Jason Ellison
2009-Apr-07 20:33 UTC
[CentOS] CentOS 5.3 samba: getent does not return data from the active directory (ads)
CentOS 5.3 getent does not return data from the active directory (ads)
I have installed and configured kerberos and samba so that the
server can be a member of an existing Active Directory (AD). Correct
configuration of Kerberos was verified using kinit and klist. The samba
configuration was verified by using "smbclient -k -L server". winbind
was verified by using "wbinfo -g". The problem seems to be nsswitch
accessing winbindd to get group information via the "getent group"
command. I added winbind to the /etc/nsswitch.conf file like so:
[root at nagios ~]# grep winbind /etc/nsswitch.conf
passwd: files winbind
shadow: files winbind
group: files winbind
I verified that all dynamic libraries are being accessed correctly
by using "strace getent group".
Below is the debug output of winbindd when issuing various commands
that interact with it. The commands are noted in (parentheses).
(winbindd -i -d 9)
00a0 status: NT_STATUS_OK
("getent group" command issued)
accepted socket 17
[17171]: request interface version
[17171]: request location of privileged pipe
accepted socket 18
[17171]: setgrent
[17171]: endgrent
("getent passwd" command issued)
accepted socket 17
[17172]: request interface version
[17172]: request location of privileged pipe
accepted socket 18
[17172]: setpwent
[17172]: endpwent
(winbindd -i -d 9)
00a0 status: NT_STATUS_OK
("wbinfo -g" command issued)
accepted socket 17
[17158]: request interface version
[17158]: request location of privileged pipe
accepted socket 18
[17158]: list groups
get_sam_group_entries: BUILTIN or local domain; enumerating local groups as well
Attempting to register passdb backend ldapsam
Successfully added passdb backend 'ldapsam'
Attempting to register passdb backend ldapsam_compat
Successfully added passdb backend 'ldapsam_compat'
Attempting to register passdb backend NDS_ldapsam
Successfully added passdb backend 'NDS_ldapsam'
Attempting to register passdb backend NDS_ldapsam_compat
Successfully added passdb backend 'NDS_ldapsam_compat'
Attempting to register passdb backend smbpasswd
Successfully added passdb backend 'smbpasswd'
Attempting to register passdb backend tdbsam
Successfully added passdb backend 'tdbsam'
Attempting to find an passdb backend to match tdbsam (tdbsam)
Found pdb backend tdbsam
pdb backend tdbsam has a valid init
get_sam_group_entries: Returned 2 local groups
get_sam_group_entries: BUILTIN or local domain; enumerating local groups as well
get_sam_group_entries: Returned 0 local groups
get_cache: Setting ADS methods for domain COMPANY
ads: enum_dom_groups
NOTES:
[root at nagios ~]# uname -a
Linux nagios.hq.company.local 2.6.18-128.1.6.el5xen #1 SMP Wed Apr 1
09:53:14 EDT 2009 x86_64 x86_64 x86_64 GNU/Linux
[root at nagios ~]# rpm -qa samba krb* nss*
nss_db-2.2-35.3
nss_db-2.2-35.3
krb5-libs-1.6.1-31.el5
nss-tools-3.12.2.0-4.el5.centos
nss_ldap-253-17.el5
krb5-libs-1.6.1-31.el5
samba-3.0.33-3.7.el5
krb5-auth-dialog-0.7-1
nss-3.12.2.0-4.el5.centos
nss-3.12.2.0-4.el5.centos
nss_ldap-253-17.el5
krb5-workstation-1.6.1-31.el5
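The request sequences in the debug output above, checked mechanically (an added example, not part of the original post): the script groups winbindd request lines by client PID and flags enumerations where set*ent is followed directly by end*ent with no backend lines logged, which is the pattern of both getent runs but not of wbinfo -g. SAMPLE_LOG is a constructed excerpt of the quoted output, and the function names are hypothetical.

```python
import re

# Constructed excerpt of the "winbindd -i -d 9" output quoted in the post above
# (getent group, getent passwd, wbinfo -g), used here as sample input.
SAMPLE_LOG = """\
accepted socket 17
[17171]: request interface version
[17171]: request location of privileged pipe
accepted socket 18
[17171]: setgrent
[17171]: endgrent
[17172]: request interface version
[17172]: request location of privileged pipe
[17172]: setpwent
[17172]: endpwent
[17158]: request interface version
[17158]: request location of privileged pipe
[17158]: list groups
get_sam_group_entries: Returned 2 local groups
ads: enum_dom_groups
"""

REQUEST = re.compile(r"^\[\s*(\d+)\]:\s+(.+)$")
HANDSHAKE = {"request interface version", "request location of privileged pipe"}
DATABASE = {"gr": "group", "pw": "passwd"}

def triage(log_text):
    """Group log lines by client PID: its requests, and backend lines that followed."""
    clients, current = {}, None
    for line in (raw.strip() for raw in log_text.splitlines()):
        if not line or line.startswith("accepted socket"):
            continue
        m = REQUEST.match(line)
        if m:
            current = clients.setdefault(m.group(1), {"requests": [], "backend": 0})
            if m.group(2) not in HANDSHAKE:
                current["requests"].append(m.group(2))
        elif current is not None:
            current["backend"] += 1  # non-request line, attributed to the last client seen
    return clients

def empty_enumerations(clients):
    """Clients whose set*ent was followed directly by end*ent with no backend activity."""
    flagged = []
    for pid, info in clients.items():
        for first, second in zip(info["requests"], info["requests"][1:]):
            m = re.fullmatch(r"set(gr|pw)ent", first)
            if m and second == "end" + first[3:] and info["backend"] == 0:
                flagged.append((pid, DATABASE[m.group(1)]))
    return flagged
```

Calling `empty_enumerations(triage(text))` on a captured log reports only what winbindd logged for each client; it does not identify why no entries were fetched.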
JohnS
2009-Apr-07 21:03 UTC
[CentOS] CentOS 5.3 samba: getent does not return data from the active directory (ads)
On Tue, 2009-04-07 at 15:33 -0500, Jason Ellison wrote:
> CentOS 5.3 getent does not return data from the active directory (ads)
>
> I have installed and configured kerberos and samba so that the
> server can be a member of an existing Active Directory (AD). Correct
> configuration of Kerberos was verified using kinit and klist. The samba
> configuration was verified by using "smbclient -k -L server". winbind
> was verified by using "wbinfo -g". The problem seems to be nsswitch
> accessing winbindd to get group information via the "getent group"
> command. I added winbind to the /etc/nsswitch.conf file like so:
>
> [root at nagios ~]# grep winbind /etc/nsswitch.conf
> passwd: files winbind
> shadow: files winbind
> group: files winbind
---
Try
"hosts: files dns wins"
"hosts: files winbind"
You really don't say if you're authenticating what and where @. But I do know you did not list "the hosts:" line in nsswitch. One of those should do it. getent group_name will never work without changing it.
JohnS
2009-Apr-07 21:17 UTC
[CentOS] CentOS 5.3 samba: getent does not return data from the active directory (ads)
On Tue, 2009-04-07 at 15:33 -0500, Jason Ellison wrote:
By the way looking again:
> ("getent passwd" command issued)
Should be "getent passwd | grep user_name"
> accepted socket 17
> [17172]: request interface version
> [17172]: request location of privileged pipe
> accepted socket 18
> [17172]: setpwent
> [17172]: endpwent
>
So as "getent group | grep "group_name"
JohnStanley
Rob Townley
2009-Apr-08 15:35 UTC
[CentOS] CentOS 5.3 samba: getent does not return data from the active directory (ads)
Have you browsed the LDAP entries in ActiveDirectory to see if they match similar entries for working windows hosts? Under the computer entry, look carefully at dnsHostname and servicePrincipalName. For a server, there are many many entries for these two variables. CIFS/x2, HOSTx2, LDAPS?/, ..... and so on.
On 4/7/09, Jason Ellison <infotek at gmail.com> wrote:
> CentOS 5.3 getent does not return data from the active directory (ads)
>
> I have installed and configured kerberos and samba so that the
> server can be a member of an existing Active Directory (AD). Correct
> configuration of Kerberos was verified using kinit and klist. The samba
> configuration was verified by using "smbclient -k -L server". winbind
> was verified by using "wbinfo -g". The problem seems to be nsswitch
> accessing winbindd to get group information via the "getent group"
> command. I added winbind to the /etc/nsswitch.conf file like so:
>
> [root at nagios ~]# grep winbind /etc/nsswitch.conf
> passwd: files winbind
> shadow: files winbind
> group: files winbind
>
> I verified that all dynamic libraries are being accessed correctly
> by using "strace getent group".
>
> Below is the debug output of winbindd when issuing various commands
> that interact with it. The commands are noted in (parentheses).
>
> (winbindd -i -d 9)
>
> 00a0 status: NT_STATUS_OK
>
> ("getent group" command issued)
>
> accepted socket 17
> [17171]: request interface version
> [17171]: request location of privileged pipe
> accepted socket 18
> [17171]: setgrent
> [17171]: endgrent
>
> ("getent passwd" command issued)
>
> accepted socket 17
> [17172]: request interface version
> [17172]: request location of privileged pipe
> accepted socket 18
> [17172]: setpwent
> [17172]: endpwent
>
> (winbindd -i -d 9)
>
> 00a0 status: NT_STATUS_OK
>
> ("wbinfo -g" command issued)
>
> accepted socket 17
> [17158]: request interface version
> [17158]: request location of privileged pipe
> accepted socket 18
> [17158]: list groups
> get_sam_group_entries: BUILTIN or local domain; enumerating local groups as
> well
> Attempting to register passdb backend ldapsam
> Successfully added passdb backend 'ldapsam'
> Attempting to register passdb backend ldapsam_compat
> Successfully added passdb backend 'ldapsam_compat'
> Attempting to register passdb backend NDS_ldapsam
> Successfully added passdb backend 'NDS_ldapsam'
> Attempting to register passdb backend NDS_ldapsam_compat
> Successfully added passdb backend 'NDS_ldapsam_compat'
> Attempting to register passdb backend smbpasswd
> Successfully added passdb backend 'smbpasswd'
> Attempting to register passdb backend tdbsam
> Successfully added passdb backend 'tdbsam'
> Attempting to find an passdb backend to match tdbsam (tdbsam)
> Found pdb backend tdbsam
> pdb backend tdbsam has a valid init
> get_sam_group_entries: Returned 2 local groups
> get_sam_group_entries: BUILTIN or local domain; enumerating local groups as
> well
> get_sam_group_entries: Returned 0 local groups
> get_cache: Setting ADS methods for domain COMPANY
> ads: enum_dom_groups
>
>
> NOTES:
>
> [root at nagios ~]# uname -a
> Linux nagios.hq.company.local 2.6.18-128.1.6.el5xen #1 SMP Wed Apr 1
> 09:53:14 EDT 2009 x86_64 x86_64 x86_64 GNU/Linux
>
> [root at nagios ~]# rpm -qa samba krb* nss*
> nss_db-2.2-35.3
> nss_db-2.2-35.3
> krb5-libs-1.6.1-31.el5
> nss-tools-3.12.2.0-4.el5.centos
> nss_ldap-253-17.el5
> krb5-libs-1.6.1-31.el5
> samba-3.0.33-3.7.el5
> krb5-auth-dialog-0.7-1
> nss-3.12.2.0-4.el5.centos
> nss-3.12.2.0-4.el5.centos
> nss_ldap-253-17.el5
> krb5-workstation-1.6.1-31.el5