Giuseppe Sacco
2018-Oct-17 13:03 UTC
[Samba] NSS interface lists all domain users but gives error on single user
Hello,
I configured samba and winbind in order to let domain users access folders shared by samba on linux. The configuration is shown later.

Please note that idmap is configured correctly:

root@kubuntu-test:~# wbinfo --user-info 'AGENZIA+manuelb'
AGENZIA+manuelb:*:5035:5002::/home/manuelb:/bin/bash
root@kubuntu-test:~# wbinfo -n 'AGENZIA+manuelb'
S-1-5-21-1076504413-1754488879-1808648030-2183 SID_USER (1)
root@kubuntu-test:~# wbinfo --sid-to-uid 'S-1-5-21-1076504413-1754488879-1808648030-2183'
5035

As you may see now, listing all users works, but querying information for a single user does not work.

root@kubuntu-test:~# getent passwd | tail -1
AGENZIA+manuelb:*:5035:5002::/home/manuelb:/bin/bash
root@kubuntu-test:~# getent passwd 'AGENZIA+manuelb'
root@kubuntu-test:~# id 'AGENZIA+manuelb'
id: ‘AGENZIA+manuelb’: no such user

Windows domain is managed by Windows Server 2008 and it is at functional level of Windows 2003. The version of linux packages is quite current, i.e.:

ii  libc-bin             2.27-3ubuntu1   amd64  GNU C Library: Binaries
ii  libnss-winbind:amd6  2:4.7.6+dfsg~u  amd64  Samba nameservice integration plugins
ii  libpam-winbind:amd6  2:4.7.6+dfsg~u  amd64  Windows domain authentication integration p
ii  samba                2:4.7.6+dfsg~u  amd64  SMB/CIFS file, print, and login server for
ii  winbind              2:4.7.6+dfsg~u  amd64  service to resolve user and group informati

NSS configuration is simple:

passwd:         files winbind systemd
group:          files winbind systemd
shadow:         files winbind

This is 'testparm' output:

# Global parameters
[global]
    dns proxy = No
    log file = /var/log/samba/log.%m
    map to guest = Bad User
    max log size = 1000
    panic action = /usr/share/samba/panic-action %d
    realm = AGENZIA.LOCAL
    security = ADS
    server role = member server
    server string = %h server (Samba, Ubuntu)
    template homedir = /home/%U
    template shell = /bin/bash
    usershare allow guests = Yes
    winbind cache time = 5
    winbind enum groups = Yes
    winbind enum users = Yes
    winbind offline logon = Yes
    winbind refresh tickets = Yes
    winbind separator = +
    workgroup = AGENZIA
    idmap config * : range = 5000-5100
    idmap config * : backend = tdb

What can be the problem?

Thank you,
Giuseppe Sacco
Rowland Penny
2018-Oct-17 13:32 UTC
[Samba] NSS interface lists all domain users but gives error on single user
On Wed, 17 Oct 2018 15:03:41 +0200 Giuseppe Sacco via samba <samba at lists.samba.org> wrote:

