subject:"RE\: \[Samba\] getent \?\?"


On 08/08/12 11:59, steve wrote:

Hi
Ubuntu 12.04 LTS client with 3.6.3 joined to the Samba4 AD domain.
smb.conf
winbind enum users = Yes
winbind enum groups = Yes
idmap config *:backend=tdb
idmap config *:range=1-1
idmap config ALTEA:backend=ad
idmap config ALTEA:range=2-4000

getent passwd and wbinfo -u returns all AD users correctly
wbinfo -g returns all AD groups correctly
getent group fails. Only local groups are returned.

getent group works OK on the Samba4 DC.

I have disabled firewalls at both ends and torn down apparmor at both 
ends.


Any ideas anyone?
Cheers,
Steve


Hi, I am also getting this on Xubuntu 12.04 against a Samba 4 domain, 
but 'getent group linuxusers' does return the following info,

linuxusers:x:312:
and you can create dirs and files and chgrp them to the domain group.

My smb.conf
idmap config * : backend = tdb
idmap config * : range = 1100-2000
idmap config HOME : backend = ad
idmap config HOME : range = 300-310
idmap config HOME : schema_mode = rfc2307

I do not understand why 'getent group' only returns local groups when 
'getent group linuxusers' does returns the info.


Rowland


--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.

--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba

Re: [Samba] getent group not working


On 08/08/12 12:38, Rowland Penny wrote:

On 08/08/12 11:59, steve wrote:

Hi
Ubuntu 12.04 LTS client with 3.6.3 joined to the Samba4 AD domain.
smb.conf
winbind enum users = Yes
winbind enum groups = Yes
idmap config *:backend=tdb
idmap config *:range=1-1
idmap config ALTEA:backend=ad
idmap config ALTEA:range=2-4000

getent passwd and wbinfo -u returns all AD users correctly
wbinfo -g returns all AD groups correctly
getent group fails. Only local groups are returned.

getent group works OK on the Samba4 DC.

I have disabled firewalls at both ends and torn down apparmor at both 
ends.


Any ideas anyone?
Cheers,
Steve


Hi, I am also getting this on Xubuntu 12.04 against a Samba 4 domain, 
but 'getent group linuxusers' does return the following info,

linuxusers:x:312:
and you can create dirs and files and chgrp them to the domain group.

My smb.conf
idmap config * : backend = tdb
idmap config * : range = 1100-2000
idmap config HOME : backend = ad
idmap config HOME : range = 300-310
idmap config HOME : schema_mode = rfc2307

I do not understand why 'getent group' only returns local groups when 
'getent group linuxusers' does returns the info.


Rowland




More info, with 'winbind use default domain = yes' in smb.conf on the 
client, 'getent group linuxusers' returns the info. Remove 'winbind use 
default domain = yes' from smb.conf and restart nmbd,smbd  winbind, 
'getent group linuxusers' now returns nothing, put the line back  
restart the daemons and the info comes back.


Why does one line in smb.conf make such a big difference?

Rowland

--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.

--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba

Re: [Samba] getent group not working

2012-08-08 Thread Jonathan Buzzard


On 08/08/12 13:36, Rowland Penny wrote:

[SNIP]



More info, with 'winbind use default domain = yes' in smb.conf on the
client, 'getent group linuxusers' returns the info. Remove 'winbind use
default domain = yes' from smb.conf and restart nmbd,smbd  winbind,
'getent group linuxusers' now returns nothing, put the line back 
restart the daemons and the info comes back.

Why does one line in smb.conf make such a big difference?



Remove it and do a 'getent group HOME\\linuxusers' and see if that 
works. Should explain why you need the user default domain in there.


JAB.

--
Jonathan A. Buzzard Email: jonathan (at) buzzard.me.uk
Fife, United Kingdom.
--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba

Re: [Samba] getent group not working


On 08/08/12 14:45, Jonathan Buzzard wrote:

On 08/08/12 13:36, Rowland Penny wrote:

[SNIP]



More info, with 'winbind use default domain = yes' in smb.conf on the
client, 'getent group linuxusers' returns the info. Remove 'winbind use
default domain = yes' from smb.conf and restart nmbd,smbd  winbind,
'getent group linuxusers' now returns nothing, put the line back 
restart the daemons and the info comes back.

Why does one line in smb.conf make such a big difference?



Remove it and do a 'getent group HOME\\linuxusers' and see if that 
works. Should explain why you need the user default domain in there.


JAB.


ok, I removed the line and ran 'getent group HOME\\linuxusers'
This returned 'HOME\linuxusers:x:312:', this is just the same as 
before but with the domain name stuck on the front, 'getent group' still 
returns nothing.
So as I see it, with ''winbind use default domain = yes' in smb.conf, 
you do not need to give the domain name, but without it you do.
I still do not see why 'getent group' does not return anything but local 
groups.


Rowland

--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.

--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba

Re: [Samba] getent group not working

2012-08-08 Thread steve


On 08/08/12 16:13, Rowland Penny wrote:

On 08/08/12 14:45, Jonathan Buzzard wrote:

On 08/08/12 13:36, Rowland Penny wrote:

[SNIP]




Remove it and do a 'getent group HOME\\linuxusers' and see if that
works. Should explain why you need the user default domain in there.

JAB.


ok, I removed the line and ran 'getent group HOME\\linuxusers'
This returned 'HOME\linuxusers:x:312:', this is just the same as
before but with the domain name stuck on the front, 'getent group' still
returns nothing.
So as I see it, with ''winbind use default domain = yes' in smb.conf,
you do not need to give the domain name, but without it you do.
I still do not see why 'getent group' does not return anything but local
groups.

Rowland



OK
getent passwd works as does wbinfo -u/-g
getent passwd doesn't

My workgroup is ALTEA
I create a group staff2 with posixGroup and gidNumber of 21114
This works:
getent group ALTEA\\staff2
ALTEA\staff2:x:21114:


Back on the Samba4 DC at debug 3 the getent group command gives around 
50 of these:

ldb: ldb: dnAttributes extended match not supported yet

getent group (without specifying a WORKGROUP\\group) returns only local 
groups. Unfortunately the question remains the same. Why does getent 
group return only local users?


Is this just Ubuntu 12.04 with Samba 3.6.3? Can anyone confirm that it 
works on other distros?


Cheers,
Steve

--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba

Re: [Samba] getent group not working

2012-08-08 Thread Jonathan Buzzard


On 08/08/12 15:13, Rowland Penny wrote:

On 08/08/12 14:45, Jonathan Buzzard wrote:

On 08/08/12 13:36, Rowland Penny wrote:

[SNIP]



More info, with 'winbind use default domain = yes' in smb.conf on the
client, 'getent group linuxusers' returns the info. Remove 'winbind use
default domain = yes' from smb.conf and restart nmbd,smbd  winbind,
'getent group linuxusers' now returns nothing, put the line back 
restart the daemons and the info comes back.

Why does one line in smb.conf make such a big difference?



Remove it and do a 'getent group HOME\\linuxusers' and see if that
works. Should explain why you need the user default domain in there.

JAB.


ok, I removed the line and ran 'getent group HOME\\linuxusers'
This returned 'HOME\linuxusers:x:312:', this is just the same as
before but with the domain name stuck on the front, 'getent group' still
returns nothing.
So as I see it, with ''winbind use default domain = yes' in smb.conf,
you do not need to give the domain name, but without it you do.
I still do not see why 'getent group' does not return anything but local
groups.



You did make sure to nuke any DB's that Samba might have created locally 
when switching between the two?


JAB.

--
Jonathan A. Buzzard Email: jonathan (at) buzzard.me.uk
Fife, United Kingdom.
--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba

Re: [Samba] getent group not working


On 08/08/12 16:58, Jonathan Buzzard wrote:

On 08/08/12 15:13, Rowland Penny wrote:

On 08/08/12 14:45, Jonathan Buzzard wrote:

On 08/08/12 13:36, Rowland Penny wrote:

[SNIP]



More info, with 'winbind use default domain = yes' in smb.conf on the
client, 'getent group linuxusers' returns the info. Remove 'winbind 
use

default domain = yes' from smb.conf and restart nmbd,smbd  winbind,
'getent group linuxusers' now returns nothing, put the line back 
restart the daemons and the info comes back.

Why does one line in smb.conf make such a big difference?



Remove it and do a 'getent group HOME\\linuxusers' and see if that
works. Should explain why you need the user default domain in there.

JAB.


ok, I removed the line and ran 'getent group HOME\\linuxusers'
This returned 'HOME\linuxusers:x:312:', this is just the same as
before but with the domain name stuck on the front, 'getent group' still
returns nothing.
So as I see it, with ''winbind use default domain = yes' in smb.conf,
you do not need to give the domain name, but without it you do.
I still do not see why 'getent group' does not return anything but local
groups.



You did make sure to nuke any DB's that Samba might have created 
locally when switching between the two?


JAB.

Well no I didn't, but I have now, and it did not make any difference, 
exactly the same set of results.


Why does 'getent group' on the samba4 server return all the users (local 
 domain) and 'getent group' from 3.6.3 on the client only return local 
users?


