Ben Tisdall
2009-Jan-19 16:36 UTC
[Samba] Winbind+nss working on one centOS 5.2 box but not another
Hi all,

I have an odd situation on my hands:

* Two CentOS 5.2 boxes both joined to an AD domain.

* Same samba version (3.0.28-1.el5_2.1) smb.conf, only the netbios names differ

* Can enumerate users and groups using winbind -{u,g} on both.

* nss doesn't enumerate users & groups on one (same lib versions, same conf file).

//bentis@testukmcsstor1//:~$ rpm -qa | grep nss-
nss-tools-3.12.2.0-2.el5.centos
nss-3.12.2.0-2.el5.centos
pkinit-nss-0.7.3-1.el5
nss-3.12.2.0-2.el5.centos

Looks like this may be more of a libnss problem than a samba one, but can anyone suggest how I can start to troubleshoot?

Thanks in advance,

Ben Tisdall
Ben Tisdall
2009-Jan-19 16:59 UTC
[Samba] Update: Winbind+nss working on one centOS 5.2 box but not another
Something is not right with the group mapping, but I am unsure what. getent returns a different primary GID for a given user on each box and the group mapping differs in each case:

Box A:

//user@host//:~$ getent group 10012
OURDOMAIN\domain users:*:10012:

Box B:

//user@host//:~$ getent group 10004
OURDOMAIN\domain users:*:10004:

When I do a long file listing winbindd is printing stuff like this:

[14855]: getpwuid 10082
Added timed event "async_request_timeout": 2ae2266d45b0
child daemon request 51
timed_events_timeout: 299/999987
process_request: request fn DUAL_UID2SID
[14254]: uid to sid 10082
uid = [10082]
Cache entry with key = IDMAP/UID/10082 couldn't be found
Query backends to map ids->sids
Query sids from domain OURDOMAIN
Fetching record UID 10082
Record UID 10082 not found
Query sids from domain SAMBASERVER
pdb_default_uid_to_rid: host has no idea of uid 10082
Storing response for pid 14257, len 3240
Destroying timed event 2ae2266d45b0 "async_request_timeout"
Retrieving response for pid 14257
uid2sid_recv: uid 10082 has sid S-1-22-1-10082
Could not find domain for sid S-1-22-1-10082

Ben Tisdall wrote:
> Hi all,
>
> I have an odd situation on my hands:
>
> * Two CentOS 5.2 boxes both joined to an AD domain.
>
> * Same samba version (3.0.28-1.el5_2.1) smb.conf, only the netbios names
> differ
>
> * Can enumerate users and groups using winbind -{u,g} on both.
>
> * nss doesn't enumerate users & groups on one (same lib versions, same
> conf file).
>
> //bentis@testukmcsstor1//:~$ rpm -qa | grep nss-
> nss-tools-3.12.2.0-2.el5.centos
> nss-3.12.2.0-2.el5.centos
> pkinit-nss-0.7.3-1.el5
> nss-3.12.2.0-2.el5.centos
>
> Looks like this may be more of a libnss problem than a samba one, but
> can anyone suggest how I can start to troubleshoot?
>
> Thanks in advance,
>
> Ben Tisdall
Ben Tisdall
2009-Jan-23 08:47 UTC
[Samba] Update: Winbind+nss working on one centOS 5.2 box but not another
tim clusters wrote:
> What is your id backend? AD or RID? Can you post your smb.conf?

Hi Tim & thanks for replying.

This is a very minimal smb.conf - the history is that it was copied verbatim from a Guardian snap appliance & worked perfectly well on 'Box A'.

workgroup = OURDOMAIN
security = ads
server string = Samba Server Version %v
netbios name = testukmcsstor1
realm = OURDOMAIN.PRIV
idmap uid = 10000-20000
idmap gid = 10000-20000
;interfaces = lo eth0 192.168.12.2/24 192.168.13.2/24
;hosts allow = 127. 10
# logs split per machine
log file = /var/log/samba/log.%m
# max 50KB per log file, then rotate
max log size = 50
preferred master = no
wins support = yes
; wins server = w.x.y.z
; wins proxy = yes
; dns proxy = yes
load printers = yes
cups options = raw
; map archive = no
; map hidden = no
; map read only = no
; map system = no
; store dos attributes = yes
Include = /etc/samba/shares.conf

NB: I can testparm the conf from both boxes & the output diffs perfectly.
Hello all,

I have 2 boxes with identical smb.conf files apart from the netbios name. The contents of the shares have been copied from one to the other preserving the UNIX UIDs/GIDs and both boxes join to the AD domain without problems. The domain sid is the same on both machines.

However, something isn't right with the group mapping:

Box A (shows the correct AD groups with ls -l)

//user@host//:~$ getent group 10012
OURDOMAIN\domain users:*:10012:

Box B (shows mostly UIDs/GIDs with ls -l)

//user@host//:~$ getent group 10004
OURDOMAIN\domain users:*:10004:

Can anyone give me a clue as to where to start looking to debug this?

Many thanks in advance.

Ben Tisdall
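
Added example, not part of the thread or of Samba: a Python check that takes `getent group` output captured on each box and reports group names whose GID differs, and GIDs that resolve to different names, which is what decides who owns files copied with numeric IDs preserved. The `domain users` lines are the ones quoted in the posts; the `example group` lines and the function names are constructed for illustration.

```python
# Added example: compare winbind GID mappings captured from two hosts.
# Input is the text of `getent group` from each box (name:passwd:gid:members).

def parse_getent(text):
    """Return {lowercased group name: gid} from getent group output."""
    mapping = {}
    for line in text.splitlines():
        fields = line.strip().split(":")
        # Skip blank and malformed lines rather than guess at them.
        if len(fields) < 3 or not fields[2].isdigit():
            continue
        # Assumption of this example: names are compared case-insensitively.
        mapping[fields[0].lower()] = int(fields[2])
    return mapping

def compare(box_a, box_b):
    """Return (drift, collisions) between two hosts' group mappings."""
    a, b = parse_getent(box_a), parse_getent(box_b)
    # Same name, different number: the symptom shown in the posts.
    drift = {n: (a[n], b[n]) for n in a.keys() & b.keys() if a[n] != b[n]}
    # Same number, different name: a file copied with its numeric GID
    # preserved is owned by another group on the second box.
    names_a = {g: n for n, g in a.items()}
    names_b = {g: n for n, g in b.items()}
    collisions = {g: (names_a[g], names_b[g])
                  for g in names_a.keys() & names_b.keys()
                  if names_a[g] != names_b[g]}
    return drift, collisions

# Sample input: "domain users" lines are from the thread, the
# "example group" lines are constructed.
BOX_A = r"""
OURDOMAIN\domain users:*:10012:
OURDOMAIN\example group:*:10004:
"""
BOX_B = r"""
OURDOMAIN\domain users:*:10004:
OURDOMAIN\example group:*:10012:
"""

if __name__ == "__main__":
    drift, collisions = compare(BOX_A, BOX_B)
    for name, (gid_a, gid_b) in sorted(drift.items()):
        print(f"{name}: box A gid {gid_a}, box B gid {gid_b}")
    for gid, (name_a, name_b) in sorted(collisions.items()):
        print(f"gid {gid}: box A -> {name_a}, box B -> {name_b}")
```
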