Noel Kelly
2005-May-22 22:50 UTC
[Samba] nsswitch not calling winbindd - suse 9.3 64 bit & Samba 3.0.14a
Hi - I have a problem that is driving me round the bend.

I have installed Suse 9.3 (64-bit) and compiled Samba 3.0.14a from source.

The server is going to be part of an ADS network so I have Kerberos
working fine and I have joined the domain ('net ads testjoin' works
fine).

I have compiled and loaded the idmap_rid module and that seems to be
working fine too. wbinfo -u gives me all the domain users and wbinfo -g
the groups. 'net ads info' gives me this:

LDAP server: 192.168.5.4
LDAP server name: brain
Realm: UK.*****.PLC
Bind Path: dc=UK,dc=*****,dc=PLC
LDAP port: 389
Server time: Sat, 21 May 2005 23:12:14 GMT
KDC server: 192.168.5.4
Server time offset: 0

which also seems fine to me.

However, the wheels come off when I try a 'getent passwd' (which returns
no domain users) or 'getent passwd administrator' (returns nothing).

My /etc/nsswitch.conf looks like this:

passwd: files winbind
group: files winbind

hosts: files dns wins
networks: files dns

services: files
protocols: files
rpc: files
ethers: files
netmasks: files
netgroup: files
publickey: files

bootparams: files
automount: files nis
aliases: files

I have tried running winbindd with debug info in the foreground (see
listing below) and there is no sign of activity at all when 'getent' is
run. It is as if the nsswitch.conf just ignores winbind. If I remove
'files' and leave:

passwd: winbind

in nsswitch.conf then 'getent passwd' returns nothing.

libnss_wins.so and libnss_winbind.so are both in /lib and both have a
softlink to a .so.2. I have even made links in /lib64 reasoning that
they might be better found there?

Has anyone got any suggestions as to how I could force nsswitch.conf to
call winbind?

Not really sure where to go next other than to a different distro as it
would seem to me in my limited capacity that the OS is not making the
right library calls?

Thanks in advance,
Noel

newbelly:~ # winbindd -i -d3
winbindd version 3.0.14a started.
Copyright The Samba Team 2000-2004
lp_load: refreshing parameters
Initialising global parameters
params.c:pm_process() - Processing configuration file
"/usr/local/samba/lib/smb.conf"
Processing section "[global]"
Processing section "[homes]"
Processing section "[printers]"
Processing section "[print$]"
Processing section "[IT]"
adding IPC service
adding IPC service
added interface ip=192.168.5.134 bcast=192.168.5.255 nmask=255.255.255.0
added interface ip=192.168.5.134 bcast=192.168.5.255 nmask=255.255.255.0
idmap_init: using 'idmap_rid' as remote backend
Module '/usr/local/samba/lib/idmap/idmap_rid.so' loaded
rid_idmap_parse: parsing entry: 0
rid_idmap_parse: entry 0 has name: [UK]
rid_idmap_parse: entry 0 has sid:
[S-1-5-21-2025429265-764733703-725345543]
rid_idmap_parse: entry 0 has min_id: [500]
rid_idmap_parse: entry 0 has max_id: [500000]
rid_idmap_init: using 1 mappings:
rid_idmap_init: domain: [UK], sid:
[S-1-5-21-2025429265-764733703-725345543], min_id: [500], max_id: [500000]
Registered MSG_REQ_POOL_USAGE
Registered MSG_REQ_DMALLOC_MARK and LOG_CHANGED
Added domain UK UK.******.PLC S-0-0
cm_get_ipc_userpass: No auth-user defined
Doing spnego session setup (blob length=108)
got OID=1 2 840 48018 1 2 2
got OID=1 2 840 113554 1 2 2
got OID=1 2 840 113554 1 2 2 3
got OID=1 3 6 1 4 1 311 2 2 10
got principal=brain$@UK.******.PLC
Doing kerberos session setup
Ticket in ccache[MEMORY:cliconnect] expiration Sun, 22 May 2005 09:18:38 GMT
lsa_io_sec_qos: length c does not match size 8
add_trusted_domain: UK is an ADS native mode domain
ads: alternate_name
Connected to LDAP server 192.168.5.12
got ldap server name lips@UK.******.PLC, using bind path:
dc=UK,dc=******,dc=PLC
ads_sasl_spnego_bind: got OID=1 2 840 48018 1 2 2
ads_sasl_spnego_bind: got OID=1 2 840 113554 1 2 2
ads_sasl_spnego_bind: got OID=1 2 840 113554 1 2 2 3
ads_sasl_spnego_bind: got OID=1 3 6 1 4 1 311 2 2 10
ads_sasl_spnego_bind: got server principal name =lips$@UK.******.PLC
ads_krb5_mk_req: krb5_cc_get_principal failed (No credentials cache found)
Ticket in ccache[MEMORY:winbind_ccache] expiration Sun, 22 May 2005
09:18:38 GMT
Found alternate name 'UK' for realm 'UK.******.PLC'
Added domain BUILTIN S-1-5-32
Added domain NEWBELLY S-1-5-21-2759713905-3148918603-543342210
Noel Kelly
2005-May-23 08:01 UTC
[Samba] nsswitch not calling winbindd - suse 9.3 64 bit & Samba 3.0.14a
Sridhar,

Spot on! Works a treat as soon as I killed nscd. I must admit I had my
doubts when I saw your email but thanks very much for that.

I just need to look at why nscd interferes with winbind so badly....

Cheers
Noel

Sridhar Venkatakrishnan wrote:
> Are you running nscd? That could mess up things a bit.
>
> Sridhar
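
Added example (not part of the original thread): a shell check for the situation resolved above, where winbind is listed in nsswitch.conf while nscd is configured to cache the same databases, since glibc asks a running nscd first for the databases it caches. The function names and the constructed sample files are assumptions of this example; enable-cache is the nscd.conf directive.

```shell
#!/bin/sh
# Added example: config checks for the nsswitch/winbind/nscd interaction.
# Paths are arguments so the functions also run on copies of the files.

# Print the sources listed for one nsswitch.conf database (e.g. passwd).
nss_sources() {  # $1 = database, $2 = nsswitch.conf path
    awk -v db="$1:" '
        { sub(/#.*/, ""); sub(/:/, ": ") }   # strip comments, split "db:src"
        $1 == db { for (i = 2; i <= NF; i++) if ($i !~ /^\[/) print $i }
    ' "$2"
}

# Succeed if winbind is listed as a source for the database.
uses_winbind() {  # $1 = database, $2 = nsswitch.conf path
    nss_sources "$1" "$2" | grep -qx winbind
}

# Succeed if nscd.conf enables caching for the database (last setting wins).
nscd_caches() {  # $1 = database, $2 = nscd.conf path
    awk -v db="$1" '
        { sub(/#.*/, "") }
        $1 == "enable-cache" && $2 == db { state = $3 }
        END { exit !(state == "yes") }
    ' "$2"
}

# Report databases where winbind is configured but nscd may answer first.
report() {  # $1 = nsswitch.conf path, $2 = nscd.conf path
    for db in passwd group; do
        if uses_winbind "$db" "$1" && nscd_caches "$db" "$2"; then
            echo "$db: winbind listed, nscd cache enabled"
        fi
    done
}

# Constructed sample configs (not taken from the poster's host).
demo() {
    d=$(mktemp -d)
    printf 'passwd: files winbind\ngroup: files winbind\n' > "$d/nsswitch.conf"
    printf 'enable-cache passwd yes\nenable-cache group no\n' > "$d/nscd.conf"
    report "$d/nsswitch.conf" "$d/nscd.conf"
    rm -rf "$d"
}

# Usage on a real host: sh check.sh /etc/nsswitch.conf /etc/nscd.conf
if [ $# -eq 2 ]; then report "$1" "$2"; fi
```

The check reads configuration only; whether the nscd daemon is actually running on the host has to be confirmed separately.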