Hi all,

I'm using Ubuntu 14.04 samba 4.1.6 packages, attempting to set up a server for file shares AD clients can use. My previous setup was a simple AD join with a user map file (1 to 1 AD to unix user) that I've been migrating for approximately 7 years, and with the last 2003 AD server removed from the network it stopped working (2008 R2 DC's now).

After approximately 2 weeks of varying results (including a working config for 24 hours), I seem to have come full circle to 'non functional' again.

I'm able to join the domain using either net ads join -k or net ads join -u Administrator

wbinfo -u - Gives me a list of domain users
wbinfo -g - Gives a list of domain groups

wbinfo -i Administrator | wbinfo -i CAG\\Administrator | wbinfo -i CAG+Administrator all return
failed to call wbcGetgrnam: WBC_ERR_DOMAIN_NOT_FOUND
Could not get info for <blah>

and getent passwd only returns local+nis users.

I see a _lot_ of posts about this via google but few with solutions.

SFU is (was?) functional and pushing uid and gid's, and at several points in the last two weeks getent passwd|group has been functional

Any suggestions appreciated.

Thanks

Carl Gherardi

smb.conf:
[global]
workgroup = CAG
security = ADS
realm = CAG.DOMAIN.NAME
netbios aliases = gong
dedicated keytab file = /etc/krb5.keytab
kerberos method = secrets and keytab

idmap config *:backend = tdb
idmap config *:range = 500-999
idmap config CAG:backend = ad
idmap config CAG:range = 1000-99999

idmap config CAG:schema_mode = rfc2307
winbind nss info = rfc2307

winbind trusted domains only = no
winbind use default domain = no
winbind nested groups = yes
winbind enum users = yes
winbind enum groups = yes
winbind refresh tickets = Yes
winbind expand groups = 4
winbind normalize names = Yes
domain master = no
local master = no
dns proxy = no
log level = 3 auth:10 winbind:3

nsswitch.conf

passwd: compat winbind nis
group: compat winbind nis

On 04/05/15 04:02, Carl Gherardi wrote:
> Hi all,
>
> I'm using Ubuntu 14.04 samba 4.1.6 packages, attempting to set up a server
> for file shares AD clients can use. My previous setup was a simple AD join
> with a user map file (1 to 1 AD to unix user) that I've been migrating for
> approximately 7 years, and with the last 2003 AD server removed from the
> network it stopped working (2008 R2 DC's now).
>
> After approximately 2 weeks of varying results (including a working config
> for 24 hours), I seem to have come full circle to 'non functional' again.
>
> I'm able to join the domain using either net ads join -k or net ads join -u
> Administrator
>
> wbinfo -u - Gives me a list of domain users
> wbinfo -g - Gives a list of domain groups
>
> wbinfo -i Administrator | wbinfo -i CAG\\Administrator | wbinfo -i
> CAG+Administrator all return
> failed to call wbcGetgrnam: WBC_ERR_DOMAIN_NOT_FOUND
> Could not get info for <blah>

I use Linux Mint 17 and this doesn't work for me either, so I wouldn't worry.

>
> and getent passwd only returns local+nis users.

This is where you can start worrying :-)

>
> I see a _lot_ of posts about this via google but few with solutions.
>
> SFU is (was?) functional and pushing uid and gid's, and at several points
> in the last two weeks getent passwd|group has been functional

So, if it was working, what have you changed, or had changed for you by an update?

Can you check that a user you expect to show up via 'getent passwd username' does in fact still have a uidNumber attribute containing a number between 1000-99999 (also do you have any local users?)

Can you also check that 'Domain Users' (at least) has a gidNumber attribute containing a number between 1000-99999 (again, do you have any local groups?)

Rowland

>
> Any suggestions appreciated.
>
> Thanks
>
> Carl Gherardi
>
> smb.conf:
> [global]
> workgroup = CAG
> security = ADS
> realm = CAG.DOMAIN.NAME
> netbios aliases = gong
> dedicated keytab file = /etc/krb5.keytab
> kerberos method = secrets and keytab
>
> idmap config *:backend = tdb
> idmap config *:range = 500-999
> idmap config CAG:backend = ad
> idmap config CAG:range = 1000-99999
>
> idmap config CAG:schema_mode = rfc2307
> winbind nss info = rfc2307
>
> winbind trusted domains only = no
> winbind use default domain = no
> winbind nested groups = yes
> winbind enum users = yes
> winbind enum groups = yes
> winbind refresh tickets = Yes
> winbind expand groups = 4
> winbind normalize names = Yes
> domain master = no
> local master = no
> dns proxy = no
> log level = 3 auth:10 winbind:3
>
> nsswitch.conf
>
> passwd: compat winbind nis
> group: compat winbind nis

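The two attribute checks suggested in the reply above, as an added example that is not part of the thread or of Samba: it reads the CAG idmap range from the posted smb.conf lines and classifies each account's uidNumber (users) or gidNumber (groups) as ok, missing or out of range. The directory records are constructed sample data (account names, objectClass values and ID numbers are assumptions); in practice they would come from an LDAP query against the DC.

```python
import re

# idmap lines copied from the smb.conf posted in the thread.
SMB_CONF = """\
idmap config *:range = 500-999
idmap config CAG:range = 1000-99999
"""
# Constructed sample of directory attributes; names and numbers are made up.
SAMPLE_LDIF = """\
sAMAccountName: Domain Users
objectClass: group
gidNumber: 10000

sAMAccountName: alice
objectClass: user
uidNumber: 10001

sAMAccountName: bob
objectClass: user

sAMAccountName: legacy
objectClass: user
uidNumber: 612
"""

def idmap_range(conf, domain):
    """Return (low, high) from 'idmap config DOMAIN:range = low-high'."""
    pat = rf"^\s*idmap config\s+{re.escape(domain)}\s*:\s*range\s*=\s*(\d+)\s*-\s*(\d+)"
    m = re.search(pat, conf, re.MULTILINE | re.IGNORECASE)
    if m is None:
        raise ValueError(f"no idmap range configured for {domain}")
    return int(m.group(1)), int(m.group(2))

def parse_entries(ldif):
    """Split blank-line separated 'attr: value' records into dicts."""
    return [dict(line.split(": ", 1) for line in block.splitlines())
            for block in ldif.strip().split("\n\n")]

def check_ids(entries, low, high):
    """Map account name -> status of gidNumber (groups) or uidNumber (users)."""
    out = {}
    for e in entries:
        v = e.get("gidNumber" if e.get("objectClass") == "group" else "uidNumber")
        in_range = v is not None and v.isdigit() and low <= int(v) <= high
        out[e["sAMAccountName"]] = "ok" if in_range else "missing" if v is None else "out of range"
    return out

if __name__ == "__main__":
    print(check_ids(parse_entries(SAMPLE_LDIF), *idmap_range(SMB_CONF, "CAG")))
```

An account reported as missing or out of range is one the ad backend has no usable ID for under the posted range, which is the condition the reply asks to rule out.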
Daniel Carrasco Marín
2015-May-04 11:38 UTC
[Samba] wbinfo -u -g work, wbinfo -i and getent fail
2015-05-04 13:01 GMT+02:00 Rowland Penny <rowlandpenny at googlemail.com>:

> On 04/05/15 04:02, Carl Gherardi wrote:
>
>> Hi all,
>>
>> I'm using Ubuntu 14.04 samba 4.1.6 packages, attempting to set up a server
>> for file shares AD clients can use. My previous setup was a simple AD join
>> with a user map file (1 to 1 AD to unix user) that I've been migrating for
>> approximately 7 years, and with the last 2003 AD server removed from the
>> network it stopped working (2008 R2 DC's now).
>>
>> After approximately 2 weeks of varying results (including a working config
>> for 24 hours), I seem to have come full circle to 'non functional' again.
>>
>> I'm able to join the domain using either net ads join -k or net ads join
>> -u
>> Administrator
>>
>> wbinfo -u - Gives me a list of domain users
>> wbinfo -g - Gives a list of domain groups
>>
>> wbinfo -i Administrator | wbinfo -i CAG\\Administrator | wbinfo -i
>> CAG+Administrator all return
>> failed to call wbcGetgrnam: WBC_ERR_DOMAIN_NOT_FOUND
>> Could not get info for <blah>
>>
>
> I use Linux Mint 17 and this doesn't work for me either, so I wouldn't
> worry.
>
>
>> and getent passwd only returns local+nis users.
>>
>
> This is where you can start worrying :-)
>
>
>> I see a _lot_ of posts about this via google but few with solutions.
>>
>> SFU is (was?) functional and pushing uid and gid's, and at several points
>> in the last two weeks getent passwd|group has been functional
>>
>
> So, if it was working, what have you changed, or had changed for you by an
> update?
>
> Can you check that a user you expect to show up via 'getent passwd
> username' does in fact still have a uidNumber attribute containing a number
> between 1000-99999 (also do you have any local users?)
>
> Can you also check that 'Domain Users' (at least) has a gidNumber
> attribute containing a number between 1000-99999 (again, do you have any
> local groups?)
>
> Rowland
>
>
>
>> Any suggestions appreciated.
>>
>> Thanks
>>
>> Carl Gherardi
>>
>> smb.conf:
>> [global]
>> workgroup = CAG
>> security = ADS
>> realm = CAG.DOMAIN.NAME
>> netbios aliases = gong
>> dedicated keytab file = /etc/krb5.keytab
>> kerberos method = secrets and keytab
>>
>> idmap config *:backend = tdb
>> idmap config *:range = 500-999
>> idmap config CAG:backend = ad
>> idmap config CAG:range = 1000-99999
>>
>> idmap config CAG:schema_mode = rfc2307
>> winbind nss info = rfc2307
>>
>> winbind trusted domains only = no
>> winbind use default domain = no
>> winbind nested groups = yes
>> winbind enum users = yes
>> winbind enum groups = yes
>> winbind refresh tickets = Yes
>> winbind expand groups = 4
>> winbind normalize names = Yes
>> domain master = no
>> local master = no
>> dns proxy = no
>> log level = 3 auth:10 winbind:3
>>
>> nsswitch.conf
>>
>> passwd: compat winbind nis
>> group: compat winbind nis
>>
>

I'm getting similar behavior on my server, but it is working fine. Have you tried other tools? For me:

"wbinfo -u -g" works.
"wbinfo -i user" works.
"wbinfo -i group" fails with that error.
"getent passwd" works and shows local and AD users.
"getent group" only shows local groups.

but other tools work perfectly:

"chown user:group file" works perfectly.
"getent group groupname" works
"getent passwd user" works
Permissions on CUPS using domain groups are working too.

Try those tools, because maybe it is working fine even if getent doesn't show the users/groups and wbinfo -i is failing.

Greetings!!