Le 22/06/2015 13:23, Rowland Penny a ?crit :> On 22/06/15 11:59, Marc Recht? wrote: >> Sorry I forgot the /etc/samba/smb.conf: >> >> [global] >> >> workgroup = STUDELEC-SA >> server string = Samba Server Version %v >> >> ; netbios name = MYSERVER >> >> ; interfaces = lo eth0 192.168.12.2/24 192.168.13.2/24 >> ; hosts allow = 127. 192.168.12. 192.168.13. >> >> ; max protocol = SMB2 >> >> # log files split per-machine: >> log file = /var/log/samba/smb.log >> # maximum size of 50KB per log file, then rotate: >> max log size = 50 >> >> log level = winbind:9 >> # ----------------------- Domain Members Options >> ------------------------ >> >> security = ADS >> realm = STUDELEC-SA.COM >> server role = member server >> dedicated keytab file = /etc/krb5.keytab >> kerberos method = secrets and keytab >> >> idmap config *:backend = tdb >> idmap config *:range = 2000-9999 >> idmap config STUDELEC-SA:backend = ad >> idmap config STUDELEC-SA:schema_mode = rfc2307 >> idmap config STUDELEC-SA:range = 10000-99999 >> >> winbind nss info = rfc2307 >> winbind trusted domains only = no >> winbind use default domain = yes >> winbind enum users = yes >> winbind enum groups = yes >> winbind refresh tickets = Yes >> winbind expand groups = 4 >> winbind normalize names = Yes >> domain master = no >> local master = no >> vfs objects = acl_xattr >> map acl inherit = Yes >> store dos attributes = Yes >> >> >> >> OK, issuing this command: >> >> $ getent passwd tunix >> >> Produces in /var/log/log.wb-STUDELEC-SA: >> >> 2015/06/22 12:32:37.473115, 4] >> ../source3/winbindd/winbindd_dual.c:1346(child_handler) >> Finished processing child request 20 >> [2015/06/22 12:32:37.473241, 4] >> ../source3/winbindd/winbindd_dual.c:1338(child_handler) >> child daemon request 20 >> [2015/06/22 12:32:37.473278, 3] >> ../source3/winbindd/winbindd_misc.c:161(winbindd_dual_list_trusted_domains) >> [27699]: list trusted domains >> [2015/06/22 12:32:37.473301, 3] >> ../source3/winbindd/winbindd_ads.c:1427(trusted_domains) >> ads: trusted_domains >> [2015/06/22 12:32:37.474261, 4] >> ../source3/winbindd/winbindd_dual.c:1346(child_handler) >> Finished processing child request 20 >> [2015/06/22 12:34:23.262925, 4] >> ../source3/winbindd/winbindd_dual.c:1338(child_handler) >> child daemon request 59 >> [2015/06/22 12:34:23.263078, 3] >> ../source3/winbindd/winbindd_msrpc.c:252(msrpc_name_to_sid) >> msrpc_name_to_sid: name=STUDELEC-SA\TUNIX >> [2015/06/22 12:34:23.263178, 3] >> ../source3/winbindd/winbindd_msrpc.c:266(msrpc_name_to_sid) >> name_to_sid [rpc] STUDELEC-SA\TUNIX for domain STUDELEC-SA >> [2015/06/22 12:34:23.267421, 4] >> ../source3/winbindd/winbindd_dual.c:1346(child_handler) >> Finished processing child request 59 >> [2015/06/22 12:34:23.267684, 4] >> ../source3/winbindd/winbindd_dual.c:1338(child_handler) >> child daemon request 59 >> [2015/06/22 12:34:23.267767, 3] >> ../source3/winbindd/winbindd_ads.c:605(query_user) >> ads: query_user >> [2015/06/22 12:34:23.329798, 3] >> ../source3/winbindd/winbindd_ads.c:730(query_user) >> ads query_user gave tunix >> [2015/06/22 12:34:23.329862, 4] >> ../source3/winbindd/winbindd_dual.c:1346(child_handler) >> Finished processing child request 59 >> [2015/06/22 12:34:23.330027, 4] >> ../source3/winbindd/winbindd_dual.c:1338(child_handler) >> child daemon request 59 >> [2015/06/22 12:34:23.330068, 3] >> ../source3/winbindd/winbindd_msrpc.c:300(msrpc_sid_to_name) >> msrpc_sid_to_name: S-1-5-21-497920593-2320919703-1315762108-513 for >> domain STUDELEC-SA >> [2015/06/22 12:34:23.331468, 5] >> ../source3/winbindd/winbindd_msrpc.c:320(msrpc_sid_to_name) >> Mapped sid to [STUDELEC-SA]\[Utilisateurs du domaine] >> [2015/06/22 12:34:23.331501, 5] >> ../source3/winbindd/winbindd_cache.c:1184(resolve_username_to_alias) >> resolve_username_to_alias: backend query returned >> NT_STATUS_INVALID_PARAMETER >> [2015/06/22 12:34:23.331528, 5] >> ../source3/winbindd/winbindd_msrpc.c:328(msrpc_sid_to_name) >> returning mapped name -- Utilisateurs_du_domaine >> [2015/06/22 12:34:23.331563, 4] >> ../source3/winbindd/winbindd_dual.c:1346(child_handler) >> Finished processing child request 59 >> [2015/06/22 12:34:23.331698, 4] >> ../source3/winbindd/winbindd_dual.c:1338(child_handler) >> child daemon request 59 >> [2015/06/22 12:34:23.332704, 4] >> ../source3/winbindd/winbindd_dual.c:1346(child_handler) >> Finished processing child request 59 >> [2015/06/22 12:37:37.501433, 4] >> ../source3/winbindd/winbindd_dual.c:1338(child_handler) >> child daemon request 20 >> [2015/06/22 12:37:37.501560, 3] >> ../source3/winbindd/winbindd_misc.c:161(winbindd_dual_list_trusted_domains) >> [27699]: list trusted domains >> [2015/06/22 12:37:37.501598, 3] >> ../source3/winbindd/winbindd_ads.c:1427(trusted_domains) >> ads: trusted_domains >> [2015/06/22 12:37:37.503225, 4] >> ../source3/winbindd/winbindd_dual.c:1346(child_handler) >> Finished processing child request 20 >> [2015/06/22 12:42:37.505184, 4] >> ../source3/winbindd/winbindd_dual.c:1338(child_handler) >> child daemon request 20 >> [2015/06/22 12:42:37.505292, 3] >> ../source3/winbindd/winbindd_misc.c:161(winbindd_dual_list_trusted_domains) >> [27699]: list trusted domains >> [2015/06/22 12:42:37.505325, 3] >> ../source3/winbindd/winbindd_ads.c:1427(trusted_domains) >> ads: trusted_domains >> [2015/06/22 12:42:37.506940, 4] >> ../source3/winbindd/winbindd_dual.c:1346(child_handler) >> Finished processing child request 20 >> >> >> >> Le 22/06/2015 09:56, Rowland Penny a ?crit : >>> On 22/06/15 07:38, Marc Recht? wrote: >>>> Hello, >>>> >>>> Trying to set up an AD member server, I am stuck on nsswitch not >>>> working. >>>> >>>> wbinfo -u returns the list of domain users, but getent passwd <some >>>> user> always fails (exit 2) >>>> >>>> /etc/nsswitch.conf >>>> passwd: files winbind >>>> shadow: files winbind >>>> group: files winbind >>>> >>>> $ ls -l /usr/lib64/libnss_w* >>>> lrwxrwxrwx 1 root root 19 23 f?vr. 14:39 >>>> /usr/lib64/libnss_winbind.so -> libnss_winbind.so.2 >>>> -rwxr-xr-x 1 root root 19224 23 f?vr. 14:40 >>>> /usr/lib64/libnss_winbind.so.2 >>>> lrwxrwxrwx 1 root root 16 23 f?vr. 14:39 /usr/lib64/libnss_wins.so >>>> -> libnss_wins.so.2 >>>> -rwxr-xr-x 1 root root 10976 23 f?vr. 14:40 >>>> /usr/lib64/libnss_wins.so.2 >>>> >>>> System is Fedora 21 64-bit with up to date packages >>>> >>>> Thanks >>>> >>> >>> I think you are going to have to give us a bit more info, just telling >>> us it doesn't work, isn't enough. >>> >>> smb.conf, anything in the logs etc >>> >>> Rowland >>> >> >> >> >> > > OK, every thing looks correct in smb.conf, though you don't need: > > server role = member server > winbind trusted domains only = no > > So I suppose the next question is, what is the member server joined to ? > > If it is a Samba4 AD DC, then have you given your users a gidNumber > attribute and have you given 'Domain Users' (at least) a gidNumber > attribute ? These numbers need to be inside the range set in your > smb.conf '10000-99999', anything outside these numbers will be ignored. > > If it is a windows AD DC, then is IDMU installed, if it is, then > uidNumbers, gidNumbers as above. > > RowlandServer is MS Windows 2000 What is IDMU ? We have made sure NIS Extension is installed and that "tunix" uid/gid have been set to 10000/10000. But others users (groups) have not been set, especially "Domain Users" (Utilisateurs_du_domaine in my log). Setting its GID value in UNIX Tab solved the issue ! May be the Wiki could stress on that particular point. Thanks for your help. Marc
On 22/06/15 13:19, Marc Rechte wrote:> > > Le 22/06/2015 13:23, Rowland Penny a ?crit : >> On 22/06/15 11:59, Marc Recht? wrote: >>> Sorry I forgot the /etc/samba/smb.conf: >>> >>> [global] >>> >>> workgroup = STUDELEC-SA >>> server string = Samba Server Version %v >>> >>> ; netbios name = MYSERVER >>> >>> ; interfaces = lo eth0 192.168.12.2/24 192.168.13.2/24 >>> ; hosts allow = 127. 192.168.12. 192.168.13. >>> >>> ; max protocol = SMB2 >>> >>> # log files split per-machine: >>> log file = /var/log/samba/smb.log >>> # maximum size of 50KB per log file, then rotate: >>> max log size = 50 >>> >>> log level = winbind:9 >>> # ----------------------- Domain Members Options >>> ------------------------ >>> >>> security = ADS >>> realm = STUDELEC-SA.COM >>> server role = member server >>> dedicated keytab file = /etc/krb5.keytab >>> kerberos method = secrets and keytab >>> >>> idmap config *:backend = tdb >>> idmap config *:range = 2000-9999 >>> idmap config STUDELEC-SA:backend = ad >>> idmap config STUDELEC-SA:schema_mode = rfc2307 >>> idmap config STUDELEC-SA:range = 10000-99999 >>> >>> winbind nss info = rfc2307 >>> winbind trusted domains only = no >>> winbind use default domain = yes >>> winbind enum users = yes >>> winbind enum groups = yes >>> winbind refresh tickets = Yes >>> winbind expand groups = 4 >>> winbind normalize names = Yes >>> domain master = no >>> local master = no >>> vfs objects = acl_xattr >>> map acl inherit = Yes >>> store dos attributes = Yes >>> >>> >>> >>> OK, issuing this command: >>> >>> $ getent passwd tunix >>> >>> Produces in /var/log/log.wb-STUDELEC-SA: >>> >>> 2015/06/22 12:32:37.473115, 