Rowland

--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.

--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba

Re: [Samba] getent group not working

2012-08-08 Thread steve


On 08/08/2012 05:58 PM, Jonathan Buzzard wrote:

On 08/08/12 15:13, Rowland Penny wrote:

On 08/08/12 14:45, Jonathan Buzzard wrote:

On 08/08/12 13:36, Rowland Penny wrote:

[SNIP]



More info, with 'winbind use default domain = yes' in smb.conf on the
client, 'getent group linuxusers' returns the info. Remove 'winbind 
use

default domain = yes' from smb.conf and restart nmbd,smbd  winbind,
'getent group linuxusers' now returns nothing, put the line back 
restart the daemons and the info comes back.

Why does one line in smb.conf make such a big difference?



Remove it and do a 'getent group HOME\\linuxusers' and see if that
works. Should explain why you need the user default domain in there.

JAB.


ok, I removed the line and ran 'getent group HOME\\linuxusers'
This returned 'HOME\linuxusers:x:312:', this is just the same as
before but with the domain name stuck on the front, 'getent group' still
returns nothing.
So as I see it, with ''winbind use default domain = yes' in smb.conf,
you do not need to give the domain name, but without it you do.
I still do not see why 'getent group' does not return anything but local
groups.



You did make sure to nuke any DB's that Samba might have created 
locally when switching between the two?



Hi
I just physically removed /var/lib/samba and /var/cache/samba and did 
apt-get purge samba winbind samba-common. Then reinstalled over bare 
metal. _Still_ only local groups from getent group.


It works fine. We can login and files are shown as being owned by e.g.
WORKGROUP\steve WORKGROUP\domain users

It would just be nice to be able to see the groups listed by getent 
group. That's all.

Cheers,
Steve

--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba

Re: [Samba] getent passwd fails inside freebsd jail using samba 3.4.14

2011-12-02 Thread Kamil Choudhury

I know this thread is long dead, but for anyone who was wondering, the issue 
was 
a faulty compile of the net/samba34 port. 

Turning the log level to 3 in smb.conf, showed the following: 

Error loading module '/usr/local/lib/samba34/idmap/ad.so': Cannot open 
/usr/local/lib/samba34/idmap/ad.so

Oops. 

Recompiling resulted in a perfectly functioning SAMBA install inside the jail. 
I guess 
the moral of the story is to turn up logging verbosity when confronted with a 
problem? 

Thanks, 
Kamil
-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba

Re: [Samba] getent passwd not returning users/groups

2011-11-19 Thread Jorell


I had this same problem on Ubuntu 10.04; did you run pam-auth-update?
Do these files exist?:
/lib/libnss_winbind.so
/lib/libnss_winbind.so.2
/lib/security/pam_winbind.so
/usr/share/pam-configs/winbind
/usr/share/pam-configs/krb5

On 11/8/2011 7:56 AM, James Chase wrote:

Yes, definitely

On 11/8/2011 10:55 AM, Eddy Sturg wrote:

Does nsswitch.conf have winbind listed?

On Mon, Nov 7, 2011 at 11:09 AM, James Chase ja...@chasecomputers.net
mailto:ja...@chasecomputers.net wrote:

I tried a second install of CentOS with X, thinking perhaps the
GUI setup might do something that I was missing in terms of
getting samba connected to active directory. However I still can't
get this to work (now wbinfo doesn't seem to work either) in
CentOS. I also tried Fedora 14.

Then I tried a Ubuntu 11 install and followed their instructions
from the wiki:
https://help.ubuntu.com/community/ActiveDirectoryWinbindHowto

And it worked! I tried to apply the same settings to CentOS setup
but I still get no output from 'getent passwd'.

Ubuntu is running version 3.5.11 while CentoS is 3.5.4. Think my
best bet is building from source and trying 3.5.11 or 3.5.12 on
CentOS? Are there any critical flags that need to be set during
the configuration to make sure samba will work with active
directory/winbind?

James


I'm trying to get my CentOS 5.6 machine setup as a Active
Directory Domain Member with Windows 2008 level domain and
samba 3.5. I haven't tried this before.

I can successfully join the domain and return users using
'wbinfo -u' and groups with 'wbinfo -g' but when I try 'getent
passwd' I only get the local users. I'm not sure what element
that indicates is failing in the process. I'm not confident in
my pam.d/ setup since different guides show different methods
of setting this up. The /etc/nsswitch.conf file has been
edited to include winbind as a source for passwd/shadow/group.

The only insightful error message I see in the samba logs is
this (repeated over and over in all the logs) but I haven't
found the solution. Is this the cause of my problems? How do I
disable spinlocks? I'm using a prebuilt package from sernet

[2011/11/01 16:46:19.979981, 1] lib/util_tdb.c:385(tdb_log)
tdb(unnamed): tdb_open_ex: spinlocks no longer supported

Here is my samba configuration dumped from smbtest:

[root@sambatest ~]# testparm
Load smb config files from /etc/samba/smb.conf
rlimit_max: rlimit_max (1024) below minimum Windows limit (16384)
Processing section [test]
Loaded services file OK.
Server role: ROLE_DOMAIN_MEMBER
Press enter to see a dump of your service definitions

[global]
workgroup = SHAMOFFICE
realm = SHAMBHALA-OFFICE.LOCAL
interfaces = 127.0.0.1, eth0
bind interfaces only = Yes
security = ADS
printcap name = cups
idmap backend = ad
idmap uid = 1-2
idmap gid = 3-4
winbind enum users = Yes
winbind enum groups = Yes
winbind use default domain = Yes
idmap config SHAMOFFICE : schema_mode = rfc2307
idmap config SHAMOFFICE : range = 4000-5000
idmap config SHAMOFFICE : backend = ad
idmap config * : range = 2000-3000
idmap config * : backend = tdb

[test]
comment = Directory for storing pictures by jims users
path = /local/test
read only = No
guest ok = Yes





-- To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba




--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba

Re: [Samba] getent passwd not returning users/groups

2011-11-19 Thread Jorell


A few more thoughts...
for your smb.conf shouldn't it be:
workgroup = SHAMOFFICE
realm = SHAMOFFICE.LOCAL

or:
workgroup = SHAMBHALA-OFFICE
realm = SHAMBHALA-OFFICE.LOCAL

or maybe:
workgroup = SHAMOFFICE
realm = SHAMOFFICE.SHAMBHALA-OFFICE.LOCAL



For my setup I found having my domain being *.local problematic I ended 
up using *.lan




On 11/8/2011 7:56 AM, James Chase wrote:

Yes, definitely

On 11/8/2011 10:55 AM, Eddy Sturg wrote:

Does nsswitch.conf have winbind listed?

On Mon, Nov 7, 2011 at 11:09 AM, James Chase ja...@chasecomputers.net
mailto:ja...@chasecomputers.net wrote:

I tried a second install of CentOS with X, thinking perhaps the
GUI setup might do something that I was missing in terms of
getting samba connected to active directory. However I still can't
get this to work (now wbinfo doesn't seem to work either) in
CentOS. I also tried Fedora 14.

Then I tried a Ubuntu 11 install and followed their instructions
from the wiki:
https://help.ubuntu.com/community/ActiveDirectoryWinbindHowto

And it worked! I tried to apply the same settings to CentOS setup
but I still get no output from 'getent passwd'.

Ubuntu is running version 3.5.11 while CentoS is 3.5.4. Think my
best bet is building from source and trying 3.5.11 or 3.5.12 on
CentOS? Are there any critical flags that need to be set during
the configuration to make sure samba will work with active
directory/winbind?

James


I'm trying to get my CentOS 5.6 machine setup as a Active
Directory Domain Member with Windows 2008 level domain and
samba 3.5. I haven't tried this before.

I can successfully join the domain and return users using
'wbinfo -u' and groups with 'wbinfo -g' but when I try 'getent
passwd' I only get the local users. I'm not sure what element
that indicates is failing in the process. I'm not confident in
my pam.d/ setup since different guides show different methods
of setting this up. The /etc/nsswitch.conf file has been
edited to include winbind as a source for passwd/shadow/group.

The only insightful error message I see in the samba logs is
this (repeated over and over in all the logs) but I haven't
found the solution. Is this the cause of my problems? How do I
disable spinlocks? I'm using a prebuilt package from sernet

[2011/11/01 16:46:19.979981, 1] lib/util_tdb.c:385(tdb_log)
tdb(unnamed): tdb_open_ex: spinlocks no longer supported

Here is my samba configuration dumped from smbtest:

[root@sambatest ~]# testparm
Load smb config files from /etc/samba/smb.conf
rlimit_max: rlimit_max (1024) below minimum Windows limit (16384)
Processing section [test]
Loaded services file OK.
Server role: ROLE_DOMAIN_MEMBER
Press enter to see a dump of your service definitions

[global]
workgroup = SHAMOFFICE
realm = SHAMBHALA-OFFICE.LOCAL
interfaces = 127.0.0.1, eth0
bind interfaces only = Yes
security = ADS
printcap name = cups
idmap backend = ad
idmap uid = 1-2
idmap gid = 3-4
winbind enum users = Yes
winbind enum groups = Yes
winbind use default domain = Yes
idmap config SHAMOFFICE : schema_mode = rfc2307
idmap config SHAMOFFICE : range = 4000-5000
idmap config SHAMOFFICE : backend = ad
idmap config * : range = 2000-3000
idmap config * : backend = tdb

[test]
comment = Directory for storing pictures by jims users
path = /local/test
read only = No
guest ok = Yes





-- To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba




--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba

Re: [Samba] getent passwd not returning users/groups

2011-11-08 Thread Eddy Sturg

Does nsswitch.conf have winbind listed?

