Giuseppe Sacco
2018-Oct-17 19:22 UTC
[Samba] NSS interface lists all domain users but gives error on single user
Hello Rowland, I changed nsswitch.conf as suggested, but I still have the same result. [...]> Providing the there is a user called 'manuelb' in AD, winbind should > show the user with 'getent passwd AGENZIA+manuelb'If I list all users, I get all users. Let's display the end of the list using both wbinfo and getent: root at kubuntu-test:~# wbinfo -u | tail -2 AGENZIA\lorenam AGENZIA\manuelb root at kubuntu-test:~# getent passwd | tail -2 AGENZIA\lorenam:*:10182:8513::/home/lorenam:/bin/bash AGENZIA\manuelb:*:10183:8513::/home/manuelb:/bin/bash If I create a file and change its uid to one of these, I see that NSS does not resolve it: root at kubuntu-test:~# touch /tmp/ttt root at kubuntu-test:~# chown 10183 /tmp/ttt root at kubuntu-test:~# ls -l /tmp/ttt -rw-r--r-- 1 10183 root 0 ott 17 20:54 /tmp/ttt Even the "id" command does not resolve it. Nor the getent: root at kubuntu-test:~# id 'AGENZIA\lorenam' id: ‘AGENZIA\\lorenam’: no such user root at kubuntu-test:~# getent passwd 'AGENZIA\lorenam' root at kubuntu-test:~# This is the complete global section as displayed by testparam: [global] dns proxy = No log file = /var/log/samba/log.%m map to guest = Bad User max log size = 1000 panic action = /usr/share/samba/panic-action %d realm = AGENZIA.LOCAL security = ADS server role = member server server string = %h server (Samba, Ubuntu) template homedir = /home/%U template shell = /bin/bash username map = /usr/local/samba/etc/user.map usershare allow guests = Yes winbind cache time = 5 winbind enum groups = Yes winbind enum users = Yes winbind offline logon = Yes winbind refresh tickets = Yes workgroup = AGENZIA idmap config agenzia : range = 8000-20000 idmap config agenzia : backend = rid idmap config * : range = 3000-7999 idmap config * : backend = tdb As you may see, the uids given by wbinfo and getent are in the correct range. I do not know how to better debug the problem: I have reised "log level" in smb.conf but no logging is done during the getent execution. Thank you, Giuseppe
Rowland Penny
2018-Oct-17 20:28 UTC
[Samba] NSS interface lists all domain users but gives error on single user
On Wed, 17 Oct 2018 21:22:42 +0200 Giuseppe Sacco via samba <samba at lists.samba.org> wrote:> Hello Rowland, > I changed nsswitch.conf as suggested, but I still have the same > result. > > [...] > > Providing the there is a user called 'manuelb' in AD, winbind should > > show the user with 'getent passwd AGENZIA+manuelb' > > If I list all users, I get all users. Let's display the end of the > list using both wbinfo and getent: > > root at kubuntu-test:~# wbinfo -u | tail -2 > AGENZIA\lorenam > AGENZIA\manuelbThis shows the users are in AD, it does not mean the Unix OS will know who they are.> > root at kubuntu-test:~# getent passwd | tail -2 > AGENZIA\lorenam:*:10182:8513::/home/lorenam:/bin/bash > AGENZIA\manuelb:*:10183:8513::/home/manuelb:/bin/bashThis does show that Unix knows who they are.> > If I create a file and change its uid to one of these, I see that NSS > does not resolve it: > > root at kubuntu-test:~# touch /tmp/ttt > root at kubuntu-test:~# chown 10183 /tmp/ttt > root at kubuntu-test:~# ls -l /tmp/ttt > -rw-r--r-- 1 10183 root 0 ott 17 20:54 /tmp/ttt > > Even the "id" command does not resolve it. Nor the getent: >And then for some reason, Unix doesn't know who the user is.> root at kubuntu-test:~# id 'AGENZIA\lorenam' > id: ‘AGENZIA\\lorenam’: no such user > root at kubuntu-test:~# getent passwd 'AGENZIA\lorenam' > root at kubuntu-test:~# > > This is the complete global section as displayed by testparam: > > [global] > dns proxy = No > log file = /var/log/samba/log.%m > map to guest = Bad User > max log size = 1000 > panic action = /usr/share/samba/panic-action %d > realm = AGENZIA.LOCAL > security = ADS > server role = member server > server string = %h server (Samba, Ubuntu) > template homedir = /home/%U > template shell = /bin/bash > username map = /usr/local/samba/etc/user.map > usershare allow guests = Yes > winbind cache time = 5 > winbind enum groups = Yes > winbind enum users = Yes > winbind offline logon = Yes > winbind refresh tickets = Yes > workgroup = AGENZIA > idmap config agenzia : range = 8000-20000 > idmap config agenzia : backend = rid > idmap config * : range = 3000-7999 > idmap config * : backend = tdb >There isn't anything wrong there.> As you may see, the uids given by wbinfo and getent are in the correct > range.What does 'wbinfo -U 10182' return ? The last number should be 2182> I do not know how to better debug the problem: I have reised "log > level" in smb.conf but no logging is done during the getent execution. >Bit lost myself here, why doesn't 'getent passwd username' return anything ? Is there anything like sssd running ? Have you changed anything else ? Rowland
