Noel Kelly
2005-May-22 22:50 UTC
[Samba] nsswitch not calling winbindd - suse 9.3 64 bit & Samba 3.0.14a
Hi - I have a problem that is driving me round the bend.

I have installed Suse 9.3 (64-bit) and compiled Samba 3.0.14a from source.

The server is going to be part of an ADS network so I have Kerberos working fine and I have joined the domain ('net ads testjoin' works fine).

I have compiled and loaded the idmap_rid module and that seems to be working fine too. wbinfo -u gives me all the domain users and wbinfo -g the groups. 'net ads info' gives me this:

LDAP server: 192.168.5.4
LDAP server name: brain
Realm: UK.*****.PLC
Bind Path: dc=UK,dc=*****,dc=PLC
LDAP port: 389
Server time: Sat, 21 May 2005 23:12:14 GMT
KDC server: 192.168.5.4
Server time offset: 0

which also seems fine to me.

However, the wheels come off when I try a 'getent passwd' (which returns no domain users) or 'getent passwd administrator' (returns nothing).

My /etc/nsswitch.conf looks like this:

passwd: files winbind
group: files winbind

hosts: files dns wins
networks: files dns

services: files
protocols: files
rpc: files
ethers: files
netmasks: files
netgroup: files
publickey: files

bootparams: files
automount: files nis
aliases: files

I have tried running winbindd with debug info in the foreground (see listing below) and there is no sign of activity at all when 'getent' is run. It is as if the nsswitch.conf just ignores winbind. If I remove 'files' and leave:

passwd: winbind

in nsswitch.conf then 'getent passwd' returns nothing.

libnss_wins.so and libnss_winbind.so are both in /lib and both have a softlink to a .so.2. I have even made links in /lib64 reasoning that they might be better found there?

Has anyone got any suggestions as to how I could force nsswitch.conf to call winbind?

Not really sure where to go next other than to a different distro as it would seem to me in my limited capacity that the OS is not making the right library calls?

Thanks in advance,
Noel

newbelly:~ # winbindd -i -d3
winbindd version 3.0.14a started.
Copyright The Samba Team 2000-2004
lp_load: refreshing parameters
Initialising global parameters
params.c:pm_process() - Processing configuration file "/usr/local/samba/lib/smb.conf"
Processing section "[global]"
Processing section "[homes]"
Processing section "[printers]"
Processing section "[print$]"
Processing section "[IT]"
adding IPC service
adding IPC service
added interface ip=192.168.5.134 bcast=192.168.5.255 nmask=255.255.255.0
added interface ip=192.168.5.134 bcast=192.168.5.255 nmask=255.255.255.0
idmap_init: using 'idmap_rid' as remote backend
Module '/usr/local/samba/lib/idmap/idmap_rid.so' loaded
rid_idmap_parse: parsing entry: 0
rid_idmap_parse: entry 0 has name: [UK]
rid_idmap_parse: entry 0 has sid: [S-1-5-21-2025429265-764733703-725345543]
rid_idmap_parse: entry 0 has min_id: [500]
rid_idmap_parse: entry 0 has max_id: [500000]
rid_idmap_init: using 1 mappings:
rid_idmap_init: domain: [UK], sid: [S-1-5-21-2025429265-764733703-725345543], min_id: [500], max_id: [500000]
Registered MSG_REQ_POOL_USAGE
Registered MSG_REQ_DMALLOC_MARK and LOG_CHANGED
Added domain UK UK.******.PLC S-0-0
cm_get_ipc_userpass: No auth-user defined
Doing spnego session setup (blob length=108)
got OID=1 2 840 48018 1 2 2
got OID=1 2 840 113554 1 2 2
got OID=1 2 840 113554 1 2 2 3
got OID=1 3 6 1 4 1 311 2 2 10
got principal=brain$@UK.******.PLC
Doing kerberos session setup
Ticket in ccache[MEMORY:cliconnect] expiration Sun, 22 May 2005 09:18:38 GMT
lsa_io_sec_qos: length c does not match size 8
add_trusted_domain: UK is an ADS native mode domain
ads: alternate_name
Connected to LDAP server 192.168.5.12
got ldap server name lips@UK.******.PLC, using bind path: dc=UK,dc=******,dc=PLC
ads_sasl_spnego_bind: got OID=1 2 840 48018 1 2 2
ads_sasl_spnego_bind: got OID=1 2 840 113554 1 2 2
ads_sasl_spnego_bind: got OID=1 2 840 113554 1 2 2 3
ads_sasl_spnego_bind: got OID=1 3 6 1 4 1 311 2 2 10
ads_sasl_spnego_bind: got server principal name =lips$@UK.******.PLC
ads_krb5_mk_req: krb5_cc_get_principal failed (No credentials cache found)
Ticket in ccache[MEMORY:winbind_ccache] expiration Sun, 22 May 2005 09:18:38 GMT
Found alternate name 'UK' for realm 'UK.******.PLC'
Added domain BUILTIN S-1-5-32
Added domain NEWBELLY S-1-5-21-2759713905-3148918603-543342210

Noel Kelly
2005-May-23 08:01 UTC
[Samba] nsswitch not calling winbindd - suse 9.3 64 bit & Samba 3.0.14a
Sridhar,

Spot on! Works a treat as soon as I killed nscd. I must admit I had my doubts when I saw your email but thanks very much for that.

I just need to look at why nscd interferes with winbind so badly....

Cheers
Noel

Sridhar Venkatakrishnan wrote:
> Are you running nscd? That could mess up things a bit.
>
> Sridhar
>
> Noel Kelly wrote:
>
>> Hi - I have a problem that is driving me round the bend.
>>
>> I have installed Suse 9.3 (64-bit) and compiled Samba 3.0.14a from
>> source.
>>
>> The server is going to be part of an ADS network so I have Kerberos
>> working fine and I have joined the domain ('net ads testjoin' works
>> fine).
>>
>> I have compiled and loaded the idmap_rid module and that seems to be
>> working fine too. wbinfo -u gives me all the domain users and wbinfo -g
>> the groups. 'net ads info' gives me this:
>>
>> LDAP server: 192.168.5.4
>> LDAP server name: brain
>> Realm: UK.*****.PLC
>> Bind Path: dc=UK,dc=*****,dc=PLC
>> LDAP port: 389
>> Server time: Sat, 21 May 2005 23:12:14 GMT
>> KDC server: 192.168.5.4
>> Server time offset: 0
>>
>> which also seems fine to me.
>>
>> However, the wheels come off when I try a 'getent passwd' (which returns
>> no domain users) or 'getent passwd administrator' (returns nothing).
>>
>> My /etc/nsswitch.conf looks like this:
>>
>> passwd: files winbind
>> group: files winbind
>>
>> hosts: files dns wins
>> networks: files dns
>>
>> services: files
>> protocols: files
>> rpc: files
>> ethers: files
>> netmasks: files
>> netgroup: files
>> publickey: files
>>
>> bootparams: files
>> automount: files nis
>> aliases: files
>>
>> I have tried running winbindd with debug info in the foreground (see
>> listing below) and there is no sign of activity at all when 'getent' is
>> run. It is as if the nsswitch.conf just ignores winbind. If I remove
>> 'files' and leave:
>>
>> passwd: winbind
>>
>> in nsswitch.conf then 'getent passwd' returns nothing.
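The two checkpoints this thread turned on, as an added example that is not part of the original messages: whether winbind is listed for a database in nsswitch.conf, and whether nscd is configured to cache that database (`enable-cache <db> yes` in nscd.conf). The function names, verdict words and sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Functions take file paths so they can be
# pointed at /etc/nsswitch.conf and /etc/nscd.conf or at test copies.

# nss_sources FILE DB: print the sources configured for DB, space-separated.
nss_sources() {
    awk -v db="$2" '
        { sub(/#.*/, "") }                          # drop comments
        {
            i = index($0, ":"); if (i == 0) next
            name = substr($0, 1, i - 1); gsub(/[ \t]/, "", name)
            if (name != db) next
            rest = substr($0, i + 1)
            gsub(/[ \t]+/, " ", rest); gsub(/^ | $/, "", rest)
            print rest; exit
        }' "$1" 2>/dev/null
}

# nss_uses FILE DB SOURCE: succeed if SOURCE is listed for DB.
nss_uses() {
    case " $(nss_sources "$1" "$2") " in
        *" $3 "*) return 0 ;;
        *)        return 1 ;;
    esac
}

# nscd_caches FILE DB: succeed if nscd.conf has "enable-cache DB yes".
nscd_caches() {
    awk -v db="$2" '
        { sub(/#.*/, "") }
        $1 == "enable-cache" && $2 == db { state = $3 }
        END { exit !(state == "yes") }' "$1" 2>/dev/null
}

# check_db NSSWITCH NSCD_CONF DB: print one (hypothetical) verdict word for DB.
check_db() {
    if ! nss_uses "$1" "$3" winbind; then echo "no-winbind"
    elif nscd_caches "$2" "$3";      then echo "nscd-cached"
    else                                  echo "direct"
    fi
}

# Demo on constructed sample files (same passwd/group lines as the post).
demo=$(mktemp -d)
printf 'passwd: files winbind\ngroup:\tfiles winbind\nhosts: files dns wins\n' > "$demo/nsswitch.conf"
printf 'enable-cache passwd yes\nenable-cache group no\n' > "$demo/nscd.conf"
for db in passwd group hosts; do
    echo "$db: $(check_db "$demo/nsswitch.conf" "$demo/nscd.conf" "$db")"
done
```

A "nscd-cached" verdict only reflects the configuration file; whether the daemon is actually running can be confirmed separately with `pgrep -x nscd`.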