thr3ads.net - samba - [Samba] getent group by name fails [Oct 2013]

If this information is useful, please help other people find it:
Share via:

Lee Allen

2013-Oct-11 14:16 UTC

[Samba] getent group by name fails

Samba 3.6.17 joined to Samba 4.2.0 AD domain, using winbind

'wbinfo -g' and 'getent group' successfully list all groups.
'getent group 10006' returns:
 domain users:x:10006:
'getent group "domain users"' fails with return code 2

partial log.winbind after above command:

[2013/10/11 10:01:31.288199,  3]
winbindd/winbindd_misc.c:384(winbindd_interface_version)
  [31911]: request interface version
[2013/10/11 10:01:31.288288,  3]
winbindd/winbindd_misc.c:417(winbindd_priv_pipe_dir)
  [31911]: request location of privileged pipe
[2013/10/11 10:01:31.288421,  3]
winbindd/winbindd_getgrnam.c:56(winbindd_getgrnam_send)
  getgrnam domain users
[2013/10/11 10:01:31.288520,  3]
winbindd/winbindd_msrpc.c:252(msrpc_name_to_sid)
  msrpc_name_to_sid: name=DOMAIN\USERS
[2013/10/11 10:01:31.288547,  3]
winbindd/winbindd_msrpc.c:266(msrpc_name_to_sid)
  name_to_sid [rpc] DOMAIN\USERS for domain DOMAIN

if I specify the domain name, ie: 'getent group "ALLENLAN\\domain
users"'
it still fails...

[2013/10/11 10:02:18.280728,  3]
winbindd/winbindd_misc.c:384(winbindd_interface_version)
  [31925]: request interface version
[2013/10/11 10:02:18.280823,  3]
winbindd/winbindd_misc.c:417(winbindd_priv_pipe_dir)
  [31925]: request location of privileged pipe
[2013/10/11 10:02:18.280940,  3]
winbindd/winbindd_getgrnam.c:56(winbindd_getgrnam_send)
  getgrnam ALLENLAN\domain users
[2013/10/11 10:02:18.281033,  3]
winbindd/winbindd_msrpc.c:252(msrpc_name_to_sid)
  msrpc_name_to_sid: name=ALLENLAN\DOMAIN\USERS
[2013/10/11 10:02:18.281060,  3]
winbindd/winbindd_msrpc.c:266(msrpc_name_to_sid)
  name_to_sid [rpc] ALLENLAN\DOMAIN\USERS for domain ALLENLAN\DOMAIN

Note the missing space in "DOMAIN\USERS" in the logs.  I don't
know whether
this is relevant.

'getent passwd' does not have any such problems - it can query by UID or
username


smb.conf:

[global]
    workgroup = ALLENLAN
    realm = allenlan.net
    password server = 192.168.0.13
    preferred master = no
    server string = zone-samba3
    security = ads
    encrypt passwords = yes
    log level = 3
    log file = /var/log/samba/%m
    max log size = 50
    printcap name = cups
    printing = cups
    winbind enum users = yes
    winbind enum groups = yes
    winbind use default domain = yes
    winbind nested groups = yes
    winbind separator = \
    idmap config * : backend = ad
    idmap config * : range = 10000-100000


-- 
*Lee Allen*

steve

2013-Oct-11 16:25 UTC

head link

[Samba] getent group by name fails

On Fri, 2013-10-11 at 10:16 -0400, Lee Allen wrote:> Samba 3.6.17 joined to Samba 4.2.0 AD domain, using winbind
> 
> 'wbinfo -g' and 'getent group' successfully list all
groups.
> 'getent group 10006' returns:
>  domain users:x:10006:
> 'getent group "domain users"' fails with return code 2
> 
> partial log.winbind after above command:
> 
> [2013/10/11 10:01:31.288199,  3]
> winbindd/winbindd_misc.c:384(winbindd_interface_version)
>   [31911]: request interface version
> [2013/10/11 10:01:31.288288,  3]
> winbindd/winbindd_misc.c:417(winbindd_priv_pipe_dir)
>   [31911]: request location of privileged pipe
> [2013/10/11 10:01:31.288421,  3]
> winbindd/winbindd_getgrnam.c:56(winbindd_getgrnam_send)
>   getgrnam domain users
> [2013/10/11 10:01:31.288520,  3]
> winbindd/winbindd_msrpc.c:252(msrpc_name_to_sid)
>   msrpc_name_to_sid: name=DOMAIN\USERS
> [2013/10/11 10:01:31.288547,  3]
> winbindd/winbindd_msrpc.c:266(msrpc_name_to_sid)
>   name_to_sid [rpc] DOMAIN\USERS for domain DOMAIN
> 
> if I specify the domain name, ie: 'getent group "ALLENLAN\\domain
users"'
> it still fails...
> 
> [2013/10/11 10:02:18.280728,  3]
> winbindd/winbindd_misc.c:384(winbindd_interface_version)
>   [31925]: request interface version
> [2013/10/11 10:02:18.280823,  3]
> winbindd/winbindd_misc.c:417(winbindd_priv_pipe_dir)
>   [31925]: request location of privileged pipe
> [2013/10/11 10:02:18.280940,  3]
> winbindd/winbindd_getgrnam.c:56(winbindd_getgrnam_send)
>   getgrnam ALLENLAN\domain users
> [2013/10/11 10:02:18.281033,  3]
> winbindd/winbindd_msrpc.c:252(msrpc_name_to_sid)
>   msrpc_name_to_sid: name=ALLENLAN\DOMAIN\USERS
> [2013/10/11 10:02:18.281060,  3]
> winbindd/winbindd_msrpc.c:266(msrpc_name_to_sid)
>   name_to_sid [rpc] ALLENLAN\DOMAIN\USERS for domain ALLENLAN\DOMAIN
> 
> Note the missing space in "DOMAIN\USERS" in the logs.  I
don't know whether
> this is relevant.
> 
> 'getent passwd' does not have any such problems - it can query by
UID or
> username
> 
> 
> smb.conf:
> 
> [global]
>     workgroup = ALLENLAN
>     realm = allenlan.net
>     password server = 192.168.0.13
>     preferred master = no
>     server string = zone-samba3
>     security = ads
>     encrypt passwords = yes
>     log level = 3
>     log file = /var/log/samba/%m
>     max log size = 50
>     printcap name = cups
>     printing = cups
>     winbind enum users = yes
>     winbind enum groups = yes
>     winbind use default domain = yes
>     winbind nested groups = yes
>     winbind separator = \
>     idmap config * : backend = ad
>     idmap config * : range = 10000-100000
Quite a bit missing here. Try:

