Re: [Samba] getent group by name fails
On Fri, 2013-10-11 at 14:06 -0400, Lee Allen wrote:
> Steve thank you for pointing that out. I made those changes and it does not affect the results.
>
> 'getent group UID' works
> 'getent group groupname' does not work, for the same group
>
> On Fri, Oct 11, 2013 at 12:25 PM, steve st...@steve-ss.com wrote:
>> Quite a bit missing here. Try:
>>
>> idmap config * : backend = tdb
>> idmap config * : range = 9800-9900
>> idmap config ALLENLAN : default = yes
>> idmap config ALLENLAN : schema mode = rfc2307
>> idmap config ALLENLAN : backend = ad
>> idmap config ALLENLAN : range = 1-100
>>
>> HTH
>> Steve

I don't think it works with winbind. If you really need it, the best way is to use sssd or nslcd. Is it important that it works for you? A script maybe?

Steve

--
To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
Re: [Samba] getent group by name fails
On Fri, Oct 11, 2013 at 10:16:48AM -0400, Lee Allen wrote:
> Samba 3.6.17 joined to Samba 4.2.0 AD domain, using winbind
>
> 'wbinfo -g' and 'getent group' successfully list all groups.
>
> 'getent group 10006' returns:
> domain users:x:10006:
>
> 'getent group domain users' fails with return code 2
>
> partial log.winbind after above command:
>
> [2013/10/11 10:01:31.288199, 3] winbindd/winbindd_misc.c:384(winbindd_interface_version)
>   [31911]: request interface version
> [2013/10/11 10:01:31.288288, 3] winbindd/winbindd_misc.c:417(winbindd_priv_pipe_dir)
>   [31911]: request location of privileged pipe
> [2013/10/11 10:01:31.288421, 3] winbindd/winbindd_getgrnam.c:56(winbindd_getgrnam_send)
>   getgrnam domain users
> [2013/10/11 10:01:31.288520, 3] winbindd/winbindd_msrpc.c:252(msrpc_name_to_sid)
>   msrpc_name_to_sid: name=DOMAIN\USERS
> [2013/10/11 10:01:31.288547, 3] winbindd/winbindd_msrpc.c:266(msrpc_name_to_sid)
>   name_to_sid [rpc] DOMAIN\USERS for domain DOMAIN
>
> if I specify the domain name, ie: 'getent group ALLENLAN\\domain users' it still fails...
>
> [2013/10/11 10:02:18.280728, 3] winbindd/winbindd_misc.c:384(winbindd_interface_version)
>   [31925]: request interface version
> [2013/10/11 10:02:18.280823, 3] winbindd/winbindd_misc.c:417(winbindd_priv_pipe_dir)
>   [31925]: request location of privileged pipe
> [2013/10/11 10:02:18.280940, 3] winbindd/winbindd_getgrnam.c:56(winbindd_getgrnam_send)
>   getgrnam ALLENLAN\domain users
> [2013/10/11 10:02:18.281033, 3] winbindd/winbindd_msrpc.c:252(msrpc_name_to_sid)
>   msrpc_name_to_sid: name=ALLENLAN\DOMAIN\USERS
> [2013/10/11 10:02:18.281060, 3] winbindd/winbindd_msrpc.c:266(msrpc_name_to_sid)
>   name_to_sid [rpc] ALLENLAN\DOMAIN\USERS for domain ALLENLAN\DOMAIN
>
> Note the missing space in DOMAIN\USERS in the logs. I don't know whether this is relevant.
>
> 'getent passwd' does not have any such problems - it can query by UID or username
>
> smb.conf:
>
> [global]
> workgroup = ALLENLAN
> realm = allenlan.net
> password server = 192.168.0.13
> preferred master = no
> server string = zone-samba3
> security = ads
> encrypt passwords = yes
> log level = 3
> log file = /var/log/samba/%m
> max log size = 50
> printcap name = cups
> printing = cups
> winbind enum users = yes
> winbind enum groups = yes
> winbind use default domain = yes

Please try without winbind use default domain = yes

> winbind nested groups = yes
> winbind separator = \

Just a wild guess: Can you try removing this line? \ is default.

If that does not help, please send us full debug level 10 logs of that command together with the output of

strace -ttT -s 1000 -o /tmp/getent.out getent group domain users

Regards,

Volker

--
SerNet GmbH, Bahnhofsallee 1b, 37081 Göttingen
phone: +49-551-37-0, fax: +49-551-37-9
AG Göttingen, HRB 2816, GF: Dr. Johannes Loxen
http://www.sernet.de, mailto:kont...@sernet.de

* visit us on it-sa:IT security exhibitions in Nürnberg, Germany
  October 8th - 10th 2013, hall 12, booth 333
  free tickets available via code 270691 on: www.it-sa.de/gutschein **
Re: [Samba] getent group by name fails
On Fri, 2013-10-11 at 10:16 -0400, Lee Allen wrote:
> Samba 3.6.17 joined to Samba 4.2.0 AD domain, using winbind
>
> 'wbinfo -g' and 'getent group' successfully list all groups.
>
> 'getent group 10006' returns:
> domain users:x:10006:
>
> 'getent group domain users' fails with return code 2
>
> partial log.winbind after above command:
>
> [2013/10/11 10:01:31.288199, 3] winbindd/winbindd_misc.c:384(winbindd_interface_version)
>   [31911]: request interface version
> [2013/10/11 10:01:31.288288, 3] winbindd/winbindd_misc.c:417(winbindd_priv_pipe_dir)
>   [31911]: request location of privileged pipe
> [2013/10/11 10:01:31.288421, 3] winbindd/winbindd_getgrnam.c:56(winbindd_getgrnam_send)
>   getgrnam domain users
> [2013/10/11 10:01:31.288520, 3] winbindd/winbindd_msrpc.c:252(msrpc_name_to_sid)
>   msrpc_name_to_sid: name=DOMAIN\USERS
> [2013/10/11 10:01:31.288547, 3] winbindd/winbindd_msrpc.c:266(msrpc_name_to_sid)
>   name_to_sid [rpc] DOMAIN\USERS for domain DOMAIN
>
> if I specify the domain name, ie: 'getent group ALLENLAN\\domain users' it still fails...
>
> [2013/10/11 10:02:18.280728, 3] winbindd/winbindd_misc.c:384(winbindd_interface_version)
>   [31925]: request interface version
> [2013/10/11 10:02:18.280823, 3] winbindd/winbindd_misc.c:417(winbindd_priv_pipe_dir)
>   [31925]: request location of privileged pipe
> [2013/10/11 10:02:18.280940, 3] winbindd/winbindd_getgrnam.c:56(winbindd_getgrnam_send)
>   getgrnam ALLENLAN\domain users
> [2013/10/11 10:02:18.281033, 3] winbindd/winbindd_msrpc.c:252(msrpc_name_to_sid)
>   msrpc_name_to_sid: name=ALLENLAN\DOMAIN\USERS
> [2013/10/11 10:02:18.281060, 3] winbindd/winbindd_msrpc.c:266(msrpc_name_to_sid)
>   name_to_sid [rpc] ALLENLAN\DOMAIN\USERS for domain ALLENLAN\DOMAIN
>
> Note the missing space in DOMAIN\USERS in the logs. I don't know whether this is relevant.
>
> 'getent passwd' does not have any such problems - it can query by UID or username
>
> smb.conf:
>
> [global]
> workgroup = ALLENLAN
> realm = allenlan.net
> password server = 192.168.0.13
> preferred master = no
> server string = zone-samba3
> security = ads
> encrypt passwords = yes
> log level = 3
> log file = /var/log/samba/%m
> max log size = 50
> printcap name = cups
> printing = cups
> winbind enum users = yes
> winbind enum groups = yes
> winbind use default domain = yes
> winbind nested groups = yes
> winbind separator = \
> idmap config * : backend = ad
> idmap config * : range = 1-10

Quite a bit missing here. Try:

idmap config * : backend = tdb
idmap config * : range = 9800-9900
idmap config ALLENLAN : default = yes
idmap config ALLENLAN : schema mode = rfc2307
idmap config ALLENLAN : backend = ad
idmap config ALLENLAN : range = 1-100

HTH
Steve
Re: [Samba] getent group by name fails
Steve thank you for pointing that out. I made those changes and it does not affect the results.

'getent group UID' works
'getent group groupname' does not work, for the same group

On Fri, Oct 11, 2013 at 12:25 PM, steve st...@steve-ss.com wrote:
> Quite a bit missing here. Try:
>
> idmap config * : backend = tdb
> idmap config * : range = 9800-9900
> idmap config ALLENLAN : default = yes
> idmap config ALLENLAN : schema mode = rfc2307
> idmap config ALLENLAN : backend = ad
> idmap config ALLENLAN : range = 1-100
>
> HTH
> Steve

--
*Lee Allen*
email: l...@leecallen.com
bus: (404) 698-1801
home: (716) 773-2326
cell: (716) 880-0854
fax: (716) 408-8844
Re: [Samba] getent group by name fails
On 11/10/13 19:06, Lee Allen wrote:
> Steve thank you for pointing that out. I made those changes and it does not affect the results.
>
> 'getent group UID' works
> 'getent group groupname' does not work, for the same group
>
> On Fri, Oct 11, 2013 at 12:25 PM, steve st...@steve-ss.com wrote:
>> Quite a bit missing here. Try:
>>
>> idmap config * : backend = tdb
>> idmap config * : range = 9800-9900
>> idmap config ALLENLAN : default = yes
>> idmap config ALLENLAN : schema mode = rfc2307
>> idmap config ALLENLAN : backend = ad
>> idmap config ALLENLAN : range = 1-100
>>
>> HTH
>> Steve

Hi, have you tried 'getent group Domain\ Users' ?

Mind you if all else fails, ditch winbind and use sssd

getent group
root:x:0:
.
Domain Admins:*:27:
Domain Guests:*:65534:
Domain Users:*:100:
linuxusers:*:1:

getent group 100
users:x:100:

getent group users
users:x:100:

getent group Domain\ Users
Domain Users:*:100:

getent group Domain Users
Domain Users:*:100:

getent group domain users

The last one is the only one that failed

Rowland
Re: [Samba] getent group by name fails
Those don't work for me:

getent group domain users
getent group Domain Users
getent group Domain\ Users

all fail, returning 2

I will look into sssd

On Fri, Oct 11, 2013 at 2:36 PM, Rowland Penny rowlandpe...@googlemail.com wrote:
> On 11/10/13 19:06, Lee Allen wrote:
>> Steve thank you for pointing that out. I made those changes and it does not affect the results.
>>
>> 'getent group UID' works
>> 'getent group groupname' does not work, for the same group
>>
>> On Fri, Oct 11, 2013 at 12:25 PM, steve st...@steve-ss.com wrote:
>>> Quite a bit missing here. Try:
>>>
>>> idmap config * : backend = tdb
>>> idmap config * : range = 9800-9900
>>> idmap config ALLENLAN : default = yes
>>> idmap config ALLENLAN : schema mode = rfc2307
>>> idmap config ALLENLAN : backend = ad
>>> idmap config ALLENLAN : range = 1-100
>>>
>>> HTH
>>> Steve
>
> Hi, have you tried 'getent group Domain\ Users' ?
>
> Mind you if all else fails, ditch winbind and use sssd
>
> getent group
> root:x:0:
> .
> Domain Admins:*:27:
> Domain Guests:*:65534:
> Domain Users:*:100:
> linuxusers:*:1:
>
> getent group 100
> users:x:100:
>
> getent group users
> users:x:100:
>
> getent group Domain\ Users
> Domain Users:*:100:
>
> getent group Domain Users
> Domain Users:*:100:
>
> getent group domain users
>
> The last one is the only one that failed
>
> Rowland

--
*Lee Allen*
email: l...@leecallen.com
bus: (404) 698-1801
home: (716) 773-2326
cell: (716) 880-0854
fax: (716) 408-8844
Re: [Samba] getent group and net ads user info differs
Hai,

maybe I'm wrong, but..

net ads user info lisanyurimicolta
Domain Users
TerminalServer
politicas3
SIIF
Comercial

Comercial...
getent group comercial

Capital C ?
so 2 different groups is what you're talking about.

Greetz,

Louis

-----Original Message-----
From: c...@asualcance.com [mailto:samba-boun...@lists.samba.org] On Behalf Of Cristian Saavedra
Sent: Thursday, 4 April 2013 16:45
To: samba@lists.samba.org
Subject: [Samba] getent group and net ads user info differs

Hello

I have a samba 4.0.3 pdc and a samba 3.5.10 as a fileserver and I am having an issue that I like to share with you.

I have a share on the samba 3 setup like this

[Comercial]
browsable = Yes
comment = Comercial
path = /shares2/Comercial
valid users = @Ingenieria, @Mercadeo, @Comercial, @SIIF, @Costos, administrador, backup
write list = @Comercial, @Mercadeo, @Ingenieria, administrador, claudiavillegas, manuelaparicio
read list = @Comercial, @SIIF, ,@Almacen, @Costos, @Uruguay, @Ingenieria, backup
force create mode = 666
force directory mode = 777
veto files = /*.exe/*.com/*.dll/*.mp3/*.bat/

As you can see the Comercial group is authorized to read and write, so I have this user lisanyurimicolta, she is on the Comercial group:

[root@srvfs audit]# net ads user info lisanyurimicolta
Domain Users
TerminalServer
politicas3
SIIF
Comercial
[root@srvfs audit]#

srvfs is my samba 3.x server, but then she can't write on the share, so I'm executing a getent group to validate that she is on that group for the winbind, but I get this

[root@srvfs audit]# getent group comercial
comercial:*:16777233:claralibreros,christiancano,danilocampo,anabedoya,guillerminagarcia,humbertocardona,marthamurillo,pruebas,yoancanabal,andreasaa,adrianazapata,jhonrealpe,maryamgamboa,jassonaperador,adolfotrullo,christhianjimenez,mariaguerrero,mariomunera,mauricioperdomo,melbaorejuela,paolagomez,richardordonez,ginagarces,juanagudelo,adrianalopez,andrespossu,dianaolano,yulymejia,edwinyepes,jenniferbazantes,ronaldduque,maribelgomez,linabanol,lauramulcue,johncastillo,luzgallego,giovannysotomayor,andresgutierrez,arlexcardona,jonathangaviria,victorianavia,andrescampino

Why is this happening? any suggestions?

Thanks for your help.
Re: [Samba] getent group and net ads user info differs
Hello Kevin

The group is on the samba AD and I don't have nis installed on this server, the nsswitch.conf is this.

passwd: files winbind
shadow: files winbind
group: files winbind

My OS is Centos 6.3

On 4/04/2013, at 10:42, Shaw, Kevin kevin.s...@xerox.com wrote:
> Cristian,
>
> The group commercial is in /etc/group or NIS group?
>
> cat /etc/group | grep lisanyurimicolta
> ypcat -k group | grep lisanyurimicolta
>
> If group is configured correctly I would look at /etc/nsswitch.conf. I don't know what OS you are running, this is where name switching is configured in Solaris.
>
> HTH,
> -Kevin
>
> -----Original Message-----
> From: samba-boun...@lists.samba.org [mailto:samba-boun...@lists.samba.org] On Behalf Of Cristian Saavedra
> Sent: Thursday, April 04, 2013 7:45 AM
> To: samba@lists.samba.org
> Subject: [Samba] getent group and net ads user info differs
>
> Hello
>
> I have a samba 4.0.3 pdc and a samba 3.5.10 as a fileserver and I am having an issue that I like to share with you.
>
> I have a share on the samba 3 setup like this
>
> [Comercial]
> browsable = Yes
> comment = Comercial
> path = /shares2/Comercial
> valid users = @Ingenieria, @Mercadeo, @Comercial, @SIIF, @Costos, administrador, backup
> write list = @Comercial, @Mercadeo, @Ingenieria, administrador, claudiavillegas, manuelaparicio
> read list = @Comercial, @SIIF, ,@Almacen, @Costos, @Uruguay, @Ingenieria, backup
> force create mode = 666
> force directory mode = 777
> veto files = /*.exe/*.com/*.dll/*.mp3/*.bat/
>
> As you can see the Comercial group is authorized to read and write, so I have this user lisanyurimicolta, she is on the Comercial group:
>
> [root@srvfs audit]# net ads user info lisanyurimicolta
> Domain Users
> TerminalServer
> politicas3
> SIIF
> Comercial
> [root@srvfs audit]#
>
> srvfs is my samba 3.x server, but then she can't write on the share, so I'm executing a getent group to validate that she is on that group for the winbind, but I get this
>
> [root@srvfs audit]# getent group comercial
> comercial:*:16777233:claralibreros,christiancano,danilocampo,anabedoya,guillerminagarcia,humbertocardona,marthamurillo,pruebas,yoancanabal,andreasaa,adrianazapata,jhonrealpe,maryamgamboa,jassonaperador,adolfotrullo,christhianjimenez,mariaguerrero,mariomunera,mauricioperdomo,melbaorejuela,paolagomez,richardordonez,ginagarces,juanagudelo,adrianalopez,andrespossu,dianaolano,yulymejia,edwinyepes,jenniferbazantes,ronaldduque,maribelgomez,linabanol,lauramulcue,johncastillo,luzgallego,giovannysotomayor,andresgutierrez,arlexcardona,jonathangaviria,victorianavia,andrescampino
>
> Why is this happening? any suggestions?
>
> Thanks for your help.
Re: [Samba] getent group and net ads user info differs
Fixed!

[root@dominio Policies]# samba-tool dbcheck
Checking 1394 objects
ERROR: orphaned backlink attribute 'memberOf' in CN=lisanyurimicolta,CN=Users,DC=forsa,DC=com,DC=co for link member in CN=SIIF,CN=Users,DC=forsa,DC=com,DC=co
Not removing orphaned backlink member
ERROR: orphaned backlink attribute 'memberOf' in CN=lisanyurimicolta,CN=Users,DC=forsa,DC=com,DC=co for link member in CN=Comercial,CN=Users,DC=forsa,DC=com,DC=co
Not removing orphaned backlink member
ERROR: incorrect DN string component for member in object CN=SIIF,CN=Users,DC=forsa,DC=com,DC=co - GUID=7ba58aea-6479-41a6-9e7c-cf69e62aad35;CN=lisanyurimicolta,CN=Users,DC=forsa,DC=com,DC=co
Not fixing incorrect string version of DN
ERROR: incorrect DN string component for member in object CN=Comercial,CN=Users,DC=forsa,DC=com,DC=co - GUID=7ba58aea-6479-41a6-9e7c-cf69e62aad35;CN=lisanyurimicolta,CN=Users,DC=forsa,DC=com,DC=co
Not fixing incorrect string version of DN
Please use --fix to fix these errors
Checked 1394 objects (4 errors)

So I re-ran the process with --fix and now I can see the user.

On 4/04/2013, at 12:24, Cristian Saavedra c...@asualcance.com wrote:
> Hello Kevin
>
> The group is on the samba AD and I don't have nis installed on this server, the nsswitch.conf is this.
>
> passwd: files winbind
> shadow: files winbind
> group: files winbind
>
> My OS is Centos 6.3
>
> On 4/04/2013, at 10:42, Shaw, Kevin kevin.s...@xerox.com wrote:
>> Cristian,
>>
>> The group commercial is in /etc/group or NIS group?
>>
>> cat /etc/group | grep lisanyurimicolta
>> ypcat -k group | grep lisanyurimicolta
>>
>> If group is configured correctly I would look at /etc/nsswitch.conf. I don't know what OS you are running, this is where name switching is configured in Solaris.
>>
>> HTH,
>> -Kevin
>>
>> -----Original Message-----
>> From: samba-boun...@lists.samba.org [mailto:samba-boun...@lists.samba.org] On Behalf Of Cristian Saavedra
>> Sent: Thursday, April 04, 2013 7:45 AM
>> To: samba@lists.samba.org
>> Subject: [Samba] getent group and net ads user info differs
>>
>> Hello
>>
>> I have a samba 4.0.3 pdc and a samba 3.5.10 as a fileserver and I am having an issue that I like to share with you.
>>
>> I have a share on the samba 3 setup like this
>>
>> [Comercial]
>> browsable = Yes
>> comment = Comercial
>> path = /shares2/Comercial
>> valid users = @Ingenieria, @Mercadeo, @Comercial, @SIIF, @Costos, administrador, backup
>> write list = @Comercial, @Mercadeo, @Ingenieria, administrador, claudiavillegas, manuelaparicio
>> read list = @Comercial, @SIIF, ,@Almacen, @Costos, @Uruguay, @Ingenieria, backup
>> force create mode = 666
>> force directory mode = 777
>> veto files = /*.exe/*.com/*.dll/*.mp3/*.bat/
>>
>> As you can see the Comercial group is authorized to read and write, so I have this user lisanyurimicolta, she is on the Comercial group:
>>
>> [root@srvfs audit]# net ads user info lisanyurimicolta
>> Domain Users
>> TerminalServer
>> politicas3
>> SIIF
>> Comercial
>> [root@srvfs audit]#
>>
>> srvfs is my samba 3.x server, but then she can't write on the share, so I'm executing a getent group to validate that she is on that group for the winbind, but I get this
>>
>> [root@srvfs audit]# getent group comercial
>> comercial:*:16777233:claralibreros,christiancano,danilocampo,anabedoya,guillerminagarcia,humbertocardona,marthamurillo,pruebas,yoancanabal,andreasaa,adrianazapata,jhonrealpe,maryamgamboa,jassonaperador,adolfotrullo,christhianjimenez,mariaguerrero,mariomunera,mauricioperdomo,melbaorejuela,paolagomez,richardordonez,ginagarces,juanagudelo,adrianalopez,andrespossu,dianaolano,yulymejia,edwinyepes,jenniferbazantes,ronaldduque,maribelgomez,linabanol,lauramulcue,johncastillo,luzgallego,giovannysotomayor,andresgutierrez,arlexcardona,jonathangaviria,victorianavia,andrescampino
>>
>> Why is this happening? any suggestions?
>>
>> Thanks for your help.
Re: [Samba] getent group return only local users
Yes I did. It was an idmap problem ...

The command works with the following lines in smb.conf :

idmap *:backend = tdb
idmap *:range = 70001-8
idmap config SC:backend = ad
idmap config SC:schema_mode = rfc2307
idmap config SC:range = 500-4
winbind nss info = rfc2307
winbind trusted domains only = no
winbind use default domain = yes
winbind enum users = yes
winbind enum groups = yes

I've suppressed config in the first two lines ... But an explanation would be welcome.

Thanks

On 20/02/2013 18:20, Ricky Nance wrote:
> Did you make the appropriate symlinks for winbind.so ? I use Ubuntu and mine look like the following:
>
> root@server:/lib/x86_64-linux-gnu# ls -alh | grep winbind
> lrwxrwxrwx 1 root root 40 Nov 23 14:45 libnss_winbind.so -> /usr/local/samba/lib/libnss_winbind.so.2
> lrwxrwxrwx 1 root root 40 Nov 23 14:45 libnss_winbind.so.2 -> /usr/local/samba/lib/libnss_winbind.so.2
>
> However your distribution may store them in a different location, so first you need to find out where your other libnss files are at, and then cd to that directory (in my example, cd /lib/x86_64-linux-gnu ) and then do a
>
> ln -s /usr/local/samba/lib/libnss_winbind.so.2 ./
> ln -s /usr/local/samba/lib/libnss_winbind.so.2 ./libnss_winbind.so
>
> (that is a lower case LN not IN)
>
> Ricky
>
> On Wed, Feb 20, 2013 at 8:24 AM, Hervé Hénoch h.hen...@isc84.org wrote:
>> Hello
>>
>> I use S4 file server with nsswitch.conf (ad server is another Linux with S4) :
>>
>> passwd: compat winbind
>> group: compat winbind
>>
>> I wonder how it can be possible that :
>>
>> * getent passwd is ok
>> * but getent group returns only local users (wbinfo -g is ok and gives domain user)
>>
>> Any idea ?
>>
>> Regards
>>
>> --
>> Hervé Hénoch
>> IT Manager
>> Institut Sainte Catherine
>> 250 chemin de Baigne-Pieds
>> CS 80005 --- 84918 AVIGNON cedex 9
>> Telephone: 04.90.27.57.44

--
Hervé Hénoch
IT Manager
Institut Sainte Catherine
250 chemin de Baigne-Pieds
CS 80005 --- 84918 AVIGNON cedex 9
Telephone: 04.90.27.57.44
Re: [Samba] getent group return only local users
Did you make the appropriate symlinks for winbind.so ? I use Ubuntu and mine look like the following:

root@server:/lib/x86_64-linux-gnu# ls -alh | grep winbind
lrwxrwxrwx 1 root root 40 Nov 23 14:45 libnss_winbind.so -> /usr/local/samba/lib/libnss_winbind.so.2
lrwxrwxrwx 1 root root 40 Nov 23 14:45 libnss_winbind.so.2 -> /usr/local/samba/lib/libnss_winbind.so.2

However your distribution may store them in a different location, so first you need to find out where your other libnss files are at, and then cd to that directory (in my example, cd /lib/x86_64-linux-gnu ) and then do a

ln -s /usr/local/samba/lib/libnss_winbind.so.2 ./
ln -s /usr/local/samba/lib/libnss_winbind.so.2 ./libnss_winbind.so

(that is a lower case LN not IN)

Ricky

On Wed, Feb 20, 2013 at 8:24 AM, Hervé Hénoch h.hen...@isc84.org wrote:
> Hello
>
> I use S4 file server with nsswitch.conf (ad server is another Linux with S4) :
>
> passwd: compat winbind
> group: compat winbind
>
> I wonder how it can be possible that :
>
> * getent passwd is ok
> * but getent group returns only local users (wbinfo -g is ok and gives domain user)
>
> Any idea ?
>
> Regards
>
> --
> Hervé Hénoch
> IT Manager
> Institut Sainte Catherine
> 250 chemin de Baigne-Pieds
> CS 80005 --- 84918 AVIGNON cedex 9
> Telephone: 04.90.27.57.44
Re: [Samba] getent passwd doesn`t work with samba 4
[global]
dos charset = CP866
workgroup = ANON
realm = anon.srv
netbios name = SAMBA
interfaces = eth1
server role = active directory domain controller
map to guest = Never
guest account = nobody
guest ok = No
server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbind, ntp_signd, kcc, dnsupdate
idmap_ldb:use rfc2307 = yes
dcerpc endpoint servers = +winreg +srvsvc
wins support = yes
wins proxy = yes
template shell = /bin/bash
winbind enum users = yes
winbind enum groups = yes
winbind use default domain = yes
winbind expand groups = 4
winbind nss info = rfc2307
winbind refresh tickets = Yes
winbind offline logon = yes
winbind normalize names = Yes
idmap config HOME:schema_mode = rfc2307
idmap config HOME:range = 2-310
idmap config HOME:backend = ad
idmap config *:range = 1100-2000
idmap config *:backend = tdb

[netlogon]
path = /usr/local/var/lib/samba/sysvol/reu.tld/scripts
read only = No

[sysvol]
path = /usr/local/var/lib/samba/sysvol
read only = No

--
View this message in context: http://samba.2283325.n4.nabble.com/getent-passwd-doesn-t-work-with-samba-4-tp4642886p4642887.html
Sent from the Samba - General mailing list archive at Nabble.com.
Re: [Samba] getent group not working
On 08/08/12 11:59, steve wrote:
> Hi
> Ubuntu 12.04 LTS client with 3.6.3 joined to the Samba4 AD domain.
>
> smb.conf
> winbind enum users = Yes
> winbind enum groups = Yes
> idmap config *:backend=tdb
> idmap config *:range=1-1
> idmap config ALTEA:backend=ad
> idmap config ALTEA:range=2-4000
>
> getent passwd and wbinfo -u returns all AD users correctly
> wbinfo -g returns all AD groups correctly
>
> getent group fails. Only local groups are returned.
>
> getent group works OK on the Samba4 DC.
>
> I have disabled firewalls at both ends and torn down apparmor at both ends.
>
> Any ideas anyone?
> Cheers,
> Steve

Hi, I am also getting this on Xubuntu 12.04 against a Samba 4 domain, but 'getent group linuxusers' does return the following info,

linuxusers:x:312:

and you can create dirs and files and chgrp them to the domain group.

My smb.conf

idmap config * : backend = tdb
idmap config * : range = 1100-2000
idmap config HOME : backend = ad
idmap config HOME : range = 300-310
idmap config HOME : schema_mode = rfc2307

I do not understand why 'getent group' only returns local groups when 'getent group linuxusers' does return the info.

Rowland

--
This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean.
Re: [Samba] getent group not working
On 08/08/12 12:38, Rowland Penny wrote:
> On 08/08/12 11:59, steve wrote:
>> Hi
>> Ubuntu 12.04 LTS client with 3.6.3 joined to the Samba4 AD domain.
>>
>> smb.conf
>> winbind enum users = Yes
>> winbind enum groups = Yes
>> idmap config *:backend=tdb
>> idmap config *:range=1-1
>> idmap config ALTEA:backend=ad
>> idmap config ALTEA:range=2-4000
>>
>> getent passwd and wbinfo -u returns all AD users correctly
>> wbinfo -g returns all AD groups correctly
>>
>> getent group fails. Only local groups are returned.
>>
>> getent group works OK on the Samba4 DC.
>>
>> I have disabled firewalls at both ends and torn down apparmor at both ends.
>>
>> Any ideas anyone?
>> Cheers,
>> Steve
>
> Hi, I am also getting this on Xubuntu 12.04 against a Samba 4 domain, but 'getent group linuxusers' does return the following info,
>
> linuxusers:x:312:
>
> and you can create dirs and files and chgrp them to the domain group.
>
> My smb.conf
>
> idmap config * : backend = tdb
> idmap config * : range = 1100-2000
> idmap config HOME : backend = ad
> idmap config HOME : range = 300-310
> idmap config HOME : schema_mode = rfc2307
>
> I do not understand why 'getent group' only returns local groups when 'getent group linuxusers' does return the info.
>
> Rowland

More info, with 'winbind use default domain = yes' in smb.conf on the client, 'getent group linuxusers' returns the info. Remove 'winbind use default domain = yes' from smb.conf and restart nmbd, smbd, winbind, 'getent group linuxusers' now returns nothing, put the line back, restart the daemons and the info comes back.

Why does one line in smb.conf make such a big difference?

Rowland
Re: [Samba] getent group not working
On 08/08/12 13:36, Rowland Penny wrote:
> [SNIP]
>
> More info, with 'winbind use default domain = yes' in smb.conf on the client, 'getent group linuxusers' returns the info. Remove 'winbind use default domain = yes' from smb.conf and restart nmbd, smbd, winbind, 'getent group linuxusers' now returns nothing, put the line back, restart the daemons and the info comes back.
>
> Why does one line in smb.conf make such a big difference?

Remove it and do a 'getent group HOME\\linuxusers' and see if that works. Should explain why you need the user default domain in there.

JAB.

--
Jonathan A. Buzzard Email: jonathan (at) buzzard.me.uk
Fife, United Kingdom.
Re: [Samba] getent group not working
On 08/08/12 14:45, Jonathan Buzzard wrote:
> On 08/08/12 13:36, Rowland Penny wrote:
>> [SNIP]
>>
>> More info, with 'winbind use default domain = yes' in smb.conf on the client, 'getent group linuxusers' returns the info. Remove 'winbind use default domain = yes' from smb.conf and restart nmbd, smbd, winbind, 'getent group linuxusers' now returns nothing, put the line back, restart the daemons and the info comes back.
>>
>> Why does one line in smb.conf make such a big difference?
>
> Remove it and do a 'getent group HOME\\linuxusers' and see if that works. Should explain why you need the user default domain in there.
>
> JAB.

ok, I removed the line and ran 'getent group HOME\\linuxusers'

This returned 'HOME\linuxusers:x:312:', this is just the same as before but with the domain name stuck on the front, 'getent group' still returns nothing.

So as I see it, with 'winbind use default domain = yes' in smb.conf, you do not need to give the domain name, but without it you do. I still do not see why 'getent group' does not return anything but local groups.

Rowland
Re: [Samba] getent group not working
On 08/08/12 16:13, Rowland Penny wrote:
> On 08/08/12 14:45, Jonathan Buzzard wrote:
>> On 08/08/12 13:36, Rowland Penny wrote:
>>> [SNIP]
>>
>> Remove it and do a 'getent group HOME\\linuxusers' and see if that works. Should explain why you need the user default domain in there.
>>
>> JAB.
>
> ok, I removed the line and ran 'getent group HOME\\linuxusers'
>
> This returned 'HOME\linuxusers:x:312:', this is just the same as before but with the domain name stuck on the front, 'getent group' still returns nothing.
>
> So as I see it, with 'winbind use default domain = yes' in smb.conf, you do not need to give the domain name, but without it you do. I still do not see why 'getent group' does not return anything but local groups.
>
> Rowland

OK
getent passwd works as does wbinfo -u/-g
getent passwd doesn't

My workgroup is ALTEA

I create a group staff2 with posixGroup and gidNumber of 21114

This works:

getent group ALTEA\\staff2
ALTEA\staff2:x:21114:

Back on the Samba4 DC at debug 3 the getent group command gives around 50 of these:

ldb: ldb: dnAttributes extended match not supported yet

getent group (without specifying a WORKGROUP\\group) returns only local groups.

Unfortunately the question remains the same. Why does getent group return only local users?

Is this just Ubuntu 12.04 with Samba 3.6.3? Can anyone confirm that it works on other distros?

Cheers,
Steve
Re: [Samba] getent group not working
On 08/08/12 15:13, Rowland Penny wrote:
> On 08/08/12 14:45, Jonathan Buzzard wrote:
>> On 08/08/12 13:36, Rowland Penny wrote:
>>> [SNIP]
>>>
>>> More info, with 'winbind use default domain = yes' in smb.conf on the client, 'getent group linuxusers' returns the info. Remove 'winbind use default domain = yes' from smb.conf and restart nmbd, smbd, winbind, 'getent group linuxusers' now returns nothing, put the line back, restart the daemons and the info comes back.
>>>
>>> Why does one line in smb.conf make such a big difference?
>>
>> Remove it and do a 'getent group HOME\\linuxusers' and see if that works. Should explain why you need the user default domain in there.
>>
>> JAB.
>
> ok, I removed the line and ran 'getent group HOME\\linuxusers'
>
> This returned 'HOME\linuxusers:x:312:', this is just the same as before but with the domain name stuck on the front, 'getent group' still returns nothing.
>
> So as I see it, with 'winbind use default domain = yes' in smb.conf, you do not need to give the domain name, but without it you do. I still do not see why 'getent group' does not return anything but local groups.

You did make sure to nuke any DB's that Samba might have created locally when switching between the two?

JAB.

--
Jonathan A. Buzzard Email: jonathan (at) buzzard.me.uk
Fife, United Kingdom.
Re: [Samba] getent group not working
On 08/08/12 16:58, Jonathan Buzzard wrote: On 08/08/12 15:13, Rowland Penny wrote: On 08/08/12 14:45, Jonathan Buzzard wrote: On 08/08/12 13:36, Rowland Penny wrote: [SNIP] More info, with 'winbind use default domain = yes' in smb.conf on the client, 'getent group linuxusers' returns the info. Remove 'winbind use default domain = yes' from smb.conf and restart nmbd,smbd winbind, 'getent group linuxusers' now returns nothing, put the line back restart the daemons and the info comes back. Why does one line in smb.conf make such a big difference? Remove it and do a 'getent group HOME\\linuxusers' and see if that works. Should explain why you need the user default domain in there. JAB. ok, I removed the line and ran 'getent group HOME\\linuxusers' This returned 'HOME\linuxusers:x:312:', this is just the same as before but with the domain name stuck on the front, 'getent group' still returns nothing. So as I see it, with ''winbind use default domain = yes' in smb.conf, you do not need to give the domain name, but without it you do. I still do not see why 'getent group' does not return anything but local groups. You did make sure to nuke any DB's that Samba might have created locally when switching between the two? JAB. Well no I didn't, but I have now, and it did not make any difference, exactly the same set of results. Why does 'getent group' on the samba4 server return all the users (local domain) and 'getent group' from 3.6.3 on the client only return local users? Rowland -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
Re: [Samba] getent group not working
On 08/08/2012 05:58 PM, Jonathan Buzzard wrote: On 08/08/12 15:13, Rowland Penny wrote: On 08/08/12 14:45, Jonathan Buzzard wrote: On 08/08/12 13:36, Rowland Penny wrote: [SNIP] More info, with 'winbind use default domain = yes' in smb.conf on the client, 'getent group linuxusers' returns the info. Remove 'winbind use default domain = yes' from smb.conf and restart nmbd,smbd winbind, 'getent group linuxusers' now returns nothing, put the line back restart the daemons and the info comes back. Why does one line in smb.conf make such a big difference? Remove it and do a 'getent group HOME\\linuxusers' and see if that works. Should explain why you need the user default domain in there. JAB. ok, I removed the line and ran 'getent group HOME\\linuxusers' This returned 'HOME\linuxusers:x:312:', this is just the same as before but with the domain name stuck on the front, 'getent group' still returns nothing. So as I see it, with ''winbind use default domain = yes' in smb.conf, you do not need to give the domain name, but without it you do. I still do not see why 'getent group' does not return anything but local groups. You did make sure to nuke any DB's that Samba might have created locally when switching between the two? Hi I just physically removed /var/lib/samba and /var/cache/samba and did apt-get purge samba winbind samba-common. Then reinstalled over bare metal. _Still_ only local groups from getent group. It works fine. We can login and files are shown as being owned by e.g. WORKGROUP\steve WORKGROUP\domain users It would just be nice to be able to see the groups listed by getent group. That's all. Cheers, Steve -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
Re: [Samba] getent passwd fails inside freebsd jail using samba 3.4.14
I know this thread is long dead, but for anyone who was wondering, the issue was a faulty compile of the net/samba34 port. Turning the log level to 3 in smb.conf, showed the following:

Error loading module '/usr/local/lib/samba34/idmap/ad.so': Cannot open /usr/local/lib/samba34/idmap/ad.so

Oops. Recompiling resulted in a perfectly functioning SAMBA install inside the jail. I guess the moral of the story is to turn up logging verbosity when confronted with a problem?

Thanks,
Kamil
Re: [Samba] getent passwd not returning users/groups
I had this same problem on Ubuntu 10.04; did you run pam-auth-update? Do these files exist?: /lib/libnss_winbind.so /lib/libnss_winbind.so.2 /lib/security/pam_winbind.so /usr/share/pam-configs/winbind /usr/share/pam-configs/krb5 On 11/8/2011 7:56 AM, James Chase wrote: Yes, definitely On 11/8/2011 10:55 AM, Eddy Sturg wrote: Does nsswitch.conf have winbind listed? On Mon, Nov 7, 2011 at 11:09 AM, James Chase ja...@chasecomputers.net mailto:ja...@chasecomputers.net wrote: I tried a second install of CentOS with X, thinking perhaps the GUI setup might do something that I was missing in terms of getting samba connected to active directory. However I still can't get this to work (now wbinfo doesn't seem to work either) in CentOS. I also tried Fedora 14. Then I tried a Ubuntu 11 install and followed their instructions from the wiki: https://help.ubuntu.com/community/ActiveDirectoryWinbindHowto And it worked! I tried to apply the same settings to CentOS setup but I still get no output from 'getent passwd'. Ubuntu is running version 3.5.11 while CentoS is 3.5.4. Think my best bet is building from source and trying 3.5.11 or 3.5.12 on CentOS? Are there any critical flags that need to be set during the configuration to make sure samba will work with active directory/winbind? James I'm trying to get my CentOS 5.6 machine setup as a Active Directory Domain Member with Windows 2008 level domain and samba 3.5. I haven't tried this before. I can successfully join the domain and return users using 'wbinfo -u' and groups with 'wbinfo -g' but when I try 'getent passwd' I only get the local users. I'm not sure what element that indicates is failing in the process. I'm not confident in my pam.d/ setup since different guides show different methods of setting this up. The /etc/nsswitch.conf file has been edited to include winbind as a source for passwd/shadow/group. 
The only insightful error message I see in the samba logs is this (repeated over and over in all the logs) but I haven't found the solution. Is this the cause of my problems? How do I disable spinlocks? I'm using a prebuilt package from sernet [2011/11/01 16:46:19.979981, 1] lib/util_tdb.c:385(tdb_log) tdb(unnamed): tdb_open_ex: spinlocks no longer supported Here is my samba configuration dumped from smbtest: [root@sambatest ~]# testparm Load smb config files from /etc/samba/smb.conf rlimit_max: rlimit_max (1024) below minimum Windows limit (16384) Processing section [test] Loaded services file OK. Server role: ROLE_DOMAIN_MEMBER Press enter to see a dump of your service definitions [global] workgroup = SHAMOFFICE realm = SHAMBHALA-OFFICE.LOCAL interfaces = 127.0.0.1, eth0 bind interfaces only = Yes security = ADS printcap name = cups idmap backend = ad idmap uid = 1-2 idmap gid = 3-4 winbind enum users = Yes winbind enum groups = Yes winbind use default domain = Yes idmap config SHAMOFFICE : schema_mode = rfc2307 idmap config SHAMOFFICE : range = 4000-5000 idmap config SHAMOFFICE : backend = ad idmap config * : range = 2000-3000 idmap config * : backend = tdb [test] comment = Directory for storing pictures by jims users path = /local/test read only = No guest ok = Yes -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
Re: [Samba] getent passwd not returning users/groups
A few more thoughts... for your smb.conf shouldn't it be: workgroup = SHAMOFFICE realm = SHAMOFFICE.LOCAL or: workgroup = SHAMBHALA-OFFICE realm = SHAMBHALA-OFFICE.LOCAL or maybe: workgroup = SHAMOFFICE realm = SHAMOFFICE.SHAMBHALA-OFFICE.LOCAL For my setup I found having my domain being *.local problematic I ended up using *.lan On 11/8/2011 7:56 AM, James Chase wrote: Yes, definitely On 11/8/2011 10:55 AM, Eddy Sturg wrote: Does nsswitch.conf have winbind listed? On Mon, Nov 7, 2011 at 11:09 AM, James Chase ja...@chasecomputers.net mailto:ja...@chasecomputers.net wrote: I tried a second install of CentOS with X, thinking perhaps the GUI setup might do something that I was missing in terms of getting samba connected to active directory. However I still can't get this to work (now wbinfo doesn't seem to work either) in CentOS. I also tried Fedora 14. Then I tried a Ubuntu 11 install and followed their instructions from the wiki: https://help.ubuntu.com/community/ActiveDirectoryWinbindHowto And it worked! I tried to apply the same settings to CentOS setup but I still get no output from 'getent passwd'. Ubuntu is running version 3.5.11 while CentoS is 3.5.4. Think my best bet is building from source and trying 3.5.11 or 3.5.12 on CentOS? Are there any critical flags that need to be set during the configuration to make sure samba will work with active directory/winbind? James I'm trying to get my CentOS 5.6 machine setup as a Active Directory Domain Member with Windows 2008 level domain and samba 3.5. I haven't tried this before. I can successfully join the domain and return users using 'wbinfo -u' and groups with 'wbinfo -g' but when I try 'getent passwd' I only get the local users. I'm not sure what element that indicates is failing in the process. I'm not confident in my pam.d/ setup since different guides show different methods of setting this up. The /etc/nsswitch.conf file has been edited to include winbind as a source for passwd/shadow/group. 
The only insightful error message I see in the samba logs is this (repeated over and over in all the logs) but I haven't found the solution. Is this the cause of my problems? How do I disable spinlocks? I'm using a prebuilt package from sernet [2011/11/01 16:46:19.979981, 1] lib/util_tdb.c:385(tdb_log) tdb(unnamed): tdb_open_ex: spinlocks no longer supported Here is my samba configuration dumped from smbtest: [root@sambatest ~]# testparm Load smb config files from /etc/samba/smb.conf rlimit_max: rlimit_max (1024) below minimum Windows limit (16384) Processing section [test] Loaded services file OK. Server role: ROLE_DOMAIN_MEMBER Press enter to see a dump of your service definitions [global] workgroup = SHAMOFFICE realm = SHAMBHALA-OFFICE.LOCAL interfaces = 127.0.0.1, eth0 bind interfaces only = Yes security = ADS printcap name = cups idmap backend = ad idmap uid = 1-2 idmap gid = 3-4 winbind enum users = Yes winbind enum groups = Yes winbind use default domain = Yes idmap config SHAMOFFICE : schema_mode = rfc2307 idmap config SHAMOFFICE : range = 4000-5000 idmap config SHAMOFFICE : backend = ad idmap config * : range = 2000-3000 idmap config * : backend = tdb [test] comment = Directory for storing pictures by jims users path = /local/test read only = No guest ok = Yes -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
Re: [Samba] getent passwd not returning users/groups
Does nsswitch.conf have winbind listed?

On Mon, Nov 7, 2011 at 11:09 AM, James Chase ja...@chasecomputers.net wrote:
> I tried a second install of CentOS with X, thinking perhaps the GUI setup might do something that I was missing in terms of getting samba connected to active directory. However I still can't get this to work (now wbinfo doesn't seem to work either) in CentOS. I also tried Fedora 14. Then I tried a Ubuntu 11 install and followed their instructions from the wiki:
>
> https://help.ubuntu.com/community/ActiveDirectoryWinbindHowto
>
> And it worked! I tried to apply the same settings to CentOS setup but I still get no output from 'getent passwd'. Ubuntu is running version 3.5.11 while CentOS is 3.5.4. Think my best bet is building from source and trying 3.5.11 or 3.5.12 on CentOS? Are there any critical flags that need to be set during the configuration to make sure samba will work with active directory/winbind?
>
> James
>
> > I'm trying to get my CentOS 5.6 machine setup as an Active Directory Domain Member with Windows 2008 level domain and samba 3.5. I haven't tried this before. I can successfully join the domain and return users using 'wbinfo -u' and groups with 'wbinfo -g' but when I try 'getent passwd' I only get the local users. I'm not sure what element that indicates is failing in the process. I'm not confident in my pam.d/ setup since different guides show different methods of setting this up. The /etc/nsswitch.conf file has been edited to include winbind as a source for passwd/shadow/group.
> >
> > The only insightful error message I see in the samba logs is this (repeated over and over in all the logs) but I haven't found the solution. Is this the cause of my problems? How do I disable spinlocks? I'm using a prebuilt package from sernet
> >
> > [2011/11/01 16:46:19.979981, 1] lib/util_tdb.c:385(tdb_log)
> >   tdb(unnamed): tdb_open_ex: spinlocks no longer supported
> >
> > Here is my samba configuration dumped from smbtest:
> >
> > [root@sambatest ~]# testparm
> > Load smb config files from /etc/samba/smb.conf
> > rlimit_max: rlimit_max (1024) below minimum Windows limit (16384)
> > Processing section [test]
> > Loaded services file OK.
> > Server role: ROLE_DOMAIN_MEMBER
> > Press enter to see a dump of your service definitions
> >
> > [global]
> > workgroup = SHAMOFFICE
> > realm = SHAMBHALA-OFFICE.LOCAL
> > interfaces = 127.0.0.1, eth0
> > bind interfaces only = Yes
> > security = ADS
> > printcap name = cups
> > idmap backend = ad
> > idmap uid = 1-2
> > idmap gid = 3-4
> > winbind enum users = Yes
> > winbind enum groups = Yes
> > winbind use default domain = Yes
> > idmap config SHAMOFFICE : schema_mode = rfc2307
> > idmap config SHAMOFFICE : range = 4000-5000
> > idmap config SHAMOFFICE : backend = ad
> > idmap config * : range = 2000-3000
> > idmap config * : backend = tdb
> >
> > [test]
> > comment = Directory for storing pictures by jims users
> > path = /local/test
> > read only = No
> > guest ok = Yes
Re: [Samba] getent passwd not returning users/groups
Yes, definitely On 11/8/2011 10:55 AM, Eddy Sturg wrote: Does nsswitch.conf have winbind listed? On Mon, Nov 7, 2011 at 11:09 AM, James Chase ja...@chasecomputers.net mailto:ja...@chasecomputers.net wrote: I tried a second install of CentOS with X, thinking perhaps the GUI setup might do something that I was missing in terms of getting samba connected to active directory. However I still can't get this to work (now wbinfo doesn't seem to work either) in CentOS. I also tried Fedora 14. Then I tried a Ubuntu 11 install and followed their instructions from the wiki: https://help.ubuntu.com/community/ActiveDirectoryWinbindHowto And it worked! I tried to apply the same settings to CentOS setup but I still get no output from 'getent passwd'. Ubuntu is running version 3.5.11 while CentoS is 3.5.4. Think my best bet is building from source and trying 3.5.11 or 3.5.12 on CentOS? Are there any critical flags that need to be set during the configuration to make sure samba will work with active directory/winbind? James I'm trying to get my CentOS 5.6 machine setup as a Active Directory Domain Member with Windows 2008 level domain and samba 3.5. I haven't tried this before. I can successfully join the domain and return users using 'wbinfo -u' and groups with 'wbinfo -g' but when I try 'getent passwd' I only get the local users. I'm not sure what element that indicates is failing in the process. I'm not confident in my pam.d/ setup since different guides show different methods of setting this up. The /etc/nsswitch.conf file has been edited to include winbind as a source for passwd/shadow/group. The only insightful error message I see in the samba logs is this (repeated over and over in all the logs) but I haven't found the solution. Is this the cause of my problems? How do I disable spinlocks? 
I'm using a prebuilt package from sernet [2011/11/01 16:46:19.979981, 1] lib/util_tdb.c:385(tdb_log) tdb(unnamed): tdb_open_ex: spinlocks no longer supported Here is my samba configuration dumped from smbtest: [root@sambatest ~]# testparm Load smb config files from /etc/samba/smb.conf rlimit_max: rlimit_max (1024) below minimum Windows limit (16384) Processing section [test] Loaded services file OK. Server role: ROLE_DOMAIN_MEMBER Press enter to see a dump of your service definitions [global] workgroup = SHAMOFFICE realm = SHAMBHALA-OFFICE.LOCAL interfaces = 127.0.0.1, eth0 bind interfaces only = Yes security = ADS printcap name = cups idmap backend = ad idmap uid = 1-2 idmap gid = 3-4 winbind enum users = Yes winbind enum groups = Yes winbind use default domain = Yes idmap config SHAMOFFICE : schema_mode = rfc2307 idmap config SHAMOFFICE : range = 4000-5000 idmap config SHAMOFFICE : backend = ad idmap config * : range = 2000-3000 idmap config * : backend = tdb [test] comment = Directory for storing pictures by jims users path = /local/test read only = No guest ok = Yes -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
Re: [Samba] getent passwd not returning users/groups
I tried a second install of CentOS with X, thinking perhaps the GUI setup might do something that I was missing in terms of getting samba connected to active directory. However I still can't get this to work (now wbinfo doesn't seem to work either) in CentOS. I also tried Fedora 14. Then I tried a Ubuntu 11 install and followed their instructions from the wiki: https://help.ubuntu.com/community/ActiveDirectoryWinbindHowto And it worked! I tried to apply the same settings to CentOS setup but I still get no output from 'getent passwd'. Ubuntu is running version 3.5.11 while CentoS is 3.5.4. Think my best bet is building from source and trying 3.5.11 or 3.5.12 on CentOS? Are there any critical flags that need to be set during the configuration to make sure samba will work with active directory/winbind? James I'm trying to get my CentOS 5.6 machine setup as a Active Directory Domain Member with Windows 2008 level domain and samba 3.5. I haven't tried this before. I can successfully join the domain and return users using 'wbinfo -u' and groups with 'wbinfo -g' but when I try 'getent passwd' I only get the local users. I'm not sure what element that indicates is failing in the process. I'm not confident in my pam.d/ setup since different guides show different methods of setting this up. The /etc/nsswitch.conf file has been edited to include winbind as a source for passwd/shadow/group. The only insightful error message I see in the samba logs is this (repeated over and over in all the logs) but I haven't found the solution. Is this the cause of my problems? How do I disable spinlocks? 
I'm using a prebuilt package from sernet [2011/11/01 16:46:19.979981, 1] lib/util_tdb.c:385(tdb_log) tdb(unnamed): tdb_open_ex: spinlocks no longer supported Here is my samba configuration dumped from smbtest: [root@sambatest ~]# testparm Load smb config files from /etc/samba/smb.conf rlimit_max: rlimit_max (1024) below minimum Windows limit (16384) Processing section [test] Loaded services file OK. Server role: ROLE_DOMAIN_MEMBER Press enter to see a dump of your service definitions [global] workgroup = SHAMOFFICE realm = SHAMBHALA-OFFICE.LOCAL interfaces = 127.0.0.1, eth0 bind interfaces only = Yes security = ADS printcap name = cups idmap backend = ad idmap uid = 1-2 idmap gid = 3-4 winbind enum users = Yes winbind enum groups = Yes winbind use default domain = Yes idmap config SHAMOFFICE : schema_mode = rfc2307 idmap config SHAMOFFICE : range = 4000-5000 idmap config SHAMOFFICE : backend = ad idmap config * : range = 2000-3000 idmap config * : backend = tdb [test] comment = Directory for storing pictures by jims users path = /local/test read only = No guest ok = Yes -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
Re: [Samba] getent passwd not returning users/groups
Shot in the dark.. is nscd running? I have been bitten by that a few times. On 11/1/2011 5:04 PM, James Chase wrote: I'm trying to get my CentOS 5.6 machine setup as a Active Directory Domain Member with Windows 2008 level domain and samba 3.5. I haven't tried this before. I can successfully join the domain and return users using 'wbinfo -u' and groups with 'wbinfo -g' but when I try 'getent passwd' I only get the local users. I'm not sure what element that indicates is failing in the process. I'm not confident in my pam.d/ setup since different guides show different methods of setting this up. The /etc/nsswitch.conf file has been edited to include winbind as a source for passwd/shadow/group. The only insightful error message I see in the samba logs is this (repeated over and over in all the logs) but I haven't found the solution. Is this the cause of my problems? How do I disable spinlocks? I'm using a prebuilt package from sernet [2011/11/01 16:46:19.979981, 1] lib/util_tdb.c:385(tdb_log) tdb(unnamed): tdb_open_ex: spinlocks no longer supported Here is my samba configuration dumped from smbtest: [root@sambatest ~]# testparm Load smb config files from /etc/samba/smb.conf rlimit_max: rlimit_max (1024) below minimum Windows limit (16384) Processing section [test] Loaded services file OK. 
Server role: ROLE_DOMAIN_MEMBER Press enter to see a dump of your service definitions [global] workgroup = SHAMOFFICE realm = SHAMBHALA-OFFICE.LOCAL interfaces = 127.0.0.1, eth0 bind interfaces only = Yes security = ADS printcap name = cups idmap backend = ad idmap uid = 1-2 idmap gid = 3-4 winbind enum users = Yes winbind enum groups = Yes winbind use default domain = Yes idmap config SHAMOFFICE : schema_mode = rfc2307 idmap config SHAMOFFICE : range = 4000-5000 idmap config SHAMOFFICE : backend = ad idmap config * : range = 2000-3000 idmap config * : backend = tdb [test] comment = Directory for storing pictures by jims users path = /local/test read only = No guest ok = Yes -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
Re: [Samba] getent passwd fails inside freebsd jail using samba 3.4.14
Doing what you're doing is using the wrong machine name when making the query. I presume that ABPSVC-UNIX2 is your server and your client is in the jail on that machine. You'd need a separate configuration instead of a copy from the server so that the jail appears to be a separate client. I've never done this.

On 22 September 2011 15:09, Kamil Choudhury kamil.choudh...@anserinae.net wrote:
> I've been messing around with running samba 3.4.14 inside a freebsd jail over the last couple of days, and am running into an odd problem where wbinfo -u and wbinfo -g succeed, but getent passwd fails (insofar that it shows only local users, but none of the domain users).
>
> Here's my smb.conf:
>
> [global]
> interfaces =192.168.0.16/32
> bind interfaces only =yes
> security =ads
> realm =domain.net
> password server=awpsvc-win1.domain.net
> workgroup =DOMAIN
> idmap uid =1-2
> idmap gid =1-2
> idmap config DOMAIN: backend = ad
> idmap config DOMAIN : range = 4-6
> winbind nss info =rfc2307
> winbind enum users =yes
> winbind enum groups=yes
> winbind nested groups =yes
> winbind expand groups =1
> template homedir =/home/%D/%U
> template shell =/usr/local/bin/bash
> client use spnego =yes
> client ntlmv2 auth =yes
> encrypt passwords =yes
> winbind use default domain =yes
> restrict anonymous =2
> acl check permissions =yes
> follow symlinks=yes
> wide links =yes
> unix extensions=no
>
> And my /etc/nsswitch.conf file:
>
> group: winbind files
> group_compat: nis
> hosts: files dns
> networks: files
> passwd: winbind files
> passwd_compat: nis
> shells: files
> services: compat
> services_compat: nis
> protocols: files
> rpc: files
>
> Doing a getent passwd results in the following output to log.winbindd:
>
> [2011/09/22 00:22:00, 1] winbindd/winbindd_group.c:1366(winbindd_getgrent)
>   could not look up gid for group ExchangeLegacyInterop
> [2011/09/22 00:22:00, 1] winbindd/winbindd_group.c:1366(winbindd_getgrent)
>   could not look up gid for group Schema Admins
> [2011/09/22 00:22:00, 1] winbindd/winbindd_group.c:1366(winbindd_getgrent)
>   could not look up gid for group Enterprise Admins
> [2011/09/22 00:22:00, 1] winbindd/winbindd_group.c:1366(winbindd_getgrent)
>   could not look up gid for group Enterprise Read-only Domain Controllers
> ...
>
> ...and the following in log.nbmd:
>
> [2011/09/22 00:29:46, 0] nmbd/nmbd_packets.c:1079(process_browse_packet)
>   process_browse_packet: Discarding datagram from IP 192.168.0.16. Source name ABPSVC-UNIX200 is one of our names !
> [2011/09/22 00:29:46, 0] nmbd/nmbd_packets.c:1079(process_browse_packet)
>   process_browse_packet: Discarding datagram from IP 192.168.0.16. Source name ABPSVC-UNIX200 is one of our names !
>
> The configuration is known to work *outside* a jail -- is there something I should be doing differently in order to get winbind to work cleanly?
>
> Thanks in advance,
> Kamil
Re: [Samba] getent passwd fails inside freebsd jail using samba 3.4.14
> I presume that ABPSVC-UNIX2 is your server and your client is in the jail on that machine.

Actually, abpsvc-unix2 is the client at 192.168.0.16; it's hosted on a server called serenity, which is at 192.168.0.1. If it matters, serenity is running a samba client successfully. Both are authenticating against AD server awpsvc-win1.anserinae.net at 192.168.12.

I'm new to all of this, so perhaps I'm asking the wrong question: is winbind the right tool to be using to map AD users to the jail?
Re: [Samba] getent group not listing domain groups / wbinfo -r not working
Update. Ugly hacks abound, be warned. As far as I can tell, nsswitch.conf is also configured properly, since `getent passwd` dumps local users, waits about .2 seconds, and dumps domain users: sasa.sokolova:*:10283:10001:Sasa Sokolova:/home/LIONSK/sasa.sokolova:/bin/false adam.szabados:*:10284:10001:Adam Szabados:/home/LIONSK/adam.szabados:/bin/false (All domain users are members of group '10001', is this normal?) As I've found out, the `getent passwd` lists users and their *primary* AD group, which is 'Domain Users' by default. After changing the user's primary group (and restarting the whole server, unsure how often wbinfo refreshes its data), `getent passwd` shows users along with their new primary group (the one I'm actually looking for). Please note that at my organization, there is very little to no overlap between different AD groups, so this ugly ha^H^H^H fix may not necessarily work out for you. I'm using 'plain' AD - UID/GID identity mapping, and you might want to use idmap_rid backend. Since `wbinfo -r user` still fails however, I've resorted to altering the wbinfo_group.pl script shipped with squid (it's used to check whether a user belongs to a group). Patch attached; don't laugh : I understand that this could result in a large performance hit (among other things), but so far it's working as intended. Please don't hesitate to point out the flaws. --- /usr/lib/squid3/wbinfo_group.pl 2011-02-22 17:23:47.0 +0100 +++ /etc/squid3/ad_group.pl 2011-09-21 15:52:20.089463160 +0200 
@@ -57,8 +26,9 @@ chop $groupGID; debug( User: -$user-\nGroup: -$group-\nSID: -$groupSID-\nGID: -$groupGID-); return 'ERR' if($groupGID eq ); # Verify if groupGID variable is empty. -return 'ERR' if(`wbinfo -r \Q$user\E` eq ); # Verify if wbinfo -r command returns no value. -return 'OK' if(`wbinfo -r \Q$user\E` =~ /^$groupGID$/m); +return 'OK' if(`getent passwd | grep $user | grep -o $groupGID` =~ /^$groupGID$/m); return 'ERR'; } -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
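Review bot: the added `getent passwd | grep $user | grep -o $groupGID` line drops the `\Q$user\E` quoting that both removed `wbinfo -r` calls had, so the user name handed to this helper reaches the shell unescaped; keep the `\Q...\E` wrapping on every interpolated value. The two greps are also unanchored: `grep $user` selects any passwd line that contains the string (another account whose name includes it, or a match in the full-name or home-directory field), and `grep -o $groupGID` matches those digits anywhere on the line, including inside the UID field, so the helper can answer OK for the wrong account. Look up the single entry instead, for example `getent passwd \Q$user\E`, split it on `:` and compare the fourth field to `$groupGID` exactly. Since this tests only the primary group, as the message says, that limitation should be stated in a comment above the line.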
Re: [Samba] getent group fails - fixed
On 06/24/2011 2:56 AM, Dermot wrote: On 24 June 2011 05:48, Christian PERRIERbubu...@debian.org wrote: Quoting Dermot (paik...@googlemail.com): Perhaps I am not understanding you correctly because that runs counter my experience. The settings in my /etc/ldap/ldap.conf were correct whereas the ones in /etc/libnss-ldap.conf were not. It was the search filters from libnss-ldap.conf that were being used when I did `getent group`. I think your telling me that getent is tied to the nss framework so would use that config because that's what I told nsswitch.conf to do. I would have thought, but I am no expert, that samba would have used the config from smb.conf and that ldapsearch (and anything else that didn't have hooks else where) would use /etc/ldap/ldap.conf. Please note that Debian has *two* packages for nss-ldap: mykerinos:/home/cperrier# apt-cache search nss ldap naming service libnss-ldap - NSS module for using LDAP as a naming service libnss-ldapd - NSS module for using LDAP as a naming service IIRC (but you probably want to check this), the latter is more actively maintained than the former. I asked about that on the samba IRC two days ago: (14:33:17): On my distro (Debian), I have two options for NSS 1) libnss_ldap and 2) libnss_ldapd (Source: nss-pam-ldapd) . Does anyone know which one I should use? now I have my answer but it looks like I installed the lesser maintained version :/ libnss_ldap.so.2 (libc6,x86-64) = /lib/libnss_ldap.so.2 libnss_ldap.so (libc6,x86-64) = /usr/lib/libnss_ldap.so libnss_ldap-2.7.so (libc6,x86-64) = /lib/libnss_ldap-2.7.so Thanks, Dermot. Looks like there's a migration happening. On the libnss-ldap package webpage ( http://packages.debian.org/squeeze/libnss-ldap ) it says: Packages providing libnss-ldap libnss-ldapd Under experimental, it describes libnss-ldap as a virtual package: http://packages.debian.org/experimental/libnss-ldap One way or another, you will eventually have libnss-ldapd. 
Dale
Re: [Samba] getent passwd does not list trusted users
I have been looking at http://samba.2283325.n4.nabble.com/Trusted-domain-users-unwantedly-mapping-onto-local-domain-users-td3005928.html and I think that if you add this in your nsswitch.conf like it says in the website above: if you already have the passwd: files ldap and group: files ldap in your nsswitch.conf then just add winbind to the end of the lines of the passwd and group lines. Just like it is shown below: If you need any more help just email me back, and I will try to help you.

passwd: files ldap winbind
group: files ldap winbind

-- Forwarded message --
From: Gaiseric Vandal gaiseric.van...@gmail.com
To: Samba samba@lists.samba.org
Date: Mon, 06 Jun 2011 12:04:14 -0400
Subject: [Samba] getent passwd does not list trusted users

I am running Samba 3.5.5 on Solaris 10. This is the latest Sun/Oracle provided build. I have an ldap backend for everything (unix+samba accounts, idmapping for domain trusts.) The Samba server is a PDC for a domain we can call SAMBA. Each samba account is tied to a unix account. I have a one-way domain trust setup with a Windows 2003 domain which we can call WIN2003. SAMBA trusts WIN2003.

getent passwd and getent group seem to fundamentally be working (depending on syntax) BUT getent passwd does NOT list trusted users.

On the solaris machine:

---

wbinfo -u and wbinfo -g lists all users in this domain + the WIN2003 domain. For the SAMBA users, the domain name is stripped out.

getent passwd - lists all unix users (in ldap or /etc/passwd.) It does not list the samba users - which is the expected and desired behaviour. I had expected it to list users from the WIN2003 domain.

getent group - lists all unix groups (in ldap or /etc/passwd) It does not list the SAMBA groups - which is the expected and desired behaviour. It does list WIN2003 groups - which is also the expected and desired behaviour.

getent passwd SAMBA\\user - shows uid, gid, home directory, shell
getent passwd WIN2003\\user - shows uid, gid, home directory, shell
getent group SAMBA\\group - shows gid, members
getent group WIN2003\\group - shows gid, members
id SAMBA\\user - shows uid and gid
id WIN2003 \\user - shows uid and gid

---

I can use chown and other commands from solaris command line to grant rights to a user from the trusted domain. However, in a Windows machine in samba domain, when setting file permissions, I can not see the trusted domain.

Any thoughts?

Thanks
Re: [Samba] getent passwd does not list trusted users
I do have the entries in /etc/nsswitch.conf. The getent passwd won't list the winbind users although I can get details on a specific user with the getent passwd SOMEDOMAIN\\someuser command.

I looked in the /var/samba/locks directory - I have a winbindd_cache.tdb file that is current. I don't have a current idmap_cache.tdb file anymore. Not sure I need one.

I initially started with samba 3.0.x, then upgraded to 3.4.x, then to 3.5.x, and it seems with .X upgrade that the configuration for winbind and idmapping changes. This may be a bug in Solaris itself rather than samba.

On 06/06/2011 02:28 PM, timothy mcdaniel wrote:
> I have been looking at http://samba.2283325.n4.nabble.com/Trusted-domain-users-unwantedly-mapping-onto-local-domain-users-td3005928.html and I think that if you add this in your nsswitch.conf like it says in the website above: if you already have the passwd: files ldap and group: files ldap in your nsswitch.conf then just add winbind to the end of the lines of the passwd and group lines, just like it is shown below. If you need any more help just email me back, and I will try to help you.
>
>     passwd: files ldap winbind
>     group: files ldap winbind
>
> [...]
Re: [Samba] getent passwd does not list trusted users
This may be related to idmap allocation - tho not sure how.

Initially my PDC was running Samba 3.0.x. When I did getent passwd or getent group samba would create idmap entries for users and groups from trusted domains. There were some other things broken with idmap and samba that made it unstable for maintaining a trust with Active Directory, thus the move to 3.4 and then to 3.5. The 3.4 upgrade seems to have broken the automatic allocation. (This could just be a configuration error in my smb.conf) In my environment, that wasn't a huge deal since the number of users and groups in the trusted domain is quite small and stable. I could manually add an idmapping with the wbinfo or with an LDAP editor.

This morning, getent group would show the trusted WINDOWS groups. I added another group in the WINDOWS domain to see if Samba would automatically create a group mapping (which it didn't) and to make sure that it at least showed up with wbinfo -g (which it did - so at least I wasn't working just from a cache.) But then getent group stopped listing WINDOWS groups. (getent group WINDOWS\\thenewgroup did work.) Once I manually created an idmap entry for the new group, getent group was able to list all the groups.

So my guess is that samba or winbind chokes up when it finds a winbind user or group in a domain for which an idmap entry is missing and can't be created. I tried adding idmap entries for the few users in the WINDOWS domain who didn't have idmappings, but getent passwd still doesn't work.

Original Message
Subject: Re: [Samba] getent passwd does not list trusted users
Date: Mon, 06 Jun 2011 15:16:28 -0400
From: Gaiseric Vandal gaiseric.van...@gmail.com
Reply-To: gaiseric.van...@gmail.com
To: samba@lists.samba.org

> I do have the entries in /etc/nsswitch.conf. The getent passwd won't list the winbind users although I can get details on a specific user with the getent passwd SOMEDOMAIN\\someuser command.
> [...]
Re: [Samba] getent passwd does not list trusted users
On Monday, June 06, 2011, Gaiseric Vandal wrote:
> I do have the entries in /etc/nsswitch.conf. The getent passwd won't list the winbind users although I can get details on a specific user with the getent passwd SOMEDOMAIN\\someuser command.

Isn't that the expected behavior using the default smb.conf values of no for winbind enum users and winbind enum groups?
Re: [Samba] getent passwd does not list trusted users
my smb.conf includes

    winbind use default domain = Yes
    winbind enum users = Yes
    winbind enum groups = Yes

I did notice that some idmap entries are being created in the gencache.tdb file (specifically for LDAP groups that DON'T have a Samba SID) - I am guessing that is a symptom that idmap is trying to create idmap entries but can't post them to ldap.

On 06/06/2011 03:26 PM, Frank Mori Hess wrote:
> On Monday, June 06, 2011, Gaiseric Vandal wrote:
>> I do have the entries in /etc/nsswitch.conf. The getent passwd won't list the winbind users although I can get details on a specific user with the getent passwd SOMEDOMAIN\\someuser command.
>
> Isn't that the expected behavior using the default smb.conf values of no for winbind enum users and winbind enum groups?
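The settings this thread keeps returning to (winbind on the passwd and group lines of nsswitch.conf, winbind enum users / winbind enum groups, and the idmap ranges) can be checked offline before digging through winbind logs. The following is an added example, not part of any poster's message and not Samba code; the function names, finding codes and both sample files are constructed, and an unset enum parameter is treated as no, the default cited in the reply above.

```python
import re

# Constructed sample inputs for illustration; not any poster's real files.
SAMPLE_NSSWITCH = """\
passwd: files ldap winbind
group:  files ldap          # winbind missing here
hosts:  files dns
"""

SAMPLE_SMB_CONF = """\
[global]
   workgroup = EXAMPLE
   security = ads
   ; "winbind enum users" is not set at all
   winbind enum groups = Yes
   idmap uid = 20000-10000
   idmap config EXAMPLE : range = 10000 - 19999
[share]
   path = /srv/share
"""

TRUE_WORDS = {"yes", "true", "on", "1"}


def norm(name):
    """smb.conf ignores case and whitespace inside parameter names."""
    return re.sub(r"\s+", "", name).lower()


def parse_global(text):
    """Return {normalized parameter: value} for the [global] section."""
    params, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "global" and "=" in line:
            key, value = line.split("=", 1)
            params[norm(key)] = value.strip()
    return params


def parse_nsswitch(text):
    """Return {database: [sources]}, ignoring comments and [action] items."""
    dbs = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if ":" in line:
            db, sources = line.split(":", 1)
            dbs[db.strip()] = re.sub(r"\[[^\]]*\]", " ", sources).split()
    return dbs


def audit(nsswitch_text, smb_text):
    """Return a list of (code, explanation) findings for the two files."""
    findings = []
    dbs = parse_nsswitch(nsswitch_text)
    params = parse_global(smb_text)

    for db, param, tool in (("passwd", "winbind enum users", "getent passwd"),
                            ("group", "winbind enum groups", "getent group")):
        if "winbind" not in dbs.get(db, []):
            findings.append((f"nss-{db}-no-winbind",
                             f"'{db}' line has no winbind source; "
                             f"{tool} never asks winbindd"))
            continue
        # Absent means "no", the default cited in the thread.
        if params.get(norm(param), "no").lower() not in TRUE_WORDS:
            findings.append((f"enum-{db}-off",
                             f"'{param}' is off: '{tool}' with no key lists no "
                             f"winbind entries, by-name lookups still resolve"))

    for key, value in params.items():
        if key in ("idmapuid", "idmapgid") or re.fullmatch(r"idmapconfig.+:range", key):
            m = re.fullmatch(r"(\d+)\s*-\s*(\d+)", value)
            if m is None or int(m.group(1)) >= int(m.group(2)):
                findings.append((f"range-{key}",
                                 f"range '{value}' is unparsable or its low "
                                 f"bound is not below its high bound"))
    return findings


if __name__ == "__main__":
    for code, text in audit(SAMPLE_NSSWITCH, SAMPLE_SMB_CONF):
        print(f"{code}: {text}")
```

A clean result here only rules out these configuration causes; the version-specific failures reported elsewhere in these threads would still need the winbind logs.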
Re: [Samba] getent passwd strange behavior
Good morning people

I have installed samba from sernet repositories and currently it's working perfectly. If you have a Debian-based, RHEL (or CentOS) or Suse Enterprise (or openSuse) browse this FTP ftp://ftp.sernet.de/pub/samba/3.4/ or the web http://enterprisesamba.com/ in order to find the appropriate package for your distribution.

Good luck

On Mon, 11-04-2011 at 12:25 +0200, Zabel, Daniel wrote:
> Hi Noé, thank you for your quick reply. cvadmin is a domain user. Interesting that you have no problems using the old schema.
> [...]
Re: [Samba] getent passwd strange behavior
Good morning

Just after telling you I had no problems with getent I updated to 3.5.6 and I am having similar issues as the ones you have described. I will give a try to Sernet-Samba 3.4.12 and I will tell my experience.

On Mon, 11-04-2011 at 12:25 +0200, Zabel, Daniel wrote:
> Hi Noé, thank you for your quick reply. cvadmin is a domain user. Interesting that you have no problems using the old schema.
> [...]
Re: [Samba] getent passwd strange behavior
Can anybody give me a hint where get_dc_list fetches the entries. Because

[2011/04/11 12:24:13.560317, 3, effective(0, 0), real(0, 0)] libsmb/namequery.c:1880(get_dc_list)
  get_dc_list: preferred server list: , *

seems to be wrong.

Cheers, Daniel
Re: [Samba] getent passwd strange behavior
Hi Noé,

thank you for your quick reply. cvadmin is a domain user. Interesting that you have no problems using the old schema. If I try in /etc/samba/smb.conf

    [global]
    workgroup = MYDOMAIN
    password server = ldap.mydomain.com
    realm = MYDOMAIN.COM
    security = ads
    idmap uid = 100-50
    idmap gid = 100-50
    idmap backend = ad
    winbind nss info = rfc2307
    winbind normalize names = yes
    winbind use default domain = true
    winbind offline logon = false
    winbind cache time = 180
    winbind enum users = yes
    winbind enum groups = yes
    winbind nested groups = Yes

No domainuser could be resolved anymore. Same config works on our other samba servers.

/var/log/samba/log.winbind-idmap shows:

[2011/04/11 12:24:13.560317, 3, effective(0, 0), real(0, 0)] libsmb/namequery.c:1880(get_dc_list)
  get_dc_list: preferred server list: , *
[2011/04/11 12:24:13.560365, 3, effective(0, 0), real(0, 0)] libsmb/namequery.c:1119(resolve_lmhosts)
  resolve_lmhosts: Attempting lmhosts lookup for name *0x1c
[2011/04/11 12:24:13.560467, 3, effective(0, 0), real(0, 0)] libsmb/namequery_dc.c:169(rpc_dc_name)
  Could not look up dc's for domain *
[2011/04/11 12:24:13.560487, 0, effective(0, 0), real(0, 0)] libads/ldap.c:337(ads_find_dc)
  ads_find_dc: no realm or workgroup! Don't know what to do
[2011/04/11 12:24:13.560505, 1, effective(0, 0), real(0, 0)] winbindd/idmap_ad.c:143(ad_idmap_cached_connection_internal)
  ad_idmap_init: failed to connect to AD
[2011/04/11 12:24:13.560518, 1, effective(0, 0), real(0, 0)] winbindd/idmap_ad.c:543(idmap_ad_sids_to_unixids)
  ADS uninitialized: Invalid parameter
[2011/04/11 12:24:13.560564, 3, effective(0, 0), real(0, 0)] winbindd/idmap.c:684(idmap_new_mapping)
  default domain not writable

Cheers, Daniel

From: Noé Puyal [mailto:npu...@valls.cat]
Sent: Monday, 11 April 2011 10:41
To: Zabel, Daniel
Subject: Re: [Samba] getent passwd strange behavior

> Hi Daniel
>
> First of all, one question, cvadmin is a domain user or local user? If cvadmin is a local user you should raise the 100 to a number after the last UID and GID. Also, as you said, I have all my samba servers with old idmap schema working properly.
>
> Good morning
>
> On Mon, 11-04-2011 at 09:38 +0200, Zabel, Daniel wrote:
>> idmap uid = 100-50
>> idmap gid = 100-50
Re: [Samba] getent group fails on member server after upgrade to 3.5.5
Neil,

Winbind 3.5.5 is not working properly in Squeeze either. Using idmap backend rid with ads security, It will work for a while, but eventually becomes unresponsive. I tried to report this yesterday, but I assume the zipped log file I attached caused it to be rejected. I tried 3.5.6 on a system this morning, and there is no improvement. My primary error message was and still is

[2010/10/21 11:26:06.806089, 1] winbindd/winbindd_util.c:289(trustdom_recv)
  Could not receive trustdoms

Lately, there seems to be more than the usual number of winbind problems.
http://lists.samba.org/archive/samba/2010-October/158883.html

Dale

On 10/21/2010 7:44 AM, Neil Price wrote:
> I have a member server joined to a samba 3 domain. It was working fine with 3.4.8 but after an upgrade to 3.5.5 (debian lenny with backports) getent group no longer works. getent passwd works fine, wbinfo -u and wbinfo -g work fine
>
> I upgraded some other servers which are DC's and those work fine.
>
> winbind.log shows
>
> [2010/10/21 14:06:13.918006, 3] winbindd/winbindd_misc.c:352(winbindd_interface_version)
>   [16709]: request interface version
> [2010/10/21 14:06:13.918103, 3] winbindd/winbindd_misc.c:385(winbindd_priv_pipe_dir)
>   [16709]: request location of privileged pipe
> [2010/10/21 14:06:13.918288, 3] winbindd/winbindd_getgrent.c:51(winbindd_getgrent_send)
>   [16709]: getgrent
> [2010/10/21 14:06:14.618332, 5] winbindd/winbindd_getgrent.c:149(winbindd_getgrent_recv)
>   getgrent failed: NT_STATUS_NONE_MAPPED
>
> Relevant parts of smb.conf
>
>     security = domain
>     ldap ssl = Off
>     idmap backend = ldap:ldap://170.130.105.39
>     idmap uid = 8-9
>     idmap gid = 8-9
>     idmap alloc backend = ldap
>     idmap alloc config: ldap_url = ldap://170.130.105.39
>     idmap alloc config: ldap_base_dn = ou=idmap,dc=gibb,dc=co,dc=za
>     idmap alloc config: ldap_user_dn = cn=admin,ou=people,dc=gibb,dc=co,dc=za
>     idmap alloc config: range = 8-9
>     password server = *
>     winbind enum groups = yes
>     winbind enum users = yes
>
> Relevant part of nsswitch.conf
>
>     passwd: compat winbind
>     group: compat winbind
>     shadow: compat
>     hosts: files dns wins
Re: [Samba] getent and a lot of users
Hello,

On 16 August 2010 14:38, raveenpl ravee...@gmail.com wrote:
> Hi,
>
> In my environment I have windows ads domain with 180k users. I use Samba 3.5.4 and I noticed that not always all users are returned when I use getent command (sometimes it is half of whole list, sometimes this list is empty).
>
> Anybody has similar problem?

ads domain - where do you pull your data from? Is it OpenLDAP or AD? Check if it's not your backend that limits the size of the answer. OpenLDAP has a configuration directive called sizelimit (more in man slapd.conf). That would be my first suggestion. I also recommend ngrep for checking things up.

Regards, Michal
Re: [Samba] getent acting unreliable with idmap_ad
Hello Nico,

I am unsure I will be able to help you further with this topic, I am not a Samba nor AD master ...

> I already list my servers in password server =, although I do have the impression that Samba may have problems with my 2008R2 servers. I'll try playing with the settings.

I cannot tell for 2008R2, we don't have this version yet ...

>> - I stated clearly my /etc/krb5.conf
>
> Do you mean fill in /etc/krb5.conf properly or should I refer to it somewhere in the smb.conf file? I'm sure my krb5.conf is correct as I was using it in my old setup using kerberos+ldap authentication. I found some reference on the Internet to an smb.conf variable use kerberos keytab = yes however this doesn't seem to be accepted for Samba 3.4.7

I just filled it up properly, but did not mention Kerberos in any way in smb.conf

Best regards
---
Robert GRASSO
System Engineer
CEDRAT
15, Chemin de Malacher - Inovallée - 38246 MEYLAN Cedex - FRANCE
Tel: +33 (0)4 76 90 50 45
Fax: +33 (0)4 76 90 16 09
mailto:robert.gra...@cedrat.com
---
Support service : mailto:supp...@cedrat.com
Commercial service : mailto:ced...@cedrat.com
Web site : http://www.cedrat.com
Re: [Samba] getent acting unreliable with idmap_ad
>> I just filled it up properly, but did not mention Kerberos in any way in smb.conf
>
> Doh, that's what I have too. Any chance you could send me a copy of your smb.conf?

well, no problem, I am sure it is not a great piece of smb.conf, actually : here it is : it is the one for my desktop : I removed the comments and our private names and IPs :

    [global]
    netbios name = short
    workgroup = WG
    realm = WG.LAN
    server string = Samba Server - long_name
    hosts allow = 10.0. 127.
    smb ports = 445
    #printcap name = /etc/printcap
    printcap name = cups
    load printers = yes
    printing = cups
    cups options = raw
    log level = 1
    log file = /var/log/samba/%m.log
    max log size = 1
    security = ADS
    password server = s1,s2
    encrypt passwords = yes
    socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
    preferred master = no
    name resolve order = wins bcast
    wins server = IP1 IP2
    dns proxy = yes
    idmap domains = ALLDOMAINS
    idmap config ALLDOMAINS:backend = ad
    idmap config ALLDOMAINS:default = yes
    idmap config ALLDOMAINS:schema_mode = sfu
    idmap config ALLDOMAINS:range = 500 - 2
    template homedir = /home/%U
    winbind use default domain = yes
    winbind separator = +
    winbind enum users = yes
    winbind enum groups = yes
    winbind nss info = template sfu
    winbind offline logon = true
    winbind refresh tickets = true

Some comments :
- I used netbios name, as my desktop Unix name is longer than 15 characters - Windows or Samba did not like it ...
- we have two names for our AD domain - our winadmin did not solve this issue so far, thus I put one name as the workgroup and the other name as the kerberos realm ...
- I let template homedir in smb.conf by sheer laziness, with SFU I don't use it
- I used to set winbind offline logon and winbind refresh tickets when my Samba was unstable, they were tests - then, once I found the true solution, laziness again ...

Hope this helps
---
Robert GRASSO
Re: [Samba] getent acting unreliable with idmap_ad
Hi Robert,

thanks for your reply.

On Fri, 2010-07-30 at 17:45 +0200, Robert Grasso wrote:
> Hello,
>
> I personally solved my stability issues when, rather than letting Samba find automatically the AD servers, I stated them clearly :
> - I stated clearly my password server = in smb.conf

I already list my servers in password server =, although I do have the impression that Samba may have problems with my 2008R2 servers. I'll try playing with the settings.

> - I stated clearly my /etc/krb5.conf

Do you mean fill in /etc/krb5.conf properly or should I refer to it somewhere in the smb.conf file? I'm sure my krb5.conf is correct as I was using it in my old setup using kerberos+ldap authentication. I found some reference on the Internet to an smb.conf variable use kerberos keytab = yes however this doesn't seem to be accepted for Samba 3.4.7

> I am running on CentOS 5.5, samba 3.0.33.
>
> Apart from that : I have installed SFU on my Windows 2003 AD servers; to me, it seems that getent passwd username yields a result for the accounts which have an Unix account declared in AD through the Unix attributes, and only for these ones (?).

I think that's expected behaviour. idmap_ad looks up uid/gid from AD but doesn't create its own mapping if it doesn't find one. So any user that doesn't have a proper unix uid/gid field won't show up. I also noticed idmap_ad looks at the Windows Primary Group as gid instead of the group field on the unix tab. Therefore the Windows Primary Group also needs to have a valid unix id assigned.

Nico

--
With kind regards
Nico De Ranter
Senior System Administrator
Techsoft Centre
Technology and Software Centre Europe
The Corporate Village - Da Vincilaan 7-D1 - B-1935 Zaventem - Belgium
Phone: +32 (0)2 700 8641
Fax: +32 (0)2 700 8622
E-mail: nico.deran...@eu.sony.com
A division of Sony Europe (Belgium) N.V.
VAT BE 0413.825.160 - RPR Brussels
Fortis - BIC GEBABEBB - IBAN BE41293037680010
Re: [Samba] getent acting unreliable with idmap_ad
Hi Robert,

On Mon, 2010-08-02 at 11:32 +0200, Robert Grasso wrote:
> Hello Nico,
>
> I am unsure I will be able to help you further with this topic, I am not a Samba nor AD master ...

Thanks for trying anyway. Very much appreciated :-)

>> I already list my servers in password server =, although I do have the impression that Samba may have problems with my 2008R2 servers. I'll try playing with the settings.
>
> I cannot tell for 2008R2, we don't have this version yet ...
>
>>> - I stated clearly my /etc/krb5.conf
>>
>> Do you mean fill in /etc/krb5.conf properly or should I refer to it somewhere in the smb.conf file? I'm sure my krb5.conf is correct as I was using it in my old setup using kerberos+ldap authentication. I found some reference on the Internet to an smb.conf variable use kerberos keytab = yes however this doesn't seem to be accepted for Samba 3.4.7
>
> I just filled it up properly, but did not mention Kerberos in any way in smb.conf

Doh, that's what I have too. Any chance you could send me a copy of your smb.conf?

Nico
Re: [Samba] getent acting unreliable with idmap_ad
Hello,

I personally solved my stability issues when, rather than letting Samba find automatically the AD servers, I stated them clearly :
- I stated clearly my password server = in smb.conf
- I stated clearly my /etc/krb5.conf

I am running on CentOS 5.5, samba 3.0.33.

Apart from that : I have installed SFU on my Windows 2003 AD servers; to me, it seems that getent passwd username yields a result for the accounts which have an Unix account declared in AD through the Unix attributes, and only for these ones (?).

Regards
---
Robert GRASSO
System engineer
CEDRAT S.A.
15 Chemin de Malacher - Inovallée - 38246 MEYLAN cedex - FRANCE
Phone: +33 (0)4 76 90 50 45 - Fax: +33 (0)4 56 38 08 30
mailto:robert.gra...@cedrat.com - http://www.cedrat.com

-Original Message-
From: samba-boun...@lists.samba.org [mailto:samba-boun...@lists.samba.org] On Behalf Of Nico De Ranter
Sent: 30 July 2010 13:44
To: samba@lists.samba.org
Subject: [Samba] getent acting unreliable with idmap_ad

> I'm trying to get my linux boxes to authenticate to AD using winbind. I need to get my uid's from AD so I'm using idmap_ad. I got to the point where 'getent passwd' shows me the list of unix users from AD with all correct details, however when I do 'getent passwd username' for any username from the list returned by 'getent passwd' I get an empty reply (getent returns error code 2) and I can't login using those users.
>
> As a matter of fact on one of my testmachines it works sometimes. 'getent passwd nico' will return my user details and I can logon properly but when the system has been quiet for some time it seems to forget about the account again.
>
> Anybody seen this before? Any suggestions on how to debug this?
>
> I'm trying this on Ubuntu 9.10 and 10.04.
>
> Thanks in advance,
> Nico
Re: [Samba] getent behavior since 3.5.x
-Original Message-
From: samba-boun...@lists.samba.org [mailto:samba-boun...@lists.samba.org] On Behalf Of Steve Chupack
Sent: Saturday, June 26, 2010 6:18 PM
To: samba@lists.samba.org
Subject: Re: [Samba] getent behavior since 3.5.x

I can confirm that I've always had to manually replace the system's libnss_winbind files with those in [samba source]/nsswitch.

On Sat, 26 Jun 2010 16:39:42 -0400 Gaiseric Vandal gaiseric.van...@gmail.com wrote:

Are you use the nss_winbind or winbind_nss files compiled? They may be in a separate directory or explicitly require make nsswitch command.

-Original Message-
From: samba-boun...@lists.samba.org [mailto:samba-boun...@lists.samba.org] On Behalf Of David Boyd
Sent: Friday, June 25, 2010 12:44 PM
To: sa...@samba.org
Subject: [Samba] getent behavior since 3.5.x

Since upgrading to samba 3.5.x (x=2,3,4) from samba 3.4.8 and samba-3.3.12 on FreeBSD versions 6.4, 7.3 and 8.0, getent has failed to return samba group or user entries displaying only the local unix group and password data. wbinfo -u and wbinfo -g seem to work just fine. No smb.conf changes were made during the upgrades. Falling back to samba 3.4.8 resolves this issue. Logins using the samba credentials always work without regard to version. Several bug reports exist which describe these problems although not specifically for FreeBSD. Is this expected behavior? I realize that getent isn't a samba utility. Should another bug report be submitted? What info? debug level? Thanks for any reply.

Existing bug: https://bugzilla.samba.org/show_bug.cgi?id=7355
Re: [Samba] getent behavior since 3.5.x
Are you use the nss_winbind or winbind_nss files compiled? They may be in a separate directory or explicitly require make nsswitch command.

-Original Message-
From: samba-boun...@lists.samba.org [mailto:samba-boun...@lists.samba.org] On Behalf Of David Boyd
Sent: Friday, June 25, 2010 12:44 PM
To: sa...@samba.org
Subject: [Samba] getent behavior since 3.5.x

Since upgrading to samba 3.5.x (x=2,3,4) from samba 3.4.8 and samba-3.3.12 on FreeBSD versions 6.4, 7.3 and 8.0, getent has failed to return samba group or user entries displaying only the local unix group and password data. wbinfo -u and wbinfo -g seem to work just fine. No smb.conf changes were made during the upgrades. Falling back to samba 3.4.8 resolves this issue. Logins using the samba credentials always work without regard to version. Several bug reports exist which describe these problems although not specifically for FreeBSD. Is this expected behavior? I realize that getent isn't a samba utility. Should another bug report be submitted? What info? debug level? Thanks for any reply.
Re: [Samba] getent behavior since 3.5.x
I can confirm that I've always had to manually replace the system's libnss_winbind files with those in [samba source]/nsswitch.

On Sat, 26 Jun 2010 16:39:42 -0400 Gaiseric Vandal gaiseric.van...@gmail.com wrote:

Are you use the nss_winbind or winbind_nss files compiled? They may be in a separate directory or explicitly require make nsswitch command.

-Original Message-
From: samba-boun...@lists.samba.org [mailto:samba-boun...@lists.samba.org] On Behalf Of David Boyd
Sent: Friday, June 25, 2010 12:44 PM
To: sa...@samba.org
Subject: [Samba] getent behavior since 3.5.x

Since upgrading to samba 3.5.x (x=2,3,4) from samba 3.4.8 and samba-3.3.12 on FreeBSD versions 6.4, 7.3 and 8.0, getent has failed to return samba group or user entries displaying only the local unix group and password data. wbinfo -u and wbinfo -g seem to work just fine. No smb.conf changes were made during the upgrades. Falling back to samba 3.4.8 resolves this issue. Logins using the samba credentials always work without regard to version. Several bug reports exist which describe these problems although not specifically for FreeBSD. Is this expected behavior? I realize that getent isn't a samba utility. Should another bug report be submitted? What info? debug level? Thanks for any reply.
Re: [Samba] Getent passwd and getent group fail / Samba 3.5.2
I have investigated further and compared the behaviour of samba 3.3 and samba 3.5 on 2 identical SLES9 VM's. Samba 3.3 is working as expected with our Win2k3 SFU Domain and idmap_ad module. Samba 3.5 is not. I noticed that there are a few kerberos params that have changed in 3.5 but I just can't get 3.5 to work as expected:

sles9test3:~ # testparm
Load smb config files from /etc/samba/smb.conf
rlimit_max: rlimit_max (1024) below minimum Windows limit (16384)
Unknown parameter encountered: use kerberos keytab
Ignoring unknown parameter use kerberos keytab
Loaded services file OK.
Server role: ROLE_DOMAIN_MEMBER
Press enter to see a dump of your service definitions

For example I can run getent passwd and getent group fine under 3.3 but not under 3.5. Also I created a user in AD tuser2 this user is visible within 1 minute under 3.3 under 3.5 it's not even visible after a reboot. Also group memberships of AD users are not updated under 3.5.2. I'm not sure if this is a bug. I tried a lot of things in smb.conf but it just doesn't work. At the moment I have to consider going back to 3.3. I googled a lot in the past days to find a correct smb.conf for 3.5 and idmap_ad but it's really hard to find a well documented howto. I would really appreciate if someone has a look on this.
Here is my smb.conf:

[global]
    netbios name = sles9test1
    realm = SOMEDOMAIN.NET
    workgroup = SOMEDOMAIN
    security = ADS
    encrypt passwords = yes
    password server = dc.somedomain.net
    os level = 20
    idmap backend = ad
    idmap config SOMEDOMAIN : backend = ad
    idmap config SOMEDOMAIN : schema_mode = sfu
    idmap config SOMEDOMAIN : range = 0-
    winbind nss info = sfu
    winbind enum users = yes
    winbind enum groups = yes
    preferred master = no
    winbind nested groups = Yes
    winbind use default domain = Yes
    max log size = 50
    log level = 10
    log file = /var/log/samba/log.%m
    dns proxy = no
    wins server = 172.20.200.18 172.18.200.20
    allow trusted domains = no
    client use spnego = Yes
    use kerberos keytab = true
    winbind refresh tickets = yes
    idmap cache time = 1
    winbind cache time = 1
Re: [Samba] Getent passwd and getent group fail / Samba 3.5.2
Im really totally lost about this problem. I tried a lot of things in smb.conf but it just doesn't work. I mean it is working fine on 3.3.2 so I don't think this is a problem in AD. It must be something that has changed in the config of 3.5.2 -Original Message- From: samba-boun...@lists.samba.org [mailto:samba-boun...@lists.samba.org] On Behalf Of Oliver Weinmann Sent: Dienstag, 4. Mai 2010 10:21 To: samba@lists.samba.org Subject: [Samba] Getent passwd and getent group fail / Samba 3.5.2 Hi all, I just stepped over a problem where I can't add a local user to an AD group. Running getent passwd and getent group doesn't display the AD users. Wbinfo -g and -u work fine. Here is my smb.conf: [global] netbios name = sles11test1 realm = SOMEDOMAIN.NET workgroup = SOMEDOMAIN security = ADS encrypt passwords = yes password server = someserver.somedomain.net idmap backend = ad idmap config SOMEDOMAIN : backend = ad idmap config SOMEDOMAIN : schema_mode = sfu idmap config SOMEDOMAIN : range = 0- winbind nss info = sfu winbind enum users = yes winbind enum groups = yes winbind offline logon = yes preferred master = no winbind nested groups = Yes winbind use default domain = Yes max log size = 50 log file = /var/log/samba/log.%m log level = 3 dns proxy = no wins server = 172.20.200.18 172.18.200.20 allow trusted domains = No client use spnego = Yes kerberos method = secrets and keytab dedicated keytab file = /etc/krb5.keytab winbind refresh tickets = true idmap cache time = 1 idmap negative cache time = 1 winbind cache time = 1 In the log I get this error when running getent group: tail -f /var/log/samba/log.winbindd-idmap Could not get unix ID [2010/05/04 10:15:29.444783, 1] winbindd/idmap_ad.c:651(idmap_ad_sids_to_unixids) Could not get unix ID Getent group and passwd works fine e.g. on an old ubuntu install with samba 3.3.2. So far I have this problem on SLES9 and SLES11. 
Re: [Samba] Getent passwd and getent group fail / Samba 3.5.2
On 5/4/2010 4:20 AM, Oliver Weinmann had this to say:

Hi all, I just stepped over a problem where I can't add a local user to an AD group. Running getent passwd and getent group doesn't display the AD users. Wbinfo -g and -u work fine. Here is my smb.conf: snip

In the log I get this error when running getent group:

tail -f /var/log/samba/log.winbindd-idmap
Could not get unix ID
[2010/05/04 10:15:29.444783, 1] winbindd/idmap_ad.c:651(idmap_ad_sids_to_unixids)
Could not get unix ID

Doesn't that indicate that Samba thinks the SFU extensions aren't installed? What is the version of AD? Is it 2003 R2, or 2003 with SFU installed?

--
Michael J. Leone, mailto:tur...@mike-leone.com
PGP Fingerprint: 0AA8 DC47 CB63 AE3F C739 6BF9 9AB4 1EF6 5AA5 BCDF
Photo Gallery: http://www.flickr.com/photos/mikeleonephotos
USER ERROR: replace user and press any key to continue.
Re: [Samba] getent passwd problem
Hi, I have replicated this on a test box, if you do a net cache flush, then restart samba and winbind, run getent passwd (only displays local users) then net cache list (will display all cache of remote users) The only way i know to fix this is to rename idmap config name and restart samba/winbind... but a week later the problem will be back.. seems strange to me, is this a bug with 3.3.9 or am i missing something here ? Thanks, Wasim 2009/12/22 Gaiseric Vandal gaiseric.van...@gmail.com I have similar issues with samba 3.0.37 on Solaris 10.I use winbind and ldap for domain trusts (not for the users with in the domain.) Increasing idmap cache time may reduce how often you need to reset things. When the cache time expires I have to zap idmap entries from ldap and zap the idmap cache tbd files. It appears samba can create the cache info but not properly update or reread it once the cache has expired. I have been testing 3.4.3 and it seems better but I can't say for sure yet. (Getting samba compiled with ldap and zfs support for Solaris is tricky.) On 12/22/09 10:44, Wasim Bashir wrote: Hi, I am having a weird issue with samba where once a week approximately at the same time users will lose connectivity, if i run wbinfo -u all users are displayed wbinfo -g all groups are displayed However running getent passwd only shows local-users, no remote users are shown.. To fix the issue I have to change the name of my idmap config and restart samba and winbind and everything works fine for a week... Am I missing something obvious here ? 
I have attached my config below : [global] security = ads max mux = 16384 log file = /home/sites/samba-log/log.%m ldap timeout = 45 ldap connection timeout = 30 max open files = 10 realm = merlin.internaloffice.co.uk password server = 10.0.9.0 workgroup = WEBHOSTING idmap backend = tdb idmap uid = 500-200 idmap gid = 500-200 winbind enum users = yes winbind enum groups = yes template homedir = /home/sites/%U template shell = /bin/bash client use spnego = yes client ntlmv2 auth = yes encrypt passwords = yes winbind use default domain = yes winbind nss info = template rfc2307 restrict anonymous = 2 idmap config WEBHOSTING : schema_mode = rfc2307 idmap config WEBHOSTING : backend = ad idmap config WEBHOSTING : range= 500 - 3 [home] hide dot files = no path = /home/sites read only = no dos filetime resolution = yes I am using samba 3.3.9, do we know whether this issue has been fixed in samba 3.4.x ? Any help greatly appreciated. Thanks, Wasim -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
Re: [Samba] getent passwd problem
Wasim Bashir wrote: I am having a weird issue with samba where once a week approximately at the same time users will lose connectivity, if i run wbinfo -u all users are displayed wbinfo -g all groups are displayed However running getent passwd only shows local-users, no remote users are shown.. To fix the issue I have to change the name of my idmap config and restart samba and winbind and everything works fine for a week... Am I missing something obvious here ? I have attached my config below : [global] security = ads max mux = 16384 log file = /home/sites/samba-log/log.%m ldap timeout = 45 ldap connection timeout = 30 max open files = 10 realm = merlin.internaloffice.co.uk password server = 10.0.9.0 workgroup = WEBHOSTING idmap backend = tdb idmap uid = 500-200 idmap gid = 500-200 winbind enum users = yes winbind enum groups = yes template homedir = /home/sites/%U template shell = /bin/bash client use spnego = yes client ntlmv2 auth = yes encrypt passwords = yes winbind use default domain = yes winbind nss info = template rfc2307 restrict anonymous = 2 idmap config WEBHOSTING : schema_mode = rfc2307 idmap config WEBHOSTING : backend = ad idmap config WEBHOSTING : range= 500 - 3 [home] hide dot files = no path = /home/sites read only = no dos filetime resolution = yes I am using samba 3.3.9, do we know whether this issue has been fixed in samba 3.4.x ? Any help greatly appreciated. Thanks, Wasim Could it be a network issue rather than Samba itself - a switch being turned off briefly, IP address being refreshed, DNS issue - that breaks the communication with kerberos or PDC? I heard of one site whose network was interrupted at the same time each day, which they eventually traced to a heavy delivery lorry crushing a badly-installed underground cable. Moray. To err is human. To purr, feline -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
Re: [Samba] getent doesnt't list group - resolved
Thank you very much, it's one week which I was trying to resolve this problem :-) Perhaps use 'winbind' instead of 'windind' :-) Bye Massimo
Re: [Samba] getent doesnt't list group - resolved
Perhaps use 'winbind' instead of 'windind' :-) Thank you very much, it's one week which I was trying to resolve this problem :-) Bye Massimo
Re: [Samba] getent doesnt't list group
my nsswitch.conf

passwd: compat winbind
group: compat windind

Perhaps use 'winbind' instead of 'windind' :-)

Cheers, Adam.
Re: [Samba] getent group fails
Hello Kevin,

make sure you don't have

winbind enum users = yes
winbind enum groups = yes

turned off in your configuration; it's however set to yes as default.

Regards, -sd

2009/6/17 Kevin Blackwell akblack...@gmail.com:

Hi, Well, I'll try to start at what I think the root of my problems are. When I do a getent group, I only get a list of the BUILTIN groups.

BUILTIN+administrators
BUILTIN+users

But if I do a wbinfo -g, all the AD groups show up. This alone is not the overall problem, but it is creating a problem because I need getent to return the groups for logging different AD groups to different log files in squid.

Another problem is the wbinfo_group.pl and I know this is a squid app, but from what I understand it used wbinfo.

/usr/lib/squid/wbinfo_group.pl tuser password
Could not get groups for user tuser

I can provide config data and anything else necessary. Thanks in advance.
Re: [Samba] getent group shows AD groups; getent passwd only shows local users
Brian Gregorcy schrieb: In log.winbindd I can see errors like: [2009/01/22 10:44:55, 3] libads/ldap.c:ads_do_paged_search_args(696) ads_do_paged_search_args: ldap_search_with_timeout((objectCategory=user)) - Operations error [2009/01/22 10:44:55, 3] libads/ldap_utils.c:ads_do_search_retry_internal(76) Reopening ads connection to realm 'GEORGIANUT.COM' after error Operations error [2009/01/22 10:44:55, 5] libads/dns.c:sitename_fetch(677) sitename_fetch: Returning sitename for georgianut.com: Default-First-Site-Name [2009/01/22 10:44:55, 6] libads/ldap.c:ads_find_dc(294) ads_find_dc: looking for realm 'georgianut.com' [2009/01/22 10:44:55, 8] libsmb/namequery.c:get_sorted_dc_list(1626) get_sorted_dc_list: attempting lookup for name georgianut.com (sitename Default-First-Site-Name) using [ads] check that your clock on the linux box matches the clock on the DC. Just being curios: what time difference is acceptable? I.e. up to 5 seconds, 5 minutes? That being said, the clocks are in sync. When I use tcpdump to see what happens when doing getent passwd, I can see such error message: 5012 DIR_ERROR Google suggest such causes for this error: i.e. LDAP troubleshooting kb.adobe.com/selfservice/viewContent.do?externalId=tn_19576 Cause: The DN specified in the User Search tab is incorrect, wrong, or incorrectly formatted. Cause: User could not be found. Most likely due to DN settings in the User Search tab or the suffix or prefix fields in the Settings tab. Cause: Most likely caused by a bad username or password. Common cause of this error is a user trying to login with DOMAIN\login instead of just login. However, this doesn't explain why getent group works, and getent passwd doesn't. -- Tomasz Chmielewski http://wpkg.org -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
Re: [Samba] getent group shows AD groups; getent passwd only shows local users
check that your clock on the linux box matches the clock on the DC.

Just being curious: what time difference is acceptable? I.e. up to 5 seconds, 5 minutes? That being said, the clocks are in sync.

I think the default is 5 minutes. We have seen odd problems like this when our Linux boxes clock skew too far from our DC.
Re: [Samba] getent group shows AD groups; getent passwd only shows local users
Tomasz Chmielewski wrote: I had winbind configured so that it could fetch users from AD. Everything was working properly, but something happened in the past couple of days (no change in the Samba config) I'm not able to diagnose. getent group enumerates groups, getent passwd doesn't. wbinfo -g returns groups, whereas I get this error when trying to get users: # wbinfo -u Error looking up domain users # net rpc join -S GNCNET -U user_linux Password: Joined domain NUT. # net ads join -S GNCNET -U user_linux user_linux's password: [2009/01/22 10:37:06, 0] utils/net_ads.c:ads_startup_int(286) ads_connect: No logon servers Failed to join domain: No logon servers I see the Samba machine sends and receives packets on port 389 when I do getent passwd, but just no users are returned. Ideas? This is my smb.conf: workgroup = NUT password server = GNCNET realm = GNCNET.GEORGIANUT.COM security = ads idmap uid = 1-2 idmap gid = 1-2 winbind separator = + template homedir = /home/%D/cbl template shell = /bin/bash winbind use default domain = true winbind offline logon = false server string = Samba Server %v encrypt passwords = Yes log file = /var/log/samba/log.%m max log size = 100 log level = 8 os level = 18 local master = No dns proxy = No winbind enum users = yes winbind enum groups = yes In log.winbindd I can see errors like: [2009/01/22 10:44:55, 3] libads/ldap.c:ads_do_paged_search_args(696) ads_do_paged_search_args: ldap_search_with_timeout((objectCategory=user)) - Operations error [2009/01/22 10:44:55, 3] libads/ldap_utils.c:ads_do_search_retry_internal(76) Reopening ads connection to realm 'GEORGIANUT.COM' after error Operations error [2009/01/22 10:44:55, 5] libads/dns.c:sitename_fetch(677) sitename_fetch: Returning sitename for georgianut.com: Default-First-Site-Name [2009/01/22 10:44:55, 6] libads/ldap.c:ads_find_dc(294) ads_find_dc: looking for realm 'georgianut.com' [2009/01/22 10:44:55, 8] libsmb/namequery.c:get_sorted_dc_list(1626) get_sorted_dc_list: attempting 
lookup for name georgianut.com (sitename Default-First-Site-Name) using [ads]

check that your clock on the linux box matches the clock on the DC.

--Brian
Re: [Samba] 'getent passwd' shows duplicate user accounts
Hi,

David Collins wrote:

Hello, I am setting up an LDAP Samba server, and have migrated all the local posix account info into it as well as creating the smb account info. I have now set up this server to use LDAP for authentication (rather than /etc/passwd, etc.) like so ...

sudo apt-get --yes install ldap-auth-client
sudo auth-client-config -a -p lac_ldap

When testing the result with 'getent passwd', I see all the LDAP user accounts, but it seems the info in /etc/passwd file is also reported. Is this normal?

Have a look at your /etc/nsswitch.conf. If it contains something like this:

passwd: files ldap
group: files ldap
shadow: files ldap

(while 'files' could also read 'compat') it is indeed normal and normally it should be left this way so you have authentication during system startup before ldap becomes available.

Cheers, André
Re: [Samba] 'getent passwd' shows duplicate user accounts
Thanks for the advice, Andre. Yes, the lines do say 'files ldap'. I will leave it as is.

On Mon, 2008-08-11 at 08:52 +0200, André Welter wrote:

Hi,

David Collins wrote:

Hello, I am setting up an LDAP Samba server, and have migrated all the local posix account info into it as well as creating the smb account info. I have now set up this server to use LDAP for authentication (rather than /etc/passwd, etc.) like so ...

sudo apt-get --yes install ldap-auth-client
sudo auth-client-config -a -p lac_ldap

When testing the result with 'getent passwd', I see all the LDAP user accounts, but it seems the info in /etc/passwd file is also reported. Is this normal?

Have a look at your /etc/nsswitch.conf. If it contains something like this:

passwd: files ldap
group: files ldap
shadow: files ldap

(while 'files' could also read 'compat') it is indeed normal and normally it should be left this way so you have authentication during system startup before ldap becomes available.

Cheers, André
Re: [Samba] Getent troubles.
On Mon, Jul 14, 2008 at 12:20:01PM -0500, [EMAIL PROTECTED] wrote:

I've joined a box to my windows 2003 ad domain. I can use wbinfo u/g with no problems. I can also run getent passwd and it returns local and domain accounts. However, when I run getent group it hangs. Not sure why. I have to restart winbind after this, also. Anybody have any ideas or pointer?

What version of Samba ? What OS is it running on ?

Jeremy.
Re: [Samba] getent not listing ADS users ctdb samba
Did you copy the libnss_winbind.so to /lib and make a libnss_winbind.so.2 link out of it ? Hi, I am setting up ctdb samba, and have hit a brick wall trying to solve the following issue. 1.getent does not retrieve the list of domain users or groups (wbinfo works fine) I'm not sure what I'm missing but I've almost spent the whole day trying to resolve this one and haven't made any progress :-( Any help or suggestions are appreciated My configuration is as follows Installed pre-built RHEL binaries from ctdb.samba ctdb-1.0-41.src.rpm ctdb-1.0-41.x86_64.rpm ctdb-debuginfo-1.0-41.x86_64.rpm samba-3.0.25-ctdb.16.src.rpm samba-3.0.25-ctdb.16.x86_64.rpm samba-client-3.0.25-ctdb.16.x86_64.rpm samba-common-3.0.25-ctdb.16.x86_64.rpm samba-debuginfo-3.0.25-ctdb.16.x86_64.rpm samba-doc-3.0.25-ctdb.16.x86_64.rpm samba-swat-3.0.25-ctdb.16.x86_64.rpm samba-winbind-32bit-3.0.25-ctdb.16.i386.rpm SMB.CONF [global] workgroup = PLANET realm = PLANET.AD netbios name = CTDBSAMBA server string = CTDB Samba Server security = ADS private dir = /gpfs/gpfs0/SMBDconfig log file = /usr/local/samba/var/log.%m max log size = 50 clustering = Yes dns proxy = No ldap ssl = no idmap backend = tdb2 idmap uid = 1-2 idmap gid = 1-2 winbind separator = + [homes] comment = Home Directories read only = No browseable = No [printers] comment = All Printers path = /usr/spool/samba printable = Yes browseable = No [GPFSGLOBAL] comment = GPFS Global Share path = /gpfs/gpfs0/GLOBALSHARE read only = No force unknown acl user = Yes vfs objects = gpfs nfs4:acedup = merge nfs4:chown = yes nfs4:mode = special gpfs:sharemodes = No fileid:mapping = fsname KRB5.CONF [logging] default = FILE:/var/log/krb5libs.log kdc = FILE:/var/log/krb5kdc.log admin_server = FILE:/var/log/kadmind.log [libdefaults] default_realm = PLANET.AD [realms] PLANET.AD = { kdc = msad2k3.planet.ad admin_server = msad2k3 } [domain_realm] .msad2k3.planet.ad = PLANET.AD [appdefaults] pam = { debug = false ticket_lifetime = 36000 renew_lifetime = 36000 
forwardable = true krb4_convert = false } NSSWITCH.CONF passwd: files winbind shadow: files group: files winbind SYSTEM-AUTH #%PAM-1.0 # This file is auto-generated. # User changes will be destroyed the next time authconfig is run. authrequired pam_env.so ### WINBIND AUTH ### authsufficient /lib/security/pam_winbind.so authsufficientpam_unix.so nullok try_first_pass authrequisite pam_succeed_if.so uid = 500 quiet authrequired pam_deny.so ### WINBIND AUTH ### accountsufficient /lib/security/pam_winbind.so account required pam_unix.so account sufficientpam_succeed_if.so uid 500 quiet account required pam_permit.so passwordrequisite pam_cracklib.so try_first_pass retry=3 passwordsufficientpam_unix.so md5 shadow nullok try_first_pass use_authtok passwordrequired pam_deny.so session optional pam_keyinit.so revoke session required pam_limits.so session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid session required pam_unix.so -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba Message scanned by ClamAV engine (http://www.clamav.net) -- François Legal Message scanned by ClamAV engine (http://www.clamav.net) -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
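An added example, not part of any post in these threads: the 'windind' typo in nsswitch.conf and the question above about the libnss_winbind.so.2 link are both cases of an NSS source name with no loadable module behind it, since glibc maps a source `foo` to `libnss_foo.so.2`. The sketch below checks that; the function names and the NSS_SKIP variable are hypothetical, and the sample file is constructed from the lines quoted in the thread.

```shell
#!/bin/sh
# nss_missing_modules CONF LIBDIR [LIBDIR...]
# Prints one "database:source" line for every source named on the passwd,
# group or shadow line of CONF that has no libnss_<source>.so.2 in any LIBDIR.
# NSS_SKIP (hypothetical variable) may hold a space-separated list of sources
# that your libc provides without a separate module file.
nss_missing_modules() {
    conf=$1
    shift
    [ -r "$conf" ] || { echo "cannot read $conf" >&2; return 2; }
    # Drop comments and [STATUS=action] items, leaving "db: src src ..." lines.
    sed -e 's/#.*//' -e 's/\[[^]]*]//g' "$conf" |
    while IFS=: read -r db sources; do
        db=$(printf '%s' "$db" | tr -d ' \t')
        case $db in
            passwd|group|shadow) ;;
            *) continue ;;
        esac
        for src in $sources; do
            case " ${NSS_SKIP:-} " in
                *" $src "*) continue ;;
            esac
            found=no
            for dir in "$@"; do
                # -e follows symlinks, so a dangling .so.2 link counts as missing.
                if [ -e "$dir/libnss_$src.so.2" ]; then
                    found=yes
                    break
                fi
            done
            [ "$found" = yes ] || printf '%s:%s\n' "$db" "$src"
        done
    done
}

# Constructed sample: the two nsswitch.conf lines quoted in the thread (typo
# included) and a library directory holding compat plus a winbind module that
# is linked the way the rpm listing shows (libnss_winbind.so.2 -> libnss_winbind.so).
nss_demo() {
    tmp=$(mktemp -d) || return 1
    mkdir "$tmp/lib"
    printf 'passwd: compat winbind\ngroup:  compat windind\n' > "$tmp/nsswitch.conf"
    : > "$tmp/lib/libnss_compat.so.2"
    : > "$tmp/lib/libnss_winbind.so"
    ln -s libnss_winbind.so "$tmp/lib/libnss_winbind.so.2"
    nss_missing_modules "$tmp/nsswitch.conf" "$tmp/lib"
    rm -rf "$tmp"
}

nss_demo
```

On a real host the call would be `nss_missing_modules /etc/nsswitch.conf` followed by the library directories your libc searches; which directories those are depends on the distribution and on whether the binaries are 32-bit or 64-bit.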
RE: [Samba] getent not listing ADS users ctdb samba
this seems to have been created during the rpm install, see below [EMAIL PROTECTED] samba]# rpm -ql samba-winbind-32bit-3.0.25-ctdb.16 /lib/libnss_winbind.so /lib/libnss_winbind.so.2 /lib/libnss_wins.so /lib/libnss_wins.so.2 /lib/security/pam_winbind.so [EMAIL PROTECTED] samba]# ls -lasp /lib | grep libnss 40 -rwxr-xr-x 1 root root 36340 Jul 5 2007 libnss_compat-2.5.so 4 lrwxrwxrwx 1 root root 20 May 26 08:37 libnss_compat.so.2 - libnss_compat-2.5.so 816 -rwxr-xr-x 1 root root 824900 Jul 13 2006 libnss_db-2.2.so 4 lrwxrwxrwx 1 root root 16 May 26 08:39 libnss_db.so.2 - libnss_db-2.2.so 28 -rwxr-xr-x 1 root root 21848 Jul 5 2007 libnss_dns-2.5.so 4 lrwxrwxrwx 1 root root 17 May 26 08:37 libnss_dns.so.2 - libnss_dns-2.5.so 52 -rwxr-xr-x 1 root root 46740 Jul 5 2007 libnss_files-2.5.so 4 lrwxrwxrwx 1 root root 19 May 26 08:37 libnss_files.so.2 - libnss_files-2.5.so 28 -rwxr-xr-x 1 root root 22752 Jul 5 2007 libnss_hesiod-2.5.so 4 lrwxrwxrwx 1 root root 20 May 26 08:37 libnss_hesiod.so.2 - libnss_hesiod-2.5.so 3036 -rwxr-xr-x 1 root root 3099444 Jul 6 2007 libnss_ldap-2.5.so 4 lrwxrwxrwx 1 root root 18 May 26 08:40 libnss_ldap.so.2 - libnss_ldap-2.5.so 48 -rwxr-xr-x 1 root root 42368 Jul 5 2007 libnss_nis-2.5.so 60 -rwxr-xr-x 1 root root 51696 Jul 5 2007 libnss_nisplus-2.5.so 4 lrwxrwxrwx 1 root root 21 May 26 08:37 libnss_nisplus.so.2 - libnss_nisplus-2.5.so 4 lrwxrwxrwx 1 root root 17 May 26 08:37 libnss_nis.so.2 - libnss_nis-2.5.so 20 -rwxr-xr-x 1 root root 19408 Jan 31 10:30 libnss_winbind.so 0 lrwxrwxrwx 1 root root 17 Jun 3 18:36 libnss_winbind.so.2 - libnss_winbind.so 1016 -rwxr-xr-x 1 root root 1032916 Jan 31 10:30 libnss_wins.so 0 lrwxrwxrwx 1 root root 14 Jun 3 18:36 libnss_wins.so.2 - libnss_wins.so -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Evan Koutsandreou Sent: Tuesday, 3 June 2008 7:09 PM To: samba@lists.samba.org Subject: [Samba] getent not listing ADS users ctdb samba Hi, I am setting up ctdb samba, and have hit 
a brick wall trying to solve the following issue. 1. getent does not retrieve the list of domain users or groups (wbinfo works fine) I'm not sure what I'm missing but I've almost spent the whole day trying to resolve this one and haven't made any progress :-( Any help or suggestions are appreciated My configuration is as follows Installed pre-built RHEL binaries from ctdb.samba ctdb-1.0-41.src.rpm ctdb-1.0-41.x86_64.rpm ctdb-debuginfo-1.0-41.x86_64.rpm samba-3.0.25-ctdb.16.src.rpm samba-3.0.25-ctdb.16.x86_64.rpm samba-client-3.0.25-ctdb.16.x86_64.rpm samba-common-3.0.25-ctdb.16.x86_64.rpm samba-debuginfo-3.0.25-ctdb.16.x86_64.rpm samba-doc-3.0.25-ctdb.16.x86_64.rpm samba-swat-3.0.25-ctdb.16.x86_64.rpm samba-winbind-32bit-3.0.25-ctdb.16.i386.rpm SMB.CONF [global] workgroup = PLANET realm = PLANET.AD netbios name = CTDBSAMBA server string = CTDB Samba Server security = ADS private dir = /gpfs/gpfs0/SMBDconfig log file = /usr/local/samba/var/log.%m max log size = 50 clustering = Yes dns proxy = No ldap ssl = no idmap backend = tdb2 idmap uid = 1-2 idmap gid = 1-2 winbind separator = + [homes] comment = Home Directories read only = No browseable = No [printers] comment = All Printers path = /usr/spool/samba printable = Yes browseable = No [GPFSGLOBAL] comment = GPFS Global Share path = /gpfs/gpfs0/GLOBALSHARE read only = No force unknown acl user = Yes vfs objects = gpfs nfs4:acedup = merge nfs4:chown = yes nfs4:mode = special gpfs:sharemodes = No fileid:mapping = fsname KRB5.CONF [logging] default = FILE:/var/log/krb5libs.log kdc = FILE:/var/log/krb5kdc.log admin_server = FILE:/var/log/kadmind.log [libdefaults] default_realm = PLANET.AD [realms] PLANET.AD = { kdc = msad2k3.planet.ad admin_server = msad2k3 } [domain_realm] .msad2k3.planet.ad = PLANET.AD [appdefaults] pam = { debug = false ticket_lifetime = 36000 renew_lifetime = 36000 forwardable = true krb4_convert = false } NSSWITCH.CONF passwd: files winbind shadow: files group: files winbind SYSTEM-AUTH #%PAM-1.0 # 
This file is auto-generated. # User changes will be destroyed the next time authconfig is run. authrequired pam_env.so ### WINBIND AUTH ### authsufficient /lib/security/pam_winbind.so authsufficientpam_unix.so nullok try_first_pass authrequisite pam_succeed_if.so uid = 500 quiet auth
Re: [Samba] getent not listing ADS users ctdb samba
On Tue, 3 Jun 2008, Evan Koutsandreou wrote:

> 1. getent does not retrieve the list of domain users or groups (wbinfo works fine)

Do you mean getent passwd, or getent passwd foo? If you mean the former, then you need:

winbind enum groups = yes
winbind enum users = yes

jh

--
Woman was God's second mistake. -- Nietzsche
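The two causes this page gives for "wbinfo lists domain accounts but getent shows only local ones" (no winbind source in nsswitch.conf, and enumeration not enabled in smb.conf) can be checked mechanically. The following is an added example, not part of the original messages or of Samba: the function names are hypothetical, and the embedded files are excerpts of the configuration posted at the start of this thread.

```python
import re

# Excerpts of the files posted at the start of this thread (shares omitted).
SMB_CONF = """\
[global]
workgroup = PLANET
realm = PLANET.AD
security = ADS
idmap backend = tdb2
winbind separator = +

[homes]
comment = Home Directories
read only = No
"""

NSSWITCH_CONF = """\
passwd: files winbind
shadow: files
group: files winbind
"""


def parse_smb_global(text):
    """Return the [global] parameters of an smb.conf as {normalised name: value}."""
    params, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":          # smb.conf comments start with # or ;
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section == "global" and "=" in line:
            name, value = line.split("=", 1)
            # Samba ignores case and whitespace inside parameter names.
            params[re.sub(r"\s+", "", name).lower()] = value.strip()
    return params


def parse_nsswitch(text):
    """Return {database: [sources]} from nsswitch.conf, ignoring [STATUS=action] items."""
    databases = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if ":" in line:
            db, sources = line.split(":", 1)
            databases[db.strip()] = [s for s in sources.split() if not s.startswith("[")]
    return databases


def is_yes(value):
    """Samba boolean: yes/true/on/1 enable a setting; a missing value counts as off."""
    return value is not None and value.strip().lower() in ("yes", "true", "on", "1")


def enumeration_findings(smb_conf, nsswitch_conf):
    """Explain why a bare 'getent passwd' / 'getent group' would omit domain entries."""
    findings = []
    nss = parse_nsswitch(nsswitch_conf)
    glob = parse_smb_global(smb_conf)
    for db, label in (("passwd", "winbind enum users"), ("group", "winbind enum groups")):
        if "winbind" not in nss.get(db, []):
            findings.append(
                f"nsswitch.conf: '{db}' has no winbind source, so getent never queries winbindd")
        if not is_yes(glob.get(label.replace(" ", ""))):
            # Only full listings depend on this; 'getent passwd foo' does not.
            findings.append(
                f"smb.conf: '{label}' is not enabled, so 'getent {db}' lists only local entries")
    return findings


if __name__ == "__main__":
    for finding in enumeration_findings(SMB_CONF, NSSWITCH_CONF):
        print(finding)
```

Run against the posted configuration it reports the two missing enumeration settings and nothing about nsswitch.conf, which matches the answer given in the reply above.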
RE: [Samba] getent not listing ADS users ctdb samba
That's worked, thanks a million!!

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of John Hodrien
Sent: Tuesday, 3 June 2008 8:11 PM
Cc: samba@lists.samba.org
Subject: Re: [Samba] getent not listing ADS users ctdb samba

On Tue, 3 Jun 2008, Evan Koutsandreou wrote:

> 1. getent does not retrieve the list of domain users or groups (wbinfo works fine)

Do you mean getent passwd, or getent passwd foo? If you mean the former, then you need:

winbind enum groups = yes
winbind enum users = yes

jh

--
Woman was God's second mistake. -- Nietzsche
Re: [Samba] getent passwd not adding users
You need to add idmap uid with the same range as the gid, well at least that is what I've always done.

Jamie Gordon wrote:

> I'm running Samba version Version 3.0.25b-1.el5_1.2 on RH Enterprise Linux 5. I've configured the SMB server to get users from a Windows 2003 Server Active Directory tree. I was able to join the machine to the domain with no problem. Here's the smb.conf
>
> Quote:
> [global]
> idmap gid = 6-9
> winbind trusted domains only = yes
> encrypt passwords = yes
> show add printer wizard = No
> winbind use default domain = Yes
> realm = domain
> netbios name = servername
> printing = cups
> idmap uid = 1-5
> password server = dcname
> workgroup = domain
> os level = 20
> printcap name = cups
> security = domain
> winbind separator = \
> disable spoolss = Yes
> winbind enum groups = yes
> winbind enum users = yes
>
> My nsswitch.conf has the following;
>
> Quote:
> passwd: files winbind
> shadow: files
> group: files winbind
>
> wbinfo -u and wbinfo -g work well, returning a list of users and groups. However, when I issue 'getent passwd' my winbind log (/var/log/samba/winbindd.log) shows a long list of the following and no users are added to the passwd db;
>
> Quote:
> [2007/12/04 12:11:03, 1] nsswitch/winbindd_ads.c:query_user_list(209) Not a user account? atype=0x3000
>
> Not sure where to go from here. Any help or hints would be appreciated.
>
> Jamie Gordon
> QA Manager
> WideOrbit
> [EMAIL PROTECTED] mailto:[EMAIL PROTECTED]
> You can't make what you can't measure, 'cause you don't know when you've got it made.
RE: [Samba] getent passwd not adding users
Thanks Nathan. Perhaps I misspoke. My understanding is that if winbind is configured correctly, if I issue 'getent passwd' then I should see local and domain users listed. I only see local users and my winbindd log has the aforementioned errors.

Jamie Gordon
QA Manager
WideOrbit
[EMAIL PROTECTED]
You can't make what you can't measure, 'cause you don't know when you've got it made.

-----Original Message-----
From: Nathan VanHoudnos [mailto:[EMAIL PROTECTED]
Sent: Friday, December 07, 2007 12:32 PM
To: Jamie Gordon
Cc: samba
Subject: Re: [Samba] getent passwd not adding users

> wbinfo -u and wbinfo -g work well, returning a list of users and groups. However, when I issue 'getent passwd' my winbind log (/var/log/samba/winbindd.log) shows a long list of the following and no users are added to the passwd db;

Perhaps I misunderstand you, but getent is a query tool, not something that you use to add entries to /etc/passwd or /etc/group. If you wanted to use it to add entries, you'd need to do something like:

    getent passwd | grep YOURDOMAIN+ >> /etc/passwd

But, then that would defeat the purpose of using winbind anyway.

Hope this helps,
Nathan VanHoudnos
Re: [Samba] getent passwd not adding users
> wbinfo -u and wbinfo -g work well, returning a list of users and groups. However, when I issue 'getent passwd' my winbind log (/var/log/samba/winbindd.log) shows a long list of the following and no users are added to the passwd db;

Perhaps I misunderstand you, but getent is a query tool, not something that you use to add entries to /etc/passwd or /etc/group. If you wanted to use it to add entries, you'd need to do something like:

    getent passwd | grep YOURDOMAIN+ >> /etc/passwd

But, then that would defeat the purpose of using winbind anyway.

Hope this helps,
Nathan VanHoudnos
RE: [Samba] getent passwd not adding users
(forgot to copy list)

> Thanks Nathan. Perhaps I misspoke. My understanding is that if winbind is configured correctly, if I issue 'getent passwd' then I should see local and domain users listed. I only see local users and my winbindd log has the aforementioned errors.

Yes, that's true. I noticed that your config file has

security = domain

If you change that to

security = ads

It might work. I don't know, I'm not a samba expert!

The other thing I might try is to change your winbind separator from / to +. Perhaps getent can't handle / in a username, but why it would give you that winbind error, I don't know. I do know, however, that + works.

The other thing your error message makes me think of is the service account that you may or may not have set as winbind's authorized user. But, that wouldn't make much sense, since you reported that wbinfo -u and wbinfo -g work well. To check it, try:

wbinfo --get-auth-user

One thing though, that will echo your service account's password to the screen in plain text. So, you have to run it as root, and you have to be careful who's behind you.

Cheers,
Nathan
RE: [Samba] getent passwd not listing domain users, nsswitch.conf is configured
This is one that took me a while to figure out. By default, the newer versions of samba tell winbind not to enumerate users or groups, because this could cause a performance drop for large (1+ users I believe) networks. The way to fix this is to set these two options in smb.conf:

winbind enum users = yes
winbind enum groups = yes

Hope that helps some.

Date: Wed, 17 Oct 2007 11:03:13 -0600
From: [EMAIL PROTECTED]
To: samba@lists.samba.org
Subject: [Samba] getent passwd not listing domain users, nsswitch.conf is configured

Using Samba 3.0.25c on OpenSolaris nv72. wbinfo -u lists domain users as expected. getent passwd only lists local users. nsswitch.conf has the following lines:

passwd: files winbind
group: files winbind

My smb.conf is below. Where should I start to troubleshoot?

[global]
realm = FNB.LOCAL
workgroup = FNB
security = ADS
use kerberos keytab = true
; password server = my-server.fnb.local
encrypt passwords = yes
server string = Samba ADS
client use spnego = yes

# winbind configuration:
winbind use default domain = yes
winbind nested groups = yes
idmap backend = ad
winbind nss info = rfc2307
winbind separator = /
winbind enum users = yes
winbind enum groups = yes
# idmap uid = 1-2
# idmap gid = 1-2
; template homedir = /samba/pchome/%D/%U
# idmap domains = FNB
# idmap config FNB:default = yes
# idmap config FNB:backend = tdb
# idmap config FNB:range = 1-2

# this tells Samba to use a separate log file for each machine
# that connects
log file = /var/samba/log/log.%m
log level = 10

# Put a capping on the size of the log files (in Kb).
max log size = 1024

# Most people will find that this option gives better performance.
# See the chapter 'Samba performance issues' in the Samba HOWTO Collection
# and the manual pages for details.
; socket options = TCP_NODELAY
Re: [Samba] getent passwd not listing domain users, nsswitch.conf is configured
On 10/17/07, Peter Baumgartner [EMAIL PROTECTED] wrote:

> Using Samba 3.0.25c on OpenSolaris nv72. wbinfo -u lists domain users as expected. getent passwd only lists local users. nsswitch.conf has the following lines:
>
> passwd: files winbind
> group: files winbind
>
> My smb.conf is below. Where should I start to troubleshoot?

Hi, this also recently came up in a thread I started (called default kerberos realm??). It may have multiple reasons.

--
Frank Van Damme
A: Because it destroys the flow of the conversation
Q: Why is it bad?
A: No, it's bad.
Q: Should I top post in replies to mails or on usenet?
Re: [Samba] getent returns HEX number instead of username
Stephen Carville wrote:

> Not for all users but for some. I'm using samba 3.0.20 running on Fedora Core 3. Security = ADS, winbind works and getent passwd returns local unix accounts plus the domain accounts as expected. It also returns a lot of entries like:
>
> 6811ff15281f4d19bdc:x:18004:1:Anel Susana Esquivel:/export/private/6811ff15281f4d19bdc:/sbin/nologin
>
> I suspect these are accounts in a trusted domain. AFAIK, they are not causing any problems but I'm wondering if this is normal (and harmless) or an indication I messed up something. Could the owner of the hex numbered account access any shares on my server? Ideally no one outside the domain designated in the smb.conf file should be able to access any shares on this server.

Never seen that. Sorry. What is the name supposed to be?

cheers, jerry

Samba --- http://www.samba.org
Centeris --- http://www.centeris.com
What man is a man who does not make the world better? --Balian
Re: [Samba] getent passwd
Daniel Quigley-Skillin wrote:

> Three users out of about 50 get no result using the getent passwd command. The accounts are in good standing and can access all other network services. The accounts are similar to other accounts which are working. The accounts do show up in a getent group, and with wbinfo -u
>
> Upgrading/Downgrading Samba isn't a possibility.

Do you really need user/group enumeration?

cheers, jerry

Samba --- http://www.samba.org
Centeris --- http://www.centeris.com
What man is a man who does not make the world better? --Balian
RE: [Samba] getent passwd
Due to access requirements, yes.

-----Original Message-----
From: Gerald (Jerry) Carter [EMAIL PROTECTED]
To: Daniel Quigley-Skillin [EMAIL PROTECTED]
Cc: samba@lists.samba.org
Sent: 11/10/06 2:24 PM
Subject: Re: [Samba] getent passwd
Re: [Samba] getent passwd
Stopping smbd and winbindd, moving the winbind_*.tdb files, then starting smbd and winbindd again resolved the problem.

On 11/10/06, Daniel Quigley-Skillin [EMAIL PROTECTED] wrote:

> Due to access requirements, yes.
>
> -----Original Message-----
> From: Gerald (Jerry) Carter [EMAIL PROTECTED]
> To: Daniel Quigley-Skillin [EMAIL PROTECTED]
> Cc: samba@lists.samba.org
> Sent: 11/10/06 2:24 PM
> Subject: Re: [Samba] getent passwd
RE: [Samba] getent not working (again)
'getent passwd' imposes an overall timeout of 30 seconds on the reply from winbindd. Maybe that's biting you? See Bugzillas 3660, 3024.

Bob G

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] ] On Behalf Of Horchler, Joerg
Sent: 21 April 2006 11:06
To: samba@lists.samba.org
Subject: [Samba] getent not working (again)

Hi all,

after I searched the internet about a week now I can't find an answer to my problem:

The company I work for is using a Windows 2003 Domain using the Windows Services for UNIX (SFU) and NIS. We are using two Domain Controllers that are hosting the ADS. Now I want to use Samba and NFS to implement a file server for our mixed client environment: There will be Linux, HP UNIX, Solaris, AIX and Windows clients accessing this server. The Linux/UNIX clients will use NFS (no problem). The Windows clients will use Samba.

I compiled Samba 3.0.22 with:

./configure \
  --with-ldap \
  --with-ads \
  --with-pam \
  --with-quotas \
  --with-acl-support \
  --with-aio-support \
  --with-sendfile-support \
  --with-winbind \
  --with-shared-modules=idmap_ad

The last option was the only way to get idmap_ad compiled and installed. I need this to use 'idmap backend = ad'

After installation I copied libnss_winbind.so and libnss_wins.so to /lib and run ldconfig

[EMAIL PROTECTED] source]# ldconfig -v | grep libnss
libnss_winbind.so.2 - libnss_winbind.so
libnss_wins.so.2 - libnss_wins.so
[EMAIL PROTECTED] source]#

My smb.conf is

[EMAIL PROTECTED] source]# cat /usr/local/samba/lib/smb.conf
[global]
unix charset = UTF8
display charset = UTF8
workgroup = XYZ
realm = ABC.COM
server string = linux fileserver %h (Samba %v)
security = ADS
auth methods = winbind
allow trusted domains = No
lanman auth = No
log level = 0 smb:1 auth:1 winbind:1 idmap:1 acls:1
log file = /var/log/samba/%m.log
disable netbios = Yes
reset on zero vc = Yes
deadtime = 10
os level = 0
preferred master = No
local master = No
domain master = No
wins server = a.b.c.d, a.b.c.e
ldap ssl = no
pid directory = /var/run
idmap backend = ad
idmap uid = 100-10
idmap gid = 100-10
winbind use default domain = Yes
winbind nested groups = Yes
winbind nss info = sfu
acl group control = Yes
acl map full control = No
inherit owner = Yes
ea support = Yes
map acl inherit = Yes
use sendfile = Yes
hide special files = Yes
map readonly = permissions
strict locking = No
dos filemode = Yes
[EMAIL PROTECTED] source]#

I configured no shares at the moment. Could that be a problem?

My /etc/krb5.conf

[EMAIL PROTECTED] source]# cat /etc/krb5.conf
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log

[libdefaults]
default_realm = ABC.COM

[realms]
ABC.COM = {
    default_domain = abc.com
}

[domain_realm]
.abc.com = ABC.COM
abc.com = ABC.COM

[appdefaults]
pam = {
    debug = false
    ticket_lifetime = 36000
    renew_lifetime = 36000
    forwardable = true
    krb4_convert = false
}
[EMAIL PROTECTED] source]#

My /etc/nsswitch.conf

[EMAIL PROTECTED] source]# cat /etc/nsswitch.conf
#
# /etc/nsswitch.conf
[...]
passwd: files winbind
shadow: files winbind
group: files winbind
#hosts: db files ldap nis dns
hosts: files dns wins
[...]

Then I joined the domain successfully:

[EMAIL PROTECTED] source]# net ads join -Uruth Servers
[EMAIL PROTECTED] source]# wbinfo -t
checking the trust secret via RPC calls succeeded
[EMAIL PROTECTED] source]#
[EMAIL PROTECTED] source]# net ads info
LDAP server: a.b.c.d
LDAP server name: uranus
Realm: ABC.COM
Bind Path: dc=ABC,dc=COM
LDAP port: 389
Server time: Fri, 21 Apr 2006 11:59:54 CEST
KDC server: a.b.c.d
Server time offset: 55
[EMAIL PROTECTED] source]#

After starting nmbd, smbd and winbindd I can successfully list my domain users and group with wbinfo. But when I try to get a list via getent it doesn't work.

[EMAIL PROTECTED] source]# getent passwd
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
Re: [Samba] Getent Not Working
Jon Parkins wrote:

> I hope I'm submitting this to the right place
>
> Hello All,
>
> I've been poring over the groups for a couple of days now, and found a few problems and setups similar to mine, but I'm not having much luck trying to resolve the issue. My setup currently is a RHFC4 Box running Samba 3.0.21a-1 on a Win2k AD Domain. Now I have no problem running wbinfo -t -u or -g I get listings of groups and users. When I run getent passwd though all I get are the local users. I have all the symbolic links and libnss_winbind.so files in /lib. I get no errors in the winbindd log, I did notice the following error in the smbd.log file in /var/logs/samba/ But I'm not sure what the deal is. I updated GCC, Krb5 just in case with yum. I had no problem adding the machine to the domain, I just can't use getent to pull a listing or access the share from any of the domain workstations without having a local account on the RH box. In the past using RHFC4 and a Win2k3 domain I've had no problems. So I'm just baffled right now. Maybe I've overlooked something. Maybe it's something with the 2K domain. Any help is appreciated. If more info is needed, or I'm way in left field just let me know. I'll post my conf files below. Thanks.
>
> /var/log/samba/smbd.log snippet
>
> [2006/02/06 16:30:28, 0] lib/util_sock.c:open_socket_in(823)
>   bind failed on port 445 socket_addr = 0.0.0.0. Error = Address already in use
> *** glibc detected *** smbd: free(): invalid pointer: 0x00f4cdb0 ***
> === Backtrace: =
> /lib/libc.so.6[0x58f424]
> /lib/libc.so.6(__libc_free+0x77)[0x58f95f]
> /lib/libcom_err.so.2(remove_error_table+0x4b)[0x131abb]
> /usr/lib/libkrb5.so.3[0xeea8c4]
> /usr/lib/libkrb5.so.3[0xeea5c7]
> /usr/lib/libkrb5.so.3[0xf3b9da]
> /lib/ld-linux.so.2[0x11f058]
> /lib/libc.so.6(exit+0xc5)[0x556c69]
> smbd(main+0x697)[0xa1a323]
> /lib/libc.so.6(__libc_start_main+0xc6)[0x540de6]
> smbd[0x7d5081]
> === Memory map:
>
> /etc/samba/smb.conf (minimal setup to test)
>
> [global]
> workgroup = DOMAIN
> realm = DOMAIN.LOCAL
> server string = Samba Server
> security = ADS
> password server = 192.168.0.4
> log file = /var/log/samba/%m.log
> socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
> dns proxy = No
> idmap uid = 1-2
> idmap gid = 1-2
> winbind separator = +
> winbind use default domain = Yes

Have you tried to increase the debug level?

smbcontrol smbd debug 5

That might be too high or too low.

--Dennis
Re: [Samba] Getent Not Working
> *** glibc detected *** smbd: free(): invalid pointer: 0x00f4cdb0 ***

I've seen this error before when I compiled a program on one PC, then copied it across to another PC without recompiling it to save time. The problem was that each PC had a different version of a certain library on it, so the original copy worked fine but the second one was linked to an old library but calling it like a newer version.

You might want to recompile Samba (and perhaps kerberos) if you didn't originally compile them from source on the same machine they're running on now.

Cheers,
Adam.
RE: [Samba] Getent not returning complete results.
Sarkar, Anirban wrote:

> I have some Redhat(ES 3) Linux servers authenticating against Active Directory. One of the servers is not returning the complete list of users and groups for commands:
>
> getent passwd
> getent group
>
> But when I do wbinfo -u, I do get all the users. This is baffling me. The other servers don't have this problem. I have tallied the configuration on the servers and they are same. Thanks.

Is /etc/nsswitch configured?
RE: [Samba] getent and wbinfo not returning expected results?
> Some commands work but not the way i would expect them to, such as wbinfo -u. This command comes back with a list of users from the AD but the domain name is not prepended as i would expect with the domain separator value between the domain name and the username. wbinfo -g is exactly the same, it comes back with a list of AD groups but the domain is not prepended, what would cause this behavior? Here is the global section of my smb.conf, maybe i am missing something that will be obvious to users on this list.
>
> [global]
> workgroup = domain
> netbios name = mps1intmx01
> server string = SMB %v for domain.com
> security = ADS
> encrypt passwords = Yes
> template shell = /bin/bash
> realm = DOMAIN.COM
> # Winbind settings
> idmap backend = idmap_rid:DOMAIN=500-5000
> idmap uid = 500-1000
> idmap gid = 500-1000
> winbind separator = /
> winbind enum users = Yes
> winbind enum groups = Yes
> winbind use default domain = Yes
> winbind nested groups = Yes
> allow trusted domains = No
> preferred master = No
> local master = No
> wins server = msp1intmx02.domain.com
> log level = 10

Remove 'winbind use default domain = Yes' from smb.conf and you'll see the domain name prepended to the output from 'wbinfo -u' 'wbinfo -g' commands.

~Doug
RE: [Samba] getent and wbinfo not returning expected results?
> I did and this did address the wbinfo -u OR -g output but the getent passwd OR group, is still only listing the local users and groups sigh

According to the Samba docs, it's either the NSS switch or the PAM modules or both that appear to be preventing the enumeration of users/groups. I have on hand TOSHARG and the 'Samba-3 By Examples' books. Check page 228 section 12 in 'Samba-3 by Examples' and you will see what I am referring to.

I'm using FreeBSD and their NSS libraries are different from Linux's and I'm wondering if that is the cause. FreeBSD uses nss_winbind.so.1 whereas there are numerous references to libnss_winbind.so.2 in TOSHARG which is based on Linux. I fear FreeBSD's GCC compiler is either older and/or different than Linux's. What distro are you using?

> Yes this is sound advice i was playing around with some others like the + , which seems to be a common choice but testparm complained about it so i changed it to what you see.

Yeah. The separator isn't the real cause behind your woes though.

Let me know what you come up with.

~Doug
Re: [Samba] getent and wbinfo not returning expected results?
On Friday 16 September 2005 12:14, Doug Sampson wrote:

>> I did and this did address the wbinfo -u OR -g output but the getent passwd OR group, is still only listing the local users and groups sigh
>
> According to the Samba docs, it's either the NSS switch or the PAM modules or both that appear to be preventing the enumeration of users/groups. I have on hand TOSHARG and the 'Samba-3 By Examples' books. Check page 228 section 12 in 'Samba-3 by Examples' and you will see what I am referring to.

If 'wbinfo -u' returns the domain user list, but 'getent passwd' does not, this means that NSS is not working. It has nothing to do with PAM.

> I'm using FreeBSD and their NSS libraries are different from Linux's and I'm wondering if that is the cause. FreeBSD uses nss_winbind.so.1 whereas there are numerous references to libnss_winbind.so.2 in TOSHARG which is based on Linux. I fear FreeBSD's GCC compiler is either older and/or different than Linux's. What distro are you using?

Have you joined the Samba server to the domain?
What do 'net rpc info' and 'net ads info' report?
Is winbindd running?
Did you rename the libnss_winbind.so.2 file to nss_winbind.so.1?
Did you locate this in the /lib or the /usr/lib directory?
What error logs are you seeing in /var/adm/messages?

>> Yes this is sound advice i was playing around with some others like the + , which seems to be a common choice but testparm complained about it so i changed it to what you see.
>
> Yeah. The separator isn't the real cause behind your woes though.

It certainly sounds more like a basic software installation and configuration issue.

- John T.

> Let me know what you come up with.
>
> ~Doug

--
John H Terpstra
Samba-Team Member
Phone: +1 (650) 580-8668
Author:
The Official Samba-3 HOWTO Reference Guide, 2 Ed., ISBN: 0131882228
Samba-3 by Example, 2 Ed., ISBN: 0131882221X
Hardening Linux, ISBN: 0072254971
Other books in production.
Re: [Samba] getent and wbinfo not returning expected results?
On Sep 16, 2005, at 2:11 PM, John H Terpstra wrote:

> On Friday 16 September 2005 12:14, Doug Sampson wrote:
>
>>> I did and this did address the wbinfo -u OR -g output but the getent passwd OR group, is still only listing the local users and groups sigh
>>
>> According to the Samba docs, it's either the NSS switch or the PAM modules or both that appear to be preventing the enumeration of users/groups. I have on hand TOSHARG and the 'Samba-3 By Examples' books. Check page 228 section 12 in 'Samba-3 by Examples' and you will see what I am referring to.
>
> If 'wbinfo -u' returns the domain user list, but 'getent passwd' does not, this means that NSS is not working. It has nothing to do with PAM.
>
>> I'm using FreeBSD and their NSS libraries are different from Linux's and I'm wondering if that is the cause. FreeBSD uses nss_winbind.so.1 whereas there are numerous references to libnss_winbind.so.2 in TOSHARG which is based on Linux. I fear FreeBSD's GCC compiler is either older and/or different than Linux's. What distro are you using?
>
> Have you joined the Samba server to the domain?
> What do 'net rpc info' and 'net ads info' report?

net rpc info returns nothing

net ads info, returns:

msp1intmx01:~ # net ads info
LDAP server: 71.4.126.89
LDAP server name: msp1intmx02
Realm: DOMAIN.COM
Bind Path: dc=DOMAIN,dc=COM
LDAP port: 389
Server time: Fri, 16 Sep 2005 14:17:38 GMT
KDC server: 71.4.126.89
Server time offset: 0

I didn't think i was using ldap to store the idmap values for users, i thought the smb.conf setting idmap backend=idmap_rid

> Is winbindd running?

Yes

> Did you rename the libnss_winbind.so.2 file to nss_winbind.so.1?

No, i did not see that step in any of the documentation i have used. I did this and restarted winbind but it seemed to have no effect.

> Did you locate this in the /lib or the /usr/lib directory?

in the /lib directory only

> What error logs are you seeing in /var/adm/messages?

I am seeing a number of messages like this:

Sep 16 14:21:17 msp1intmx01 winbindd[23202]: rid_idmap_get_id_from_sid: rid: 1157 (UID: 1657) too high for mapping of domain: JUMPNODE (500-1000)

Which i assume is related to the fact that i changed the idmap_backend setting earlier this morning in the smb.conf file. Here is what it is currently set to:

idmap backend = idmap_rid:JUMPNODE=500-1000
idmap uid = 500-1000
idmap gid = 500-1000

This morning the idmap_backend had a range of 500-5000 but then i ran winbindd -i -d3 and i saw winbind complaining about the range being set too high, and i adjusted it down. Is there someplace i need to clear the old values from? I have since restarted winbind several times but that does not seem to be sufficient.

Thank You,

> John H Terpstra
> Samba-Team Member
> Phone: +1 (650) 580-8668
> Author:
> The Official Samba-3 HOWTO Reference Guide, 2 Ed., ISBN: 0131882228
> Samba-3 by Example, 2 Ed., ISBN: 0131882221X
> Hardening Linux, ISBN: 0072254971
> Other books in production.

Mike Partyka
Jumpnode Systems, LLC
Systems Administrator
(612)605-5056 Desk
(612)605-5099 Fax
Re: [Samba] getent and wbinfo not returning expected results?
On Friday 16 September 2005 13:35, Mike Partyka wrote:

> On Sep 16, 2005, at 2:11 PM, John H Terpstra wrote:
>
>> On Friday 16 September 2005 12:14, Doug Sampson wrote:
>>
>>>> I did and this did address the wbinfo -u OR -g output but the getent passwd OR group, is still only listing the local users and groups sigh
>>>
>>> According to the Samba docs, it's either the NSS switch or the PAM modules or both that appear to be preventing the enumeration of users/groups. I have on hand TOSHARG and the 'Samba-3 By Examples' books. Check page 228 section 12 in 'Samba-3 by Examples' and you will see what I am referring to.
>>
>> If 'wbinfo -u' returns the domain user list, but 'getent passwd' does not, this means that NSS is not working. It has nothing to do with PAM.
>>
>>> I'm using FreeBSD and their NSS libraries are different from Linux's and I'm wondering if that is the cause. FreeBSD uses nss_winbind.so.1 whereas there are numerous references to libnss_winbind.so.2 in TOSHARG which is based on Linux. I fear FreeBSD's GCC compiler is either older and/or different than Linux's. What distro are you using?
>>
>> Have you joined the Samba server to the domain?
>> What do 'net rpc info' and 'net ads info' report?
>
> net rpc info returns nothing
>
> net ads info, returns:
>
> msp1intmx01:~ # net ads info
> LDAP server: 71.4.126.89
> LDAP server name: msp1intmx02
> Realm: DOMAIN.COM
> Bind Path: dc=DOMAIN,dc=COM
> LDAP port: 389
> Server time: Fri, 16 Sep 2005 14:17:38 GMT
> KDC server: 71.4.126.89
> Server time offset: 0
>
> I didn't think i was using ldap to store the idmap values for users, i thought the smb.conf setting idmap backend=idmap_rid

ADS uses LDAP. The user and group account info when Samba is an ADS domain member is obtained from the LDAP service that is part of ADS.

The IDMAP backend defines how the user and group SIDs are handled. The idmap_rid tool uses the value of the relative identifier (RID) part of the user SID as the UID. The RID can have any value from 1000 up to 4294967295. Typically the RID is allocated sequentially starting at 1000, but this appears not always to be the case.

>> Is winbindd running?
>
> Yes
>
>> Did you rename the libnss_winbind.so.2 file to nss_winbind.so.1?
>
> No, i did not see that step in any of the documentation i have used.

For months I asked for review and feedback from Samba mailing list users. All feedback that I received was adopted. Samba is user supported software. The more people who provide documentation feedback, the better the documentation becomes.

> I did this and restarted winbind but it seemed to have no effect.
>
>> Did you locate this in the /lib or the /usr/lib directory?
>
> in the /lib directory only

It needs to be in the same directory that the other nss_*.so* files are in. The version number may need to be .1 or .2 - I am not sure.

>> What error logs are you seeing in /var/adm/messages?
>
> I am seeing a number of messages like this:
>
> Sep 16 14:21:17 msp1intmx01 winbindd[23202]: rid_idmap_get_id_from_sid: rid: 1157 (UID: 1657) too high for mapping of domain: JUMPNODE (500-1000)

The system accounts will use values of 500-1000, user accounts always above 999. i.e.: starting at 1000.

> Which i assume is related to the fact that i changed the idmap_backend setting earlier this morning in the smb.conf file.

If you change the settings you must delete the winbind_idmap.tdb and winbind_cache.tdb files before restarting smbd and winbind.

> Here is what it is currently set to:
>
> idmap backend = idmap_rid:JUMPNODE=500-1000
> idmap uid = 500-1000
> idmap gid = 500-1000

The upper-bound of the uid and gid ranges are much too low. Follow the examples I gave in the book.

> This morning the idmap_backend had a range of 500-5000 but then i ran winbindd -i -d3 and i saw winbind complaining about the range being set too high, and i adjusted it down. Is there someplace i need to clear the old values from? I have since restarted winbind several times but that does not seem to be sufficient.

Remove the winbind*tdb files and restart winbindd.

- John T.
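An added example, not part of the original thread: the winbindd message quoted above implies that idmap_rid computes the UID as the RID plus the lower bound of the range (1157 + 500 = 1657) and rejects it when the result exceeds the upper bound. The sketch below parses such lines and reports the smallest upper bound that would admit the rejected RIDs; the mapping formula is an assumption inferred from that one log line, and the second sample line is constructed.

```python
import re

# Constructed sample: the first line is the winbindd message quoted in the
# thread; the second is a made-up line for a higher RID in the same domain.
SAMPLE_LOG = """\
Sep 16 14:21:17 msp1intmx01 winbindd[23202]: rid_idmap_get_id_from_sid: rid: 1157 (UID: 1657) too high for mapping of domain: JUMPNODE (500-1000)
Sep 16 14:21:18 msp1intmx01 winbindd[23202]: rid_idmap_get_id_from_sid: rid: 3120 (UID: 3620) too high for mapping of domain: JUMPNODE (500-1000)
"""

# Matches only the message form that appears in the thread.
TOO_HIGH = re.compile(
    r"rid_idmap_get_id_from_sid: rid: (\d+) \(UID: (\d+)\) "
    r"too high for mapping of domain: (\S+) \((\d+)-(\d+)\)"
)


def parse_rejections(log_text):
    """Return one dict per 'too high for mapping' line found in log_text."""
    found = []
    for line in log_text.splitlines():
        m = TOO_HIGH.search(line)
        if m:
            rid, uid, domain, low, high = m.groups()
            found.append({"domain": domain, "rid": int(rid), "uid": int(uid),
                          "low": int(low), "high": int(high)})
    return found


def rid_to_uid(rid, low, high):
    """Assumed mapping (inferred from the log line): uid = rid + low.

    Returns None when the result falls outside the configured range, which
    is the case winbindd complains about.
    """
    uid = rid + low
    return uid if low <= uid <= high else None


def minimum_upper_bound(rejections):
    """Per domain, the smallest upper bound that admits every rejected RID."""
    need = {}
    for r in rejections:
        need[r["domain"]] = max(need.get(r["domain"], r["high"]), r["uid"])
    return need


def report(log_text):
    """Human-readable summary, one line per affected domain."""
    rejections = parse_rejections(log_text)
    lines = []
    for domain, upper in sorted(minimum_upper_bound(rejections).items()):
        low = next(r["low"] for r in rejections if r["domain"] == domain)
        lines.append(f"{domain}: range must reach at least {low}-{upper}")
    return lines


if __name__ == "__main__":
    for line in report(SAMPLE_LOG):
        print(line)
```

The figure it reports covers only the RIDs that have already been rejected, so it is a floor, not a recommendation; as the reply above says, the winbind*tdb files have to be removed before a changed range takes effect.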
Re: [Samba] getent and wbinfo not returning expected results?
On Sep 16, 2005, at 2:57 PM, John H Terpstra wrote:
>>> Did you rename the libnss_winbind.so.2 file to nss_winbind.so.1?
>>
>> No, i did not see that step in any of the documentation i have used.
>
> For months I asked for review and feedback from Samba mailing list users. All feedback that I received was adopted. Samba is user supported software. The more people who provide documentation feedback, the better the documentation becomes.

I was not active in this mailing list at that time but don't mean that to be an excuse, i will do better going forward.

> The system accounts will use values of 500-1000, user accounts always above 999. i.e.: starting at 1000.
>
> Remove the winbind*tdb files and restart winbindd.

I adjusted this range up much higher (100-500)

I then deleted these files as John recommended and then restarted winbind and smb. Amazingly, now getent passwd returns the local user list with the domain users appended to it, W00T!

PS-The community effort that many people put into the lists as far as helping other users is always impressive to me and it's really something to admire but this afternoon topped all when i got a long distance call from John Terpstra, whose book i have sitting on my desk at home, and who wrote the Samba documentation that many of us use so frequently, the experience I have to say was a little intense.

60 seconds into the call John stated rather than asked, "You're really new to Samba aren't you?", I can only laugh when thinking about it.

John, Doug, Thanks for your help!

> - John T.

Mike Partyka
Jumpnode Systems, LLC
Systems Administrator
(612)605-5056 Desk
(612)605-5099 Fax
Re: [Samba] getent and wbinfo not returning expected results?
On Friday 16 September 2005 14:40, Mike Partyka wrote:
> On Sep 16, 2005, at 2:57 PM, John H Terpstra wrote:
>>>> Did you rename the libnss_winbind.so.2 file to nss_winbind.so.1?
>>>
>>> No, i did not see that step in any of the documentation i have used.
>>
>> For months I asked for review and feedback from Samba mailing list users. All feedback that I received was adopted. Samba is user supported software. The more people who provide documentation feedback, the better the documentation becomes.
>
> I was not active in this mailing list at that time but don't mean that to be an excuse, i will do better going forward.
>
>> The system accounts will use values of 500-1000, user accounts always above 999. i.e.: starting at 1000.
>>
>> Remove the winbind*tdb files and restart winbindd.
>
> I adjusted this range up much higher (100-500)

Suggest you consider 500-4000 so that all RIDs can be accommodated.

> I then deleted these files as John recommended and then restarted winbind and smb. Amazingly, now getent passwd returns the local user list with the domain users appended to it, W00T!
>
> PS-The community effort that many people put into the lists as far as helping other users is always impressive to me and it's really something to admire but this afternoon topped all when i got a long distance call from John Terpstra, whose book i have sitting on my desk at home, and who wrote the Samba documentation that many of us use so frequently, the experience I have to say was a little intense.

I hope not too intense! :-)

> 60 seconds into the call John stated rather than asked, "You're really new to Samba aren't you?", I can only laugh when thinking about it.

There is nothing wrong with being new to Samba - in fact, there ought to be more of it. ;-)

- John T.

> John, Doug, Thanks for your help!
>
>> - John T.
>
> Mike Partyka
> Jumpnode Systems, LLC
> Systems Administrator
> (612)605-5056 Desk
> (612)605-5099 Fax

--
John H Terpstra
Samba-Team Member
Phone: +1 (650) 580-8668
Author:
The Official Samba-3 HOWTO Reference Guide, 2 Ed., ISBN: 0131882228
Samba-3 by Example, 2 Ed., ISBN: 0131882221X
Hardening Linux, ISBN: 0072254971
Other books in production.
RE: [Samba] getent and wbinfo not returning expected results?
If 'wbinfo -u' returns the domain user list, but 'getent passwd' does not, this means that NSS is not working. It has nothing to do with PAM. I'm using FreeBSD and their NSS libraries are different from Linux's and I'm wondering if that is the cause. FreeBSD uses nss_winbind.so.1 whereas there are numerous references to libnss_winbind.so.2 in TOSHARG which is based on Linux. I fear FreeBSD's GCC compiler is either older and/or different than Linux's. What distro are you using? Have you joined the Samba server to the domain? What do 'net rpc info' and 'net ads info' report? aries-root@/usr/local/etc: net rpc info Domain Name: DSP Domain SID: S-1-5-21-2008768363-1786319642-1659389152 Sequence number: 15618 Num users: 124 Num domain groups: 16 Num local groups: 1 Is winbindd running? aries-root@/usr/local/etc: ps aux | grep winbind root 8276 0.0 0.3 4644 2884 ?? Ss 12:26PM 0:00.01 winbindd -d4 root 8277 0.0 0.3 4584 2836 ?? I12:26PM 0:00.01 winbindd -d4 Did you rename the libnss_winbind.so.2 file to nss_winbind.so.1? Did you locate this in the /lib or the /usr/lib directory? What error logs are you seeing in /var/adm/messages? On my FreeBSD machine, the log is located at /var/log/messages: Sep 16 12:26:21 aries winbindd[8277]: [2005/09/16 12:26:21, 0] rpc_client/cli_pipe.c:cli_rpc_open_noauth(1700) Sep 16 12:26:21 aries winbindd[8277]: rpc_pipe_bind failed Sep 16 12:26:25 aries nmbd[8278]: [2005/09/16 12:26:25, 0] nmbd/nmbd.c:main(737) Sep 16 12:26:25 aries nmbd[8278]: standard input is not a socket, assuming -D option Sep 16 12:26:25 aries smbd[8280]: [2005/09/16 12:26:25, 0] passdb/pdb_tdb.c:tdbsam_tdbopen(195) Sep 16 12:26:25 aries smbd[8280]: Unable to open/create TDB passwd Sep 16 12:26:25 aries smbd[8280]: [2005/09/16 12:26:25, 0] passdb/pdb_tdb.c:tdbsam_getsampwrid(488) Sep 16 12:26:25 aries smbd[8280]: pdb_getsampwrid: Unable to open TDB rid database! 
Sep 16 12:26:25 aries smbd[8280]: NSSWITCH(nsparser): /etc/nsswitch.conf line 1: 'compat' used with other sources Sep 16 12:26:25 aries smbd[8280]: NSSWITCH(nsparser): /etc/nsswitch.conf line 2: 'compat' used with other sources Sep 16 12:26:25 aries smbd[8280]: NSSWITCH(nss_load_module): wins, Undefined symbol nss_module_register Sep 16 12:26:25 aries smbd[8280]: [2005/09/16 12:26:25, 0] smbd/server.c:main(839) Sep 16 12:26:25 aries smbd[8280]: standard input is not a socket, assuming -D option Sep 16 12:26:29 aries ps: NSSWITCH(nsparser): /etc/nsswitch.conf line 1: 'compat' used with other sources Sep 16 12:26:29 aries ps: NSSWITCH(nsparser): /etc/nsswitch.conf line 2: 'compat' used with other sources Sep 16 12:26:29 aries ps: NSSWITCH(nss_load_module): wins, Undefined symbol nss_module_register Sep 16 12:26:51 aries getent: NSSWITCH(nsparser): /etc/nsswitch.conf line 1: 'compat' used with other sources Sep 16 12:26:51 aries getent: NSSWITCH(nsparser): /etc/nsswitch.conf line 2: 'compat' used with other sources Sep 16 12:26:51 aries getent: NSSWITCH(nss_load_module): wins, Undefined symbol nss_module_register Sep 16 13:00:00 aries newsyslog: NSSWITCH(nsparser): /etc/nsswitch.conf line 1: 'compat' used with other sources Sep 16 13:00:00 aries newsyslog: NSSWITCH(nsparser): /etc/nsswitch.conf line 2: 'compat' used with other sources Sep 16 13:00:00 aries newsyslog: NSSWITCH(nss_load_module): wins, Undefined symbol nss_module_register Sep 16 13:06:07 aries ls: NSSWITCH(nsparser): /etc/nsswitch.conf line 1: 'compat' used with other sources Sep 16 13:06:07 aries ls: NSSWITCH(nsparser): /etc/nsswitch.conf line 2: 'compat' used with other sources Sep 16 13:06:07 aries ls: NSSWITCH(nss_load_module): wins, Undefined symbol nss_module_register Sep 16 13:07:08 aries ls: NSSWITCH(nsparser): /etc/nsswitch.conf line 1: 'compat' used with other sources Sep 16 13:07:08 aries ls: NSSWITCH(nsparser): /etc/nsswitch.conf line 2: 'compat' used with other sources Sep 16 13:07:08 aries 
ls: NSSWITCH(nss_load_module): wins, Undefined symbol nss_module_register Sep 16 13:26:32 aries ps: NSSWITCH(nsparser): /etc/nsswitch.conf line 1: 'compat' used with other sources Sep 16 13:26:32 aries ps: NSSWITCH(nsparser): /etc/nsswitch.conf line 2: 'compat' used with other sources Sep 16 13:26:32 aries ps: NSSWITCH(nss_load_module): wins, Undefined symbol nss_module_register aries-root@/usr/local/etc: ll /usr/local/lib/*win* lrwxr-xr-x 1 root wheel 31 Sep 15 12:27 /usr/local/lib/libnss_winbind.so - /usr/local/lib/nss_winbind.so.1 lrwxr-xr-x 1 root wheel 14 Sep 15 13:29 /usr/local/lib/libnss_winbind.so.1 - nss_winbind.so lrwxr-xr-x 1 root wheel 14 Sep 15 13:30 /usr/local/lib/libnss_winbind.so.2 - nss_winbind.so lrwxr-xr-x 1 root wheel 11 Sep 15 13:30 /usr/local/lib/libnss_wins.so.1 - nss_wins.so lrwxr-xr-x 1 root wheel 11 Sep 15 13:30 /usr/local/lib/libnss_wins.so.2 - nss_wins.so -rwxr-xr-x 1 root wheel 23057 Sep 15 13:28 /usr/local/lib/nss_winbind.so lrwxr-xr-x 1 root
Re: [Samba] getent winbindd on FreeBSD 5.4
On Thursday 15 September 2005 17:44, Doug Sampson wrote:
> ...
> # /etc/nsswitch.conf
> passwd: compat winbind
> group: compat winbind
> hosts: files winbind wins dns

Change to: hosts: files dns wins

> networks: files
> shells: files
> ...
> # smb.conf
> [global]
> workgroup = DSP
> server string = Samba Server
> security = DOMAIN
> passdb backend = tdbsam

Remove the passdb backend = tdbsam parameter - this is a domain member and will obtain SAM information using MS RPC via winbind.

> log file = /var/log/samba/log.%m
> max log size = 50
> os level = 33
> local master = No
> dns proxy = No
> wins server = 192.168.1.1
> idmap uid = 15000-2
> idmap gid = 15000-2
> template homedir = /usr/home/%D/%U
> template shell = /bin/bash
> winbind separator = +
> hosts allow = 192.168.1., 192.168.2., 127.
>
> [homes]
> comment = Home Directories
> read only = No
> browseable = No
>
> [MacData]
> comment = Production Data
> path = /data
> valid users = @DSP+PRODUCTION
> read only = No
> create mask = 0765
>
> The odd thing is- there's no /etc/pam.d/samba file even though I specified that the PAM samba module be installed. Is my PAM whacked?

You need PAM only to log into your BSD system using a Windows account - if that is what you want to do.

> Also, I am unsure if I need to map users to NT account using a text file

You do not need to map NT accounts to UNIX local accounts. That is all handled by winbind.

> similar to /etc/smb/smbusers or some file similar to that? When I execute 'pw groupshow DSP+PRODUCTION', the log.smbd shows this:
>
> [2005/09/15 16:17:24, 0] passdb/pdb_tdb.c:tdbsam_tdbopen(195)
> Unable to open/create TDB passwd
> [2005/09/15 16:17:24, 0] passdb/pdb_tdb.c:tdbsam_getsampwrid(488)
> pdb_getsampwrid: Unable to open TDB rid database!

This will go away when you get rid of passdb backend = tdbsam.

- John T.

--
John H Terpstra, CTO
PrimaStasys Inc.
Phone: +1 (650) 580-8668
Author:
The Official Samba-3 HOWTO Reference Guide, 2 Ed., ISBN: 0131882228
Samba-3 by Example, 2 Ed., ISBN: 0131882221X
Hardening Linux, ISBN: 0072254971
Other books in production.
RE: [Samba] getent and wbinfo not returning expected results?
If 'wbinfo -u' returns the domain user list, but 'getent passwd' does not, this means that NSS is not working. It has nothing to do with PAM. Taking a cue from above, I edited nsswitch.conf to reflect your recommended nsswitch.conf settings as follows: passwd: files winbind group: files winbind hosts: files winbind dns networks: files shells: files wbinfo -u, wbinfo -g, getent passwd, and getent group now properly presents local domain users!! Egads! I need to be careful with what I leave in nsswitch.conf! I'm so thrilled to get the enumeration stuff working now! One more thing: The getent passwd produces as follows: aries-root@/usr/local/lib/OLD: /usr/local/sbin/getent passwd root:$1$nKq6XJlA$znAgh1MrkzByxA6/HDuah1:0:0:Charlie :/root:/bin/csh toor:*:0:0:Bourne-again Superuser:/root: daemon:*:1:1:Owner of many system processes:/root:/usr/sbin/nologin operator:*:2:5:System :/:/usr/sbin/nologin bin:*:3:7:Binaries Commands and Source:/:/usr/sbin/nologin tty:*:4:65533:Tty Sandbox:/:/usr/sbin/nologin kmem:*:5:65533:KMem Sandbox:/:/usr/sbin/nologin games:*:7:13:Games pseudo-user:/usr/games:/usr/sbin/nologin news:*:8:8:News Subsystem:/:/usr/sbin/nologin man:*:9:9:Mister Man Pages:/usr/share/man:/usr/sbin/nologin sshd:*:22:22:Secure Shell Daemon:/var/empty:/usr/sbin/nologin smmsp:*:25:25:Sendmail Submission User:/var/spool/clientmqueue:/usr/sbin/nologin mailnull:*:26:26:Sendmail Default User:/var/spool/mqueue:/usr/sbin/nologin bind:*:53:53:Bind Sandbox:/:/usr/sbin/nologin proxy:*:62:62:Packet Filter pseudo-user:/nonexistent:/usr/sbin/nologin _pflogd:*:64:64:pflogd privsep user:/var/empty:/usr/sbin/nologin uucp:*:66:66:UUCP pseudo-user:/var/spool/uucppublic:/usr/local/libexec/uucp/uucico pop:*:68:6:Post Office Owner:/nonexistent:/usr/sbin/nologin www:*:80:80:World Wide Web Owner:/nonexistent:/usr/sbin/nologin nobody:*:65534:65534:Unprivileged user:/nonexistent:/usr/sbin/nologin dougs:$1$EKEN2gSO$kXpBoFW5qfpDq3KF0ODT91:1001:1001:Doug Sampson:/home/dougs:/bin/sh 
beckyr:$1$deELUVIF$rHMoGndIAUOqUTfLFQnxR.:1002:1002:Becky Ryan:/home/beckyr:/bin/sh alfredos:$1$SxjkDe4a$wib3bY8ugKZy.gRPnjJ2r0:1003:1003:Alfredo Sierra:/home/alfredos:/bin/sh michaelm:$1$bSVPy645$N02/WIbak.fLIxShs3JcT1:1004:1004:Michael MacAulay:/home/michaelm:/bin/sh DSP-adrianp:x:15000:15000:Adrian Pearson:/usr/home/DSP/adrianp:/bin/bash DSP-alfredo:x:15001:15000:Alfredo Sierra:/usr/home/DSP/alfredo:/bin/bash DSP-barry:x:15002:15000:Barry Howland:/usr/home/DSP/barry:/bin/bash DSP-becky:x:15003:15000:Rebecca L. Ryan:/usr/home/DSP/becky:/bin/bash DSP-benb:x:15004:15000:Ben Bahan:/usr/home/DSP/benb:/bin/bash ...snip... whereas getent group produces the following: aries-root@/usr/local/lib/OLD: /usr/local/sbin/getent group wheel:*:0:root,dougs daemon:*:1: kmem:*:2: sys:*:3: tty:*:4: operator:*:5:root mail:*:6: bin:*:7: news:*:8: man:*:9: games:*:13: staff:*:20: sshd:*:22: smmsp:*:25: mailnull:*:26: guest:*:31: bind:*:53: proxy:*:62: authpf:*:63: _pflogd:*:64: uucp:*:66: dialer:*:68: network:*:69: www:*:80: nogroup:*:65533: nobody:*:65534: dougs:*:1001: beckyr:*:1002: alfredos:*:1003: michaelm:*:1004: production:*:1:dougs,beckyr,alfredos,michaelm DSP-CUSTSVC:x:15001:DSP-Barry,DSP-denise,DSP-susan,DSP-heatherq,DSP-GIGI,DSP -moniqueb,DSP-TAMI,DSP-ChrisM,DSP-Leigh,DSP-Maryann,DSP-JoeS DSP-Domain Admins:x:15002:DSP-DSPAdmin,DSP-Tom,DSP-root,DSP-Robot,DSP-smtp2pop3,DSP-DSP ADMIN1,DSP-Doug,DSP-Tom2 DSP-Domain Guests:x:15003: ...snip... DSP-Dynamics:x:15005:DSP-Jared,DSP-Tom,DSP-Kris,DSP-Tom2 DSP-FINANCE:x:15006:DSP-DANNIS,DSP-GIGI,DSP-TAMI,DSP-Tom2,DSP-Tom,DSP-Doug,D SP-dahmian,DSP-Jared,DSP-Holly,DSP-Lynne,DSP-boe DSP-Management:x:15007:DSP-DANNIS,DSP-Joe,DSP-GIGI,DSP-TAMI,DSP-TJ,DSP-Tom,D SP-Becky,DSP-Barry,DSP-Maryann,DSP-Tom2,DSP-Jon,DSP-Jared DSP-MARKETING:x:15008:DSP-JoeS,DSP-GIGI,DSP-Becky,DSP-Barry,DSP-Leslie Why is the prepended domain username in lower case in getent passwd but not with getent group? Will this create problems? 
~Doug
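An added example, not part of the original thread: a small audit of nsswitch.conf for the two conditions this exchange turned on, 'compat' combined with other sources (the nsparser warning in the FreeBSD log) and a source such as wins or winbind with no NSS module file installed. The two configurations are the ones quoted in the thread; the directory listing, the set of sources treated as built in, and the finding labels are assumptions made for the example.

```python
import re

# The two nsswitch.conf variants quoted in the thread: before and after the fix.
BEFORE = """\
passwd: compat winbind
group: compat winbind
hosts: files winbind wins dns
networks: files
shells: files
"""
AFTER = """\
passwd: files winbind
group: files winbind
hosts: files winbind dns
networks: files
shells: files
"""

# Constructed listing of the directory that holds the nss_*.so* files.
INSTALLED = ["nss_winbind.so.1"]

# Assumption: these sources need no separately installed module.
BUILTIN = {"files", "compat", "dns"}


def parse_nsswitch(text):
    """Return {database: [sources]}, ignoring comments and [criteria] blocks."""
    table = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or ":" not in line:
            continue
        database, rest = line.split(":", 1)
        rest = re.sub(r"\[[^\]]*\]", " ", rest)  # e.g. [NOTFOUND=return]
        table[database.strip()] = rest.split()
    return table


def module_names(source):
    """File names mentioned in the thread: FreeBSD style, then Linux style."""
    return [f"nss_{source}.so.1", f"libnss_{source}.so.2"]


def audit(text, installed, need_winbind=("passwd", "group")):
    """Return a list of (database, finding) tuples; empty means nothing found."""
    table = parse_nsswitch(text)
    present = set(installed)
    findings = []
    for database, sources in table.items():
        # FreeBSD's nsparser warned: 'compat' used with other sources.
        if "compat" in sources and len(sources) > 1:
            findings.append((database, "compat-mixed"))
        # A listed source whose module file is absent cannot be loaded.
        for source in sources:
            if source not in BUILTIN and not present & set(module_names(source)):
                findings.append((database, f"no-module:{source}"))
    # Without winbind here, getent shows local accounts only.
    for database in need_winbind:
        if "winbind" not in table.get(database, []):
            findings.append((database, "winbind-missing"))
    return findings


if __name__ == "__main__":
    for label, conf in (("before", BEFORE), ("after", AFTER)):
        print(label, audit(conf, INSTALLED))
```

A present file is necessary but not sufficient: the "Undefined symbol nss_module_register" message in the log above is a module that exists but fails to load, which a file-name check cannot detect.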
Re: [Samba] getent passwd and wbinfo -u returns machine names too
Tom wrote:
| I've just got a quick question about my winbind
| implementation. I'm running 3.0.9 on fedora core 2, using my
| AD for authentication via winbind.
|
| When I run 'getent passwd' or 'wbinfo -u' I get the computer
| names from AD as well as the usernames. (now the usernames are
| lowercased, I think that was a good idea BTW)
|
| But when I run 'getent group' or 'wbinfo -g' all I get is
| the groups from AD (as well as locally).
|
| Is this supposed to happen or have I set it up wrong?

Sounds right to me. Is the question whether or not the machine accounts should show up in the user list ?

cheers, jerry

Alleviating the pain of Windows(tm) --- http://www.samba.org
GnuPG Key- http://www.plainjoe.org/gpg_public.asc
"If we're adding to the noise, turn off this song"--Switchfoot (2003)
Re: [Samba] getent passwd wbinfo -u not working
Hi,

remember, after compiling and installing samba you have to copy the files nsswitch/libnss_winbind.so and nsswitch/libnss_wins.so to /lib/ and

ln -sf /lib/libnss_winbind.so /lib/libnss_winbind.so.2
ln -sf /lib/libnss_wins.so /lib/libnss_wins.so.2

then copy nsswitch/pam_winbind.so to /lib/security/ and finally do a ldconfig.

you'll have to do these steps manually after each compile and install, as these files are omitted by make install

Christoph

Sahibzada Junaid Noor wrote:
> HI,
> i had messed up with the pam.d so i did a fresh install. now after this fresh install some how getent passwd and wbinfo -u is not working. the rest of the commands kinit net ads join are ok.
>
> [EMAIL PROTECTED] samba]# wbinfo -u
> Error looking up domain users
>
> and getent passwd simply returns me to the prompt after listing the names of the local users and groups
>
> any know how whats going on?
>
> Sahibzada Junaid Noor
> Ph # (+92) (051) 5950 940
> Cell # (+92) (0333) 5223586
> Qazi plaza,Third Floor,Commerical Market,Chaklala Scheme 3, Rawalpindi
> Islamic Republic of Pakistan
RE: [Samba] getent ??
Sorry for asking this question again, I'm hoping someone can answer it.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Roberto Mason
Sent: Saturday, May 22, 2004 5:16 PM
To: Samba-List
Subject: [Samba] getent ??

I've installed Fedora Core 2 from scratch, got my DNS and VNC to work, next is Samba. I was running previously SAMBA 2.28a but now I'm working with 3.04. I've since bought Samba-3 by Example, and I'm following it fairly closely. I've got samba to work with no shares yet, I've run initgrps.sh to create my Domain Groups. Winbind is working. I do a getent groups and this is what I get

--- shortened the output of getent
baubba:x:500:
public:x:501:
ntadmin:x:502:
BUILTIN\System Operators:x:1:
BUILTIN\Replicators:x:10001:
BUILTIN\Guests:x:10002:
BUILTIN\Power Users:x:10003:
BUILTIN\Print Operators:x:10004:
BUILTIN\Administrators:x:10005:
BUILTIN\Account Operators:x:10006:
BUILTIN\Backup Operators:x:10007:
BUILTIN\Users:x:10008:

Now my Domain is MEPHISTOPHELES. Shouldn't the output be more MEPHISTOPHELES\System Operators. or is this correct?
Re: [Samba] getent does not get remote users
On 3. Mar, 2004, at 11:52, Stefan Günther wrote:
>> Also, home directories for the NT4 -users are not created and no logs whatsoever are left behind by the
>
> As far as I know, the home directories for NT-Users aren't created automatically.

But they should - perhaps winbind isn't working for you either. I could also live without this property, but it _would_ be nice to have them owned by someone instead of just seeing numeric UIDs and GIDs on the unix box.

> I have written a small perl script which gets the NT -users via wbinfo -u and creates the home directories. If you are interested in it I could post it or send it.

At least you can send it and if people on the list don't object, please post it as well.

> Bye,
> Stefan

--
ArNO 2
RE: [Samba] getent does not get remote users
I'm not sure where you've gotten some of your configuration, but it doesn't look right to me... I am, however, only comparing it to my setup, which does work. I'll make notes on what differences I see, although I wouldn't consider myself an expert on samba, winbind, or pam.

First, I never changed my /etc/pam.d/samba from the original. Mine looks like:

#%PAM-1.0
auth required pam_nologin.so
auth required pam_stack.so service=system-auth
account required pam_stack.so service=system-auth
session required pam_stack.so service=system-auth
password required pam_stack.so service=system-auth

The other files in /etc/pam.d which I want to use the PDC for authentication look like:

#%PAM-1.0
auth required pam_securetty.so
auth sufficient pam_winbind.so
auth sufficient pam_unix.so service=system-auth
auth required pam_stack.so service=system-auth
auth required pam_nologin.so
account sufficient pam_winbind.so
account required pam_stack.so service=system-auth
password required pam_stack.so service=system-auth
session required pam_mkhomedir.so skel=/etc/skel umask=0222
session required pam_stack.so service=system-auth
session optional pam_console.so

Your smb.conf file looks like it's lacking something, mostly concerning winbind, although since I'm using an Active Directory domain, rather than NT4, I'm not sure if the differences between yours and mine would cause the problems you're seeing. I would assume you could cut out the AD stuff from mine and substitute the non-AD settings for yours... but I'm not sure.

My smb.conf file (which I wrote out by hand, rather than using samba's default template) looks like:

# General Options
workgroup = TEST
netbios name = linux-machine-name

# Winbind Configuration
winbind separator = _
idmap uid = 1-2
idmap gid = 1-2
winbind enum users = yes
winbind enum groups = yes
template homedir = /users/%U
template shell = /bin/bash
# following option automatically prepends the domain name
# to the username when a user tries to login
winbind use default domain = yes

# Active Directory Config
security = ads
encrypt passwords = yes
password server = 192.168.1.5 # IP of the AD server
realm = TEST.DOMAIN.COM

I've probably managed to confuse more than I've helped... but I hope not.

Shannon

Shannon Johnson
Network Support Specialist / Systems Administrator
Dept. of Mechanical and Nuclear Engineering
224 Reber Building
University Park, PA 16802
Phone: (814) 865-8267

-----Original Message-----
From: Arno Hahma [mailto:[EMAIL PROTECTED]
Sent: Wednesday, March 03, 2004 4:31 AM
To: [EMAIL PROTECTED]
Subject: [Samba] getent does not get remote users

I have a samba 3.0.2a -server running Linux, which I try to set up to authenticate users from a NT4 PDC using winbindd. Now, everything works to the point, where I try to list users with getent passwd. Getent only gets the local unix-users and has no clue about the NT4 -users. Also, home directories for the NT4 -users are not created and no logs whatsoever are left behind by the PAM module pam_mkhomedir, although I added the debug -switch to it.

Otherwise, the system works: the shared secret is ok, wbinfo -u shows all NT4 -users correctly, and the NT4 -users can even create a samba -mount, provided the mounted directory has world rwx -permissions (such as the /tmp below in the smb.conf). This means the authentication works ok, but the unix box is just not aware of any winbindd users, even though samba is.

Any clues, where to look for the problem? And yes, I did search through winbindd how-tos and this mailing list archives and tried all the tricks there. I also do not have any local users by the same names as the NT4 has them, thus, no conflicts here. Samba has been compiled with all necessary support (PAM, winbind etc. ) to support this scheme. /etc/nsswitch.conf has been edited to include winbind. ldconfig has been run to include the winbind shared modules. No nscd or any other NSS services are running. What can still be wrong?

PAM configuration file samba:

#%PAM-1.0
# pam_smbpass.so authenticates against the smbpasswd file
auth required pam_smbpass.so nodelay
account required /lib/security/pam_stack.so service=system-auth-winbind
session required /lib/security/pam_stack.so service=system-auth-winbind
password required pam_smbpass.so nodelay smbconf=/etc/samba/smb.conf

The service -lines were edited according to the instructions in smb.conf comments to include system-auth-winbind:

#%PAM-1.0
# $Header: /home/cvsroot/gentoo-x86/net-fs/samba/files/system-auth-winbind,v 1.1 2002/05/06 19:57:08 woodchip Exp $
auth required /lib/security/pam_env.so
auth sufficient /lib/security/pam_unix.so likeauth nullok use_first_pass
auth
Re: [Samba] getent passwd problem (please it's quite URGENT)
On Fri, 2004-01-23 at 23:52, [EMAIL PROTECTED] wrote:
> Hi,
> My ultimate goal is to use this samba installation as a member server without having to maintain NT user accounts on the samba box.
>
> /home/subbu not created...

It is not winbind's role to create home directories. Either pam_mkhomedir, the 'add user script' in smbd (I think), or manual scripts on your part must handle this.

Andrew Bartlett

--
Andrew Bartlett [EMAIL PROTECTED]
Manager, Authentication Subsystems, Samba Team [EMAIL PROTECTED]
Student Network Administrator, Hawker College [EMAIL PROTECTED]
http://samba.org http://build.samba.org http://hawkerc.net
RE: [Samba] getent passwd doesn't list domain users
Did you remember to edit /etc/nsswitch.conf, I always forget that.

passwd: files winbind
shadow: files
group: files winbind

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
Sent: 17 December 2003 16:29
To: [EMAIL PROTECTED]
Subject: [Samba] getent passwd doesn't list domain users

Hi all,
I've configured samba 3.0 as a domain member in NT 4.0 domain. Server has been added to the domain, without any problems, BUT, for three days, I'm not able to find a way how to use NT domain resources for this samba server. I can list domain users and groups with wbinfo command from but getent passwd lists only the local users. Does anyone know where can be the problem?

Thanks
Vasek