> Hello,
> I configured samba and winbind in order to let domain users access
> folders shared by samba on linux. The configuration is shown later.
>
> Please note that idmap is configured correctly:
>
> root@kubuntu-test:~# wbinfo --user-info 'AGENZIA+manuelb'
> AGENZIA+manuelb:*:5035:5002::/home/manuelb:/bin/bash
> root@kubuntu-test:~# wbinfo -n 'AGENZIA+manuelb'
> S-1-5-21-1076504413-1754488879-1808648030-2183 SID_USER (1)
> root@kubuntu-test:~# wbinfo --sid-to-uid 'S-1-5-21-1076504413-1754488879-1808648030-2183'
> 5035
>
> As you may see now, listing all users works, but querying information
> for a single user does not work.
>
> root@kubuntu-test:~# getent passwd | tail -1
> AGENZIA+manuelb:*:5035:5002::/home/manuelb:/bin/bash
> root@kubuntu-test:~# getent passwd 'AGENZIA+manuelb'
> root@kubuntu-test:~# id 'AGENZIA+manuelb'
> id: ‘AGENZIA+manuelb’: no such user
>
> Windows domain is managed by Windows Server 2008 and it is at
> functional level of Windows 2003. The version of linux packages is
> quite current, i.e.:
>
> ii  libc-bin             2.27-3ubuntu1   amd64  GNU C Library: Binaries
> ii  libnss-winbind:amd6  2:4.7.6+dfsg~u  amd64  Samba nameservice integration plugins
> ii  libpam-winbind:amd6  2:4.7.6+dfsg~u  amd64  Windows domain authentication integration p
> ii  samba                2:4.7.6+dfsg~u  amd64  SMB/CIFS file, print, and login server for
> ii  winbind              2:4.7.6+dfsg~u  amd64  service to resolve user and group informati
>
> NSS configuration is simple:
>
> passwd:         files winbind systemd
> group:          files winbind systemd
> shadow:         files winbind
>
> This is 'testparm' output:
>
> # Global parameters
> [global]
>     dns proxy = No
>     log file = /var/log/samba/log.%m
>     map to guest = Bad User
>     max log size = 1000
>     panic action = /usr/share/samba/panic-action %d
>     realm = AGENZIA.LOCAL
>     security = ADS
>     server role = member server
>     server string = %h server (Samba, Ubuntu)
>     template homedir = /home/%U
>     template shell = /bin/bash
>     usershare allow guests = Yes
>     winbind cache time = 5
>     winbind enum groups = Yes
>     winbind enum users = Yes
>     winbind offline logon = Yes
>     winbind refresh tickets = Yes
>     winbind separator = +
>     workgroup = AGENZIA
>     idmap config * : range = 5000-5100
>     idmap config * : backend = tdb
>
> What can be the problem?
>
> Thank you,
> Giuseppe Sacco

You haven't set up idmap correctly, see here:
https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member
and here:
https://wiki.samba.org/index.php/Idmap_config_ad
or here:
https://wiki.samba.org/index.php/Idmap_config_rid

Rowland
Giuseppe Sacco
2018-Oct-17 16:46 UTC
[Samba] NSS interface lists all domain users but gives error on single user
Hello Rowland,

On Wed, 17/10/2018 at 14.32 +0100, Rowland Penny via samba wrote:

> On Wed, 17 Oct 2018 15:03:41 +0200
> Giuseppe Sacco via samba <samba at lists.samba.org> wrote:
> [...]
> > # Global parameters
> > [global]
> >     dns proxy = No
> >     log file = /var/log/samba/log.%m
> >     map to guest = Bad User
> >     max log size = 1000
> >     panic action = /usr/share/samba/panic-action %d
> >     realm = AGENZIA.LOCAL
> >     security = ADS
> >     server role = member server
> >     server string = %h server (Samba, Ubuntu)
> >     template homedir = /home/%U
> >     template shell = /bin/bash
> >     usershare allow guests = Yes
> >     winbind cache time = 5
> >     winbind enum groups = Yes
> >     winbind enum users = Yes
> >     winbind offline logon = Yes
> >     winbind refresh tickets = Yes
> >     winbind separator = +
> >     workgroup = AGENZIA
> >     idmap config * : range = 5000-5100
> >     idmap config * : backend = tdb
>
> You haven't set up idmap correctly, see here:
> https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member
> and here:
> https://wiki.samba.org/index.php/Idmap_config_ad
> or here:
> https://wiki.samba.org/index.php/Idmap_config_rid

If I understand the documentation, I need to set up two idmap configs, one allocating ids for the BUILTIN users (using the tdb backend) and a separate one for my domain users. I thought that using "*" would have covered all domains, but I now think this is not true. Moreover, using the rid backend, I found that not all users were listed until its range was not large enough.

So, I changed the idmap config this way:

    idmap config * : range = 3000-7999
    idmap config * : backend = tdb
    idmap config AGENZIA : range = 8000-20000
    idmap config AGENZIA : backend = rid

I stopped the samba daemons, deleted the relevant tdb files, restarted all daemons. I did not leave/join the domain again.

But I still have the same problem: "getent passwd" lists all users, while "getent passwd 'AGENZIA+manuelb'" does not give any results.

Thank you very much,
Giuseppe