Rowland Penny
2015-Apr-14 14:20 UTC
[Samba] wbinfo -u/-g/-n works, but not 'wbinfo -i' or 'id'
On 14/04/15 14:59, Adam Tauno Williams wrote:
> On Thu, 2014-10-30 at 13:41 -0300, Horacio G. de Oro wrote:
>> Hi! I'm trying to add a member to be used as fileserver, following the
>> guides at:
>> - https://wiki.samba.org/index.php/Setup_a_Samba_AD_Member_Server
>> - https://wiki.samba.org/index.php/Using_RFC2307_on_a_Samba_DC
>>
>> The AD server has been in use for month, but I can't get user
>> information from the new member. The new member was joined to the
>> directory, and nsswitch was configured. Running 'id username' returns
>> 'No such user'.
>>
>> Running 'wbinfo -u' and 'wbinfo -g', 'wbinfo -n username' and 'wbinfo
>> --sid-to-uid' works OK. Also 'wbinfo --online-status' and 'wbinfo
>> --ping-dc'
>>
>> But, when I try 'id username', or 'wbinfo -i username', it fails with
>> WBC_ERR_DOMAIN_NOT_FOUND
>>
>> $ wbinfo -i username
>> failed to call wbcGetpwnam: WBC_ERR_DOMAIN_NOT_FOUND
>> Could not get info for user username
>>
>> $ wbinfo -n username
>> S-1-5-21-3087569779-2873525441-767630994-1118 SID_USER (1)
>>
>> And using '--sid-to-uid' I got the UID:
>>
>> $ wbinfo --sid-to-uid S-1-5-21-3087569779-2873525441-767630994-1118
>> 10000
>>
>> Servers ? Web Development in Python & Java ? DevOps ? Big Data
>
> I am experiencing much the same issue; wbinfo -u/-g works but getent
> passwd/group only contains a very partial user list and querying a
> specific user causes the WBC_ERR_DOMAIN_NOT_FOUND error. Although
> otherwise the domain is functional and there are active workstations.
>
> Did you ever identify a solution?
>

It should work, it sounds like a mis-configuration somewhere, can you post the smb.conf, /etc/nsswitch.conf, /etc/resolv.conf and /etc/krb5.conf from the member server?

Rowland
Adam Tauno Williams
2015-Apr-14 19:59 UTC
[Samba] wbinfo -u/-g/-n works, but not 'wbinfo -i' or 'id'
On Tue, 2015-04-14 at 15:20 +0100, Rowland Penny wrote:
> On 14/04/15 14:59, Adam Tauno Williams wrote:
> > On Thu, 2014-10-30 at 13:41 -0300, Horacio G. de Oro wrote:
> >> Hi! I'm trying to add a member to be used as fileserver, following the
> >> guides at:
> >> - https://wiki.samba.org/index.php/Setup_a_Samba_AD_Member_Server
> >> - https://wiki.samba.org/index.php/Using_RFC2307_on_a_Samba_DC
> >>
> >> The AD server has been in use for month, but I can't get user
> >> information from the new member. The new member was joined to the
> >> directory, and nsswitch was configured. Running 'id username' returns
> >> 'No such user'.
> >>
> >> Running 'wbinfo -u' and 'wbinfo -g', 'wbinfo -n username' and 'wbinfo
> >> --sid-to-uid' works OK. Also 'wbinfo --online-status' and 'wbinfo
> >> --ping-dc'
> >>
> >> But, when I try 'id username', or 'wbinfo -i username', it fails with
> >> WBC_ERR_DOMAIN_NOT_FOUND
> >>
> >> $ wbinfo -i username
> >> failed to call wbcGetpwnam: WBC_ERR_DOMAIN_NOT_FOUND
> >> Could not get info for user username
> >>
> >> $ wbinfo -n username
> >> S-1-5-21-3087569779-2873525441-767630994-1118 SID_USER (1)
> >>
> >> And using '--sid-to-uid' I got the UID:
> >>
> >> $ wbinfo --sid-to-uid S-1-5-21-3087569779-2873525441-767630994-1118
> >> 10000
> >>
> >> Servers ? Web Development in Python & Java ? DevOps ? Big Data
> >
> > I am experiencing much the same issue; wbinfo -u/-g works but getent
> > passwd/group only contains a very partial user list and querying a
> > specific user causes the WBC_ERR_DOMAIN_NOT_FOUND error. Although
> > otherwise the domain is functional and there are active workstations.
> >
> > Did you ever identify a solution?
>
> It should work, it sounds like a mis-configuration somewhere, can you
> post the smb.conf, /etc/nsswitch.conf, /etc/resolv.conf and
> /etc/krb5.conf from the member server?

"wbinfo -u" lists 415 lines

"getent passwd" returns 93 lines

A host configured to use nslcd and LDAP directory returns 560 lines for "getent passwd".

Samba on client is sernet-samba-4.1.17-11.el6.x86_64, AD DCs are all sernet-samba-4.0.21-7.el6.x86_64

[root at barbel profiles]# wbinfo -i cleslie
failed to call wbcGetpwnam: WBC_ERR_WINBIND_NOT_AVAILABLE

/etc/samba/smb.conf
###################

idmap_ldb:use rfc2307 = yes
idmap config *:backend = tdb
idmap config *:range = 4000001-4999999
idmap config BACKBONE:backend = ad
idmap config BACKBONE:schema_mode = rfc2307
idmap config BACKBONE:range = 100-400000

winbind nss info = rfc2307
winbind trusted domains only = no
winbind use default domain = yes
winbind enum users = yes
winbind enum groups = yes
winbind refresh tickets = Yes
winbind expand groups = 4
winbind normalize names = Yes
domain master = no
local master = no
vfs objects = acl_xattr
map acl inherit = Yes
store dos attributes = Yes

--
Adam Tauno Williams <mailto:awilliam at whitemice.org> GPG D95ED383
Systems Administrator, Python Developer, LPI / NCLA
Rowland Penny
2015-Apr-14 20:49 UTC
[Samba] wbinfo -u/-g/-n works, but not 'wbinfo -i' or 'id'
On 14/04/15 20:59, Adam Tauno Williams wrote:
> On Tue, 2015-04-14 at 15:20 +0100, Rowland Penny wrote:
>> On 14/04/15 14:59, Adam Tauno Williams wrote:
>>> On Thu, 2014-10-30 at 13:41 -0300, Horacio G. de Oro wrote:
>>>> Hi! I'm trying to add a member to be used as fileserver, following the
>>>> guides at:
>>>> - https://wiki.samba.org/index.php/Setup_a_Samba_AD_Member_Server
>>>> - https://wiki.samba.org/index.php/Using_RFC2307_on_a_Samba_DC
>>>>
>>>> The AD server has been in use for month, but I can't get user
>>>> information from the new member. The new member was joined to the
>>>> directory, and nsswitch was configured. Running 'id username' returns
>>>> 'No such user'.
>>>>
>>>> Running 'wbinfo -u' and 'wbinfo -g', 'wbinfo -n username' and 'wbinfo
>>>> --sid-to-uid' works OK. Also 'wbinfo --online-status' and 'wbinfo
>>>> --ping-dc'
>>>>
>>>> But, when I try 'id username', or 'wbinfo -i username', it fails with
>>>> WBC_ERR_DOMAIN_NOT_FOUND
>>>>
>>>> $ wbinfo -i username
>>>> failed to call wbcGetpwnam: WBC_ERR_DOMAIN_NOT_FOUND
>>>> Could not get info for user username
>>>>
>>>> $ wbinfo -n username
>>>> S-1-5-21-3087569779-2873525441-767630994-1118 SID_USER (1)
>>>>
>>>> And using '--sid-to-uid' I got the UID:
>>>>
>>>> $ wbinfo --sid-to-uid S-1-5-21-3087569779-2873525441-767630994-1118
>>>> 10000
>>>>
>>>> Servers ? Web Development in Python & Java ? DevOps ? Big Data
>>>
>>> I am experiencing much the same issue; wbinfo -u/-g works but getent
>>> passwd/group only contains a very partial user list and querying a
>>> specific user causes the WBC_ERR_DOMAIN_NOT_FOUND error. Although
>>> otherwise the domain is functional and there are active workstations.
>>>
>>> Did you ever identify a solution?
>>
>> It should work, it sounds like a mis-configuration somewhere, can you
>> post the smb.conf, /etc/nsswitch.conf, /etc/resolv.conf and
>> /etc/krb5.conf from the member server?
>
> "wbinfo -u" lists 415 lines
>
> "getent passwd" returns 93 lines
>
> A host configured to use nslcd and LDAP directory returns 560 lines for
> "getent passwd".
>
> Samba on client is sernet-samba-4.1.17-11.el6.x86_64, AD DCs are all
> sernet-samba-4.0.21-7.el6.x86_64
>
> [root at barbel profiles]# wbinfo -i cleslie
> failed to call wbcGetpwnam: WBC_ERR_WINBIND_NOT_AVAILABLE
>
>
> /etc/samba/smb.conf
> ###################
>
> idmap_ldb:use rfc2307 = yes
> idmap config *:backend = tdb
> idmap config *:range = 4000001-4999999
> idmap config BACKBONE:backend = ad
> idmap config BACKBONE:schema_mode = rfc2307
> idmap config BACKBONE:range = 100-400000
>
> winbind nss info = rfc2307
> winbind trusted domains only = no
> winbind use default domain = yes
> winbind enum users = yes
> winbind enum groups = yes
> winbind refresh tickets = Yes
> winbind expand groups = 4
> winbind normalize names = Yes
> domain master = no
> local master = no
> vfs objects = acl_xattr
> map acl inherit = Yes
> store dos attributes = Yes
>
>

Is this the smb.conf from the AD DC or the member server? If it is the latter, you don't need this:

idmap_ldb:use rfc2307 = yes

It should only be on the DC.

wbinfo connects to the AD DC differently to the way getent does, so the fact that another machine lists the users shows that the backend is set up correctly (unless nslcd is creating the IDs on the fly).

winbind relies on the uidNumber & gidNumber attributes being in smb.conf and the attributes being inside the range you set in smb.conf '100-400000' (by the way, you do know that this could pull in some of the local system users).

What are the 'passwd' & 'group' lines in /etc/nsswitch.conf?

What is in /etc/krb5.conf?

What Kerberos have you got installed? (don't know if this makes any difference, but would be good to know)

Does /etc/resolv.conf point to the samba4 AD DC?

Can you 'kinit' as Administrator? And as a normal user?

Finally, why 'whitemice'???

Rowland
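
An added example, not part of any post in this thread and not Samba project code: a Python check that audits the idmap lines posted above for the range issues raised in the reply (overlapping ranges, a domain range that covers local system IDs, the DC-only `idmap_ldb` line on a member server) and lists accounts whose uidNumber is missing or outside the `ad` backend's range, which that backend filters out. The function names, the local ID set and the account-to-uidNumber mapping passed in are assumptions for illustration.

```python
import re

# Constructed sample: the idmap lines from the smb.conf posted in the thread.
SMB_CONF = """\
idmap_ldb:use rfc2307 = yes
idmap config *:backend = tdb
idmap config *:range = 4000001-4999999
idmap config BACKBONE:backend = ad
idmap config BACKBONE:schema_mode = rfc2307
idmap config BACKBONE:range = 100-400000
"""

IDMAP_RE = re.compile(r"^\s*idmap config\s+([^:\s]+)\s*:\s*([^=]+?)\s*=\s*(.*?)\s*$", re.I)

def parse_idmap(text):
    """Return {domain: {option: value}} from 'idmap config DOM:opt = val' lines."""
    domains = {}
    for line in text.splitlines():
        m = IDMAP_RE.match(line)
        if m:
            dom, opt, val = m.groups()
            domains.setdefault(dom.upper(), {})[opt.lower()] = val
    return domains

def id_range(cfg):
    return tuple(int(x) for x in cfg["range"].split("-"))

def audit(text, local_ids, is_member=True):
    """Flag the range problems discussed in the thread (hypothetical helper)."""
    findings = []
    ranges = {d: id_range(c) for d, c in parse_idmap(text).items() if "range" in c}
    names = sorted(ranges)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if ranges[a][0] <= ranges[b][1] and ranges[b][0] <= ranges[a][1]:
                findings.append(f"overlap: {a} and {b}")
    for d, (low, high) in ranges.items():
        hit = sorted(i for i in local_ids if low <= i <= high)
        if hit:
            findings.append(f"local-collision: {d} range covers local IDs {hit}")
    if is_member and re.search(r"^\s*idmap_ldb:use rfc2307\s*=\s*yes", text, re.M | re.I):
        findings.append("dc-only: 'idmap_ldb:use rfc2307' set on a member")
    return findings

def unresolvable(text, domain, directory_ids):
    """Accounts whose uidNumber is unset (None) or outside the domain's range."""
    low, high = id_range(parse_idmap(text)[domain.upper()])
    return sorted(u for u, n in directory_ids.items() if n is None or not low <= n <= high)
```

Feed `audit` the UIDs and GIDs from the member's local `/etc/passwd` and `/etc/group`, and feed `unresolvable` a mapping of account name to uidNumber exported from the directory; accounts it returns are candidates for the gap between the `wbinfo -u` and `getent passwd` counts.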