Giuseppe Sacco
2018-Oct-18 02:56 UTC
[Samba] NSS interface lists all domain users but gives error on single user
Hello Rowland Il giorno mer, 17/10/2018 alle 21.28 +0100, Rowland Penny via samba ha scritto: [...]> What does 'wbinfo -U 10182' return ? > The last number should be 2182root at kubuntu-test:~# wbinfo -U 10182 S-1-5-21-1076504413-1754488879-1808648030-2182 root at kubuntu-test:~# wbinfo -n 'AGENZIA\lorenam' S-1-5-21-1076504413-1754488879-1808648030-2182 SID_USER (1) root at kubuntu-test:~# getent passwd 'AGENZIA\lorenam' root at kubuntu-test:~#> > I do not know how to better debug the problem: I have reised "log > > level" in smb.conf but no logging is done during the getent > > execution. > > > > Bit lost myself here, why doesn't 'getent passwd username' return > anything ? > Is there anything like sssd running ? > > Have you changed anything else ?This is a new installation for testing purposes: there were no previous installation, so nothing changed. sssd is not installed. root at kubuntu-test:~# COLUMNS=80 dpkg -l | egrep samba\|winb\|sss ii libnss-winbind 2:4.7.6+dfsg amd64 Samba nameservice integration plu ii libpam-winbind 2:4.7.6+dfsg amd64 Windows domain authentication int ii libwbclient0:a 2:4.7.6+dfsg amd64 Samba winbind client library ii python-samba 2:4.7.6+dfsg amd64 Python bindings for Samba ii samba 2:4.7.6+dfsg amd64 SMB/CIFS file, print, and login s ii samba-common 2:4.7.6+dfsg all common files used by both the Sam ii samba-common-b 2:4.7.6+dfsg amd64 Samba common files used by both t ii samba-dsdb-mod 2:4.7.6+dfsg amd64 Samba Directory Services Database ii samba-libs:amd 2:4.7.6+dfsg amd64 Samba core libraries ii samba-vfs-modu 2:4.7.6+dfsg amd64 Samba Virtual FileSystem plugins ii winbind 2:4.7.6+dfsg amd64 service to resolve user and group even commenting out the lines about the rid idmap backend, and hence defaulting to the "*" domain config that uses tdb, the mapping works. wbinfo and tdb file display/contain the same mapping: #idmap config AGENZIA : backend = rid #idmap config AGENZIA : range = 8000-20000 # systemctl stop winbind smbd nmbd # rm /var/cache/samba/gencache.tdb /var/cache/samba/netsamlogon_cache.tdb \ /var/lib/samba/account_policy.tdb /var/lib/samba/group_mapping.tdb \ /var/lib/samba/winbindd_cache.tdb /var/lib/samba/winbindd_cache.tdb.bak \ /var/lib/samba/winbindd_idmap.tdb /var/lib/samba/private/idmap2.tdb # systemctl start winbind smbd nmbd # getent passwd 'AGENZIA\lorenam' # getent passwd | fgrep 'AGENZIA\lorenam' AGENZIA\lorenam:*:3034:3004::/home/lorenam:/bin/bash # wbinfo --uid-to-sid 3034 S-1-5-21-1076504413-1754488879-1808648030-2182 # tdbtool /var/lib/samba/winbindd_idmap.tdb show 'UID 3034\0' key 9 bytes UID 3034 data 47 bytes [000] 53 2D 31 2D 35 2D 32 31 2D 31 30 37 36 35 30 34 S-1-5-21 -1076504 [010] 34 31 33 2D 31 37 35 34 34 38 38 38 37 39 2D 31 413-1754 488879-1 [020] 38 30 38 36 34 38 30 33 30 2D 32 31 38 32 00 80864803 0-2182 # wbinfo --sid-to-uid S-1-5-21-1076504413-1754488879-1808648030-2182 3034 # tdbtool /var/lib/samba/winbindd_idmap.tdb show 'S-1-5-21-1076504413-1754488879-1808648030-2182\0' key 47 bytes S-1-5-21-1076504413-1754488879-1808648030-2182 data 9 bytes [000] 55 49 44 20 33 30 33 34 00 UID 3034 So, I think this is not related to the mapping, but probably to libnss- winbind. Bye, Giuseppe
Apparently Analagous Threads
- NSS interface lists all domain users but gives error on single user
- NSS interface lists all domain users but gives error on single user
- NSS interface lists all domain users but gives error on single user
- NSS interface lists all domain users but gives error on single user
- NSS interface lists all domain users but gives error on single user