Mike Partyka
2005-Sep-16 17:27 UTC
[Samba] getent and wbinfo not returning expected results?
Hello,

For some time now I have been trying to connect a Samba-3.0.14a-0.4 server running on SuSE Ent 9 linux server to our Exchange 2003 (running on Server 2003 Std w/ SP1) server which is also the AD server for our domain. I can connect to the shares using the AD as the authentication source, so the basic functionality is there but some command output does not show in the way I expect it to. Such as the "getent passwd" command should return a listing of the local passwd file with the Active Directory users appended to it, but it only lists the local passwd file.

I have checked the kerberos ticket to make sure it's still valid, here is the output:

> Credentials cache: FILE:/tmp/krb5cc_0
> Principal: Administrator@DOMAIN.COM
>
> Issued Expires Principal
> Sep 16 11:44:08 Sep 16 21:44:08 krbtgt/DOMAIN.COM@DOMAIN.COM

And I test the join and it is valid, here is the output:

> Join is OK

Some commands work but not the way I would expect them to, such as "wbinfo -u". This command comes back with a list of users from the AD but the domain name is not prepended as I would expect with the domain separator value between the domain name and the username.

"wbinfo -g" is exactly the same, it comes back with a list of AD groups but the domain is not prepended, what would cause this behavior?

Here is the global section of my smb.conf, maybe I am missing something that will be obvious to users on this list.

> [global]
> workgroup = domain
> netbios name = mps1intmx01
> server string = SMB %v for domain.com
> security = ADS
> encrypt passwords = Yes
> template shell = /bin/bash
> realm = DOMAIN.COM
>
> # Winbind settings
> idmap backend = idmap_rid:DOMAIN=500-5000
> idmap uid = 500-1000
> idmap gid = 500-1000
> winbind separator = /
> winbind enum users = Yes
> winbind enum groups = Yes
> winbind use default domain = Yes
> winbind nested groups = Yes
> allow trusted domains = No
>
> preferred master = No
> local master = No
> wins server = msp1intmx02.domain.com
>
> log level = 10

TIA!

Doug Sampson
2005-Sep-16 17:34 UTC
[Samba] getent and wbinfo not returning expected results?
> Some commands work but not the way I would expect them to, such as
> "wbinfo -u". This command comes back with a list of users from the AD
> but the domain name is not prepended as I would expect with the
> domain separator value between the domain name and the username.
>
> "wbinfo -g" is exactly the same, it comes back with a list of AD
> groups but the domain is not prepended, what would cause this
> behavior?
>
> Here is the global section of my smb.conf, maybe I am missing
> something that will be obvious to users on this list.
>
> > [global]
> > workgroup = domain
> > netbios name = mps1intmx01
> > server string = SMB %v for domain.com
> > security = ADS
> > encrypt passwords = Yes
> > template shell = /bin/bash
> > realm = DOMAIN.COM
> >
> > # Winbind settings
> > idmap backend = idmap_rid:DOMAIN=500-5000
> > idmap uid = 500-1000
> > idmap gid = 500-1000
> > winbind separator = /
> > winbind enum users = Yes
> > winbind enum groups = Yes
> > winbind use default domain = Yes
> > winbind nested groups = Yes
> > allow trusted domains = No
> >
> > preferred master = No
> > local master = No
> > wins server = msp1intmx02.domain.com
> >
> > log level = 10

Remove 'winbind use default domain = Yes' from smb.conf and you'll see the domain name prepended to the output from 'wbinfo -u' & 'wbinfo -g' commands.

~Doug

Doug Sampson
2005-Sep-16 18:15 UTC
[Samba] getent and wbinfo not returning expected results?
> I did and this did address the wbinfo -u OR -g output but the getent
> passwd OR group, is still only listing the local users and groups

<sigh> According to the Samba docs, it's either the NSS switch or the PAM modules or both that appear to be preventing the enumeration of users/groups. I have on hand TOSHARG and the 'Samba-3 By Examples' books. Check page 228 section 12 in 'Samba-3 by Examples' and you will see what I am referring to.

I'm using FreeBSD and their NSS libraries are different from Linux's and I'm wondering if that is the cause. FreeBSD uses nss_winbind.so.1 whereas there are numerous references to libnss_winbind.so.2 in TOSHARG which is based on Linux. I fear FreeBSD's GCC compiler is either older and/or different than Linux's. What distro are you using?

> Yes this is sound advice I was playing around with some others like the
> + , which seems to be a common choice but testparm complained about it
> so I changed it to what you see.

Yeah. The separator isn't the real cause behind your woes though. Let me know what you come up with.

~Doug

Doug Sampson
2005-Sep-16 21:03 UTC
[Samba] getent and wbinfo not returning expected results?
> If 'wbinfo -u' returns the domain user list, but 'getent passwd' does not,
> this means that NSS is not working. It has nothing to do with PAM.
>
> > I'm using FreeBSD and their NSS libraries are different from Linux's and
> > I'm wondering if that is the cause. FreeBSD uses nss_winbind.so.1 whereas
> > there are numerous references to libnss_winbind.so.2 in TOSHARG which is
> > based on Linux. I fear FreeBSD's GCC compiler is either older and/or
> > different than Linux's. What distro are you using?
>
> Have you joined the Samba server to the domain?
> What do 'net rpc info' and 'net ads info' report?

aries-root@/usr/local/etc: net rpc info
Domain Name: DSP
Domain SID: S-1-5-21-2008768363-1786319642-1659389152
Sequence number: 15618
Num users: 124
Num domain groups: 16
Num local groups: 1

> Is winbindd running?

aries-root@/usr/local/etc: ps aux | grep winbind
root 8276 0.0 0.3 4644 2884 ?? Ss 12:26PM 0:00.01 winbindd -d4
root 8277 0.0 0.3 4584 2836 ?? I 12:26PM 0:00.01 winbindd -d4

> Did you rename the libnss_winbind.so.2 file to nss_winbind.so.1?
> Did you locate this in the /lib or the /usr/lib directory?
>
> What error logs are you seeing in /var/adm/messages?

On my FreeBSD machine, the log is located at /var/log/messages:

Sep 16 12:26:21 aries winbindd[8277]: [2005/09/16 12:26:21, 0] rpc_client/cli_pipe.c:cli_rpc_open_noauth(1700)
Sep 16 12:26:21 aries winbindd[8277]: rpc_pipe_bind failed
Sep 16 12:26:25 aries nmbd[8278]: [2005/09/16 12:26:25, 0] nmbd/nmbd.c:main(737)
Sep 16 12:26:25 aries nmbd[8278]: standard input is not a socket, assuming -D option
Sep 16 12:26:25 aries smbd[8280]: [2005/09/16 12:26:25, 0] passdb/pdb_tdb.c:tdbsam_tdbopen(195)
Sep 16 12:26:25 aries smbd[8280]: Unable to open/create TDB passwd
Sep 16 12:26:25 aries smbd[8280]: [2005/09/16 12:26:25, 0] passdb/pdb_tdb.c:tdbsam_getsampwrid(488)
Sep 16 12:26:25 aries smbd[8280]: pdb_getsampwrid: Unable to open TDB rid database!
Sep 16 12:26:25 aries smbd[8280]: NSSWITCH(nsparser): /etc/nsswitch.conf line 1: 'compat' used with other sources
Sep 16 12:26:25 aries smbd[8280]: NSSWITCH(nsparser): /etc/nsswitch.conf line 2: 'compat' used with other sources
Sep 16 12:26:25 aries smbd[8280]: NSSWITCH(nss_load_module): wins, Undefined symbol "nss_module_register"
Sep 16 12:26:25 aries smbd[8280]: [2005/09/16 12:26:25, 0] smbd/server.c:main(839)
Sep 16 12:26:25 aries smbd[8280]: standard input is not a socket, assuming -D option
Sep 16 12:26:29 aries ps: NSSWITCH(nsparser): /etc/nsswitch.conf line 1: 'compat' used with other sources
Sep 16 12:26:29 aries ps: NSSWITCH(nsparser): /etc/nsswitch.conf line 2: 'compat' used with other sources
Sep 16 12:26:29 aries ps: NSSWITCH(nss_load_module): wins, Undefined symbol "nss_module_register"
Sep 16 12:26:51 aries getent: NSSWITCH(nsparser): /etc/nsswitch.conf line 1: 'compat' used with other sources
Sep 16 12:26:51 aries getent: NSSWITCH(nsparser): /etc/nsswitch.conf line 2: 'compat' used with other sources
Sep 16 12:26:51 aries getent: NSSWITCH(nss_load_module): wins, Undefined symbol "nss_module_register"
Sep 16 13:00:00 aries newsyslog: NSSWITCH(nsparser): /etc/nsswitch.conf line 1: 'compat' used with other sources
Sep 16 13:00:00 aries newsyslog: NSSWITCH(nsparser): /etc/nsswitch.conf line 2: 'compat' used with other sources
Sep 16 13:00:00 aries newsyslog: NSSWITCH(nss_load_module): wins, Undefined symbol "nss_module_register"
Sep 16 13:06:07 aries ls: NSSWITCH(nsparser): /etc/nsswitch.conf line 1: 'compat' used with other sources
Sep 16 13:06:07 aries ls: NSSWITCH(nsparser): /etc/nsswitch.conf line 2: 'compat' used with other sources
Sep 16 13:06:07 aries ls: NSSWITCH(nss_load_module): wins, Undefined symbol "nss_module_register"
Sep 16 13:07:08 aries ls: NSSWITCH(nsparser): /etc/nsswitch.conf line 1: 'compat' used with other sources
Sep 16 13:07:08 aries ls: NSSWITCH(nsparser): /etc/nsswitch.conf line 2: 'compat' used with other sources
Sep 16 13:07:08 aries ls: NSSWITCH(nss_load_module): wins, Undefined symbol "nss_module_register"
Sep 16 13:26:32 aries ps: NSSWITCH(nsparser): /etc/nsswitch.conf line 1: 'compat' used with other sources
Sep 16 13:26:32 aries ps: NSSWITCH(nsparser): /etc/nsswitch.conf line 2: 'compat' used with other sources
Sep 16 13:26:32 aries ps: NSSWITCH(nss_load_module): wins, Undefined symbol "nss_module_register"

aries-root@/usr/local/etc: ll /usr/local/lib/*win*
lrwxr-xr-x 1 root wheel 31 Sep 15 12:27 /usr/local/lib/libnss_winbind.so -> /usr/local/lib/nss_winbind.so.1
lrwxr-xr-x 1 root wheel 14 Sep 15 13:29 /usr/local/lib/libnss_winbind.so.1 -> nss_winbind.so
lrwxr-xr-x 1 root wheel 14 Sep 15 13:30 /usr/local/lib/libnss_winbind.so.2 -> nss_winbind.so
lrwxr-xr-x 1 root wheel 11 Sep 15 13:30 /usr/local/lib/libnss_wins.so.1 -> nss_wins.so
lrwxr-xr-x 1 root wheel 11 Sep 15 13:30 /usr/local/lib/libnss_wins.so.2 -> nss_wins.so
-rwxr-xr-x 1 root wheel 23057 Sep 15 13:28 /usr/local/lib/nss_winbind.so
lrwxr-xr-x 1 root wheel 14 Sep 15 13:29 /usr/local/lib/nss_winbind.so.1 -> nss_winbind.so
lrwxr-xr-x 1 root wheel 14 Sep 15 13:30 /usr/local/lib/nss_winbind.so.2 -> nss_winbind.so
-rwxr-xr-x 1 root wheel 813451 Sep 15 13:28 /usr/local/lib/nss_wins.so
lrwxr-xr-x 1 root wheel 11 Sep 15 13:30 /usr/local/lib/nss_wins.so.1 -> nss_wins.so
lrwxr-xr-x 1 root wheel 11 Sep 15 13:30 /usr/local/lib/nss_wins.so.2 -> nss_wins.so
-r-xr-xr-x 1 root wheel 15164 Sep 15 10:03 /usr/local/lib/pam_winbind.so

Does NSSWITCH follow symlinks?

Side note: Following a post in which a poster complained that when upgrading Samba, his libraries weren't updated correctly so he has since then decided to manually copy his libraries from the source directory to the library path, I decided to do likewise. Thus you are seeing files ending in .so as source and links made to these source files. Perhaps that may have something to do with the problems I am having?

~Doug

Doug Sampson
2005-Sep-16 21:39 UTC
[Samba] getent and wbinfo not returning expected results?
> > If 'wbinfo -u' returns the domain user list, but 'getent passwd' does not,
> > this means that NSS is not working. It has nothing to do with PAM.

Taking a cue from above, I edited nsswitch.conf to reflect your recommended nsswitch.conf settings as follows:

passwd: files winbind
group: files winbind
hosts: files winbind dns
networks: files
shells: files

wbinfo -u, wbinfo -g, getent passwd, and getent group now properly present local & domain users!!!!!!!!!!!!!!

Egads! I need to be careful with what I leave in nsswitch.conf! I'm so thrilled to get the enumeration stuff working now!

One more thing: The getent passwd produces as follows:

aries-root@/usr/local/lib/OLD: /usr/local/sbin/getent passwd
root:$1$nKq6XJlA$znAgh1MrkzByxA6/HDuah1:0:0:Charlie &:/root:/bin/csh
toor:*:0:0:Bourne-again Superuser:/root:
daemon:*:1:1:Owner of many system processes:/root:/usr/sbin/nologin
operator:*:2:5:System &:/:/usr/sbin/nologin
bin:*:3:7:Binaries Commands and Source:/:/usr/sbin/nologin
tty:*:4:65533:Tty Sandbox:/:/usr/sbin/nologin
kmem:*:5:65533:KMem Sandbox:/:/usr/sbin/nologin
games:*:7:13:Games pseudo-user:/usr/games:/usr/sbin/nologin
news:*:8:8:News Subsystem:/:/usr/sbin/nologin
man:*:9:9:Mister Man Pages:/usr/share/man:/usr/sbin/nologin
sshd:*:22:22:Secure Shell Daemon:/var/empty:/usr/sbin/nologin
smmsp:*:25:25:Sendmail Submission User:/var/spool/clientmqueue:/usr/sbin/nologin
mailnull:*:26:26:Sendmail Default User:/var/spool/mqueue:/usr/sbin/nologin
bind:*:53:53:Bind Sandbox:/:/usr/sbin/nologin
proxy:*:62:62:Packet Filter pseudo-user:/nonexistent:/usr/sbin/nologin
_pflogd:*:64:64:pflogd privsep user:/var/empty:/usr/sbin/nologin
uucp:*:66:66:UUCP pseudo-user:/var/spool/uucppublic:/usr/local/libexec/uucp/uucico
pop:*:68:6:Post Office Owner:/nonexistent:/usr/sbin/nologin
www:*:80:80:World Wide Web Owner:/nonexistent:/usr/sbin/nologin
nobody:*:65534:65534:Unprivileged user:/nonexistent:/usr/sbin/nologin
dougs:$1$EKEN2gSO$kXpBoFW5qfpDq3KF0ODT91:1001:1001:Doug Sampson:/home/dougs:/bin/sh
beckyr:$1$deELUVIF$rHMoGndIAUOqUTfLFQnxR.:1002:1002:Becky Ryan:/home/beckyr:/bin/sh
alfredos:$1$SxjkDe4a$wib3bY8ugKZy.gRPnjJ2r0:1003:1003:Alfredo Sierra:/home/alfredos:/bin/sh
michaelm:$1$bSVPy645$N02/WIbak.fLIxShs3JcT1:1004:1004:Michael MacAulay:/home/michaelm:/bin/sh
DSP-adrianp:x:15000:15000:Adrian Pearson:/usr/home/DSP/adrianp:/bin/bash
DSP-alfredo:x:15001:15000:Alfredo Sierra:/usr/home/DSP/alfredo:/bin/bash
DSP-barry:x:15002:15000:Barry Howland:/usr/home/DSP/barry:/bin/bash
DSP-becky:x:15003:15000:Rebecca L. Ryan:/usr/home/DSP/becky:/bin/bash
DSP-benb:x:15004:15000:Ben Bahan:/usr/home/DSP/benb:/bin/bash
<...snip...>

whereas getent group produces the following:

aries-root@/usr/local/lib/OLD: /usr/local/sbin/getent group
wheel:*:0:root,dougs
daemon:*:1:
kmem:*:2:
sys:*:3:
tty:*:4:
operator:*:5:root
mail:*:6:
bin:*:7:
news:*:8:
man:*:9:
games:*:13:
staff:*:20:
sshd:*:22:
smmsp:*:25:
mailnull:*:26:
guest:*:31:
bind:*:53:
proxy:*:62:
authpf:*:63:
_pflogd:*:64:
uucp:*:66:
dialer:*:68:
network:*:69:
www:*:80:
nogroup:*:65533:
nobody:*:65534:
dougs:*:1001:
beckyr:*:1002:
alfredos:*:1003:
michaelm:*:1004:
production:*:10000:dougs,beckyr,alfredos,michaelm
DSP-CUSTSVC:x:15001:DSP-Barry,DSP-denise,DSP-susan,DSP-heatherq,DSP-GIGI,DSP-moniqueb,DSP-TAMI,DSP-ChrisM,DSP-Leigh,DSP-Maryann,DSP-JoeS
DSP-Domain Admins:x:15002:DSP-DSPAdmin,DSP-Tom,DSP-root,DSP-Robot,DSP-smtp2pop3,DSP-DSP ADMIN1,DSP-Doug,DSP-Tom2
DSP-Domain Guests:x:15003:
<...snip...>
DSP-Dynamics:x:15005:DSP-Jared,DSP-Tom,DSP-Kris,DSP-Tom2
DSP-FINANCE:x:15006:DSP-DANNIS,DSP-GIGI,DSP-TAMI,DSP-Tom2,DSP-Tom,DSP-Doug,DSP-dahmian,DSP-Jared,DSP-Holly,DSP-Lynne,DSP-boe
DSP-Management:x:15007:DSP-DANNIS,DSP-Joe,DSP-GIGI,DSP-TAMI,DSP-TJ,DSP-Tom,DSP-Becky,DSP-Barry,DSP-Maryann,DSP-Tom2,DSP-Jon,DSP-Jared
DSP-MARKETING:x:15008:DSP-JoeS,DSP-GIGI,DSP-Becky,DSP-Barry,DSP-Leslie

Why is the prepended domain username in lower case in getent passwd but not with getent group? Will this create problems?

~Doug
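
Added example, not part of the thread: a shell lint for the two nsswitch.conf conditions this thread turned on, 'compat' listed together with other sources (the NSSWITCH syslog complaint) and passwd/group entries without winbind (wbinfo -u works while getent passwd shows only local accounts). The function name lint_nsswitch and the "before" file contents are constructed for illustration; the "after" file is the configuration posted above.

```shell
#!/bin/sh
# lint_nsswitch FILE: print one finding per line; status 0 = clean, 1 = findings.
# Hypothetical helper written for this example, not a Samba or FreeBSD tool.
lint_nsswitch() {
    awk '
    { sub(/#.*/, "") }                      # strip comments
    NF < 1 { next }
    {
        db = $1; sub(/:$/, "", db)
        compat = 0; winbind = 0; others = 0; inb = 0
        for (i = 2; i <= NF; i++) {
            if ($i ~ /^\[/) inb = 1         # skip [STATUS=action] criteria
            if (inb) { if ($i ~ /\]$/) inb = 0; continue }
            if ($i == "compat") { compat = 1 } else { others++ }
            if ($i == "winbind") winbind = 1
        }
        seen[db] = 1
        if (compat && others) {
            printf "%s: line %d: compat used with other sources\n", db, NR
            bad++
        }
        if ((db == "passwd" || db == "group") && !winbind) {
            printf "%s: line %d: winbind not listed\n", db, NR
            bad++
        }
    }
    END {
        if (!seen["passwd"]) { print "passwd: no entry"; bad++ }
        if (!seen["group"])  { print "group: no entry";  bad++ }
        exit (bad > 0)
    }' "$1"
}

tmp=$(mktemp -d)
# Constructed "before" file: compat mixed with winbind on lines 1 and 2.
printf '%s\n' 'group: compat winbind' 'passwd: compat winbind' > "$tmp/before"
# "After" file: the settings posted in the thread.
printf '%s\n' 'passwd: files winbind' 'group: files winbind' \
    'hosts: files winbind dns' 'networks: files' 'shells: files' > "$tmp/after"

for f in before after; do
    echo "== $f"
    lint_nsswitch "$tmp/$f" || echo "($f needs fixing)"
done
```

A clean result only says the lookup order is sane; the winbind NSS module still has to load, which is what the "Undefined symbol" lines in /var/log/messages are about.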