samba - Oct 2018 - NSS interface lists all domain users but gives error on single user

Hello Rowland,
I changed nsswitch.conf as suggested, but I still have the same result.

[...]
> Providing the there is a user called 'manuelb' in AD, winbind
should
> show the user with 'getent passwd AGENZIA+manuelb'
If I list all users, I get all users. Let's display the end of the list
using both wbinfo and getent:

root at kubuntu-test:~# wbinfo -u | tail -2
AGENZIA\lorenam
AGENZIA\manuelb

root at kubuntu-test:~# getent passwd | tail -2
AGENZIA\lorenam:*:10182:8513::/home/lorenam:/bin/bash
AGENZIA\manuelb:*:10183:8513::/home/manuelb:/bin/bash

If I create a file and change its uid to one of these, I see that NSS
does not resolve it:

root at kubuntu-test:~# touch /tmp/ttt 
root at kubuntu-test:~# chown 10183 /tmp/ttt 
root at kubuntu-test:~# ls -l /tmp/ttt
-rw-r--r-- 1 10183 root 0 ott 17 20:54 /tmp/ttt

Even the "id" command does not resolve it. Nor the getent:

root at kubuntu-test:~# id 'AGENZIA\lorenam'
id: ‘AGENZIA\\lorenam’: no such user
root at kubuntu-test:~# getent passwd 'AGENZIA\lorenam'
root at kubuntu-test:~#

This is the complete global section as displayed by testparam:

[global]
	dns proxy = No
	log file = /var/log/samba/log.%m
	map to guest = Bad User
	max log size = 1000
	panic action = /usr/share/samba/panic-action %d
	realm = AGENZIA.LOCAL
	security = ADS
	server role = member server
	server string = %h server (Samba, Ubuntu)
	template homedir = /home/%U
	template shell = /bin/bash
	username map = /usr/local/samba/etc/user.map
	usershare allow guests = Yes
	winbind cache time = 5
	winbind enum groups = Yes
	winbind enum users = Yes
	winbind offline logon = Yes
	winbind refresh tickets = Yes
	workgroup = AGENZIA
	idmap config agenzia : range = 8000-20000
	idmap config agenzia : backend = rid
	idmap config * : range = 3000-7999
	idmap config * : backend = tdb

As you may see, the uids given by wbinfo and getent are in the correct
range.
I do not know how to better debug the problem: I have reised "log
level" in smb.conf but no logging is done during the getent execution.

Thank you,
Giuseppe

On Wed, 17 Oct 2018 21:22:42 +0200
Giuseppe Sacco via samba <samba at lists.samba.org> wrote:
> Hello Rowland,
> I changed nsswitch.conf as suggested, but I still have the same
> result.
> 
> [...]
> > Providing the there is a user called 'manuelb' in AD, winbind
should
> > show the user with 'getent passwd AGENZIA+manuelb'
> 
> If I list all users, I get all users. Let's display the end of the
> list using both wbinfo and getent:
> 
> root at kubuntu-test:~# wbinfo -u | tail -2
> AGENZIA\lorenam
> AGENZIA\manuelb
This shows the users are in AD, it does not mean the Unix OS will know
who they are.
> 
> root at kubuntu-test:~# getent passwd | tail -2
> AGENZIA\lorenam:*:10182:8513::/home/lorenam:/bin/bash
> AGENZIA\manuelb:*:10183:8513::/home/manuelb:/bin/bash
This does show that Unix knows who they are.
> 
> If I create a file and change its uid to one of these, I see that NSS
> does not resolve it:
> 
> root at kubuntu-test:~# touch /tmp/ttt 
> root at kubuntu-test:~# chown 10183 /tmp/ttt 
> root at kubuntu-test:~# ls -l /tmp/ttt
> -rw-r--r-- 1 10183 root 0 ott 17 20:54 /tmp/ttt
> 
> Even the "id" command does not resolve it. Nor the getent:
>
And then for some reason, Unix doesn't know who the user is.
 
> root at kubuntu-test:~# id 'AGENZIA\lorenam'
> id: ‘AGENZIA\\lorenam’: no such user
> root at kubuntu-test:~# getent passwd 'AGENZIA\lorenam'
> root at kubuntu-test:~#
> 
> This is the complete global section as displayed by testparam:
> 
> [global]
> 	dns proxy = No
> 	log file = /var/log/samba/log.%m
> 	map to guest = Bad User
> 	max log size = 1000
> 	panic action = /usr/share/samba/panic-action %d
> 	realm = AGENZIA.LOCAL
> 	security = ADS
> 	server role = member server
> 	server string = %h server (Samba, Ubuntu)
> 	template homedir = /home/%U
> 	template shell = /bin/bash
> 	username map = /usr/local/samba/etc/user.map
> 	usershare allow guests = Yes
> 	winbind cache time = 5
> 	winbind enum groups = Yes
> 	winbind enum users = Yes
> 	winbind offline logon = Yes
> 	winbind refresh tickets = Yes
> 	workgroup = AGENZIA
> 	idmap config agenzia : range = 8000-20000
> 	idmap config agenzia : backend = rid
> 	idmap config * : range = 3000-7999
> 	idmap config * : backend = tdb
>
There isn't anything wrong there.
 
