Noah Dain
2007-Feb-12 06:18 UTC
[Samba] AD integration: "getent passwd" can't see *new* users, but "wbinfo -u" can
I have two different systems (on different networks) showing this behavior. Both are running Ubuntu Dapper/606.1 LTS with Samba version 3.0.22 and Windows 2003 SP1 servers (not R2). AD integration is done via winbind, with nss using winbind. At some point in time (which is unknown to me), the Samba server stopped seeing new users, groups, machines which are added to AD.

scenario:
I add a new user to AD, say "smbtest". I then look for the user with "wbinfo -u", and it shows up. However, it does not show up with "getent passwd" (same for groups, "getent group"). If I try to map a share to a drive letter, it goes something like this:

C:\WINDOWS>net use h: \\SAMBASRV\smbtest /user:DOMAIN\smbtest password
System error 1326 has occurred.

Logon failure: unknown user name or bad password.

(The same results occur for existing shares, so it's not from lack of a home directory)

Of particular interest is log.winbindd-idmap. Whenever I try to connect as the user smbtest to their home directory or another share, this is logged here several times:

[2007/02/11 20:45:40, 0] sam/idmap_rid.c:rid_idmap_get_id_from_sid(485)
  rid_idmap_get_id_from_sid: no suitable range available for sid: S-1-5-21-4050315045-3251428658-993335031-3123

"wbinfo -s S-1-5-21-4050315045-3251428658-993335031-3123" returns "smbtest" as expected.
"wbinfo -n smbtest" returns that sid.
Other users/sids work.

Other stuff I've tried / observed:

"net ads testjoin" looks good.
Kerberos looks good.
There are no local accounts within the idmap uid/gid range.
"/var/lib/samba/winbindd_idmap.tdb" shows no new entries.
I've restarted samba and winbindd, and the whole machine went down for a reboot, but I'm still getting the same behavior.
-- only config files below --
smb.conf:

[global]
        workgroup = DOMAIN
        realm = DOMAIN
        server string = samba server
        interfaces = eth0
        bind interfaces only = Yes
        security = ADS
        allow trusted domains = No
        obey pam restrictions = Yes
        pam password change = Yes
        log level = 2 winbind:3 passdb:2 auth:2
        log file = /var/log/samba/%m.log
        socket options = TCP_noDELAY SO_RCVBUF=8192 SO_SNDBUF=8192
        load printers = No
        dns proxy = No
        wins server = DC1
        idmap backend = rid:BUILTIN=1000-9999, DOMAIN=10000-60000
        idmap uid = 1000-60000
        idmap gid = 1000-60000
        template homedir = /home/%U
        template shell = /bin/bash
        winbind separator = /
        winbind use default domain = Yes
        winbind nested groups = Yes
        hosts allow = 192.168.1.0/255.255.255.0, 127.
        hosts deny = 0.0.0.0/0.0.0.0

[homes]
        comment = Home Directory
        path = /home/%U
        read only = No
        create mask = 0640
        directory mask = 0750
        browseable = No

/end smb.conf

/etc/nsswitch.conf:

passwd:         compat winbind
group:          compat winbind
shadow:         compat winbind
hosts:          files dns mdns
networks:       files
protocols:      db files
services:       db files
ethers:         db files
rpc:            db files
netgroup:       nis

/end nsswitch.conf

--
Noah Dain
"The beatings will continue, until moral improves" - the Management
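
A triage sketch for the symptom described in the post above, added here as an example and not part of the original thread: it diffs saved "wbinfo -u" output against saved "getent passwd" output and pulls the SIDs that idmap_rid rejected out of log.winbindd-idmap. The function names, file names and sample accounts are constructed for illustration; the log message is the one quoted in the post.

```shell
#!/bin/sh
# Added example. Sample accounts and the second log timestamp are constructed.

# nss_missing WBINFO_FILE GETENT_FILE
# Names in saved `wbinfo -u` output with no entry in saved `getent passwd`
# output: winbind enumerates them, but NSS cannot resolve them.
nss_missing() {
    awk -F: 'FILENAME == ARGV[1] { have[tolower($1)] = 1; next }
             NF && !(tolower($1) in have)' "$2" "$1"
}

# unmapped_sids LOG_FILE
# Unique SIDs for which idmap_rid logged "no suitable range available".
unmapped_sids() {
    sed -n 's/.*no suitable range available for sid: *\(S-[0-9-]*\).*/\1/p' "$1" | sort -u
}

# sid_rid SID: the trailing RID component of a SID.
sid_rid() {
    printf '%s\n' "${1##*-}"
}

# make_sample DIR: write constructed sample inputs so the script runs offline.
make_sample() {
    printf '%s\n' administrator guest jdoe smbtest > "$1/wbinfo_u.txt"
    printf '%s\n' 'root:x:0:0:root:/root:/bin/bash' \
        'administrator:*:10500:10513::/home/administrator:/bin/bash' \
        'guest:*:10501:10514::/home/guest:/bin/bash' \
        'jdoe:*:11105:10513::/home/jdoe:/bin/bash' > "$1/getent_passwd.txt"
    cat > "$1/log.winbindd-idmap" <<'EOF'
[2007/02/11 20:45:40, 0] sam/idmap_rid.c:rid_idmap_get_id_from_sid(485)
  rid_idmap_get_id_from_sid: no suitable range available for sid: S-1-5-21-4050315045-3251428658-993335031-3123
[2007/02/11 20:45:41, 0] sam/idmap_rid.c:rid_idmap_get_id_from_sid(485)
  rid_idmap_get_id_from_sid: no suitable range available for sid: S-1-5-21-4050315045-3251428658-993335031-3123
EOF
}

SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT
make_sample "$SAMPLE_DIR"

echo "Listed by wbinfo -u but missing from getent passwd:"
nss_missing "$SAMPLE_DIR/wbinfo_u.txt" "$SAMPLE_DIR/getent_passwd.txt"
echo "SIDs rejected by idmap_rid:"
for sid in $(unmapped_sids "$SAMPLE_DIR/log.winbindd-idmap"); do
    echo "$sid (RID $(sid_rid "$sid"))"
done
```

On a live host, save the output of "wbinfo -u" and "getent passwd" to files and pass those together with the real log.winbindd-idmap; each rejected SID can then be resolved to a name with "wbinfo -s" as in the post.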
Fernando Ruza
2007-Jul-19 15:10 UTC
[Samba] AD integration: "getent passwd" can't see *new* users, but "wbinfo -u" can
Did you solve it?

I have a similar problem. wbinfo -u gives me a user; however, when I look for it with getent passwd it doesn't appear. With other users everything is correct.

Thanks, Fernando.

On Mon, 12-02-2007 at 01:17 -0500, Noah Dain wrote:
> I have two different systems (on different networks) showing this
> behavior. Both are running Ubuntu Dapper/606.1 LTS with Samba version
> 3.0.22 and Windows 2003 SP1 servers (not R2). AD integration is done
> via winbind, with nss using winbind. At some point in time (which is
> unknown to me), the Samba server stopped seeing new users, groups,
> machines which are added to AD.
>
> scenario:
> I add a new user to AD, say "smbtest". I then look for the user with
> "wbinfo -u", and it shows up. However, it does not show up with
> "getent passwd" (same for groups, "getent group"). If I try to map a
> share to a drive letter, it goes something like this:
>
> C:\WINDOWS>net use h: \\SAMBASRV\smbtest /user:DOMAIN\smbtest password
>
> System error 1326 has occurred.
>
>
> Logon failure: unknown user name or bad password.
>
> (The same results occur for existing shares, so it's not from lack of
> a home directory)
>
> Of particular interest is log.winbindd-idmap. Whenever I try to
> connect as the user smbtest to their home directory or another share,
> this is logged here several times:
>
> [2007/02/11 20:45:40, 0] sam/idmap_rid.c:rid_idmap_get_id_from_sid(485)
> rid_idmap_get_id_from_sid: no suitable range available for sid:
> S-1-5-21-4050315045-3251428658-993335031-3123
>
> "wbinfo -s S-1-5-21-4050315045-3251428658-993335031-3123" returns
> "smbtest" as expected.
> "wbinfo -n smbtest" returns that sid.
> Other users/sids work.
>
> Other stuff I've tried / observed:
>
> "net ads testjoin" looks good.
> Kerberos looks good.
> There are no local accounts within the idmap uid/gid range.
> "/var/lib/samba/winbindd_idmap.tdb" shows no new entries.
> I've restarted samba and winbindd, and the whole machine went down for
> a reboot, but I'm still getting the same behavior.
>
> -- only config files below --
> smb.conf:
>
> [global]
> workgroup = DOMAIN
> realm = DOMAIN
> server string = samba server
> interfaces = eth0
> bind interfaces only = Yes
> security = ADS
> allow trusted domains = No
> obey pam restrictions = Yes
> pam password change = Yes
> log level = 2 winbind:3 passdb:2 auth:2
> log file = /var/log/samba/%m.log
> socket options = TCP_noDELAY SO_RCVBUF=8192 SO_SNDBUF=8192
> load printers = No
> dns proxy = No
> wins server = DC1
> idmap backend = rid:BUILTIN=1000-9999, DOMAIN=10000-60000
> idmap uid = 1000-60000
> idmap gid = 1000-60000
> template homedir = /home/%U
> template shell = /bin/bash
> winbind separator = /
> winbind use default domain = Yes
> winbind nested groups = Yes
> hosts allow = 192.168.1.0/255.255.255.0, 127.
> hosts deny = 0.0.0.0/0.0.0.0
>
> [homes]
> comment = Home Directory
> path = /home/%U
> read only = No
> create mask = 0640
> directory mask = 0750
> browseable = No
>
> /end smb.conf
>
> /etc/nsswitch.conf:
>
> passwd: compat winbind
> group: compat winbind
> shadow: compat winbind
> hosts: files dns mdns
> networks: files
> protocols: db files
> services: db files
> ethers: db files
> rpc: db files
> netgroup: nis
>
> /end nsswitch.conf
>
> --
> Noah Dain
> "The beatings will continue, until moral improves" - the Management

--
Fernando Ruza (fernandor@sescam.jccm.es)
Dto. Informatica
Hospital Universitario de Guadalajara
Tfl: 949 209 215 661 123 845
Linux user: #273644 (http://counter.li.org)
Debian Sid (Kernel 2.6.14.3 & ext3)
-------------------------------------------------------------------
Please do NOT use proprietary file formats such as DOC and XLS for exchanging documents; use HTML, RTF, TXT, CSV or any other format that does not force the use of a program from one particular vendor. Thank you.