On Mon, Nov 7, 2011 at 11:09 AM, James Chase ja...@chasecomputers.netwrote:

I tried a second install of CentOS with X, thinking perhaps the GUI setup
might do something that I was missing in terms of getting samba connected
to active directory. However I still can't get this to work (now wbinfo
doesn't seem to work either) in CentOS. I also tried Fedora 14.

Then I tried a Ubuntu 11 install and followed their instructions from the
wiki:
https://help.ubuntu.com/**community/**ActiveDirectoryWinbindHowtohttps://help.ubuntu.com/community/ActiveDirectoryWinbindHowto

And it worked! I tried to apply the same settings to CentOS setup but I
still get no output from 'getent passwd'.

Ubuntu is running version 3.5.11 while CentoS is 3.5.4. Think my best bet
is building from source and trying 3.5.11 or 3.5.12 on CentOS? Are there
any critical flags that need to be set during the configuration to make
sure samba will work with active directory/winbind?

James

I'm trying to get my CentOS 5.6 machine setup as a Active Directory
Domain Member with Windows 2008 level domain and samba 3.5. I haven't tried
this before.

I can successfully join the domain and return users using 'wbinfo -u' and
groups with 'wbinfo -g' but when I try 'getent passwd' I only get the local
users. I'm not sure what element that indicates is failing in the process.
I'm not confident in my pam.d/ setup since different guides show different
methods of setting this up. The /etc/nsswitch.conf file has been edited to
include winbind as a source for passwd/shadow/group.

The only insightful error message I see in the samba logs is this
(repeated over and over in all the logs) but I haven't found the solution.
Is this the cause of my problems? How do I disable spinlocks? I'm using a
prebuilt package from sernet

[2011/11/01 16:46:19.979981, 1] lib/util_tdb.c:385(tdb_log)
tdb(unnamed): tdb_open_ex: spinlocks no longer supported

Here is my samba configuration dumped from smbtest:

[root@sambatest ~]# testparm
Load smb config files from /etc/samba/smb.conf
rlimit_max: rlimit_max (1024) below minimum Windows limit (16384)
Processing section [test]
Loaded services file OK.
Server role: ROLE_DOMAIN_MEMBER
Press enter to see a dump of your service definitions

[global]
workgroup = SHAMOFFICE
realm = SHAMBHALA-OFFICE.LOCAL
interfaces = 127.0.0.1, eth0
bind interfaces only = Yes
security = ADS
printcap name = cups
idmap backend = ad
idmap uid = 1-2
idmap gid = 3-4
winbind enum users = Yes
winbind enum groups = Yes
winbind use default domain = Yes
idmap config SHAMOFFICE : schema_mode = rfc2307
idmap config SHAMOFFICE : range = 4000-5000
idmap config SHAMOFFICE : backend = ad
idmap config * : range = 2000-3000
idmap config * : backend = tdb

[test]
comment = Directory for storing pictures by jims users
path = /local/test
read only = No
guest ok = Yes

--
To unsubscribe from this list go to the following URL and read the
instructions:
https://lists.samba.org/**mailman/options/sambahttps://lists.samba.org/mailman/options/samba

--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba

Re: [Samba] getent passwd not returning users/groups

2011-11-08 Thread James Chase


Yes, definitely

On 11/8/2011 10:55 AM, Eddy Sturg wrote:

Does nsswitch.conf have winbind listed?

On Mon, Nov 7, 2011 at 11:09 AM, James Chase ja...@chasecomputers.net 
mailto:ja...@chasecomputers.net wrote:


I tried a second install of CentOS with X, thinking perhaps the
GUI setup might do something that I was missing in terms of
getting samba connected to active directory. However I still can't
get this to work (now wbinfo doesn't seem to work either) in
CentOS. I also tried Fedora 14.

Then I tried a Ubuntu 11 install and followed their instructions
from the wiki:
https://help.ubuntu.com/community/ActiveDirectoryWinbindHowto

And it worked! I tried to apply the same settings to CentOS setup
but I still get no output from 'getent passwd'.

Ubuntu is running version 3.5.11 while CentoS is 3.5.4. Think my
best bet is building from source and trying 3.5.11 or 3.5.12 on
CentOS? Are there any critical flags that need to be set during
the configuration to make sure samba will work with active
directory/winbind?

James


I'm trying to get my CentOS 5.6 machine setup as a Active
Directory Domain Member with Windows 2008 level domain and
samba 3.5. I haven't tried this before.

I can successfully join the domain and return users using
'wbinfo -u' and groups with 'wbinfo -g' but when I try 'getent
passwd' I only get the local users. I'm not sure what element
that indicates is failing in the process. I'm not confident in
my pam.d/ setup since different guides show different methods
of setting this up. The /etc/nsswitch.conf file has been
edited to include winbind as a source for passwd/shadow/group.

The only insightful error message I see in the samba logs is
this (repeated over and over in all the logs) but I haven't
found the solution. Is this the cause of my problems? How do I
disable spinlocks? I'm using a prebuilt package from sernet

[2011/11/01 16:46:19.979981,  1] lib/util_tdb.c:385(tdb_log)
 tdb(unnamed): tdb_open_ex: spinlocks no longer supported

Here is my samba configuration dumped from smbtest:

[root@sambatest ~]# testparm
Load smb config files from /etc/samba/smb.conf
rlimit_max: rlimit_max (1024) below minimum Windows limit (16384)
Processing section [test]
Loaded services file OK.
Server role: ROLE_DOMAIN_MEMBER
Press enter to see a dump of your service definitions

[global]
   workgroup = SHAMOFFICE
   realm = SHAMBHALA-OFFICE.LOCAL
   interfaces = 127.0.0.1, eth0
   bind interfaces only = Yes
   security = ADS
   printcap name = cups
   idmap backend = ad
   idmap uid = 1-2
   idmap gid = 3-4
   winbind enum users = Yes
   winbind enum groups = Yes
   winbind use default domain = Yes
   idmap config SHAMOFFICE : schema_mode = rfc2307
   idmap config SHAMOFFICE : range = 4000-5000
   idmap config SHAMOFFICE : backend = ad
   idmap config * : range = 2000-3000
   idmap config * : backend = tdb

[test]
   comment = Directory for storing pictures by jims users
   path = /local/test
   read only = No
   guest ok = Yes





-- 
To unsubscribe from this list go to the following URL and read the

instructions: https://lists.samba.org/mailman/options/samba



--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba

Re: [Samba] getent passwd not returning users/groups

2011-11-07 Thread James Chase

I tried a second install of CentOS with X, thinking perhaps the GUI 
setup might do something that I was missing in terms of getting samba 
connected to active directory. However I still can't get this to work 
(now wbinfo doesn't seem to work either) in CentOS. I also tried Fedora 14.


Then I tried a Ubuntu 11 install and followed their instructions from 
the wiki: https://help.ubuntu.com/community/ActiveDirectoryWinbindHowto


And it worked! I tried to apply the same settings to CentOS setup but I 
still get no output from 'getent passwd'.


Ubuntu is running version 3.5.11 while CentoS is 3.5.4. Think my best 
bet is building from source and trying 3.5.11 or 3.5.12 on CentOS? Are 
there any critical flags that need to be set during the configuration to 
make sure samba will work with active directory/winbind?


James


I'm trying to get my CentOS 5.6 machine setup as a Active Directory 
Domain Member with Windows 2008 level domain and samba 3.5. I haven't 
tried this before.


I can successfully join the domain and return users using 'wbinfo -u' 
and groups with 'wbinfo -g' but when I try 'getent passwd' I only get 
the local users. I'm not sure what element that indicates is failing 
in the process. I'm not confident in my pam.d/ setup since different 
guides show different methods of setting this up. The 
/etc/nsswitch.conf file has been edited to include winbind as a source 
for passwd/shadow/group.


