Tomasz Chmielewski
2009-Jan-22 16:54 UTC
[Samba] "getent group" shows AD groups; "getent passwd" only shows local users
I had winbind configured so that it could fetch users from AD.
Everything was working properly, but something happened in the past
couple of days (no change in the Samba config) I'm not able to diagnose.
"getent group" enumerates groups, "getent passwd" doesn't.
"wbinfo -g" returns groups, whereas I get this error when trying to get
users:
# wbinfo -u
Error looking up domain users
# net rpc join -S GNCNET -U user_linux
Password:
Joined domain NUT.
# net ads join -S GNCNET -U user_linux
user_linux's password:
[2009/01/22 10:37:06, 0] utils/net_ads.c:ads_startup_int(286)
ads_connect: No logon servers
Failed to join domain: No logon servers
I see the Samba machine sends and receives packets on port 389 when I do
"getent passwd", but just no users are returned.
Ideas?
This is my smb.conf:
workgroup = NUT
password server = GNCNET
realm = GNCNET.GEORGIANUT.COM
security = ads
idmap uid = 10000-20000
idmap gid = 10000-20000
winbind separator = +
template homedir = /home/%D/cbl
template shell = /bin/bash
winbind use default domain = true
winbind offline logon = false
server string = Samba Server %v
encrypt passwords = Yes
log file = /var/log/samba/log.%m
max log size = 100
log level = 8
os level = 18
local master = No
dns proxy = No
winbind enum users = yes
winbind enum groups = yes
In log.winbindd I can see errors like:
[2009/01/22 10:44:55, 3] libads/ldap.c:ads_do_paged_search_args(696)
ads_do_paged_search_args:
ldap_search_with_timeout((objectCategory=user)) -> Operations error
[2009/01/22 10:44:55, 3]
libads/ldap_utils.c:ads_do_search_retry_internal(76)
Reopening ads connection to realm 'GEORGIANUT.COM' after error
Operations error
[2009/01/22 10:44:55, 5] libads/dns.c:sitename_fetch(677)
sitename_fetch: Returning sitename for georgianut.com:
"Default-First-Site-Name"
[2009/01/22 10:44:55, 6] libads/ldap.c:ads_find_dc(294)
ads_find_dc: looking for realm 'georgianut.com'
[2009/01/22 10:44:55, 8] libsmb/namequery.c:get_sorted_dc_list(1626)
get_sorted_dc_list: attempting lookup for name georgianut.com
(sitename Default-First-Site-Name) using [ads]
--
Tomasz Chmielewski
http://wpkg.org
Brian Gregorcy
2009-Jan-22 23:25 UTC
[Samba] "getent group" shows AD groups; "getent passwd" only shows local users
Tomasz Chmielewski wrote:
> I had winbind configured so that it could fetch users from AD.
> Everything was working properly, but something happened in the past
> couple of days (no change in the Samba config) I'm not able to diagnose.
>
> "getent group" enumerates groups, "getent passwd" doesn't.
>
> "wbinfo -g" returns groups, whereas I get this error when trying to get
> users:
>
> # wbinfo -u
> Error looking up domain users
>
> # net rpc join -S GNCNET -U user_linux
> Password:
> Joined domain NUT.
>
> # net ads join -S GNCNET -U user_linux
> user_linux's password:
> [2009/01/22 10:37:06, 0] utils/net_ads.c:ads_startup_int(286)
> ads_connect: No logon servers
> Failed to join domain: No logon servers
>
>
> I see the Samba machine sends and receives packets on port 389 when I do
> "getent passwd", but just no users are returned.
>
> Ideas?
>
>
> This is my smb.conf:
>
> workgroup = NUT
> password server = GNCNET
> realm = GNCNET.GEORGIANUT.COM
> security = ads
> idmap uid = 10000-20000
> idmap gid = 10000-20000
> winbind separator = +
> template homedir = /home/%D/cbl
> template shell = /bin/bash
> winbind use default domain = true
> winbind offline logon = false
>
> server string = Samba Server %v
> encrypt passwords = Yes
>
> log file = /var/log/samba/log.%m
> max log size = 100
> log level = 8
>
> os level = 18
> local master = No
> dns proxy = No
>
> winbind enum users = yes
> winbind enum groups = yes
>
>
> In log.winbindd I can see errors like:
>
> [2009/01/22 10:44:55, 3] libads/ldap.c:ads_do_paged_search_args(696)
> ads_do_paged_search_args:
> ldap_search_with_timeout((objectCategory=user)) -> Operations error
> [2009/01/22 10:44:55, 3]
> libads/ldap_utils.c:ads_do_search_retry_internal(76)
> Reopening ads connection to realm 'GEORGIANUT.COM' after error
> Operations error
> [2009/01/22 10:44:55, 5] libads/dns.c:sitename_fetch(677)
> sitename_fetch: Returning sitename for georgianut.com:
> "Default-First-Site-Name"
> [2009/01/22 10:44:55, 6] libads/ldap.c:ads_find_dc(294)
> ads_find_dc: looking for realm 'georgianut.com'
> [2009/01/22 10:44:55, 8] libsmb/namequery.c:get_sorted_dc_list(1626)
> get_sorted_dc_list: attempting lookup for name georgianut.com
> (sitename Default-First-Site-Name) using [ads]
>

check that your clock on the linux box matches the clock on the DC.

--Brian