Giuseppe Sacco
2018-Oct-17 16:46 UTC
[Samba] NSS interface lists all domain users but gives error on single user
Hello Rowland,

On Wed, 17/10/2018 at 14.32 +0100, Rowland Penny via samba wrote:
> On Wed, 17 Oct 2018 15:03:41 +0200
> Giuseppe Sacco via samba <samba at lists.samba.org> wrote:
> [...]
> > # Global parameters
> > [global]
> > dns proxy = No
> > log file = /var/log/samba/log.%m
> > map to guest = Bad User
> > max log size = 1000
> > panic action = /usr/share/samba/panic-action %d
> > realm = AGENZIA.LOCAL
> > security = ADS
> > server role = member server
> > server string = %h server (Samba, Ubuntu)
> > template homedir = /home/%U
> > template shell = /bin/bash
> > usershare allow guests = Yes
> > winbind cache time = 5
> > winbind enum groups = Yes
> > winbind enum users = Yes
> > winbind offline logon = Yes
> > winbind refresh tickets = Yes
> > winbind separator = +
> > workgroup = AGENZIA
> > idmap config * : range = 5000-5100
> > idmap config * : backend = tdb
>
> You haven't set up idmap correctly, see here:
> https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member
> and here:
> https://wiki.samba.org/index.php/Idmap_config_ad
> or here:
> https://wiki.samba.org/index.php/Idmap_config_rid

If I understand the documentation, I need to set up two idmap configs, one allocating ids for the BUILTIN users (using the tdb backend) and a separate one for my domain users. I thought that using "*" would have covered all domains, but I now think this is not true. Moreover, using the rid backend, I found that not all users were listed until its range was large enough.

So, I changed the idmap config this way:

    idmap config * : range = 3000-7999
    idmap config * : backend = tdb
    idmap config AGENZIA : range = 8000-20000
    idmap config AGENZIA : backend = rid

I stopped the samba daemons, deleted the relevant tdb files, restarted all daemons. I did not leave/join the domain again.

But I still have the same problem: "getent passwd" lists all users, while "getent passwd 'AGENZIA+manuelb'" does not give any results.

Thank you very much,
Giuseppe
Rowland Penny
2018-Oct-17 17:25 UTC
[Samba] NSS interface lists all domain users but gives error on single user
On Wed, 17 Oct 2018 18:46:35 +0200
Giuseppe Sacco via samba <samba at lists.samba.org> wrote:

> Hello Rowland,
>
> On Wed, 17/10/2018 at 14.32 +0100, Rowland Penny via samba wrote:
> > On Wed, 17 Oct 2018 15:03:41 +0200
> > Giuseppe Sacco via samba <samba at lists.samba.org> wrote:
> > [...]
> > > # Global parameters
> > > [global]
> > > dns proxy = No
> > > log file = /var/log/samba/log.%m
> > > map to guest = Bad User
> > > max log size = 1000
> > > panic action = /usr/share/samba/panic-action %d
> > > realm = AGENZIA.LOCAL
> > > security = ADS
> > > server role = member server
> > > server string = %h server (Samba, Ubuntu)
> > > template homedir = /home/%U
> > > template shell = /bin/bash
> > > usershare allow guests = Yes
> > > winbind cache time = 5
> > > winbind enum groups = Yes
> > > winbind enum users = Yes
> > > winbind offline logon = Yes
> > > winbind refresh tickets = Yes
> > > winbind separator = +
> > > workgroup = AGENZIA
> > > idmap config * : range = 5000-5100
> > > idmap config * : backend = tdb
> >
> > You haven't set up idmap correctly, see here:
> > https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member
> > and here:
> > https://wiki.samba.org/index.php/Idmap_config_ad
> > or here:
> > https://wiki.samba.org/index.php/Idmap_config_rid
>
> If I understand the documentation, I need to set up two idmap configs,
> one allocating ids for the BUILTIN users (using the tdb backend) and a
> separate one for my domain users. I thought that using "*" would have
> covered all domains, but I now think this is not true. Moreover, using
> the rid backend, I found that not all users were listed until its
> range was large enough.
>
> So, I changed the idmap config this way:
>
> idmap config * : range = 3000-7999
> idmap config * : backend = tdb
> idmap config AGENZIA : range = 8000-20000
> idmap config AGENZIA : backend = rid
>
> I stopped the samba daemons, deleted the relevant tdb files, restarted
> all daemons. I did not leave/join the domain again.
>
> But I still have the same problem: "getent passwd" lists all users,
> while "getent passwd 'AGENZIA+manuelb'" does not give any results.
>

okay, try changing this in /etc/nsswitch.conf:

    passwd: files winbind systemd
    group: files winbind systemd
    shadow: files winbind

To this:

NSS configuration is simple:

    passwd: files winbind
    group: files winbind
    shadow: files

make sure that 'smbd' & 'winbind' are running.

Providing that there is a user called 'manuelb' in AD, winbind should show the user with 'getent passwd AGENZIA+manuelb'

Rowland
Giuseppe Sacco
2018-Oct-17 19:22 UTC
[Samba] NSS interface lists all domain users but gives error on single user
Hello Rowland,

I changed nsswitch.conf as suggested, but I still have the same result.

[...]
> Providing that there is a user called 'manuelb' in AD, winbind should
> show the user with 'getent passwd AGENZIA+manuelb'

If I list all users, I get all users. Let's display the end of the list using both wbinfo and getent:

    root at kubuntu-test:~# wbinfo -u | tail -2
    AGENZIA\lorenam
    AGENZIA\manuelb
    root at kubuntu-test:~# getent passwd | tail -2
    AGENZIA\lorenam:*:10182:8513::/home/lorenam:/bin/bash
    AGENZIA\manuelb:*:10183:8513::/home/manuelb:/bin/bash

If I create a file and change its uid to one of these, I see that NSS does not resolve it:

    root at kubuntu-test:~# touch /tmp/ttt
    root at kubuntu-test:~# chown 10183 /tmp/ttt
    root at kubuntu-test:~# ls -l /tmp/ttt
    -rw-r--r-- 1 10183 root 0 ott 17 20:54 /tmp/ttt

Even the "id" command does not resolve it. Nor does getent:

    root at kubuntu-test:~# id 'AGENZIA\lorenam'
    id: ‘AGENZIA\\lorenam’: no such user
    root at kubuntu-test:~# getent passwd 'AGENZIA\lorenam'
    root at kubuntu-test:~#

This is the complete global section as displayed by testparm:

    [global]
    dns proxy = No
    log file = /var/log/samba/log.%m
    map to guest = Bad User
    max log size = 1000
    panic action = /usr/share/samba/panic-action %d
    realm = AGENZIA.LOCAL
    security = ADS
    server role = member server
    server string = %h server (Samba, Ubuntu)
    template homedir = /home/%U
    template shell = /bin/bash
    username map = /usr/local/samba/etc/user.map
    usershare allow guests = Yes
    winbind cache time = 5
    winbind enum groups = Yes
    winbind enum users = Yes
    winbind offline logon = Yes
    winbind refresh tickets = Yes
    workgroup = AGENZIA
    idmap config agenzia : range = 8000-20000
    idmap config agenzia : backend = rid
    idmap config * : range = 3000-7999
    idmap config * : backend = tdb

As you may see, the uids given by wbinfo and getent are in the correct range. I do not know how to better debug the problem: I have raised "log level" in smb.conf but no logging is done during the getent execution.

Thank you,
Giuseppe
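The idmap reasoning in this thread (a '*' block alone does not cover the member's own domain, and the rid backend hands out ids from the domain's own range) can be checked mechanically. The following is an added example, not code from the thread or from Samba: it parses the idmap lines of a testparm dump (sample constructed from the configuration above), flags the misconfigurations the thread discusses, and maps a uid such as 10183 back to the RID it was allocated from.

```python
import re

# Constructed sample: the workgroup and idmap lines from the testparm output quoted in the thread.
SAMPLE_SMB_CONF = """[global]
    workgroup = AGENZIA
    idmap config agenzia : range = 8000-20000
    idmap config agenzia : backend = rid
    idmap config * : range = 3000-7999
    idmap config * : backend = tdb
"""

IDMAP_RE = re.compile(r"^\s*idmap\s+config\s+(\S+)\s*:\s*(\w+)\s*=\s*(.+?)\s*$", re.IGNORECASE)
WORKGROUP_RE = re.compile(r"^\s*workgroup\s*=\s*(\S+)", re.IGNORECASE)

def parse_conf(conf):
    """Return (workgroup, {DOMAIN: {option: value}}); smb.conf domain names are case-insensitive."""
    workgroup, domains = None, {}
    for line in conf.splitlines():
        if m := WORKGROUP_RE.match(line):
            workgroup = m.group(1).upper()
        elif m := IDMAP_RE.match(line):
            domains.setdefault(m.group(1).upper(), {})[m.group(2).lower()] = m.group(3)
    return workgroup, domains

def check_idmap(workgroup, domains):
    """List misconfigurations that leave winbind unable to map SIDs to ids."""
    problems = []
    if "*" not in domains:
        problems.append("no 'idmap config *' block: BUILTIN and unknown-domain SIDs cannot be mapped")
    if workgroup and workgroup not in domains:
        # The first config in the thread: only '*' was set, so the member's own domain had no block.
        problems.append(f"no 'idmap config {workgroup}' block: '*' does not cover the domain itself")
    ranges = sorted(((d, *map(int, c["range"].split("-"))) for d, c in domains.items() if "range" in c),
                    key=lambda r: r[1])
    for (d1, l1, h1), (d2, l2, _) in zip(ranges, ranges[1:]):
        if l2 <= h1:
            problems.append(f"ranges of {d1} ({l1}-{h1}) and {d2} (from {l2}) overlap")
    return problems

def explain_uid(uid, domains):
    """Which idmap block owns a uid; for the rid backend also recover the RID (ID = RID + low, base_rid 0)."""
    for dom, cfg in domains.items():
        if "range" in cfg:
            low, high = map(int, cfg["range"].split("-"))
            if low <= uid <= high:
                return dom, uid - low if cfg.get("backend", "").lower() == "rid" else None
    return None
```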