The only insightful error message I see in the samba logs is this 
(repeated over and over in all the logs) but I haven't found the 
solution. Is this the cause of my problems? How do I disable 
spinlocks? I'm using a prebuilt package from sernet


[2011/11/01 16:46:19.979981,  1] lib/util_tdb.c:385(tdb_log)
  tdb(unnamed): tdb_open_ex: spinlocks no longer supported

Here is my samba configuration dumped from smbtest:

[root@sambatest ~]# testparm
Load smb config files from /etc/samba/smb.conf
rlimit_max: rlimit_max (1024) below minimum Windows limit (16384)
Processing section [test]
Loaded services file OK.
Server role: ROLE_DOMAIN_MEMBER
Press enter to see a dump of your service definitions

[global]
workgroup = SHAMOFFICE
realm = SHAMBHALA-OFFICE.LOCAL
interfaces = 127.0.0.1, eth0
bind interfaces only = Yes
security = ADS
printcap name = cups
idmap backend = ad
idmap uid = 1-2
idmap gid = 3-4
winbind enum users = Yes
winbind enum groups = Yes
winbind use default domain = Yes
idmap config SHAMOFFICE : schema_mode = rfc2307
idmap config SHAMOFFICE : range = 4000-5000
idmap config SHAMOFFICE : backend = ad
idmap config * : range = 2000-3000
idmap config * : backend = tdb

[test]
comment = Directory for storing pictures by jims users
path = /local/test
read only = No
guest ok = Yes






--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba

Re: [Samba] getent passwd not returning users/groups

2011-11-01 Thread Mark Rutherford


Shot in the dark.. is nscd running?
I have been bitten by that a few times.

On 11/1/2011 5:04 PM, James Chase wrote:
I'm trying to get my CentOS 5.6 machine setup as a Active Directory 
Domain Member with Windows 2008 level domain and samba 3.5. I haven't 
tried this before.


I can successfully join the domain and return users using 'wbinfo -u' 
and groups with 'wbinfo -g' but when I try 'getent passwd' I only get 
the local users. I'm not sure what element that indicates is failing 
in the process. I'm not confident in my pam.d/ setup since different 
guides show different methods of setting this up. The 
/etc/nsswitch.conf file has been edited to include winbind as a source 
for passwd/shadow/group.


The only insightful error message I see in the samba logs is this 
(repeated over and over in all the logs) but I haven't found the 
solution. Is this the cause of my problems? How do I disable 
spinlocks? I'm using a prebuilt package from sernet


[2011/11/01 16:46:19.979981,  1] lib/util_tdb.c:385(tdb_log)
  tdb(unnamed): tdb_open_ex: spinlocks no longer supported

Here is my samba configuration dumped from smbtest:

[root@sambatest ~]# testparm
Load smb config files from /etc/samba/smb.conf
rlimit_max: rlimit_max (1024) below minimum Windows limit (16384)
Processing section [test]
Loaded services file OK.
Server role: ROLE_DOMAIN_MEMBER
Press enter to see a dump of your service definitions

[global]
workgroup = SHAMOFFICE
realm = SHAMBHALA-OFFICE.LOCAL
interfaces = 127.0.0.1, eth0
bind interfaces only = Yes
security = ADS
printcap name = cups
idmap backend = ad
idmap uid = 1-2
idmap gid = 3-4
winbind enum users = Yes
winbind enum groups = Yes
winbind use default domain = Yes
idmap config SHAMOFFICE : schema_mode = rfc2307
idmap config SHAMOFFICE : range = 4000-5000
idmap config SHAMOFFICE : backend = ad
idmap config * : range = 2000-3000
idmap config * : backend = tdb

[test]
comment = Directory for storing pictures by jims users
path = /local/test
read only = No
guest ok = Yes







--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba

Re: [Samba] getent passwd fails inside freebsd jail using samba 3.4.14

2011-09-22 Thread Quinn Fissler

Doing what you're doing is using the wrong machine name when making the
query.

I presume that ABPSVC-UNIX2 is your server and your client is in the jail
on that machine.

You'd need a separate configuration instead of a copy from the server so
that the jail appears to be a separate client.

I've never done this.



On 22 September 2011 15:09, Kamil Choudhury
kamil.choudh...@anserinae.netwrote:

 I've been messing around with running samba 3.4.14 inside a freebsd jail
 over
 the last couple of days, and am running into an odd problem where wbinfo -u
 and wbinfo -g succeed, but getent passwd fails (insofar that it shows only
 local users, but none of the domain users).

 Here's my smb.conf:

 [global]

 interfaces =192.168.0.16/32
 bind interfaces only   =yes
 security   =ads
 realm  =domain.net
 password server=awpsvc-win1.domain.net
 workgroup  =DOMAIN
 idmap uid  =1-2
 idmap gid  =1-2
 idmap config DOMAIN: backend = ad
 idmap config DOMAIN : range   = 4-6
 winbind nss info   =rfc2307
 winbind enum users =yes
 winbind enum groups=yes
 winbind nested groups  =yes
 winbind expand groups  =1
 template homedir   =/home/%D/%U
 template shell =/usr/local/bin/bash
 client use spnego  =yes
 client ntlmv2 auth =yes
 encrypt passwords  =yes
 winbind use default domain =yes
 restrict anonymous =2
 acl check permissions  =yes
 follow symlinks=yes
 wide links =yes
 unix extensions=no

 And my /etc/nsswitch.conf file:

 group: winbind files
 group_compat: nis
 hosts: files dns
 networks: files
 passwd: winbind files
 passwd_compat: nis
 shells: files
 services: compat
 services_compat: nis
 protocols: files
 rpc: files

 Doing a getent passwd results in the following output to log.winbindd:

 [2011/09/22 00:22:00,  1] winbindd/winbindd_group.c:1366(winbindd_getgrent)
  could not look up gid for group ExchangeLegacyInterop
 [2011/09/22 00:22:00,  1] winbindd/winbindd_group.c:1366(winbindd_getgrent)
  could not look up gid for group Schema Admins
 [2011/09/22 00:22:00,  1] winbindd/winbindd_group.c:1366(winbindd_getgrent)
  could not look up gid for group Enterprise Admins
 [2011/09/22 00:22:00,  1] winbindd/winbindd_group.c:1366(winbindd_getgrent)
  could not look up gid for group Enterprise Read-only Domain Controllers
 ...

 ...and the following in log.nbmd:

 [2011/09/22 00:29:46,  0] nmbd/nmbd_packets.c:1079(process_browse_packet)
  process_browse_packet: Discarding datagram from IP 192.168.0.16. Source
 name ABPSVC-UNIX200 is one of our names !
 [2011/09/22 00:29:46,  0] nmbd/nmbd_packets.c:1079(process_browse_packet)
  process_browse_packet: Discarding datagram from IP 192.168.0.16. Source
 name ABPSVC-UNIX200 is one of our names !

 The configuration is known to work *outside* a jail -- is there something
 I should be doing differently in order to get winbind to work cleanly?

 Thanks in advance,
 Kamil
 --
 To unsubscribe from this list go to the following URL and read the
 instructions:  https://lists.samba.org/mailman/options/samba

-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba

Re: [Samba] getent passwd fails inside freebsd jail using samba 3.4.14

2011-09-22 Thread Kamil Choudhury

  I presume that ABPSVC-UNIX2 is your server and your client is in the jail 
 on that machine.

Actually, abpsvc-unix2 is the client at 192.168.0.16; it's hosted on a server 
called called serenity , which is at 192.168.0.1. If it matters, serenity is 
running a samba client successfully. Both are authenticating against AD server 
awpsvc-win1.anserinae.net at 192.168.12.

I'm new to all of this, so perhaps I'm asking the wrong question: is winbind 
the right tool to be using to map AD users to the jail? 
-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba

Re: [Samba] getent group not listing domain groups / wbinfo -r not working

2011-09-21 Thread Ľubomír Brindza

Update. Ugly hacks abound, be warned.

 As far as I can tell, nsswitch.conf is also configured properly, since
 `getent passwd` dumps local users, waits about .2 seconds, and dumps
 domain users:
 sasa.sokolova:*:10283:10001:Sasa
 Sokolova:/home/LIONSK/sasa.sokolova:/bin/false
 adam.szabados:*:10284:10001:Adam
 Szabados:/home/LIONSK/adam.szabados:/bin/false
 (All domain users are members of group '10001', is this normal?)
As I've found out, the `getent passwd` lists users and their *primary*
AD group, which is 'Domain Users' by default. After changing the user's
primary group (and restarting the whole server, unsure how often wbinfo
refreshes its data), `getent passwd` shows users along with their new
primary group (the one I'm actually looking for).

Please note that at my organization, there is very little to no overlap
between different AD groups, so this ugly ha^H^H^H fix may not
necessarily work out for you. I'm using 'plain' AD - UID/GID identity
mapping, and you might want to use idmap_rid backend.

Since `wbinfo -r user` still fails however, I've resorted to altering
the wbinfo_group.pl script shipped with squid (it's used to check
whether a user belongs to a group). Patch attached; don't laugh :

I understand that this could result in a large performance hit (among
other things), but so far it's working as intended.

Please don't hesitate to point out the flaws.
--- /usr/lib/squid3/wbinfo_group.pl 2011-02-22 17:23:47.0 +0100
+++ /etc/squid3/ad_group.pl 2011-09-21 15:52:20.089463160 +0200
@@ -57,8 +26,9 @@
 chop $groupGID;
 debug( User:  -$user-\nGroup: -$group-\nSID:   -$groupSID-\nGID:   
-$groupGID-);
 return 'ERR' if($groupGID eq ); # Verify if groupGID variable is 
empty.
-return 'ERR' if(`wbinfo -r \Q$user\E` eq ); # Verify if wbinfo -r 
command returns no value.
-return 'OK' if(`wbinfo -r \Q$user\E` =~ /^$groupGID$/m);
+return 'OK' if(`getent passwd | grep $user | grep -o $groupGID` =~ 
/^$groupGID$/m);
 return 'ERR';
 }
-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba

Re: [Samba] getent group fails - fixed

2011-06-24 Thread Dale Schroeder


On 06/24/2011 2:56 AM, Dermot wrote:

On 24 June 2011 05:48, Christian PERRIERbubu...@debian.org  wrote:

Quoting Dermot (paik...@googlemail.com):


Perhaps I am not understanding you correctly because that runs counter
my experience. The settings in my /etc/ldap/ldap.conf were correct
whereas the ones in /etc/libnss-ldap.conf were not. It was the search
filters from libnss-ldap.conf that were being used when I did `getent
group`. I think your telling me that getent is tied to the nss
framework so would use that config because that's what I told
nsswitch.conf to do. I would have thought, but I am no expert, that
samba would have used the config from smb.conf and that ldapsearch
(and anything else that didn't have hooks else where) would use
/etc/ldap/ldap.conf.


Please note that Debian has *two* packages for nss-ldap:

mykerinos:/home/cperrier# apt-cache search nss ldap naming service
libnss-ldap - NSS module for using LDAP as a naming service
libnss-ldapd - NSS module for using LDAP as a naming service

IIRC (but you probably want to check this), the latter is more
actively maintained than the former.

I asked about that on the samba IRC two days ago:

(14:33:17): On my distro (Debian), I have two options for NSS 1)
libnss_ldap and 2) libnss_ldapd (Source: nss-pam-ldapd) . Does anyone
know which one I should use?

now I have my answer but it looks like I installed the lesser
maintained version :/

libnss_ldap.so.2 (libc6,x86-64) =  /lib/libnss_ldap.so.2
libnss_ldap.so (libc6,x86-64) =  /usr/lib/libnss_ldap.so
libnss_ldap-2.7.so (libc6,x86-64) =  /lib/libnss_ldap-2.7.so

Thanks,
Dermot.


Looks like there's a migration happening.  On the libnss-ldap package 
webpage ( http://packages.debian.org/squeeze/libnss-ldap ) it says:


Packages providing libnss-ldap

libnss-ldapd

Under experimental, it describes libnss-ldap as a virtual package: 
http://packages.debian.org/experimental/libnss-ldap


One way or another, you will eventually have libnss-ldapd.

Dale

--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba

Re: [Samba] getent passwd does not list trusted users

2011-06-06 Thread timothy mcdaniel

I have been looking at
http://samba.2283325.n4.nabble.com/Trusted-domain-users-unwantedly-mapping-onto-local-domain-users-td3005928.html
and I think that if you add this in your nsswitch.conf like it says in the
website above:
if you already have the passwd: files ldap and group: files ldap in your
nsswitch.conf then just add winbind to the end of the lines of the passwd
and group lines. just like it is shown below: If you need any more help just
email me back, and I will try to help you.

*passwd*: files ldap winbind
group: files ldap winbind

-- Forwarded message --
From: Gaiseric Vandal gaiseric.van...@gmail.com
To: Samba samba@lists.samba.org
Date: Mon, 06 Jun 2011 12:04:14 -0400
Subject: [Samba] getent passwd does not list trusted users
I am running Samba 3.5.5 on Solaris 10. This is the latest Sun/Oracle
provided build. I have an ldap backend for everything (unix+samba accounts,
idmapping for domain trusts.) The Samba server is a PDC for a domain we can
call SAMBA.Each samba account is tied to a unix account.

I have a one-way domain trust setup with a Windows 2003 domain which we
can call WIN2003. SAMBA trusts WIN2003. getent passwd and getent
group seem to fundamentally be working (depending on syntax) BUT getent
passwd does NOT list trusted users.

On the solaris machine:

---
wbinfo -u and wbinfo -glists all users in this domain + the
WIN2003 domain. For the SAMBA users, the domain name is stripped out.

getent passwd - lists all unix users (in ldap or /etc/passwd.)
It does not list the samba users - which is the expected and
desired behaviour.
I had expected it to list users from the WIN2003 domain.

getent group - lists all unix groups (in ldap or /etc/passwd)
It does not listed the SAMBA groups - which is the expected and
desired behaviour.
It does list WIN2003 groups- which is also the expected and
desired behaviour.

getent passwd SAMBA\\user - shows uid, gid, home directory, shell
getent passwd WIN2003\\user - shows uid, gid, home directory, shell

getent group SAMBA\\group - shows gid, members
getent group WIN2003\\group - shows gid, members

id SAMBA\\user - shows uid and gid
id WIN2003 \\user - shows uid and gid

---

I can use chown and other commands from solaris command line to grant
rights to a user from the trusted domain. However, in a Windows machine in
samba domain, when setting file permissions, I can not see the trusted
domain.

Any thoughts?

Thanks
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba

Re: [Samba] getent passwd does not list trusted users

2011-06-06 Thread Gaiseric Vandal


I do have the entries in /etc/nswitch.conf

The getent passwd  won't list the winbind users although I can get 
details on a specific user with the getent passwd 
SOMEDOMAIN\\someuser   common



I looked in the /var/samba/locks directory -

I have a winbindd_cache.tdb file that is current.  I don't have a 
current idmap_cache.tdb file anymore.  Not sure I need one.   I 
initially stated with samba 3.0.x, then upgraded to 3.4.x, then to 
3.5.x, and it seems with .X upgrade that the configuration for winbind 
and idmapping changes.



This may be a bug in Solaris itself rather than samba.





On 06/06/2011 02:28 PM, timothy mcdaniel wrote:

I have been looking at
http://samba.2283325.n4.nabble.com/Trusted-domain-users-unwantedly-mapping-onto-local-domain-users-td3005928.html
and I think that if you add this in your nsswitch.conf like it says in the
website above:
if you already have the passwd: files ldap and group: files ldap in your
nsswitch.conf then just add winbind to the end of the lines of the passwd
and group lines. just like it is shown below: If you need any more help just
email me back, and I will try to help you.

*passwd*: files ldap winbind
   group: files ldap winbind


-- Forwarded message --
From: Gaiseric Vandalgaiseric.van...@gmail.com
To: Sambasamba@lists.samba.org
Date: Mon, 06 Jun 2011 12:04:14 -0400
Subject: [Samba] getent passwd does not list trusted users
I am running Samba 3.5.5 on Solaris 10.  This is the latest Sun/Oracle
provided build.  I have an ldap backend for everything (unix+samba accounts,
idmapping for domain trusts.)  The Samba server is a PDC for a domain we can
call SAMBA.Each samba account is tied to a unix account.

I have a one-way  domain trust setup with a Windows 2003 domain which we
can call WIN2003.  SAMBA trusts WIN2003.   getent passwd and getent
group seem to fundamentally be working (depending on syntax)  BUT getent
passwd does NOT list trusted users.


On the solaris machine:

---
wbinfo -u  and wbinfo -glists all users in this domain + the
WIN2003 domain.   For the SAMBA users, the domain name is stripped out.


  getent passwd -  lists all unix users (in ldap or /etc/passwd.)
It does not list the samba users -  which is the expected and
desired behaviour.
I had expected it to list users from the WIN2003 domain.


getent group  -  lists all unix groups  (in ldap or /etc/passwd)
It does not listed the SAMBA groups - which is the expected and
desired behaviour.
It does list WIN2003 groups-  which is  also the expected and
desired behaviour.


getent passwd SAMBA\\user -  shows uid, gid, home directory, shell
getent passwd WIN2003\\user -  shows uid, gid, home directory, shell

getent group SAMBA\\group -  shows gid, members
getent group WIN2003\\group -  shows gid, members


id SAMBA\\user -  shows uid and gid
id  WIN2003 \\user -  shows uid and gid


---


I can use chown and other commands from solaris command line  to grant
rights to a user from the trusted domain.  However, in a Windows machine in
samba domain, when setting file permissions, I can not see the trusted
domain.


Any thoughts?


Thanks


--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba

Re: [Samba] getent passwd does not list trusted users

2011-06-06 Thread Gaiseric Vandal


This maybe related to idmap allocation -  tho not sure how.


Initially my PDC was running Samba 3.0.x.When I did getent passwd 
or getent group  samba would create idmap entries for users and groups 
from trusted domains.There were some other things broken with idmap 
and samba that made it unstable for maintaining a trust with  Active 
Directory, thus the move to 3.4 and then to 3.5.


The 3.4 upgrade seems to have broken the automatic allocation.  (This 
could just be a configuration error in my smb.conf)   In my environment, 
that wasn't a huge deal since the number of users and groups in the 
trusted domain us quite small and stable. I could manually add an 
idmapping with the wbinfo  or with an LDAP editor.


This morning, getent group would show the trusted WINDOWS groups.  I 
added another group in the WINDOWS domain to see if Samba would 
automatically create a group mapping (which it didn't) and to make sure 
that it at least showed up with wbinfo -g (which it did-  so at least 
I wasn't working just from a cache.)But then getent group stopped 
listing WINDOWS groups.  (getent group WINDOWS\\thenewgroup did 
work.)  Once I manually created an idmap entry for the new group, 
getent group was able to list all the groups.


