[Samba] getent passwd does not list trusted users

2011-06-06 Thread Gaiseric Vandal
I am running Samba 3.5.5 on Solaris 10.  This is the latest Sun/Oracle 
provided build.  I have an ldap backend for everything (unix+samba 
accounts, idmapping for domain trusts.)  The Samba server is a PDC for a 
domain we can call SAMBA.  Each samba account is tied to a unix 
account.


I have a one-way domain trust setup with a Windows 2003 domain which we 
can call WIN2003.  SAMBA trusts WIN2003.  getent passwd and getent 
group seem to fundamentally be working (depending on syntax) BUT 
getent passwd does NOT list trusted users.



On the solaris machine:
---
wbinfo -u and wbinfo -g lists all users in this domain + the 
WIN2003 domain.  For the SAMBA users, the domain name is stripped out.


getent passwd - lists all unix users (in ldap or /etc/passwd.)
It does not list the samba users - which is the expected and 
desired behaviour.

I had expected it to list users from the WIN2003 domain.


getent group - lists all unix groups (in ldap or /etc/passwd)
It does not list the SAMBA groups - which is the expected and 
desired behaviour.
It does list WIN2003 groups - which is also the expected and 
desired behaviour.


getent passwd SAMBA\\user - shows uid, gid, home directory, shell
getent passwd WIN2003\\user - shows uid, gid, home directory, shell

getent group SAMBA\\group - shows gid, members
getent group WIN2003\\group - shows gid, members


id SAMBA\\user - shows uid and gid
id WIN2003\\user - shows uid and gid

---


I can use chown and other commands from solaris command line  to grant 
rights to a user from the trusted domain.  However, in a Windows machine 
in samba domain, when setting file permissions, I can not see the 
trusted domain.



Any thoughts?


Thanks


--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba


Re: [Samba] getent passwd does not list trusted users

2011-06-06 Thread timothy mcdaniel
I have been looking at
http://samba.2283325.n4.nabble.com/Trusted-domain-users-unwantedly-mapping-onto-local-domain-users-td3005928.html
and I think that if you add this in your nsswitch.conf like it says in the
website above:
if you already have the passwd: files ldap and group: files ldap in your
nsswitch.conf then just add winbind to the end of the lines of the passwd
and group lines, just like it is shown below. If you need any more help just
email me back, and I will try to help you.

passwd: files ldap winbind
group: files ldap winbind



Re: [Samba] getent passwd does not list trusted users

2011-06-06 Thread Gaiseric Vandal

I do have the entries in /etc/nsswitch.conf

The getent passwd won't list the winbind users although I can get 
details on a specific user with the getent passwd 
SOMEDOMAIN\\someuser command



I looked in the /var/samba/locks directory -

I have a winbindd_cache.tdb file that is current.  I don't have a 
current idmap_cache.tdb file anymore.  Not sure I need one.  I 
initially started with samba 3.0.x, then upgraded to 3.4.x, then to 
3.5.x, and it seems with .X upgrade that the configuration for winbind 
and idmapping changes.



This may be a bug in Solaris itself rather than samba.







Re: [Samba] getent passwd does not list trusted users

2011-06-06 Thread Gaiseric Vandal

This may be related to idmap allocation - tho not sure how.


Initially my PDC was running Samba 3.0.x.  When I did getent passwd 
or getent group samba would create idmap entries for users and groups 
from trusted domains.  There were some other things broken with idmap 
and samba that made it unstable for maintaining a trust with Active 
Directory, thus the move to 3.4 and then to 3.5.


The 3.4 upgrade seems to have broken the automatic allocation.  (This 
could just be a configuration error in my smb.conf)  In my environment, 
that wasn't a huge deal since the number of users and groups in the 
trusted domain is quite small and stable.  I could manually add an 
idmapping with the wbinfo or with an LDAP editor.


This morning, getent group would show the trusted WINDOWS groups.  I 
added another group in the WINDOWS domain to see if Samba would 
automatically create a group mapping (which it didn't) and to make sure 
that it at least showed up with wbinfo -g (which it did - so at least 
I wasn't working just from a cache.)  But then getent group stopped 
listing WINDOWS groups.  (getent group WINDOWS\\thenewgroup did 
work.)  Once I manually created an idmap entry for the new group, 
getent group was able to list all the groups.


So my guess is that samba or winbind chokes up when it finds a winbind 
user or group in a domain for which an idmap entry is missing and can't 
be created.


I tried adding idmap entries for the few users in the WINDOWS domain who 
didn't have idmappings, but getent passwd still doesn't work.





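Added example, not part of the original thread: one way to check the condition guessed at in the message above, namely a winbind user or group that is enumerated but has no idmap entry. It relies on the wbinfo options -u, -g, -n (name to SID), -S (SID to uid) and -Y (SID to gid); `unmapped` and `demo_wbinfo` are hypothetical names, and the stub's account data is constructed.

```sh
#!/bin/sh
# Added example: list winbind users/groups that cannot be mapped to a Unix id.
# WBINFO may point at a stub for offline runs; the default is the real tool.
WBINFO=${WBINFO:-wbinfo}

# Constructed stand-in for wbinfo (sample data, not output from the thread's
# hosts). Implements only -u, -g, -n NAME, -S SID and -Y SID.
demo_wbinfo() {
    case "$1" in
        -u) printf '%s\n' 'alice' 'WIN2003\bob' 'WIN2003\carol' ;;
        -g) printf '%s\n' 'staff' 'WIN2003\newgroup' ;;
        -n) case "$2" in
                alice)              echo 'S-1-5-21-1-1-1-1001 SID_USER (1)' ;;
                'WIN2003\bob')      echo 'S-1-5-21-2-2-2-1101 SID_USER (1)' ;;
                'WIN2003\carol')    echo 'S-1-5-21-2-2-2-1102 SID_USER (1)' ;;
                staff)              echo 'S-1-5-21-1-1-1-2001 SID_DOM_GROUP (2)' ;;
                'WIN2003\newgroup') echo 'S-1-5-21-2-2-2-2101 SID_DOM_GROUP (2)' ;;
                *) return 1 ;;
            esac ;;
        -S) case "$2" in
                S-1-5-21-1-1-1-1001) echo 1001 ;;
                S-1-5-21-2-2-2-1101) echo 20001 ;;
                *) return 1 ;;      # carol: no idmap entry
            esac ;;
        -Y) case "$2" in
                S-1-5-21-1-1-1-2001) echo 2001 ;;
                *) return 1 ;;      # newgroup: no idmap entry
            esac ;;
    esac
}

# unmapped KIND: KIND is "user" or "group". Prints one name per line for
# every account winbind enumerates but cannot translate to a uid/gid.
unmapped() {
    case "$1" in
        user)  list=-u; to_id=-S ;;
        group) list=-g; to_id=-Y ;;
        *) echo "usage: unmapped user|group" >&2; return 2 ;;
    esac
    "$WBINFO" "$list" | while IFS= read -r name; do
        [ -n "$name" ] || continue
        sid=$("$WBINFO" -n "$name" 2>/dev/null | awk '{print $1}')
        if [ -z "$sid" ] || ! "$WBINFO" "$to_id" "$sid" >/dev/null 2>&1; then
            printf '%s\n' "$name"
        fi
    done
}
```

On a real host leave WBINFO unset and run `unmapped user` and `unmapped group`; with WBINFO=demo_wbinfo the same calls run offline against the constructed data.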

Re: [Samba] getent passwd does not list trusted users

2011-06-06 Thread Frank Mori Hess
On Monday, June 06, 2011, Gaiseric Vandal wrote:
 I do have the entries in /etc/nsswitch.conf
 
 The getent passwd won't list the winbind users although I can get
 details on a specific user with the getent passwd
 SOMEDOMAIN\\someuser command

Isn't that the expected behavior using the default smb.conf values of no 
for winbind enum users and winbind enum groups?



Re: [Samba] getent passwd does not list trusted users

2011-06-06 Thread Gaiseric Vandal

my smb.conf includes

winbind use default domain = Yes

winbind enum users = Yes
winbind enum groups = Yes



I did notice that some idmap entries are being created in the 
gencache.tdb file (specifically for LDAP groups that DON'T have a Samba 
SID) - I am guessing that is a symptom that idmap is trying to create 
idmap entries but can't post them to ldap.





