David Croft
2007-Aug-15  18:54 UTC
[Samba] Winbind can do everything besides lookup by name
Hi,
I have winbind joined to a Win2003 AD domain with rid idmap backend.
Almost everything's working. wbinfo -u and -g work fine, as does
getent passwd and getent group. I can also getent by ID number. The
only thing I can't do is getent by name, which is preventing logins:
root@services2:/etc/pam.d# net ads testjoin
Join is OK
root@services2:/etc/pam.d# getent passwd | grep david.croft
david.croft:*:11157:10513:David Croft:/home/ntuser/MYDOMAIN/david.croft:/bin/bash
root@services2:/etc/pam.d# getent passwd 11157
david.croft:*:11157:10513:David Croft:/home/ntuser/MYDOMAIN/david.croft:/bin/bash
root@services2:/etc/pam.d# getent passwd david.croft
root@services2:/etc/pam.d# getent group 11155
linux_users:x:11155:david.croft,joe.bloggs
root@services2:/etc/pam.d# getent group linux_users
root@services2:/etc/pam.d#
Here's the debug log (-d 10) from the getent passwd by name:
[2007/08/15 19:34:37, 6] nsswitch/winbindd.c:new_connection(601)
  accepted socket 17
[2007/08/15 19:34:37, 10] nsswitch/winbindd.c:process_request(287)
  process_request: request fn INTERFACE_VERSION
[2007/08/15 19:34:37, 3] nsswitch/winbindd_misc.c:winbindd_interface_version(483)
  [    0]: request interface version
[2007/08/15 19:34:37, 10] nsswitch/winbindd.c:process_request(287)
  process_request: request fn WINBINDD_PRIV_PIPE_DIR
[2007/08/15 19:34:37, 3] nsswitch/winbindd_misc.c:winbindd_priv_pipe_dir(516)
  [    0]: request location of privileged pipe
[2007/08/15 19:34:37, 6] nsswitch/winbindd.c:new_connection(601)
  accepted socket 18
[2007/08/15 19:34:37, 10] nsswitch/winbindd.c:process_request(287)
  process_request: request fn GETPWNAM
[2007/08/15 19:34:37, 3] nsswitch/winbindd_user.c:winbindd_getpwnam(336)
  [    0]: getpwnam david.croft
[2007/08/15 19:34:37, 7] nsswitch/winbindd_user.c:winbindd_getpwnam(352)
  could not find domain entry for domain DAVID.CROFT
Here's the smb.conf:
[global]
        workgroup = MYDOMAIN
        realm = MYDOMAIN.COM
        server string = %h server
        security = ADS
        allow trusted domains = No
        obey pam restrictions = Yes
        password server = mydomain-fs1.mydomain.com
        passdb backend = tdbsam
        passwd program = /usr/bin/passwd %u
        passwd chat = *Enter\snew\sUNIX\spassword:* %n\n *Retype\snew\sUNIX\spassword:* %n\n *password\supdated\ssuccessfully* .
        syslog = 0
        log file = /var/log/samba/log.%m
        max log size = 1000
        dns proxy = No
        panic action = /usr/share/samba/panic-action %d
        idmap backend = rid:MYDOMAIN=10000-100000000
        idmap uid = 10000-100000000
        idmap gid = 10000-100000000
        template homedir = /home/ntuser/%D/%U
        template shell = /bin/bash
        winbind separator
        winbind enum users = Yes
        winbind enum groups = Yes
        winbind use default domain = Yes
        invalid users = root
Here's nsswitch.conf:
passwd:         compat winbind
group:          compat winbind
shadow:         compat
Any thoughts?
Cheers,
David
Gerald (Jerry) Carter
2007-Aug-15  20:47 UTC
[Samba] Winbind can do everything besides lookup by name
David Croft wrote:
> [ 0]: getpwnam david.croft
> could not find domain entry for domain DAVID.CROFT
> ....
> winbind separator
I bet it's this line. Remove that.
cheers, jerry
====================================================================
Samba ------- http://www.samba.org
Centeris ----------- http://www.centeris.com
"What man is a man who does not make the world better?" --Balian
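An added example, not part of the thread and not Samba's source: a small C model of one way an empty separator value could yield the "domain DAVID.CROFT" log line above, where a split on the separator's first character matches the string terminator. The functions `split_domain_user` and `separator_is_valid`, the splitting logic itself, and the sample separators `\` and `+` are assumptions made for illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>
#define NAME_LEN 256

/* Hypothetical model, not Samba source: split "DOMAIN<sep>user" at the first
 * occurrence of the separator's first character (an assumption). */
static int split_domain_user(const char *name, const char *separator,
                             const char *default_domain, char *domain, char *user)
{
    const char *p;
    size_t i, dlen;

    if (strlen(name) >= NAME_LEN || strlen(default_domain) >= NAME_LEN)
        return -1;
    /* With separator "", separator[0] is '\0' and strchr() returns a pointer
     * to name's terminator: a non-NULL "match" at the very end. */
    p = strchr(name, separator[0]);
    if (p == NULL) {
        /* No separator in the name: bare user, fall back to default domain. */
        strcpy(domain, default_domain);
        strcpy(user, name);
    } else {
        dlen = (size_t)(p - name);
        memcpy(domain, name, dlen);
        domain[dlen] = '\0';
        /* Do not step past the terminator when the match was the NUL. */
        strcpy(user, *p ? p + 1 : "");
    }
    for (i = 0; domain[i]; i++)
        domain[i] = (char)toupper((unsigned char)domain[i]);
    return 0;
}

/* Config check: a usable separator is exactly one character. */
static int separator_is_valid(const char *separator)
{
    return separator != NULL && strlen(separator) == 1;
}

int main(void)
{
    const char *seps[] = { "", "\\", "+" };  /* constructed sample values */
    char domain[NAME_LEN], user[NAME_LEN];
    size_t i;
    for (i = 0; i < sizeof seps / sizeof seps[0]; i++) {
        split_domain_user("david.croft", seps[i], "MYDOMAIN", domain, user);
        printf("sep=\"%s\" valid=%d domain=\"%s\" user=\"%s\"\n", seps[i],
               separator_is_valid(seps[i]), domain, user);
    }
    return 0;
}
```

In this model only the empty separator turns the bare name into a domain with an empty user; the other two values leave `david.croft` to be resolved in the default domain.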