So my guess is that samba or winbind chokes up when it finds a winbind 
user or group in a domain for which an idmap entry is missing and can't 
be created.


I tried adding idmap entries for the few users in the WINDOWS domain who 
didn't have idmappings, but getent passwd still doesn't work.





 Original Message 
Subject:Re: [Samba] getent passwd does not list trusted users
Date:   Mon, 06 Jun 2011 15:16:28 -0400
From:   Gaiseric Vandal gaiseric.van...@gmail.com
Reply-To:   gaiseric.van...@gmail.com
To: samba@lists.samba.org



I do have the entries in /etc/nswitch.conf

The getent passwd  won't list the winbind users although I can get
details on a specific user with the getent passwd
SOMEDOMAIN\\someuser   common


I looked in the /var/samba/locks directory -

I have a winbindd_cache.tdb file that is current.  I don't have a
current idmap_cache.tdb file anymore.  Not sure I need one.   I
initially stated with samba 3.0.x, then upgraded to 3.4.x, then to
3.5.x, and it seems with .X upgrade that the configuration for winbind
and idmapping changes.


This may be a bug in Solaris itself rather than samba.





On 06/06/2011 02:28 PM, timothy mcdaniel wrote:

 I have been looking at
 
http://samba.2283325.n4.nabble.com/Trusted-domain-users-unwantedly-mapping-onto-local-domain-users-td3005928.html
 and I think that if you add this in your nsswitch.conf like it says in the
 website above:
 if you already have the passwd: files ldap and group: files ldap in your
 nsswitch.conf then just add winbind to the end of the lines of the passwd
 and group lines. just like it is shown below: If you need any more help just
 email me back, and I will try to help you.

 *passwd*: files ldap winbind
group: files ldap winbind


 -- Forwarded message --
 From: Gaiseric Vandalgaiseric.van...@gmail.com
 To: Sambasamba@lists.samba.org
 Date: Mon, 06 Jun 2011 12:04:14 -0400
 Subject: [Samba] getent passwd does not list trusted users
 I am running Samba 3.5.5 on Solaris 10.  This is the latest Sun/Oracle
 provided build.  I have an ldap backend for everything (unix+samba accounts,
 idmapping for domain trusts.)  The Samba server is a PDC for a domain we can
 call SAMBA.Each samba account is tied to a unix account.

 I have a one-way  domain trust setup with a Windows 2003 domain which we
 can call WIN2003.  SAMBA trusts WIN2003.   getent passwd and getent
 group seem to fundamentally be working (depending on syntax)  BUT getent
 passwd does NOT list trusted users.


 On the solaris machine:

 
---
 wbinfo -u  and wbinfo -glists all users in this domain + the
 WIN2003 domain.   For the SAMBA users, the domain name is stripped out.


   getent passwd -  lists all unix users (in ldap or /etc/passwd.)
 It does not list the samba users -  which is the expected and
 desired behaviour.
 I had expected it to list users from the WIN2003 domain.


 getent group  -  lists all unix groups  (in ldap or /etc/passwd)
 It does not listed the SAMBA groups - which is the expected and
 desired behaviour.
 It does list WIN2003 groups-  which is  also the expected and
 desired behaviour.


 getent passwd SAMBA\\user -  shows uid, gid, home directory, shell
 getent passwd WIN2003\\user -  shows uid, gid, home directory, shell

 getent group SAMBA\\group -  shows gid, members
 getent group WIN2003\\group -  shows gid, members


 id SAMBA\\user -  shows uid and gid
 id  WIN2003 \\user -  shows uid and gid

Re: [Samba] getent passwd does not list trusted users

2011-06-06 Thread Frank Mori Hess

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

On Monday, June 06, 2011, Gaiseric Vandal wrote:
 I do have the entries in /etc/nswitch.conf
 
 The getent passwd  won't list the winbind users although I can get
 details on a specific user with the getent passwd
 SOMEDOMAIN\\someuser   common

Isn't that the expected behavior using the default smb.conf values of no 
for winbind enum users and winbind enum groups?

-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.10 (GNU/Linux)

iEYEARECAAYFAk3tKgIACgkQ5vihyNWuA4VsugCgiVnEZfTUlMGNqdSMrjIpMghE
2mUAn0cd7KEgq7Sd+JIO+Lcg02ppVdTM
=15SB
-END PGP SIGNATURE-
-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba

Re: [Samba] getent passwd does not list trusted users

2011-06-06 Thread Gaiseric Vandal


my smb.conf includes

winbind use default domain = Yes

winbind enum users = Yes
winbind enum groups = Yes



I did notice that some idmap entries are being created in the 
gencache.tdb file  (specifically for LDAP groups that DON'T have a Samba 
SID) -I am guessing that is a symptom that idmap is trying to create 
idmap entries but can't post them to ldap.






On 06/06/2011 03:26 PM, Frank Mori Hess wrote:

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

On Monday, June 06, 2011, Gaiseric Vandal wrote:

I do have the entries in /etc/nswitch.conf

The getent passwd  won't list the winbind users although I can get
details on a specific user with the getent passwd
SOMEDOMAIN\\someuser   common

Isn't that the expected behavior using the default smb.conf values of no
for winbind enum users and winbind enum groups?

-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.10 (GNU/Linux)

iEYEARECAAYFAk3tKgIACgkQ5vihyNWuA4VsugCgiVnEZfTUlMGNqdSMrjIpMghE
2mUAn0cd7KEgq7Sd+JIO+Lcg02ppVdTM
=15SB
-END PGP SIGNATURE-


--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba

Re: [Samba] getent passwd strange behavior

2011-04-15 Thread Noé Puyal

Good morning people

I have installed samba from sernet repositories and currently it's
working perfectly.

If you have a Debian-based, RHEL (or CentOS) or Suse Enterprise (or
openSuse) browse this FTP ftp://ftp.sernet.de/pub/samba/3.4/ or the web
http://enterprisesamba.com/ in order to find the appropiate package for
your distribution.

Good luck

El lun, 11-04-2011 a las 12:25 +0200, Zabel, Daniel escribió: 

 Hi Noé,
 
  
 
 thank you for your quick reply.
 
 cvadmin is a domain user.
 
  
 
 Interesting that you have no problems using the old schema.
 
 If I try in /etc/samba/smb.conf
 
  
 
   [global]
 
  
 
workgroup = MYDOMAIN
 
password server = ldap.mydomain.com
 
realm = MYDOMAIN.COM
 
security = ads
 
   idmap uid = 100-50
 
   idmap gid = 100-50
 
   idmap backend = ad
 
   winbind nss info = rfc2307
 
   winbind normalize names = yes
 
   winbind use default domain = true
 
winbind offline logon = false
 
winbind cache time = 180
 
winbind enum users = yes
 
winbind enum groups = yes
 
winbind nested groups = Yes
 
  
 
 No domainuser could be resolved anymore. Same config work on our other samba 
 servers.
 
  
 
 /var/log/samba/log.winbind-idmap shows:
 
  
 
 [2011/04/11 12:24:13.560317,  3, effective(0, 0), real(0, 0)] 
 libsmb/namequery.c:1880(get_dc_list)
 
   get_dc_list: preferred server list: , *
 
 [2011/04/11 12:24:13.560365,  3, effective(0, 0), real(0, 0)] 
 libsmb/namequery.c:1119(resolve_lmhosts)
 
   resolve_lmhosts: Attempting lmhosts lookup for name *0x1c
 
 [2011/04/11 12:24:13.560467,  3, effective(0, 0), real(0, 0)] 
 libsmb/namequery_dc.c:169(rpc_dc_name)
 
   Could not look up dc's for domain *
 
 [2011/04/11 12:24:13.560487,  0, effective(0, 0), real(0, 0)] 
 libads/ldap.c:337(ads_find_dc)
 
   ads_find_dc: no realm or workgroup!  Don't know what to do
 
 [2011/04/11 12:24:13.560505,  1, effective(0, 0), real(0, 0)] 
 winbindd/idmap_ad.c:143(ad_idmap_cached_connection_internal)
 
   ad_idmap_init: failed to connect to AD
 
 [2011/04/11 12:24:13.560518,  1, effective(0, 0), real(0, 0)] 
 winbindd/idmap_ad.c:543(idmap_ad_sids_to_unixids)
 
   ADS uninitialized: Invalid parameter
 
 [2011/04/11 12:24:13.560564,  3, effective(0, 0), real(0, 0)] 
 winbindd/idmap.c:684(idmap_new_mapping)
 
   default domain not writable
 
  
 
 Cheers,
 
  
 
 Daniel
 
  
 
 Von: Noé Puyal [mailto:npu...@valls.cat] 
 Gesendet: Montag, 11. April 2011 10:41
 An: Zabel, Daniel
 Betreff: Re: [Samba] getent passwd strange behavior
 
  
 
 Hi Daniel
 
 First of all, one question, cvadmin is a domain user or local user?
 
 If cvadmin is a local user you should raise the 100 to a number after the 
 last UID and GID.
 
