There are two ubuntu 16.04 samba 4.5 servers. Ubuntu ADDC and a Member (ubuntu-dm1)
From Member "wbinfo -u" shows users of ADDC
From Member "net ads join -U administrator" was successful with no errors.
The dns A record was added in ADDC.

But getent passwd <user> shows no results.

DMember's /etc/nsswitch.conf
passwd: compat winbind
group: compat winbind
shadow: compat
gshadow: files

hosts: files dns
networks: files

protocols: db files
services: db files
ethers: db files
rpc: db files

netgroup: nis

root@ubuntu-dm1:~# ldconfig -p |grep winbind
libnss_winbind.so.2 (libc6,x86-64) => /lib/x86_64-linux-gnu/libnss_winbind.so.2

root@ubuntu-dm1:~# wbinfo -g
allowed rodc password replication group
enterprise read-only domain controllers
denied rodc password replication group
read-only domain controllers
group policy creator owners
ras and ias servers
domain controllers
enterprise admins
domain computers
cert publishers
dnsupdateproxy
domain admins
domain guests
schema admins
domain users
dnsadmins

Any help will be welcome
Lin

root@ubuntu-dm1:~# strace -e trace=connect,access,stat,open getent passwd justin
access("/etc/ld.so.nohwcap", F_OK) = -1 ENOENT (No such file or directory)
access("/etc/ld.so.preload", R_OK) = -1 ENOENT (No such file or directory)
open("/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 3
access("/etc/ld.so.nohwcap", F_OK) = -1 ENOENT (No such file or directory)
open("/lib/x86_64-linux-gnu/libc.so.6", O_RDONLY|O_CLOEXEC) = 3
open("/usr/lib/locale/locale-archive", O_RDONLY|O_CLOEXEC) = 3
connect(3, {sa_family=AF_LOCAL, sun_path="/var/run/nscd/socket"}, 110) = -1 ENOENT (No such file or directory)
connect(3, {sa_family=AF_LOCAL, sun_path="/var/run/nscd/socket"}, 110) = -1 ENOENT (No such file or directory)
open("/etc/nsswitch.conf", O_RDONLY|O_CLOEXEC) = 3
open("/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 3
access("/etc/ld.so.nohwcap", F_OK) = -1 ENOENT (No such file or directory)
open("/lib/x86_64-linux-gnu/libnss_compat.so.2", O_RDONLY|O_CLOEXEC) = 3
access("/etc/ld.so.nohwcap", F_OK) = -1 ENOENT (No such file or directory)
open("/lib/x86_64-linux-gnu/libnsl.so.1", O_RDONLY|O_CLOEXEC) = 3
open("/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 3
access("/etc/ld.so.nohwcap", F_OK) = -1 ENOENT (No such file or directory)
open("/lib/x86_64-linux-gnu/libnss_nis.so.2", O_RDONLY|O_CLOEXEC) = 3
access("/etc/ld.so.nohwcap", F_OK) = -1 ENOENT (No such file or directory)
open("/lib/x86_64-linux-gnu/libnss_files.so.2", O_RDONLY|O_CLOEXEC) = 3
open("/etc/passwd", O_RDONLY|O_CLOEXEC) = 3
open("/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 3
access("/etc/ld.so.nohwcap", F_OK) = -1 ENOENT (No such file or directory)
open("/lib/x86_64-linux-gnu/libnss_winbind.so.2", O_RDONLY|O_CLOEXEC) = 3
open("/usr/lib/x86_64-linux-gnu/samba/tls/x86_64/libpthread.so.0", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
stat("/usr/lib/x86_64-linux-gnu/samba/tls/x86_64", 0x7ffee3224700) = -1 ENOENT (No such file or directory)
open("/usr/lib/x86_64-linux-gnu/samba/tls/libpthread.so.0", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
stat("/usr/lib/x86_64-linux-gnu/samba/tls", 0x7ffee3224700) = -1 ENOENT (No such file or directory)
open("/usr/lib/x86_64-linux-gnu/samba/x86_64/libpthread.so.0", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
stat("/usr/lib/x86_64-linux-gnu/samba/x86_64", 0x7ffee3224700) = -1 ENOENT (No such file or directory)
open("/usr/lib/x86_64-linux-gnu/samba/libpthread.so.0", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
stat("/usr/lib/x86_64-linux-gnu/samba", {st_mode=S_IFDIR|0755, st_size=12288, ...}) = 0
access("/etc/ld.so.nohwcap", F_OK) = -1 ENOENT (No such file or directory)
open("/lib/x86_64-linux-gnu/libpthread.so.0", O_RDONLY|O_CLOEXEC) = 3
open("/usr/lib/x86_64-linux-gnu/samba/libwinbind-client.so.0", O_RDONLY|O_CLOEXEC) = 3
connect(3, {sa_family=AF_LOCAL, sun_path="/var/run/samba/winbindd/pipe"}, 110) = 0
connect(4, {sa_family=AF_LOCAL, sun_path="/var/lib/samba/winbindd_privileged/pipe"}, 110) = 0
+++ exited with 2 +++

Hmm.

/lib/x86_64-linux-gnu/libnss_winbind.so.2
With samba 4.5
http://packages.ubuntu.com/search?keywords=samba shows 4.5 in zesty.
Did you recompile?

Please post the output of:
winbindd -V
apt-cache policy winbind

or if the 4.5. installed from source, if so, then you have a mixed setup of "source" and deb packages, and that won't work.

If it's from source, check for leftovers in ubuntu
dpkg -l |egrep "samba|winbind"

Greetz,

Louis

> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Lin Pro via samba
> Sent: Friday 17 February 2017 3:27
> To: samba at lists.samba.org
> Subject: [Samba] getent passwd user no output, addc + dm

On Fri, 17 Feb 2017 09:44:51 +0100 "L.P.H. van Belle via samba" <samba at lists.samba.org> wrote:

> Hmm.
>
> /lib/x86_64-linux-gnu/libnss_winbind.so.2
> With samba 4.5
> http://packages.ubuntu.com/search?keywords=samba shows 4.5 in zesty.
> Did you recompile?
>
> Please post the output of : winbindd -V
> apt-cache policy winbind
>
> or if the 4.5. installed from source, if so, then you have a mixed
> setup of "source" and deb packages, and that won't work.
>
> If it's from source, check for leftovers in ubuntu dpkg -l |egrep
> "samba|winbind"
>

Using a self-compiled version of Samba will work with the OS packages installed, provided the PATH is set up correctly and the required libnss_winbind links are set up correctly as well.

It does look like this is the problem, but one other thing I would check, is nscd running, if so, turn it off, winbind has its own cache.

It might also help if the OP posted their smb.conf

Rowland

On Fri, 17 Feb 2017 07:02:23 -0600 Lin Pro <linforpros at gmail.com> wrote:

> Hi, thanks for the reply. Here is the smb.conf on the Domain Member
> [global]
>
> idmap uid = 10000-20000
> idmap gid = 10000-20000

Remove the above lines, they are replaced by the 'idmap config' lines and you shouldn't have both.

> client use spnego = yes
> client ntlmv2 auth = yes
> encrypt passwords = yes

You might as well remove these, they are the default settings.

>
> I added "password server" thinking that it will help, to no avail.

You should let Samba find the password server, so you should remove it.

> Anything else I should be aware of?
>
> The worst thing is I tried with pristine fedora image, done everything
> along the lines of the wiki for Domain Member and was stopped at the
> same issue. What is wrong?
> What does successful net ads join -U administrator tell us? Shouldn't
> it check for winbind?
>

I think you are falling into thinking because 'wbinfo -u' is working (by the way, this shows winbind is working) that 'getent passwd user' will as well, without doing anything else.

You are using the winbind 'ad' backend, do your users have a 'uidNumber' attribute containing a unique number inside the range '10000-999999' ?
Does 'Domain Users' have a 'gidNumber' attribute inside the same range ?

Rowland

On Fri, 17 Feb 2017 12:04:43 -0600 Lin Pro <linforpros at gmail.com> wrote:

> >>> You are using the winbind 'ad' backend, do your users have a
> 'uidNumber' attribute containing a unique number inside the range
> '10000-999999' ?
> Does 'Domain Users' have a 'gidNumber' attribute inside the same
> range ? <<<
>
>
> I do not know. "samba-tool user help" does not reveal a "view"
> argument to have a look.

ldbsearch does though, or ADUC on a windows version less than 10

The sheer fact that you do not know, tells me that you don't have 'uidNumber' or 'gidNumber' attributes in AD. You personally have to add them! They are not created automatically.

> But remember - on the Ubuntu AD DC the getent passwd <user> works. Let
> me list it for you:
>
> root@dc1:~# getent passwd justin
> SF\justin:*:3000020:100:Justin Falon:/home/SF/justin:/bin/false

Well it would work on the DC, these numbers are coming from idmap.ldb

>
> Is the big number "3000020" a uidNumber attribute?

No, it is an 'xidNumber' that is mapped to the user's SID in idmap.ldb

>
> Removal of the lines that you mentioned (there were added in
> desperation to look for a solution anyway) did not produce expected
> results.

It won't have made it worse either ;-)

> So at this moment the following is the result:
> root@ubuntu-dm1:~# getent group "Domain Users"
> root@ubuntu-dm1:~# getent group "Admin Users"
> root@ubuntu-dm1:~# getent passwd justin
> root@ubuntu-dm1:~#

Have you read the Samba wiki ?

https://wiki.samba.org/index.php/User_Documentation

Especially:

https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member

>
> Let me show you the /etc/smb.conf on both machines, AD DC and the
> Member Domain
>
>
> AD DC smb.conf
>
> # Global parameters
> [global]
> workgroup = SF
> realm = SF.TEST.ORG
> netbios name = DC1
> server role = active directory domain controller
> # dns forwarder just for testing

What do you mean 'just for testing' ? If you use the internal DNS server, you need the forwarder.

> And member Domain server
>
> root@ubuntu-dm1:~# cat /etc/krb5.conf
> [libdefaults]
> default_realm = SF.TEST.ORG
> dns_lookup_realm = false
> dns_lookup_kdc = true
>

That is correct for the Unix domain member, it is also all you need on the DC as well.

On Fri, 17 Feb 2017 15:37:27 -0600 Lin Pro <linforpros at gmail.com> wrote:

> ////ldbsearch does though, or ADUC on a windows version less than
> 10////
>
> Are you saying then that the problem would be in the group ID numbers
> and user ID numbers in the case that I'm describing?

What I am saying is that it looks like your users in AD do not have a uidNumber attribute and/or Domain Users does not have a gidNumber attribute.

>
> I installed LTB tools and I'm trying to figure out how to find out
> about those uid numbers
>

OK, run this on your Samba AD DC:

ldbsearch -H /usr/local/samba/private/sam.ldb -b 'dc=samdom,dc=example,dc=com' -s sub "(&(objectClass=person)(uidNumber=*))" dn uidNumber

Just in case it has got split up, the above should be all one line.

/usr/local/samba/private/sam.ldb is the full path to sam.ldb, yours may be different

dc=samdom,dc=example,dc=com is the base DN of your AD, yours will be different, it is your dns name with the dots replaced.

If you have any 'uidNumber' attributes in AD, it will print the DN and uidNumber

Run this to check if Domain Users has a gidNumber

ldbsearch -H /usr/local/samba/private/sam.ldb -b 'dc=samdom,dc=example,dc=com' -s sub "(&(objectClass=group)(cn=Domain Users)(gidNumber=*))" dn gidNumber

If you don't get any results, this is your problem and I am very sure this is your problem. In which case read up on ldbmodify and/or the Unix Attributes tab on RSAT ADUC, both of which are on the Samba wiki.

Rowland

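The uidNumber check described in the message above, as an added example that is not part of the thread or of Samba itself: it reads ldbsearch LDIF output and reports, per account, whether a uidNumber is present and inside the idmap range. The function names and the sample LDIF are constructed for illustration; the 10000-999999 range is the one quoted in the thread.

```shell
#!/bin/sh
# Added example. Function names and the sample LDIF are constructed for
# illustration; the 10000-999999 range is the one quoted in the thread.

# "your dns name with the dots replaced": SF.TEST.ORG -> dc=sf,dc=test,dc=org
realm_to_basedn() {
    printf '%s\n' "$1" | tr '[:upper:]' '[:lower:]' | sed 's/^/dc=/; s/\./,dc=/g'
}

# Read ldbsearch LDIF on stdin; report each account's uidNumber status
# against the idmap range LOW-HIGH given as $1 and $2.
audit_uidnumbers() {
    awk -v low="$1" -v high="$2" '
        BEGIN { RS = ""; FS = "\n" }      # one blank-line-separated record at a time
        {
            name = ""; uid = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^#/) continue    # "# record N", "# returned ..." comments
                if ($i ~ /^sAMAccountName: /) name = substr($i, 17)
                if ($i ~ /^uidNumber: /)      uid  = substr($i, 12)
            }
            if (name == "") next           # referrals and the trailer carry no account
            if (uid == "")
                print name ": MISSING uidNumber"
            else if (uid + 0 < low + 0 || uid + 0 > high + 0)
                print name ": uidNumber " uid " outside " low "-" high
            else
                print name ": ok " uid
        }'
}

# Constructed sample in the shape ldbsearch prints (not real directory data).
sample_ldif() {
    cat <<'EOF'
# record 1
dn: CN=Justin Falon,CN=Users,DC=sf,DC=test,DC=org
sAMAccountName: justin

# record 2
dn: CN=Alice Example,CN=Users,DC=sf,DC=test,DC=org
sAMAccountName: alice
uidNumber: 10001

# record 3
dn: CN=Bob Example,CN=Users,DC=sf,DC=test,DC=org
sAMAccountName: bob
uidNumber: 500

# returned 3 records
# 3 entries
EOF
}

# On a DC, feed it real data instead (sam.ldb path as the poster gave it):
#   ldbsearch -H /var/lib/samba/private/sam.ldb -b "$(realm_to_basedn SF.TEST.ORG)" \
#       '(objectClass=person)' sAMAccountName uidNumber | audit_uidnumbers 10000 999999
sample_ldif | audit_uidnumbers 10000 999999
```

Accounts reported as MISSING or outside the range are the ones 'getent passwd' on a member using the 'ad' backend will not return, even though 'wbinfo -u' lists them.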
Hi,

I have run the ldbsearch command substituting my correct path /var/lib/samba/private and the correct domain. In both cases I am getting the following results:

# returned 3 records
# 0 entries
# 3 referrals

# returned 3 records
# 0 entries
# 3 referrals

thank you for giving me hope in the tunnel. I will read the man page about ldbmodify and see what I can come up with.

In the mean time, it seems that ldbsearch can reach ADDC when launched from DM:

root@ubuntu-dm1:~# ldbsearch -H ldap://dc1 -U administrator

...produces

# returned 272 records
# 269 entries
# 3 referrals

Hopefully I am on the right path.

On Fri, Feb 17, 2017 at 4:11 PM, Rowland Penny via samba <samba at lists.samba.org> wrote:

--
best regards
linforpros

Is using ADUC from a windows machine a complete substitute of what the wiki below explains?

https://wiki.samba.org/index.php/LDB#ldbmodify

Just curious because it seems beyond me at the moment to dig into it.

Regards