Samba] getent passwd does not list trusted users
>> I am running Samba 3.5.5 on Solaris 10. This is the latest Sun/Oracle
>> provided build. I have an ldap backend for everything (unix+samba
accounts,
>> idmapping for domain trusts.) The Samba server is a PDC for a domain
we can
>> call "SAMBA." Each samba account is tied to a unix
account.
>>
>> I have a one-way domain trust setup with a Windows 2003 domain which
we
>> can call "WIN2003." SAMBA trusts WIN2003. "getent
passwd" and "getent
>> group" seem to fundamentally be working (depending on syntax)
BUT "getent
>> passwd" does NOT list trusted users.
>>
>>
>> On the solaris machine:
>>
>>
---------------------------------------------------------------------------------------------------------------------------------------------------------------
>> "wbinfo -u" and "wbinfo -g" lists all users in
this domain + the
>> WIN2003 domain. For the SAMBA users, the domain name is stripped
out.
>>
>>
>> "getent passwd" - lists all "unix" users (in
ldap or /etc/passwd.)
>> It does not list the samba users - which is the expected and
>> desired behaviour.
>> I had expected it to list users from the WIN2003 domain.
>>
>>
>> "getent group" - lists all "unix" groups (in
ldap or /etc/passwd)
>> It does not listed the SAMBA groups - which is the expected
and
>> desired behaviour.
>> It does list WIN2003 groups- which is also the expected and
>> desired behaviour.
>>
>>
>> "getent passwd SAMBA\\user" - shows uid, gid, home
directory, shell
>> "getent passwd WIN2003\\user" - shows uid, gid, home
directory, shell
>>
>> "getent group SAMBA\\group" - shows gid, members
>> "getent group WIN2003\\group" - shows gid, members
>>
>>
>> "id SAMBA\\user" - shows uid and gid
>> "id WIN2003 \\user" - shows uid and gid
>>
>>
>>
---------------------------------------------------------------------------------------------------------------------------------------------------------------
>>
>>
>> I can use chown and other commands from solaris command line to grant
>> rights to a user from the trusted domain. However, in a Windows
machine in
>> samba domain, when setting file permissions, I can not see the trusted
>> domain.
>>
>>
>> Any thoughts?
>>
>>
>> Thanks