> As you may see, the uids given by wbinfo and getent are in the correct
> range.
What does 'wbinfo -U 10182' return ?
The last number should be 2182
> I do not know how to better debug the problem: I have reised "log
> level" in smb.conf but no logging is done during the getent execution.
> 
Bit lost myself here, why doesn't 'getent passwd username' return
anything ?
Is there anything like sssd running ?

Have you changed anything else ?

Rowland

Hello Rowland

Il giorno mer, 17/10/2018 alle 21.28 +0100, Rowland Penny via samba ha
scritto:
[...]
> What does 'wbinfo -U 10182' return ?
> The last number should be 2182
root at kubuntu-test:~# wbinfo -U 10182
S-1-5-21-1076504413-1754488879-1808648030-2182
root at kubuntu-test:~# wbinfo -n 'AGENZIA\lorenam'
S-1-5-21-1076504413-1754488879-1808648030-2182 SID_USER (1)
root at kubuntu-test:~# getent passwd 'AGENZIA\lorenam'
root at kubuntu-test:~# 
> > I do not know how to better debug the problem: I have reised "log
> > level" in smb.conf but no logging is done during the getent
> > execution.
> > 
> 
> Bit lost myself here, why doesn't 'getent passwd username'
return
> anything ?
> Is there anything like sssd running ?
> 
> Have you changed anything else ?
This is a new installation for testing purposes: there were no previous
installation, so nothing changed. sssd is not installed.

root at kubuntu-test:~# COLUMNS=80 dpkg -l | egrep samba\|winb\|sss
ii  libnss-winbind 2:4.7.6+dfsg amd64        Samba nameservice integration plu
ii  libpam-winbind 2:4.7.6+dfsg amd64        Windows domain authentication int
ii  libwbclient0:a 2:4.7.6+dfsg amd64        Samba winbind client library
ii  python-samba   2:4.7.6+dfsg amd64        Python bindings for Samba
ii  samba          2:4.7.6+dfsg amd64        SMB/CIFS file, print, and login s
ii  samba-common   2:4.7.6+dfsg all          common files used by both the Sam
ii  samba-common-b 2:4.7.6+dfsg amd64        Samba common files used by both t
ii  samba-dsdb-mod 2:4.7.6+dfsg amd64        Samba Directory Services Database
ii  samba-libs:amd 2:4.7.6+dfsg amd64        Samba core libraries
ii  samba-vfs-modu 2:4.7.6+dfsg amd64        Samba Virtual FileSystem plugins
ii  winbind        2:4.7.6+dfsg amd64        service to resolve user and group


even commenting out the lines about the rid idmap backend, and hence
defaulting to the "*" domain config that uses tdb, the mapping works.
wbinfo and tdb file display/contain the same mapping:

   #idmap config AGENZIA : backend = rid
   #idmap config AGENZIA : range = 8000-20000

# systemctl stop winbind smbd nmbd
# rm /var/cache/samba/gencache.tdb /var/cache/samba/netsamlogon_cache.tdb \
  /var/lib/samba/account_policy.tdb /var/lib/samba/group_mapping.tdb \
  /var/lib/samba/winbindd_cache.tdb /var/lib/samba/winbindd_cache.tdb.bak \
  /var/lib/samba/winbindd_idmap.tdb  /var/lib/samba/private/idmap2.tdb
# systemctl start winbind smbd nmbd

# getent passwd 'AGENZIA\lorenam'
# getent passwd | fgrep 'AGENZIA\lorenam'
AGENZIA\lorenam:*:3034:3004::/home/lorenam:/bin/bash

# wbinfo --uid-to-sid 3034
S-1-5-21-1076504413-1754488879-1808648030-2182
# tdbtool /var/lib/samba/winbindd_idmap.tdb show 'UID 3034\0'
key 9 bytes
UID 3034
data 47 bytes
[000] 53 2D 31 2D 35 2D 32 31  2D 31 30 37 36 35 30 34  S-1-5-21 -1076504
[010] 34 31 33 2D 31 37 35 34  34 38 38 38 37 39 2D 31  413-1754 488879-1
[020] 38 30 38 36 34 38 30 33  30 2D 32 31 38 32 00     80864803 0-2182

# wbinfo --sid-to-uid S-1-5-21-1076504413-1754488879-1808648030-2182
3034
# tdbtool /var/lib/samba/winbindd_idmap.tdb show
'S-1-5-21-1076504413-1754488879-1808648030-2182\0'
key 47 bytes
S-1-5-21-1076504413-1754488879-1808648030-2182
data 9 bytes
[000] 55 49 44 20 33 30 33 34  00                       UID 3034

So, I think this is not related to the mapping, but probably to libnss-
winbind.

Bye,
Giuseppe