4] >>> ../source3/winbindd/winbindd_dual.c:1346(child_handler) >>> Finished processing child request 20 >>> [2015/06/22 12:32:37.473241, 4] >>> ../source3/winbindd/winbindd_dual.c:1338(child_handler) >>> child daemon request 20 >>> [2015/06/22 12:32:37.473278, 3] >>> ../source3/winbindd/winbindd_misc.c:161(winbindd_dual_list_trusted_domains) >>> [27699]: list trusted domains >>> [2015/06/22 12:32:37.473301, 3] >>> ../source3/winbindd/winbindd_ads.c:1427(trusted_domains) >>> ads: trusted_domains >>> [2015/06/22 12:32:37.474261, 4] >>> ../source3/winbindd/winbindd_dual.c:1346(child_handler) >>> Finished processing child request 20 >>> [2015/06/22 12:34:23.262925, 4] >>> ../source3/winbindd/winbindd_dual.c:1338(child_handler) >>> child daemon request 59 >>> [2015/06/22 12:34:23.263078, 3] >>> ../source3/winbindd/winbindd_msrpc.c:252(msrpc_name_to_sid) >>> msrpc_name_to_sid: name=STUDELEC-SA\TUNIX >>> [2015/06/22 12:34:23.263178, 3] >>> ../source3/winbindd/winbindd_msrpc.c:266(msrpc_name_to_sid) >>> name_to_sid [rpc] STUDELEC-SA\TUNIX for domain STUDELEC-SA >>> [2015/06/22 12:34:23.267421, 4] >>> ../source3/winbindd/winbindd_dual.c:1346(child_handler) >>> Finished processing child request 59 >>> [2015/06/22 12:34:23.267684, 4] >>> ../source3/winbindd/winbindd_dual.c:1338(child_handler) >>> child daemon request 59 >>> [2015/06/22 12:34:23.267767, 3] >>> ../source3/winbindd/winbindd_ads.c:605(query_user) >>> ads: query_user >>> [2015/06/22 12:34:23.329798, 3] >>> ../source3/winbindd/winbindd_ads.c:730(query_user) >>> ads query_user gave tunix >>> [2015/06/22 12:34:23.329862, 4] >>> ../source3/winbindd/winbindd_dual.c:1346(child_handler) >>> Finished processing child request 59 >>> [2015/06/22 12:34:23.330027, 4] >>> ../source3/winbindd/winbindd_dual.c:1338(child_handler) >>> child daemon request 59 >>> [2015/06/22 12:34:23.330068, 3] >>> ../source3/winbindd/winbindd_msrpc.c:300(msrpc_sid_to_name) >>> msrpc_sid_to_name: S-1-5-21-497920593-2320919703-1315762108-513 >>> for domain STUDELEC-SA >>> [2015/06/22 12:34:23.331468, 5] >>> ../source3/winbindd/winbindd_msrpc.c:320(msrpc_sid_to_name) >>> Mapped sid to [STUDELEC-SA]\[Utilisateurs du domaine] >>> [2015/06/22 12:34:23.331501, 5] >>> ../source3/winbindd/winbindd_cache.c:1184(resolve_username_to_alias) >>> resolve_username_to_alias: backend query returned >>> NT_STATUS_INVALID_PARAMETER >>> [2015/06/22 12:34:23.331528, 5] >>> ../source3/winbindd/winbindd_msrpc.c:328(msrpc_sid_to_name) >>> returning mapped name -- Utilisateurs_du_domaine >>> [2015/06/22 12:34:23.331563, 4] >>> ../source3/winbindd/winbindd_dual.c:1346(child_handler) >>> Finished processing child request 59 >>> [2015/06/22 12:34:23.331698, 4] >>> ../source3/winbindd/winbindd_dual.c:1338(child_handler) >>> child daemon request 59 >>> [2015/06/22 12:34:23.332704, 4] >>> ../source3/winbindd/winbindd_dual.c:1346(child_handler) >>> Finished processing child request 59 >>> [2015/06/22 12:37:37.501433, 4] >>> ../source3/winbindd/winbindd_dual.c:1338(child_handler) >>> child daemon request 20 >>> [2015/06/22 12:37:37.501560, 