 Also, as you said, I have all my samba servers with old idmap schema working 
 properly.
 
 Good morning
 
 El lun, 11-04-2011 a las 09:38 +0200, Zabel, Daniel escribió:
 
 
 
 idmap uid = 100-50
 
 idmap gid = 100-50 
 
 -- 
 To unsubscribe from this list go to the following URL and read the
 instructions:  https://lists.samba.org/mailman/options/samba



-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba

Re: [Samba] getent passwd strange behavior

2011-04-13 Thread Puyal Tolosa , Noé

Good morning

Just after telling you I had no problems with getent I updated to 3.5.6
and I am having similar issues as the ones you have described.

I will give a try to Sernet-Samba 3.4.12 and I will tell my experience.

El lun, 11-04-2011 a las 12:25 +0200, Zabel, Daniel escribió: 

 Hi Noé,
 
  
 
 thank you for your quick reply.
 
 cvadmin is a domain user.
 
  
 
 Interesting that you have no problems using the old schema.
 
 If I try in /etc/samba/smb.conf
 
  
 
   [global]
 
  
 
workgroup = MYDOMAIN
 
password server = ldap.mydomain.com
 
realm = MYDOMAIN.COM
 
security = ads
 
   idmap uid = 100-50
 
   idmap gid = 100-50
 
   idmap backend = ad
 
   winbind nss info = rfc2307
 
   winbind normalize names = yes
 
   winbind use default domain = true
 
winbind offline logon = false
 
winbind cache time = 180
 
winbind enum users = yes
 
winbind enum groups = yes
 
winbind nested groups = Yes
 
  
 
 No domainuser could be resolved anymore. Same config work on our other samba 
 servers.
 
  
 
 /var/log/samba/log.winbind-idmap shows:
 
  
 
 [2011/04/11 12:24:13.560317,  3, effective(0, 0), real(0, 0)] 
 libsmb/namequery.c:1880(get_dc_list)
 
   get_dc_list: preferred server list: , *
 
 [2011/04/11 12:24:13.560365,  3, effective(0, 0), real(0, 0)] 
 libsmb/namequery.c:1119(resolve_lmhosts)
 
   resolve_lmhosts: Attempting lmhosts lookup for name *0x1c
 
 [2011/04/11 12:24:13.560467,  3, effective(0, 0), real(0, 0)] 
 libsmb/namequery_dc.c:169(rpc_dc_name)
 
   Could not look up dc's for domain *
 
 [2011/04/11 12:24:13.560487,  0, effective(0, 0), real(0, 0)] 
 libads/ldap.c:337(ads_find_dc)
 
   ads_find_dc: no realm or workgroup!  Don't know what to do
 
 [2011/04/11 12:24:13.560505,  1, effective(0, 0), real(0, 0)] 
 winbindd/idmap_ad.c:143(ad_idmap_cached_connection_internal)
 
   ad_idmap_init: failed to connect to AD
 
 [2011/04/11 12:24:13.560518,  1, effective(0, 0), real(0, 0)] 
 winbindd/idmap_ad.c:543(idmap_ad_sids_to_unixids)
 
   ADS uninitialized: Invalid parameter
 
 [2011/04/11 12:24:13.560564,  3, effective(0, 0), real(0, 0)] 
 winbindd/idmap.c:684(idmap_new_mapping)
 
   default domain not writable
 
  
 
 Cheers,
 
  
 
 Daniel
 
  
 
 Von: Noé Puyal [mailto:npu...@valls.cat] 
 Gesendet: Montag, 11. April 2011 10:41
 An: Zabel, Daniel
 Betreff: Re: [Samba] getent passwd strange behavior
 
  
 
 Hi Daniel
 
 First of all, one question, cvadmin is a domain user or local user?
 
 If cvadmin is a local user you should raise the 100 to a number after the 
 last UID and GID.
 
 Also, as you said, I have all my samba servers with old idmap schema working 
 properly.
 
 Good morning
 
 El lun, 11-04-2011 a las 09:38 +0200, Zabel, Daniel escribió:
 
 
 
 idmap uid = 100-50
 
 idmap gid = 100-50 
 
 -- 
 To unsubscribe from this list go to the following URL and read the
 instructions:  https://lists.samba.org/mailman/options/samba



-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba

Re: [Samba] getent passwd strange behavior

2011-04-12 Thread Zabel, Daniel

Can anybody give me a hint where get_dc_list fetches the entries.


Because

-
[2011/04/11 12:24:13.560317,  3, effective(0, 0), real(0, 0)] 
libsmb/namequery.c:1880(get_dc_list)

  get_dc_list: preferred server list: , *
-

seems to be wrong.
 

Cheers,

 Daniel


-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba

Re: [Samba] getent passwd strange behavior

2011-04-11 Thread Zabel, Daniel

Hi Noé,

 

thank you for your quick reply.

cvadmin is a domain user.

 

Interesting that you have no problems using the old schema.

If I try in /etc/samba/smb.conf

 

  [global]

 

   workgroup = MYDOMAIN

   password server = ldap.mydomain.com

   realm = MYDOMAIN.COM

   security = ads

  idmap uid = 100-50

  idmap gid = 100-50

  idmap backend = ad

  winbind nss info = rfc2307

  winbind normalize names = yes

  winbind use default domain = true

   winbind offline logon = false

   winbind cache time = 180

   winbind enum users = yes

   winbind enum groups = yes

   winbind nested groups = Yes

 

No domainuser could be resolved anymore. Same config work on our other samba 
servers.

 

/var/log/samba/log.winbind-idmap shows:

 

[2011/04/11 12:24:13.560317,  3, effective(0, 0), real(0, 0)] 
libsmb/namequery.c:1880(get_dc_list)

  get_dc_list: preferred server list: , *

[2011/04/11 12:24:13.560365,  3, effective(0, 0), real(0, 0)] 
libsmb/namequery.c:1119(resolve_lmhosts)

  resolve_lmhosts: Attempting lmhosts lookup for name *0x1c

[2011/04/11 12:24:13.560467,  3, effective(0, 0), real(0, 0)] 
libsmb/namequery_dc.c:169(rpc_dc_name)

  Could not look up dc's for domain *

[2011/04/11 12:24:13.560487,  0, effective(0, 0), real(0, 0)] 
libads/ldap.c:337(ads_find_dc)

  ads_find_dc: no realm or workgroup!  Don't know what to do

[2011/04/11 12:24:13.560505,  1, effective(0, 0), real(0, 0)] 
winbindd/idmap_ad.c:143(ad_idmap_cached_connection_internal)

  ad_idmap_init: failed to connect to AD

[2011/04/11 12:24:13.560518,  1, effective(0, 0), real(0, 0)] 
winbindd/idmap_ad.c:543(idmap_ad_sids_to_unixids)

  ADS uninitialized: Invalid parameter

[2011/04/11 12:24:13.560564,  3, effective(0, 0), real(0, 0)] 
winbindd/idmap.c:684(idmap_new_mapping)

  default domain not writable

 

Cheers,

 

Daniel

 

Von: Noé Puyal [mailto:npu...@valls.cat] 
Gesendet: Montag, 11. April 2011 10:41
An: Zabel, Daniel
Betreff: Re: [Samba] getent passwd strange behavior

 

Hi Daniel

First of all, one question, cvadmin is a domain user or local user?

If cvadmin is a local user you should raise the 100 to a number after the last 
UID and GID.

Also, as you said, I have all my samba servers with old idmap schema working 
properly.

Good morning

El lun, 11-04-2011 a las 09:38 +0200, Zabel, Daniel escribió:



idmap uid = 100-50

idmap gid = 100-50 

-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba

Re: [Samba] getent group fails on member server after upgrade to 3.5.5

2010-10-21 Thread Dale Schroeder


Neil,

Winbind 3.5.5 is not working properly in Squeeze either.  Using idmap 
backend rid with ads security, It will work for a while, but eventually 
becomes unresponsive.  I tried to report this yesterday, but I assume 
the zipped log file I attached caused it to be rejected.  I tried 3.5.6 
on a system this morning, and there is no improvement.  My primary error 
message was and still is


[2010/10/21 11:26:06.806089,  1] winbindd/winbindd_util.c:289(trustdom_recv)
  Could not receive trustdoms

Lately, there seems to be more than the usual number of winbind problems.

http://lists.samba.org/archive/samba/2010-October/158883.html

Dale


On 10/21/2010 7:44 AM, Neil Price wrote:
 I have a member server joined to a samba 3 domain. It was working 
fine with 3.4.8 but after an upgrade to 3.5.5 (debian lenny with 
backports) getent group no longer works.


getent passwd works fine, wbinfo -u and wbinfo -g work fine

I upgraded some other servers which are DC's and those work fine.

winbind.log shows
[2010/10/21 14:06:13.918006,  3] 
winbindd/winbindd_misc.c:352(winbindd_interface_version)

  [16709]: request interface version
[2010/10/21 14:06:13.918103,  3] 
winbindd/winbindd_misc.c:385(winbindd_priv_pipe_dir)

  [16709]: request location of privileged pipe
[2010/10/21 14:06:13.918288,  3] 
winbindd/winbindd_getgrent.c:51(winbindd_getgrent_send)

  [16709]: getgrent
[2010/10/21 14:06:14.618332,  5] 
winbindd/winbindd_getgrent.c:149(winbindd_getgrent_recv)

  getgrent failed: NT_STATUS_NONE_MAPPED

Relevant parts of smb.conf

security = domain
   ldap ssl = Off

   idmap backend = ldap:ldap://170.130.105.39
   idmap uid = 8-9
   idmap gid = 8-9
   idmap alloc backend = ldap
   idmap alloc config: ldap_url = ldap://170.130.105.39
   idmap alloc config: ldap_base_dn = ou=idmap,dc=gibb,dc=co,dc=za
   idmap alloc config: ldap_user_dn = 
cn=admin,ou=people,dc=gibb,dc=co,dc=za

   idmap alloc config: range = 8-9

password server = *
   winbind enum groups = yes
   winbind enum users = yes

Relevant part of nsswitch.conf
passwd: compat winbind
group:  compat winbind
shadow: compat

hosts:  files dns wins



--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba

Re: [Samba] getent and a lot of users

2010-08-16 Thread Michal Dobroczynski

Hello,

On 16 August 2010 14:38, raveenpl ravee...@gmail.com wrote:

 Hi,

 In my environment I have windows ads domain with 180k users.

