Re: [Samba] getent passwd does not list trusted users

[Gaiseric Vandal]

This maybe related to idmap allocation -  tho not sure how.

Initially my PDC was running Samba 3.0.x.    When I did "getent passwd" 
or "getent group"  samba would create idmap entries for users and groups 
from trusted domains.    There were some other things broken with idmap 
and samba that made it unstable for maintaining a trust with  Active 
Directory, thus the move to 3.4 and then to 3.5.

The 3.4 upgrade seems to have broken the automatic allocation.  (This 
could just be a configuration error in my smb.conf)   In my environment, 
that wasn't a huge deal since the number of users and groups in the 
trusted domain us quite small and stable.     I could manually add an 
idmapping with the wbinfo  or with an LDAP editor.

This morning, "getent group" would show the trusted WINDOWS groups.  I 
added another group in the WINDOWS domain to see if Samba would 
automatically create a group mapping (which it didn't) and to make sure 
that it at least showed up with "wbinfo -g" (which it did-  so at least 
I wasn't working just from a cache.)    But then "getent group" stopped 
listing WINDOWS groups.  ("getent group WINDOWS\\thenewgroup" did 
work.")  Once I manually created an idmap entry for the new group, 
"getent group" was able to list all the groups.

So my guess is that samba or winbind chokes up when it finds a winbind 
user or group in a domain for which an idmap entry is missing and can't 
be created.

I tried adding idmap entries for the few users in the WINDOWS domain who 
didn't have idmappings, but "getent passwd" still doesn't work.




-------- Original Message --------
Subject:        Re: [Samba] getent passwd does not list trusted users
Date:   Mon, 06 Jun 2011 15:16:28 -0400
From:   Gaiseric Vandal <gaiseric.van...@gmail.com>
Reply-To:       gaiseric.van...@gmail.com
To:     samba@lists.samba.org



I do have the entries in /etc/nswitch.conf

The "getent passwd"  won't list the winbind users although I can get
details on a specific user with the "getent passwd
SOMEDOMAIN\\someuser"   common


I looked in the /var/samba/locks directory -

I have a winbindd_cache.tdb file that is current.  I don't have a
current idmap_cache.tdb file anymore.  Not sure I need one.   I
initially stated with samba 3.0.x, then upgraded to 3.4.x, then to
3.5.x, and it seems with .X upgrade that the configuration for winbind
and idmapping changes.


This may be a bug in Solaris itself rather than samba.





On 06/06/2011 02:28 PM, timothy mcdaniel wrote:
 I have been looking at
 
http://samba.2283325.n4.nabble.com/Trusted-domain-users-unwantedly-mapping-onto-local-domain-users-td3005928.html
 and I think that if you add this in your nsswitch.conf like it says in the
 website above:
 if you already have the passwd: files ldap and group: files ldap in your
 nsswitch.conf then just add winbind to the end of the lines of the passwd
 and group lines. just like it is shown below: If you need any more help just
 email me back, and I will try to help you.

 *passwd*: files ldap winbind
    group: files ldap winbind

 ---------- Forwarded message ----------
 From: Gaiseric Vandal<gaiseric.van...@gmail.com>
 To: Samba<samba@lists.samba.org>
 Date: Mon, 06 Jun 2011 12:04:14 -0400
 Subject: [Samba] getent passwd does not list trusted users
 I am running Samba 3.5.5 on Solaris 10.  This is the latest Sun/Oracle
 provided build.  I have an ldap backend for everything (unix+samba accounts,
 idmapping for domain trusts.)  The Samba server is a PDC for a domain we can
 call "SAMBA."    Each samba account is tied to a unix account.

 I have a one-way  domain trust setup with a Windows 2003 domain which we
 can call "WIN2003."  SAMBA trusts WIN2003.   "getent passwd" and "getent
 group" seem to fundamentally be working (depending on syntax)  BUT "getent
 passwd" does NOT list trusted users.


 On the solaris machine:

 
---------------------------------------------------------------------------------------------------------------------------------------------------------------
 "wbinfo -u"  and "wbinfo -g"    lists all users in this domain + the
 WIN2003 domain.   For the SAMBA users, the domain name is stripped out.


   "getent passwd" -  lists all "unix" users (in ldap or /etc/passwd.)
         It does not list the samba users -  which is the expected and
 desired behaviour.
         I had expected it to list users from the WIN2003 domain.


 "getent group"  -  lists all "unix" groups  (in ldap or /etc/passwd)
         It does not listed the SAMBA groups - which is the expected and
 desired behaviour.
         It does list WIN2003 groups-  which is  also the expected and
 desired behaviour.


 "getent passwd SAMBA\\user" -  shows uid, gid, home directory, shell
 "getent passwd WIN2003\\user" -  shows uid, gid, home directory, shell

 "getent group SAMBA\\group" -  shows gid, members
 "getent group WIN2003\\group" -  shows gid, members


 "id SAMBA\\user" -  shows uid and gid
 "id  WIN2003 \\user" -  shows uid and gid


 
---------------------------------------------------------------------------------------------------------------------------------------------------------------


 I can use chown and other commands from solaris command line  to grant
 rights to a user from the trusted domain.  However, in a Windows machine in
 samba domain, when setting file permissions, I can not see the trusted
 domain.


 Any thoughts?


 Thanks


--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba