[Samba] SID_TO_UID not working
Hello everyone,

I use winbind against a Samba DC for nsswitch, and on one client it works perfectly (Samba 3.5.15 on all systems). On another client, everything works except SID_TO_UID (i.e. wbinfo -i, -S ... which breaks directory listings, too). I've now tried to narrow down the problem in a level 10 log, but I need some help interpreting.

In log.winbindd, I see the following when running wbinfo -S S-1-5-21-5-55-55-3032 (SID changed):

===
[2012/12/06 17:43:12.841393, 3] winbindd/winbindd_sid_to_uid.c:47(winbindd_sid_to_uid_send)
  sid to uid S-1-5-21-5-55-55-3032
[2012/12/06 17:43:12.841517, 10] lib/gencache.c:334(gencache_get_data_blob)
  Cache entry with key = IDMAP/SID2UID/S-1-5-21-5-55-55-3032 couldn't be found
[2012/12/06 17:43:12.841564, 10] winbindd/winbindd_util.c:843(find_lookup_domain_from_sid)
  find_lookup_domain_from_sid(S-1-5-21-5-55-55-3032)
[2012/12/06 17:43:12.841605, 10] winbindd/winbindd_util.c:853(find_lookup_domain_from_sid)
  calling find_our_domain
[2012/12/06 17:43:12.841679, 10] winbindd/winbindd_cache.c:4805(wcache_fetch_ndr)
  Entry has timed out
[2012/12/06 17:43:12.852143, 5] winbindd/winbindd_sid_to_uid.c:90(winbindd_sid_to_uid_recv)
  Could not convert sid S-1-5-21-5-55-55-3032: NT_STATUS_NONE_MAPPED
[2012/12/06 17:43:12.852201, 10] winbindd/winbindd.c:655(wb_request_done)
  wb_request_done[10630:SID_TO_UID]: NT_STATUS_NONE_MAPPED
===

wbinfo -S then yields:

Could not convert sid S-1-5-21-5-55-55-3032 to uid

Now I'm not sure what "Entry has timed out" means. This occurs even when I do "net cache flush" before. In the meantime, /var/log/samba/log.wb-SGI looks like the request is correctly answered by the server.

The request comes in:

===
[2012/12/06 17:43:12.841812, 10] winbindd/winbindd_dual.c:62(child_read_request)
  Need to read 28 extra bytes
[2012/12/06 17:43:12.841921, 4] winbindd/winbindd_dual.c:1528(fork_domain_child)
  child daemon request 63
[2012/12/06 17:43:12.841956, 10] winbindd/winbindd_dual.c:485(child_process_request)
  child_process_request: request fn NDRCMD
[2012/12/06 17:43:12.841986, 10] winbindd/winbindd_dual_ndr.c:263(winbindd_dual_ndrcmd)
  winbindd_dual_ndrcmd: Running command WBINT_LOOKUPSID (SGI)
[2012/12/06 17:43:12.842034, 1] ../librpc/ndr/ndr.c:251(ndr_print_function_debug)
  wbint_LookupSid: struct wbint_LookupSid
    in: struct wbint_LookupSid
      sid : *
        sid : S-1-5-21-5-55-55-3032
===
...

Then there's a lot of parsing and other noise, until we return with the correct answer:

===
[2012/12/06 17:43:12.850133, 10] rpc_client/cli_lsarpc.c:191(rpccli_lsa_lookup_sids_noalloc)
  LSA_LOOKUPSIDS returned 'NT_STATUS_OK', mapped count = 1'
[2012/12/06 17:43:12.850170, 5] winbindd/winbindd_rpc.c:373(msrpc_sid_to_name)
  Mapped sid to [SGI]\[matare]
[2012/12/06 17:43:12.850205, 10] winbindd/winbindd_cache.c:555(refresh_sequence_number)
  refresh_sequence_number: SGI time ok
[2012/12/06 17:43:12.850234, 10] winbindd/winbindd_cache.c:600(refresh_sequence_number)
  refresh_sequence_number: SGI seq number is now 1354812192
[2012/12/06 17:43:12.850375, 10] winbindd/winbindd_cache.c:969(wcache_save_sid_to_name)
  wcache_save_sid_to_name: S-1-5-21-5-55-55-3032 -> matare (NT_STATUS_OK)
[2012/12/06 17:43:12.850410, 1] ../librpc/ndr/ndr.c:251(ndr_print_function_debug)
  wbint_LookupSid: struct wbint_LookupSid
    out: struct wbint_LookupSid
      type : *
        type : SID_NAME_USER (1)
      domain : *
        domain : *
          domain : 'SGI'
      name : *
        name : *
          name : 'matare'
      result : NT_STATUS_OK
===

Note the times, which show that the mapping is retrieved from the DC by the child process before the parent returns NT_STATUS_NONE_MAPPED. I find this really confusing and frankly, I'm out of ideas where to look.

Please, if you have any idea let me know. Maybe I'm looking entirely in the wrong direction...

Thanks,
Victor

--
To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
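
The timestamp comparison this message describes, as an added example that is not part of the original post: a Python sketch that parses Samba debug-log entries from the parent (log.winbindd) and the domain child (log.wb-SGI) and merges them into one timeline. The function names are chosen here; the sample entries are copied from the excerpts above.

```python
import re
from datetime import datetime

# Header of a Samba debug entry: "[date time, level] file.c:line(function)".
HEADER = re.compile(
    r"\[(\d{4}/\d\d/\d\d \d\d:\d\d:\d\d\.\d+),\s*(\d+)\]\s+(\S+?):(\d+)\((\w+)\)")

def parse_log(text, source):
    """Split flattened or multi-line Samba log text into timestamped entries."""
    entries = []
    matches = list(HEADER.finditer(text))
    for i, m in enumerate(matches):
        # The message body runs from this header to the next header (or EOF).
        end = matches[i + 1].start() if i + 1 < len(matches) else len(text)
        entries.append({
            "time": datetime.strptime(m.group(1), "%Y/%m/%d %H:%M:%S.%f"),
            "level": int(m.group(2)),
            "source": source,
            "function": m.group(5),
            "message": " ".join(text[m.end():end].split()),
        })
    return entries

def timeline(*logs):
    """Merge entries from several log files into one list ordered by time."""
    return sorted((e for log in logs for e in log), key=lambda e: e["time"])

def first_time(entries, source, needle):
    """Time of the first entry from `source` whose message contains `needle`."""
    return next(e["time"] for e in entries
                if e["source"] == source and needle in e["message"])

# Sample input: entries copied from the two excerpts in the message above.
PARENT = """[2012/12/06 17:43:12.841393, 3] winbindd/winbindd_sid_to_uid.c:47(winbindd_sid_to_uid_send)
  sid to uid S-1-5-21-5-55-55-3032
[2012/12/06 17:43:12.852143, 5] winbindd/winbindd_sid_to_uid.c:90(winbindd_sid_to_uid_recv)
  Could not convert sid S-1-5-21-5-55-55-3032: NT_STATUS_NONE_MAPPED"""
CHILD = """[2012/12/06 17:43:12.841986, 10] winbindd/winbindd_dual_ndr.c:263(winbindd_dual_ndrcmd)
  winbindd_dual_ndrcmd: Running command WBINT_LOOKUPSID (SGI)
[2012/12/06 17:43:12.850170, 5] winbindd/winbindd_rpc.c:373(msrpc_sid_to_name)
  Mapped sid to [SGI]\\[matare]"""

merged = timeline(parse_log(PARENT, "log.winbindd"), parse_log(CHILD, "log.wb-SGI"))
mapped = first_time(merged, "log.wb-SGI", "Mapped sid")
failed = first_time(merged, "log.winbindd", "NT_STATUS_NONE_MAPPED")

if __name__ == "__main__":
    for e in merged:
        print(e["time"].time(), e["source"], e["function"], "|", e["message"])
    gap_ms = round((failed - mapped).total_seconds() * 1000, 3)
    print("child mapped the SID", gap_ms, "ms before the parent reported failure")
```

Because the parser keys on the entry header rather than on line breaks, it also handles log text that has been flattened onto one line.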
Re: [Samba] winbind and getent again
On Wednesday, 02.11.2011 13:04:00 Gaiseric Vandal wrote:
> Does it work if you explicitly state a domain user?
> e.g
> getent passwd "TRUSTEDOMAIN\someuser"

Ok, that actually does work. But...

>
> I have the same symptom on my system- I don't think it actually breaks
> anything.

I'm suspecting it breaks rpc.idmapd (NFS4). However NFS4 has always been kind of complex and fragile, so it might in fact have some other cause. Anyways, rpc.idmapd maps all domain groups to nobody, so it must be having some trouble with them.

Can anybody confirm that rpc.idmapd correctly resolves domain groups from nss_winbind when getent group does not work?

>
> On 11/02/2011 12:26 PM, Victor Mataré wrote:
> > Hi everyone,
> >
> > I'm trying to use winbind as nsswitch module on a domain member against
> > a samba PDC, and it used to work fine with samba 3.4. But now after
> > upgrading to 3.5.11, getent group/passwd don't show domain users/groups
> > anymore. However wbinfo -g and wbinfo -u work as expected. Also:
> >
> > # wbinfo -i matare
> > matare:*:50011:5:Victor Mataré:/home/SGI/matare:/bin/false
> > # wbinfo -U 50011
> > S-1-5-21-154097467-3372353439-1977514440-3032
> > # wbinfo -G 5
> > S-1-5-21-154097467-3372353439-1977514440-513
> > # wbinfo -s S-1-5-21-154097467-3372353439-1977514440-3032
> > SGI\matare 1
> > # wbinfo -s S-1-5-21-154097467-3372353439-1977514440-513
> > SGI\Domain Users 2
> >
> > But getent passwd/group shows only local users. My smb.conf on the
> > member looks like this:
> >
> > [global]
> >
> > workgroup = SGI
> > server string = Auerhahn
> > security = domain
> > password server = BUSSARD GIRLITZ
> > log file = /var/log/samba/log.%m
> > log level = 2 winbind:10
> > max log size = 50
> > winbind expand groups = 4
> > winbind nested groups = yes
> > winbind enum groups = yes
> > winbind enum users = yes
> > idmap uid = 5-50
> > idmap gid = 5-50
> > winbind use default domain = yes
> > idmap config SGI:range = 5-50
> >
> > I really don't see the problem the nss_winbind module might be having:
> >
> > # strace -e trace=file getent group
> > execve("/usr/bin/getent", ["getent", "group"], [/* 40 vars */]) = 0
> > access("/etc/ld.so.preload", R_OK) = -1 ENOENT (No such file or
> > directory)
> > open("/etc/ld.so.cache", O_RDONLY) = 3
> > open("/lib64/libc.so.6", O_RDONLY) = 3
> > open("/usr/lib64/locale/locale-archive", O_RDONLY) = 3
> > open("/etc/nsswitch.conf", O_RDONLY)= 3
> > open("/etc/ld.so.cache", O_RDONLY) = 3
> > open("/lib64/libnss_files.so.2", O_RDONLY) = 3
> > open("/etc/group", O_RDONLY|O_CLOEXEC) = 3
> > root:x:0:root
> > bin:x:1:root,bin,daemon
> > [... prints local UNIX groups ...]
> > postgres:x:70:
> > open("/etc/ld.so.cache", O_RDONLY) = 4
> > open("/lib64/libnss_winbind.so.2", O_RDONLY) = 4
> > lstat("/tmp/.winbindd", {st_mode=S_IFDIR|0755, st_size=4096, ...}) = 0
> > lstat("/tmp/.winbindd/pipe", {st_mode=S_IFSOCK|0777, st_size=0, ...}) = 0
> > lstat("/var/cache/samba/winbindd_privileged", {st_mode=S_IFDIR|0750,
> > st_size=4096, ...}) = 0
> > lstat("/var/cache/samba/winbindd_privileged/pipe",
> > {st_mode=S_IFSOCK|0777, st_size=0, ...}) = 0
> >
> > And that's it. I also can't make out any error message in the logs, not
> > even with log level 10. On the PDC and BDC, getent group works
> > perfectly (also both via nss_winbind). Seriously, I'm out of ideas. Any
> > pointer is greatly appreciated.
[Samba] winbind and getent again
Hi everyone,

I'm trying to use winbind as nsswitch module on a domain member against a samba PDC, and it used to work fine with samba 3.4. But now after upgrading to 3.5.11, getent group/passwd don't show domain users/groups anymore. However wbinfo -g and wbinfo -u work as expected. Also:

# wbinfo -i matare
matare:*:50011:50000:Victor Mataré:/home/SGI/matare:/bin/false
# wbinfo -U 50011
S-1-5-21-154097467-3372353439-1977514440-3032
# wbinfo -G 5
S-1-5-21-154097467-3372353439-1977514440-513
# wbinfo -s S-1-5-21-154097467-3372353439-1977514440-3032
SGI\matare 1
# wbinfo -s S-1-5-21-154097467-3372353439-1977514440-513
SGI\Domain Users 2

But getent passwd/group shows only local users. My smb.conf on the member looks like this:

[global]
workgroup = SGI
server string = Auerhahn
security = domain
password server = BUSSARD GIRLITZ
log file = /var/log/samba/log.%m
log level = 2 winbind:10
max log size = 50
winbind expand groups = 4
winbind nested groups = yes
winbind enum groups = yes
winbind enum users = yes
idmap uid = 5-50
idmap gid = 5-50
winbind use default domain = yes
idmap config SGI:range = 5-50

I really don't see the problem the nss_winbind module might be having:

# strace -e trace=file getent group
execve("/usr/bin/getent", ["getent", "group"], [/* 40 vars */]) = 0
access("/etc/ld.so.preload", R_OK) = -1 ENOENT (No such file or directory)
open("/etc/ld.so.cache", O_RDONLY) = 3
open("/lib64/libc.so.6", O_RDONLY) = 3
open("/usr/lib64/locale/locale-archive", O_RDONLY) = 3
open("/etc/nsswitch.conf", O_RDONLY)= 3
open("/etc/ld.so.cache", O_RDONLY) = 3
open("/lib64/libnss_files.so.2", O_RDONLY) = 3
open("/etc/group", O_RDONLY|O_CLOEXEC) = 3
root:x:0:root
bin:x:1:root,bin,daemon
[... prints local UNIX groups ...]
postgres:x:70:
open("/etc/ld.so.cache", O_RDONLY) = 4
open("/lib64/libnss_winbind.so.2", O_RDONLY) = 4
lstat("/tmp/.winbindd", {st_mode=S_IFDIR|0755, st_size=4096, ...}) = 0
lstat("/tmp/.winbindd/pipe", {st_mode=S_IFSOCK|0777, st_size=0, ...}) = 0
lstat("/var/cache/samba/winbindd_privileged", {st_mode=S_IFDIR|0750, st_size=4096, ...}) = 0
lstat("/var/cache/samba/winbindd_privileged/pipe", {st_mode=S_IFSOCK|0777, st_size=0, ...}) = 0

And that's it. I also can't make out any error message in the logs, not even with log level 10. On the PDC and BDC, getent group works perfectly (also both via nss_winbind). Seriously, I'm out of ideas. Any pointer is greatly appreciated.

--
Victor Mataré
Sysadmin
Lehrstuhl für Ingenieur- und Hydrogeologie der RWTH Aachen
Lochnerstraße 4-20
52064 Aachen
Ph: +49-241-8096778
Fx: +49-241-8092280
http://www.lih.rwth-aachen.de
[Samba] ldapsam:editposix and add user script
Hello Everyone,

We run a Samba 3.0 PDC and got all account information in LDAP. No idealx scripts, as we let samba do all the work of creating unix accounts in LDAP. Now until recently, the "add user script" parameter worked as expected, simply calling that script when I did a "net rpc user add". Now it won't do that anymore, unless it finds that there's no unix account for a legitimate SMB user upon session setup (according to manpage). This condition however, is negated by ldapsam:editposix = yes.

As I understood it, the "add user script" was a general purpose option to do anything that needs to be done upon user addition in samba. The new behaviour just limits flexibility. Any idea how one could implement a custom script that's run when a user is created?

thanks,
Victor