3] >>> ../source3/winbindd/winbindd_misc.c:161(winbindd_dual_list_trusted_domains) >>> [27699]: list trusted domains >>> [2015/06/22 12:37:37.501598, 3] >>> ../source3/winbindd/winbindd_ads.c:1427(trusted_domains) >>> ads: trusted_domains >>> [2015/06/22 12:37:37.503225, 4] >>> ../source3/winbindd/winbindd_dual.c:1346(child_handler) >>> Finished processing child request 20 >>> [2015/06/22 12:42:37.505184, 4] >>> ../source3/winbindd/winbindd_dual.c:1338(child_handler) >>> child daemon request 20 >>> [2015/06/22 12:42:37.505292, 3] >>> ../source3/winbindd/winbindd_misc.c:161(winbindd_dual_list_trusted_domains) >>> [27699]: list trusted domains >>> [2015/06/22 12:42:37.505325, 3] >>> ../source3/winbindd/winbindd_ads.c:1427(trusted_domains) >>> ads: trusted_domains >>> [2015/06/22 12:42:37.506940, 4] >>> ../source3/winbindd/winbindd_dual.c:1346(child_handler) >>> Finished processing child request 20 >>> >>> >>> >>> Le 22/06/2015 09:56, Rowland Penny a ?crit : >>>> On 22/06/15 07:38, Marc Recht? wrote: >>>>> Hello, >>>>> >>>>> Trying to set up an AD member server, I am stuck on nsswitch not >>>>> working. >>>>> >>>>> wbinfo -u returns the list of domain users, but getent passwd <some >>>>> user> always fails (exit 2) >>>>> >>>>> /etc/nsswitch.conf >>>>> passwd: files winbind >>>>> shadow: files winbind >>>>> group: files winbind >>>>> >>>>> $ ls -l /usr/lib64/libnss_w* >>>>> lrwxrwxrwx 1 root root 19 23 f?vr. 14:39 >>>>> /usr/lib64/libnss_winbind.so -> libnss_winbind.so.2 >>>>> -rwxr-xr-x 1 root root 19224 23 f?vr. 14:40 >>>>> /usr/lib64/libnss_winbind.so.2 >>>>> lrwxrwxrwx 1 root root 16 23 f?vr. 14:39 /usr/lib64/libnss_wins.so >>>>> -> libnss_wins.so.2 >>>>> -rwxr-xr-x 1 root root 10976 23 f?vr. 14:40 >>>>> /usr/lib64/libnss_wins.so.2 >>>>> >>>>> System is Fedora 21 64-bit with up to date packages >>>>> >>>>> Thanks >>>>> >>>> >>>> I think you are going to have to give us a bit more info, just telling >>>> us it doesn't work, isn't enough. >>>> >>>> smb.conf, anything in the logs etc >>>> >>>> Rowland >>>> >>> >>> >>> >>> >> >> OK, every thing looks correct in smb.conf, though you don't need: >> >> server role = member server >> winbind trusted domains only = no >> >> So I suppose the next question is, what is the member server joined to ? >> >> If it is a Samba4 AD DC, then have you given your users a gidNumber >> attribute and have you given 'Domain Users' (at least) a gidNumber >> attribute ? These numbers need to be inside the range set in your >> smb.conf '10000-99999', anything outside these numbers will be ignored. >> >> If it is a windows AD DC, then is IDMU installed, if it is, then >> uidNumbers, gidNumbers as above. >> >> Rowland > > Server is MS Windows 2000 > > What is IDMU ?IDMU = Identity Management for UNIX, but because you are using windows 2000 (why???) it will be called 'Services for UNIX' or SFU> We have made sure NIS Extension is installed and that "tunix" uid/gid > have been set to 10000/10000. But others users (groups) have not been > set, especially "Domain Users" (Utilisateurs_du_domaine in my log). > Setting its GID value in UNIX Tab solved the issue !Ah, it sounds like you have created a group called 'tunix' in AD, if you have, please remove it, you shouldn't have personal groups in AD. You *must* give 'Domain Users' a gidNumber, winbind will not work without it, try using the 10000 you have removed from the tunix group. Rowland> > May be the Wiki could stress on that particular point. > > > Thanks for your help. > > Marc