idmap config * : backend = tdb
idmap config * : range = 9800-9900
idmap config ALLENLAN : default = yes
idmap config ALLENLAN : schema mode = rfc2307
idmap config ALLENLAN : backend = ad
idmap config ALLENLAN : range = 10000-1000000

HTH
Steve

Volker Lendecke

2013-Oct-12 07:53 UTC

head link

[Samba] getent group by name fails

On Fri, Oct 11, 2013 at 10:16:48AM -0400, Lee Allen
wrote:> Samba 3.6.17 joined to Samba 4.2.0 AD domain, using winbind
> 
> 'wbinfo -g' and 'getent group' successfully list all
groups.
> 'getent group 10006' returns:
>  domain users:x:10006:
> 'getent group "domain users"' fails with return code 2
> 
> partial log.winbind after above command:
> 
> [2013/10/11 10:01:31.288199,  3]
> winbindd/winbindd_misc.c:384(winbindd_interface_version)
>   [31911]: request interface version
> [2013/10/11 10:01:31.288288,  3]
> winbindd/winbindd_misc.c:417(winbindd_priv_pipe_dir)
>   [31911]: request location of privileged pipe
> [2013/10/11 10:01:31.288421,  3]
> winbindd/winbindd_getgrnam.c:56(winbindd_getgrnam_send)
>   getgrnam domain users
> [2013/10/11 10:01:31.288520,  3]
> winbindd/winbindd_msrpc.c:252(msrpc_name_to_sid)
>   msrpc_name_to_sid: name=DOMAIN\USERS
> [2013/10/11 10:01:31.288547,  3]
> winbindd/winbindd_msrpc.c:266(msrpc_name_to_sid)
>   name_to_sid [rpc] DOMAIN\USERS for domain DOMAIN
> 
> if I specify the domain name, ie: 'getent group "ALLENLAN\\domain
users"'
> it still fails...
> 
> [2013/10/11 10:02:18.280728,  3]
> winbindd/winbindd_misc.c:384(winbindd_interface_version)
>   [31925]: request interface version
> [2013/10/11 10:02:18.280823,  3]
> winbindd/winbindd_misc.c:417(winbindd_priv_pipe_dir)
>   [31925]: request location of privileged pipe
> [2013/10/11 10:02:18.280940,  3]
> winbindd/winbindd_getgrnam.c:56(winbindd_getgrnam_send)
>   getgrnam ALLENLAN\domain users
> [2013/10/11 10:02:18.281033,  3]
> winbindd/winbindd_msrpc.c:252(msrpc_name_to_sid)
>   msrpc_name_to_sid: name=ALLENLAN\DOMAIN\USERS
> [2013/10/11 10:02:18.281060,  3]
> winbindd/winbindd_msrpc.c:266(msrpc_name_to_sid)
>   name_to_sid [rpc] ALLENLAN\DOMAIN\USERS for domain ALLENLAN\DOMAIN
> 
> Note the missing space in "DOMAIN\USERS" in the logs.  I
don't know whether
> this is relevant.
> 
> 'getent passwd' does not have any such problems - it can query by
UID or
> username
> 
> 
> smb.conf:
> 
> [global]
>     workgroup = ALLENLAN
>     realm = allenlan.net
>     password server = 192.168.0.13
>     preferred master = no
>     server string = zone-samba3
>     security = ads
>     encrypt passwords = yes
>     log level = 3
>     log file = /var/log/samba/%m
>     max log size = 50
>     printcap name = cups
>     printing = cups
>     winbind enum users = yes
>     winbind enum groups = yes
>     winbind use default domain = yes
Please try without "winbind use default domain = yes"
>     winbind nested groups = yes
>     winbind separator = \
Just a wild guess: Can you try removing this line? \ is
default.

If that does not help, please send us full debug level 10
logs of that command together with the output of

strace -ttT -s 1000 -o /tmp/getent.out getent group "domain users"

Regards,

Volker

-- 
SerNet GmbH, Bahnhofsallee 1b, 37081 G?ttingen
phone: +49-551-370000-0, fax: +49-551-370000-9
AG G?ttingen, HRB 2816, GF: Dr. Johannes Loxen
http://www.sernet.de, mailto:kontakt at sernet.de

*****************************************************************
visit us on it-sa:IT security exhibitions in N?rnberg, Germany
October 8th - 10th 2013, hall 12, booth 333
free tickets available via code 270691 on: www.it-sa.de/gutschein
******************************************************************

Reasonably Related Threads

Search for more seemingly similar threads

samba - Oct 2013 - getent group by name fails

[Samba] getent group by name fails

[Samba] getent group by name fails

[Samba] getent group by name fails

Reasonably Related Threads