On Wed, 22 Apr 2015, Andrey Repin wrote:

> Greetings, Peter Ross!

Greetings, Andrey!

>> for a while I am running a Samba 4.1 AD server under FreeBSD (from the
>> FreeBSD ports). At the moment the domain has ca. 20 Windows 7 desktops.
>
>> I wanted to add a Samba 4.1 file server as a member server, was able to
>> join the domain and see AD users via "winbind -u"
>
>> but "getent password" or "id <user>" does not work.
>
> Sounds quite familiar...
>
>> The smb4.conf follows
>
>> https://wiki.samba.org/index.php/Setup_a_Samba_AD_Member_Server
>
>> I added RFC2307 attributes to the AD server according to
>
>> https://wiki.samba.org/index.php/Using_RFC2307_on_a_Samba_DC
>
>> and installed RSAT on a Windows 7 desktop. I can see and manipulate "Unix
>> Attributes" (giving UIDs/GIDs from 10000 upwards) and see them in the LDAP
>> dump.
>
>> In /etc/nsswitch.conf I have
>
>> passwd: compat winbind
>> group: compat winbind

Moved back (tried before) to

passwd: files winbind
group: files winbind

because of this in auth.log:

2015-04-23T11:50:42.800676+10:00 filetest1.vv.fda sshd[98179]: NSSWITCH(nsparser): /etc/nsswitch.conf line 16: 'compat' used with sources, other than 'cache'

but the latter does not work either.

2015-04-23T12:05:31.804932+10:00 filetest1.vv.fda sshd[99725]: NSSWITCH(_nsdispatch): winbind, passwd, endpwent, not found, and no fallback provided

"getent passwd" and "id pross" do not bother to ask winbind, it seems. Only "winbind -u" initiates network traffic to the AD server, to ask for the list.

The name of the NSS library bothers me, really "nss_winbind.so.1" without a "lib"? Given there was a bug before (https://bugzilla.samba.org/show_bug.cgi?id=9704)

Or does it have to do with the path (under FreeBSD ports install under /usr/local)?

I will dig into NSS a bit. It was "just works" until now so I never bothered to look for details there.

The IDs in AD seem to be okay, I see them in ldsearch and they are in the right range.

Regards
Peter
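The two nsswitch.conf variants above fail differently: FreeBSD's nsparser rejects 'compat' combined with any source other than 'cache', and a passwd/group line that never lists winbind will never reach it. The following is an added example, not code from the thread or from Samba, that applies those two checks to a constructed sample file; parse_nsswitch and check_winbind_nsswitch are names chosen for illustration.

```python
# Constructed sample shaped like the first nsswitch.conf in the thread
# (passwd/group: compat winbind); not the poster's real file.
SAMPLE_NSSWITCH = """\
# /etc/nsswitch.conf (constructed sample)
hosts: files dns
passwd: compat winbind
group: compat winbind
"""

def parse_nsswitch(text):
    """Map database name -> (line number, [sources]); comments and
    bracketed [status=action] criteria are ignored."""
    dbs = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line or ":" not in line:
            continue
        db, _, rest = line.partition(":")
        sources = [s for s in rest.split() if not s.startswith("[")]
        dbs[db.strip()] = (lineno, sources)
    return dbs

def check_winbind_nsswitch(text):
    """Findings for the passwd and group databases: the FreeBSD nsparser
    complaint quoted in the thread ('compat' combined with anything but
    'cache'), and lines that never list winbind at all."""
    findings = []
    dbs = parse_nsswitch(text)
    for db in ("passwd", "group"):
        if db not in dbs:
            findings.append(f"{db}: no entry in nsswitch.conf")
            continue
        lineno, sources = dbs[db]
        others = [s for s in sources if s not in ("compat", "cache")]
        if "compat" in sources and others:
            findings.append(f"line {lineno}: 'compat' used with sources other "
                            f"than 'cache' ({' '.join(others)})")
        if "winbind" not in sources:
            findings.append(f"line {lineno}: {db} never consults winbind")
    return findings

if __name__ == "__main__":
    for finding in check_winbind_nsswitch(SAMPLE_NSSWITCH) or ["no findings"]:
        print(finding)
```

Point it at the real file with check_winbind_nsswitch(open("/etc/nsswitch.conf").read()); the "files winbind" form Peter moved to produces no findings.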
Hi Andrey and all,

problem solved but part of the mystery remains:

It has to do with the root shell!!

On Thu, 23 Apr 2015, Peter Ross wrote:

>>> for a while I am running a Samba 4.1 AD server under FreeBSD (from the
>>> FreeBSD ports). At the moment the domain has ca. 20 Windows 7 desktops.
>>
>>> I wanted to add a Samba 4.1 file server as a member server, was able to
>>> join the domain and see AD users via "winbind -u"
>>
>>> but "getent password" or "id <user>" does not work.
>>
> In nsswitch.conf
>
> passwd: files winbind
> group: files winbind
>
> In auth.log:
>
> 2015-04-23T12:05:31.804932+10:00 filetest1.vv.fda sshd[99725]:
> NSSWITCH(_nsdispatch): winbind, passwd, endpwent, not found, and no fallback
> provided

I found this here googling for the error:

-----------------------------------------
http://freebsd.1045724.n5.nabble.com/NSS-ldap-errors-td5891855.html

I'm trying to implement net/nss-pam-ldapd on 9.2-RELEASE, and hitting
some NSS issues
..
This is related to using bash-static as root's shell. As well as setting
non root users login shell to bash-static.

The "I have no name" user name issue and the getpwuid* calls failing
have to do with the fact that bash-static can not load some library, but
my memory is lost on the exact library and details. I wasted a bunch of
time on this in 7.2-RELEASE and it took a while to debug this. Using a
standard port of bash or any other shell resolved this for me.
-----------------------------------------

Well, I have my root shell changed to /bin/sh..

Changing the root shell back to /etc/csh works:

$ id pross
uid=10000(pross) gid=10000(domain_users) groups=10000(domain_users)

Both shells are dynamically linked under my FreeBSD-10 system.

$ file /bin/sh
/bin/sh: ELF 64-bit LSB executable, x86-64, version 1 (FreeBSD), dynamically linked, interpreter /libexec/ld-elf.so.1, for FreeBSD 10.1 (1001512), stripped
$ file /bin/csh
/bin/csh: ELF 64-bit LSB executable, x86-64, version 1 (FreeBSD), dynamically linked, interpreter /libexec/ld-elf.so.1, for FreeBSD 10.1 (1001512), stripped

So, it has obviously to do with the shell, shell environment and dynamic libraries.

I can live with this but.. it would be better not to have it (especially for others - I am not the first with this problem)

I have to admit I do not understand 100% how the NSS is setup that it relies on the root shell.

It nearly seems to me that FreeBSD's base system is "to blame" or can the samba port take care of it so the problem does not occur?

Well, maybe I should have not done the root shell change but it works for a while by now..

FreeBSD provides a second UID 0 login, toor, maybe I should have used this for things where I prefer sh. Mainly because of running more complicated commands (while $foo; do for i in $is; do..) using this shell, and if I give them as parameters to a remote ssh with a csh it becomes a nightmare..

Regards
Peter
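The file(1) output above distinguishes a dynamically linked shell (which can load nss_winbind at run time) from a static one (which cannot) by the presence of an interpreter, i.e. a PT_INTERP program header. The following added example, not part of the thread, reads that header directly from an ELF64 image; elf_interpreter, shell_interpreter and the build_fake_elf64 test-image builder are names and constructed data chosen for illustration.

```python
import struct

PT_INTERP = 3  # program header type carrying the dynamic loader path

def elf_interpreter(elf_bytes):
    """Return the dynamic loader path of an ELF64 image, or None when there
    is no PT_INTERP segment (i.e. the binary is statically linked). This is
    what file(1) reports as 'interpreter /libexec/ld-elf.so.1' above."""
    if elf_bytes[:4] != b"\x7fELF":
        raise ValueError("not an ELF image")
    if elf_bytes[4] != 2:
        raise ValueError("only ELF64 is handled here")
    end = "<" if elf_bytes[5] == 1 else ">"          # EI_DATA: 1 = little-endian
    (e_phoff,) = struct.unpack_from(end + "Q", elf_bytes, 0x20)
    e_phentsize, e_phnum = struct.unpack_from(end + "HH", elf_bytes, 0x36)
    for i in range(e_phnum):
        off = e_phoff + i * e_phentsize
        p_type, _flags, p_offset, _va, _pa, p_filesz = struct.unpack_from(
            end + "IIQQQQ", elf_bytes, off)
        if p_type == PT_INTERP:
            return elf_bytes[p_offset:p_offset + p_filesz].rstrip(b"\x00").decode()
    return None

def shell_interpreter(path):
    """Inspect a login shell on disk, e.g. shell_interpreter('/bin/sh')."""
    with open(path, "rb") as fh:
        return elf_interpreter(fh.read())

def build_fake_elf64(interp=None):
    """Constructed minimal ELF64 image (FreeBSD OSABI 9) with a single
    program header: PT_INTERP naming `interp` when given, else PT_LOAD.
    Test data only; it is not a runnable executable."""
    ident = b"\x7fELF" + bytes([2, 1, 1, 9]) + b"\x00" * 8
    phoff, phentsize = 64, 56
    ehdr = ident + struct.pack("<HHIQQQIHHHHHH", 2, 62, 1, 0x400000,
                               phoff, 0, 0, 64, phentsize, 1, 64, 0, 0)
    body = interp.encode() + b"\x00" if interp else b""
    phdr = struct.pack("<IIQQQQQQ", PT_INTERP if interp else 1, 4,
                       phoff + phentsize, 0, 0, len(body), len(body), 1)
    return ehdr + phdr + body

if __name__ == "__main__":
    print(elf_interpreter(build_fake_elf64("/libexec/ld-elf.so.1")))  # dynamically linked
    print(elf_interpreter(build_fake_elf64()))                        # None: static
```

Run shell_interpreter on root's shell from /etc/master.passwd to see whether it can load NSS modules at all; a None result is the bash-static situation the quoted nabble post describes.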
Greetings, Peter Ross!

> problem solved but part of the mystery remains:

> It has to do with the root shell!!

Oh? I'm no expert, but I could probably explain it.
If you're using a statically linked shell (busybox comes to mind), you are locked to whatever libs have been linked in at the compile time.

Also re: your previous wonder about library name, it may differ between distributions. As you predicted, it needs some digging to find the right name, if it doesn't work OOB.

> On Thu, 23 Apr 2015, Peter Ross wrote:

>>>> for a while I am running a Samba 4.1 AD server under FreeBSD (from the
>>>> FreeBSD ports). At the moment the domain has ca. 20 Windows 7 desktops.
>>>
>>>> I wanted to add a Samba 4.1 file server as a member server, was able to
>>>> join the domain and see AD users via "winbind -u"
>>>
>>>> but "getent password" or "id <user>" does not work.
>>>
>> In nsswitch.conf
>>
>> passwd: files winbind
>> group: files winbind
>>
>> In auth.log:
>>
>> 2015-04-23T12:05:31.804932+10:00 filetest1.vv.fda sshd[99725]:
>> NSSWITCH(_nsdispatch): winbind, passwd, endpwent, not found, and no fallback
>> provided

> I found this here googling for the error:

> -----------------------------------------
> http://freebsd.1045724.n5.nabble.com/NSS-ldap-errors-td5891855.html

> I'm trying to implement net/nss-pam-ldapd on 9.2-RELEASE, and hitting
> some NSS issues
> ..
> This is related to using bash-static as root's shell. As well as setting
> non root users login shell to bash-static.

> The "I have no name" user name issue and the getpwuid* calls failing
> have to do with the fact that bash-static can not load some library, but
> my memory is lost on the exact library and details. I wasted a bunch of
> time on this in 7.2-RELEASE and it took a while to debug this. Using a
> standard port of bash or any other shell resolved this for me.
> -----------------------------------------

> Well, I have my root shell changed to /bin/sh..

> Changing the root shell back to /etc/csh works:

> $ id pross
> uid=10000(pross) gid=10000(domain_users) groups=10000(domain_users)

> Both shells are dynamically linked under my FreeBSD-10 system.

> $ file /bin/sh
> /bin/sh: ELF 64-bit LSB executable, x86-64, version 1 (FreeBSD),
> dynamically linked, interpreter /libexec/ld-elf.so.1, for FreeBSD 10.1
> (1001512), stripped
> $ file /bin/csh
> /bin/csh: ELF 64-bit LSB executable, x86-64, version 1 (FreeBSD),
> dynamically linked, interpreter /libexec/ld-elf.so.1, for FreeBSD 10.1
> (1001512), stripped

> So, it has obviously to do with the shell, shell environment and dynamic
> libraries.

> I can live with this but.. it would be better not to have it (especially
> for others - I am not the first with this problem)

> I have to admit I do not understand 100% how the NSS is setup that it
> relies on the root shell.

> It nearly seems to me that FreeBSD's base system is "to blame" or can the
> samba port take care of it so the problem does not occur?

> Well, maybe I should have not done the root shell change but it works for
> a while by now..

> FreeBSD provides a second UID 0 login, toor, maybe I should have used this
> for things where I prefer sh. Mainly because of running more complicated
> commands (while $foo; do for i in $is; do..) using this shell, and if I
> give them as parameters to a remote ssh with a csh it becomes a
> nightmare..

--
With best regards,
Andrey Repin
Friday, April 24, 2015 00:18:28

Sorry for my terrible English...