Le 22/06/2015 14:53, Rowland Penny a ?crit :> On 22/06/15 13:19, Marc Rechte wrote: >> >> >> Le 22/06/2015 13:23, Rowland Penny a ?crit : >>> On 22/06/15 11:59, Marc Recht? wrote: >>>> Sorry I forgot the /etc/samba/smb.conf: >>>> >>>> [global] >>>> >>>> workgroup = STUDELEC-SA >>>> server string = Samba Server Version %v >>>> >>>> ; netbios name = MYSERVER >>>> >>>> ; interfaces = lo eth0 192.168.12.2/24 192.168.13.2/24 >>>> ; hosts allow = 127. 192.168.12. 192.168.13. >>>> >>>> ; max protocol = SMB2 >>>> >>>> # log files split per-machine: >>>> log file = /var/log/samba/smb.log >>>> # maximum size of 50KB per log file, then rotate: >>>> max log size = 50 >>>> >>>> log level = winbind:9 >>>> # ----------------------- Domain Members Options >>>> ------------------------ >>>> >>>> security = ADS >>>> realm = STUDELEC-SA.COM >>>> server role = member server >>>> dedicated keytab file = /etc/krb5.keytab >>>> kerberos method = secrets and keytab >>>> >>>> idmap config *:backend = tdb >>>> idmap config *:range = 2000-9999 >>>> idmap config STUDELEC-SA:backend = ad >>>> idmap config STUDELEC-SA:schema_mode = rfc2307 >>>> idmap config STUDELEC-SA:range = 10000-99999 >>>> >>>> winbind nss info = rfc2307 >>>> winbind trusted domains only = no >>>> winbind use default domain = yes >>>> winbind enum users = yes >>>> winbind enum groups = yes >>>> winbind refresh tickets = Yes >>>> winbind expand groups = 4 >>>> winbind normalize names = Yes >>>> domain master = no >>>> local master = no >>>> vfs objects = acl_xattr >>>> map acl inherit = Yes >>>> store dos attributes = Yes >>>> >>>> >>>> >>>> OK, issuing this command: >>>> >>>> $ getent passwd tunix >>>> >>>> Produces in /var/log/log.wb-STUDELEC-SA: >>>> >>>> 2015/06/22 12:32:37.473115, 4] >>>> ../source3/winbindd/winbindd_dual.c:1346(child_handler) >>>> Finished processing child request 20 >>>> [2015/06/22 12:32:37.473241, 4] >>>> ../source3/winbindd/winbindd_dual.c:1338(child_handler) >>>> child daemon request 20 >>>> [2015/06/22 12:32:37.473278, 3] >>>> ../source3/winbindd/winbindd_misc.c:161(winbindd_dual_list_trusted_domains) >>>> [27699]: list trusted domains >>>> [2015/06/22 12:32:37.473301, 3] >>>> ../source3/winbindd/winbindd_ads.c:1427(trusted_domains) >>>> ads: trusted_domains >>>> [2015/06/22 12:32:37.474261, 4] >>>> ../source3/winbindd/winbindd_dual.c:1346(child_handler) >>>> Finished processing child request 20 >>>> [2015/06/22 12:34:23.262925, 4] >>>> ../source3/winbindd/winbindd_dual.c:1338(child_handler) >>>> child daemon request 59 >>>> [2015/06/22 12:34:23.263078, 3] >>>> ../source3/winbindd/winbindd_msrpc.c:252(msrpc_name_to_sid) >>>> msrpc_name_to_sid: name=STUDELEC-SA\TUNIX >>>> [2015/06/22 12:34:23.263178, 3] >>>> ../source3/winbindd/winbindd_msrpc.c:266(msrpc_name_to_sid) >>>> name_to_sid [rpc] STUDELEC-SA\TUNIX for domain STUDELEC-SA >>>> [2015/06/22 12:34:23.267421, 4] >>>> ../source3/winbindd/winbindd_dual.c:1346(child_handler) >>>> Finished processing child request 59 >>>> [2015/06/22 12:34:23.267684, 4] >>>> ../source3/winbindd/winbindd_dual.c:1338(child_handler) >>>> child daemon request 59 >>>> [2015/06/22 12:34:23.267767, 3] >>>> ../source3/winbindd/winbindd_ads.c:605(query_user) >>>> ads: query_user >>>> [2015/06/22 12:34:23.329798, 3] >>>> ../source3/winbindd/winbindd_ads.c:730(query_user) >>>> ads query_user gave tunix >>>> [2015/06/22 12:34:23.329862, 4] >>>> ../source3/winbindd/winbindd_dual.c:1346(child_handler) >>>> Finished processing child request 59 >>>> [2015/06/22 12:34:23.330027, 4] >>>> ../source3/winbindd/winbindd_dual.c:1338(child_handler) >>>> child daemon request 59 >>>> [2015/06/22 12:34:23.330068, 3] >>>> ../source3/winbindd/winbindd_msrpc.c:300(msrpc_sid_to_name) >>>> msrpc_sid_to_name: S-1-5-21-497920593-2320919703-1315762108-513 >>>> for domain STUDELEC-SA >>>> [2015/06/22 12:34:23.331468, 5] >>>> ../source3/winbindd/winbindd_msrpc.c:320(msrpc_sid_to_name) >>>> Mapped sid to [STUDELEC-SA]\[Utilisateurs du domaine] >>>> [2015/06/22 12:34:23.331501, 5] >>>> ../source3/winbindd/winbindd_cache.c:1184(resolve_username_to_alias) >>>> resolve_username_to_alias: backend query returned >>>> NT_STATUS_INVALID_PARAMETER >>>> [2015/06/22 12:34:23.331528, 5] >>>> ../source3/winbindd/winbindd_msrpc.c:328(msrpc_sid_to_name) >>>> returning mapped name -- Utilisateurs_du_domaine >>>> [2015/06/22 12:34:23.331563, 4] >>>> ../source3/winbindd/winbindd_dual.c:1346(child_handler) >>>> Finished processing child request 59 >>>> [2015/06/22 12:34:23.331698, 4] >>>> ../source3/winbindd/winbindd_dual.c:1338(child_handler) >>>> child daemon request 59 >>>> [2015/06/22 12:34:23.332704, 4] >>>> ../source3/winbindd/winbindd_dual.c:1346(child_handler) >>>> Finished processing child request 59 >>>> [2015/06/22 12:37:37.501433, 4] >>>> ../source3/winbindd/winbindd_dual.c:1338(child_handler) >>>> child daemon request 20 >>>> [2015/06/22 12:37:37.501560, 3] >>>> ../source3/winbindd/winbindd_misc.c:161(winbindd_dual_list_trusted_domains) >>>> [27699]: list trusted domains >>>> [2015/06/22 12:37:37.501598, 3] >>>> ../source3/winbindd/winbindd_ads.c:1427(trusted_domains) >>>> ads: trusted_domains >>>> [2015/06/22 12:37:37.503225, 4] >>>> ../source3/winbindd/winbindd_dual.c:1346(child_handler) >>>> Finished processing child request 20 >>>> [2015/06/22 12:42:37.505184, 4] >>>> ../source3/winbindd/winbindd_dual.c:1338(child_handler) >>>> child daemon request 20 >>>> [2015/06/22 12:42:37.505292, 3] >>>> ../source3/winbindd/winbindd_misc.c:161(winbindd_dual_list_trusted_domains) >>>> [27699]: list trusted domains >>>> [2015/06/22 12:42:37.505325, 3] >>>> ../source3/winbindd/winbindd_ads.c:1427(trusted_domains) >>>> ads: trusted_domains >>>> [2015/06/22 12:42:37.506940, 4] >>>> ../source3/winbindd/winbindd_dual.c:1346(child_handler) >>>> Finished processing child request 20 >>>> >>>> >>>> >>>> Le 22/06/2015 09:56, Rowland Penny a ?crit : >>>>> On 22/06/15 07:38, Marc Recht? wrote: >>>>>> Hello, >>>>>> >>>>>> Trying to set up an AD member server, I am stuck on nsswitch not >>>>>> working. >>>>>> >>>>>> wbinfo -u returns the list of domain users, but getent passwd <some >>>>>> user> always fails (exit 2) >>>>>> >>>>>> /etc/nsswitch.conf >>>>>> passwd: files winbind >>>>>> shadow: files winbind >>>>>> group: files winbind >>>>>> >>>>>> $ ls -l /usr/lib64/libnss_w* >>>>>> lrwxrwxrwx 1 root root 19 23 f?vr. 14:39 >>>>>> /usr/lib64/libnss_winbind.so -> libnss_winbind.so.2 >>>>>> -rwxr-xr-x 1 root root 19224 23 f?vr. 14:40 >>>>>> /usr/lib64/libnss_winbind.so.2 >>>>>> lrwxrwxrwx 1 root root 16 23 f?vr. 14:39 >>>>>> /usr/lib64/libnss_wins.so >>>>>> -> libnss_wins.so.2 >>>>>> -rwxr-xr-x 1 root root 10976 23 f?vr. 14:40 >>>>>> /usr/lib64/libnss_wins.so.2 >>>>>> >>>>>> System is Fedora 21 64-bit with up to date packages >>>>>> >>>>>> Thanks >>>>>> >>>>> >>>>> I think you are going to have to give us a bit more info, just >>>>> telling >>>>> us it doesn't work, isn't enough. >>>>> >>>>> smb.conf, anything in the logs etc >>>>> >>>>> Rowland >>>>> >>>> >>>> >>>> >>>> >>> >>> OK, every thing looks correct in smb.conf, though you don't need: >>> >>> server role = member server >>> winbind trusted domains only = no >>> >>> So I suppose the next question is, what is the member server joined >>> to ? >>> >>> If it is a Samba4 AD DC, then have you given your users a gidNumber >>> attribute and have you given 'Domain Users' (at least) a gidNumber >>> attribute ? These numbers need to be inside the range set in your >>> smb.conf '10000-99999', anything outside these numbers will be ignored. >>> >>> If it is a windows AD DC, then is IDMU installed, if it is, then >>> uidNumbers, gidNumbers as above. >>> >>> Rowland >> >> Server is MS Windows 2000 >> >> What is IDMU ? > > IDMU = Identity Management for UNIX, but because you are using windows > 2000 (why???) it will be called 'Services for UNIX' or SFU > >> We have made sure NIS Extension is installed and that "tunix" uid/gid >> have been set to 10000/10000. But others users (groups) have not been >> set, especially "Domain Users" (Utilisateurs_du_domaine in my log). >> Setting its GID value in UNIX Tab solved the issue ! > > Ah, it sounds like you have created a group called 'tunix' in AD, if > you have, please remove it, you shouldn't have personal groups in AD. > You *must* give 'Domain Users' a gidNumber, winbind will not work > without it, try using the 10000 you have removed from the tunix group. > > Rowland > >> >> May be the Wiki could stress on that particular point. >> >> >> Thanks for your help. >> >> Marc >Actually it is Windows 2008 R2 and I am sorry because all these UID/GID points are highlighted in the Wiki: " you *must* add these attributes to your AD ..." and a note explicitly mention my problem. RTFM well ! :)