 I use Samba 3.5.4 and I noticed that not always all users are returned when
 I use getent command (sometimes it is half of whole list, sometimes this
 list is empty).

 Anybody has similar problem?

ads domain - where do you pull your data from? Is it OpenLDAP or AD?

Check if it's not your backend that limits the size of the answer.
OpenLDAP has a configuration directive called sizelimit (more in man
slapd.conf).

That would be my first suggestion. I also recommend ngrep for checking
things up.

Regards,
Michal



 --
 View this message in context: 
 http://old.nabble.com/getent-and-a-lot-of-users-tp29449147p29449147.html
 Sent from the Samba - General mailing list archive at Nabble.com.

 --
 To unsubscribe from this list go to the following URL and read the
 instructions:  https://lists.samba.org/mailman/options/samba

-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba

Re: [Samba] getent acting unreliable with idmap_ad

2010-08-07 Thread Robert Grasso

Hello Nico,

I am unsure I will be able to help you further with this topic, I am not a 
Samba nor AD master ...

 I already list my servers in password server =, altough I 
 do have the
 impression that Samba may have problems with my 2008R2 
 servers. I'll try
 playing with the settings.

I cannot tell for 2008R2, we don't have this version yet ...

 
  - I stated clearly my /etc/krb5.conf
 
 Do you mean fill in /etc/krb5.conf properly or should I refer to it
 somewhere in the smb.conf file?  I'm sure my krb5.conf is correct is I
 was using it in my old setup using kerberos+ldap authentication.  I
 found some reference on the Internet to an smb.conf variable use
 kerberos keytab = yes however this doesn't seem to be accepted for
 Samba 3.4.7

I just filled it up properly, but did not mention Kerberos in any way in 
smb.conf

Best regards

---
Robert GRASSO 
System Engineer

CEDRAT
15, Chemin de Malacher - Inovallée - 38246 MEYLAN Cedex - FRANCE 
Tel: +33 (0)4 76 90 50 45 Fax: +33 (0)4 76 90 16 09
mailto:robert.gra...@cedrat.com
---
Support service   : mailto:supp...@cedrat.com 
Commercial service : mailto:ced...@cedrat.com 
Web site  : http://www.cedrat.com 

-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba

Re: [Samba] getent acting unreliable with idmap_ad

2010-08-03 Thread Robert Grasso


  I just filled it up properly, but did not mention Kerberos 
 in any way in smb.conf
 
 Doh, that's what I have too.
 
 Any chance you could send me a copy of your smb.conf?
 

well, no problem, I am sure it is not a great piece of smb.conf, actually : 
here it is : it is the one for my desktop : I removed
the comments and our private names and IPs :

[global]
   netbios name = short
   workgroup = WG
   realm = WG.LAN
   server string = Samba Server - long_name
   hosts allow = 10.0. 127.
   smb ports = 445
   #printcap name = /etc/printcap
   printcap name = cups
   load printers = yes
printing = cups
cups options = raw
 log level = 1
 log file = /var/log/samba/%m.log
   max log size = 1
   security = ADS
password server = s1,s2
   encrypt passwords = yes
   socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
   preferred master = no
name resolve order = wins bcast
wins server = IP1 IP2
   dns proxy = yes 
   idmap domains = ALLDOMAINS
   idmap config ALLDOMAINS:backend = ad
   idmap config ALLDOMAINS:default = yes
   idmap config ALLDOMAINS:schema_mode = sfu
   idmap config ALLDOMAINS:range = 500 - 2
   template homedir = /home/%U
   winbind use default domain = yes
   winbind separator = +
   winbind enum users = yes
   winbind enum groups = yes
   winbind nss info = template sfu
   winbind offline logon = true
   winbind refresh tickets = true

Some comments : 
- I used netbios name, as my desktop Unix name is longer than 15 characters - 
Windows or Samba did not like it ...
- we have two names for our AD domain - our winadmin did not solve this issue 
so far, thus I put one name as the workgroup and the
other name as the kerberos realm ...
- I let template homedir in smb.conf by sheer lazyness, with SFU I don't use 
it
- I used to set winbind offline logon and winbind refresh tickets when my 
Samba was unstable, they were tests - then, once I
found the true solution, lazyness again ...

Hope this helps
---
Robert GRASSO 
System Engineer

CEDRAT
15, Chemin de Malacher - Inovallée - 38246 MEYLAN Cedex - FRANCE 
Tel: +33 (0)4 76 90 50 45 Fax: +33 (0)4 76 90 16 09
mailto:robert.gra...@cedrat.com
---
Support service   : mailto:supp...@cedrat.com 
Commercial service : mailto:ced...@cedrat.com 
Web site  : http://www.cedrat.com 

-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba

Re: [Samba] getent acting unreliable with idmap_ad

2010-08-02 Thread Nico De Ranter


Hi Robert,

thanks for your reply.


On Fri, 2010-07-30 at 17:45 +0200, Robert Grasso wrote:
 Hello,
 
 I personally solved my stability issues when, rather than letting Samba find 
 automatically the AD servers, I stated them clearly : 
 
 - I stated clearly my password server = in smb.conf

I already list my servers in password server =, altough I do have the
impression that Samba may have problems with my 2008R2 servers. I'll try
playing with the settings.

 - I stated clearly my /etc/krb5.conf

Do you mean fill in /etc/krb5.conf properly or should I refer to it
somewhere in the smb.conf file?  I'm sure my krb5.conf is correct is I
was using it in my old setup using kerberos+ldap authentication.  I
found some reference on the Internet to an smb.conf variable use
kerberos keytab = yes however this doesn't seem to be accepted for
Samba 3.4.7


 I am running on CentOS 5.5, samba 3.0.33.
 
 Apart from that : I have installed SFU on my Windows 2003 AD servers; to me, 
 it seems that getent passwd username yields a result
 for the accounts which have an Unix account declared in AD through the Unix 
 attributes, and only for these ones (?).

I think that's expected behaviour. idmap_ad looks upo uid/gid from AD
but doesn't create its own mapping if it doesn't find one. So any user
that doesn't have a proper unix uid/gid field won't show up.  I also
noticed idmap_ad looks at the Windows Primary Group as gid in stead of
the group field on the unix tab. Therefor the Windows Primary Group also
needs to have a valid unix id assigned.

Nico




-- 
With kind regards

Nico De Ranter
Senior System Administrator
Techsoft Centre

Technology and Software Centre Europe
The Corporate Village - Da Vincilaan 7-D1 - B-1935 Zaventem - Belgium

Phone:+32 (0)2 700 8641
Fax:  +32 (0)2 700 8622
E-mail:nico.deran...@eu.sony.com

A division of Sony Europe (Belgium) N.V.
VAT BE 0413.825.160 - RPR Brussels
Fortis - BIC GEBABEBB - IBAN BE41293037680010



-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba

Re: [Samba] getent acting unreliable with idmap_ad

2010-08-02 Thread Nico De Ranter


Hi Robert,

On Mon, 2010-08-02 at 11:32 +0200, Robert Grasso wrote:
 Hello Nico,
 
 I am unsure I will be able to help you further with this topic, I am not a 
 Samba nor AD master ...

Thanks for trying anyway. Very much appreciated :-)

 
  I already list my servers in password server =, altough I 
  do have the
  impression that Samba may have problems with my 2008R2 
  servers. I'll try
  playing with the settings.
 
 I cannot tell for 2008R2, we don't have this version yet ...
 
  
   - I stated clearly my /etc/krb5.conf
  
  Do you mean fill in /etc/krb5.conf properly or should I refer to it
  somewhere in the smb.conf file?  I'm sure my krb5.conf is correct is I
  was using it in my old setup using kerberos+ldap authentication.  I
  found some reference on the Internet to an smb.conf variable use
  kerberos keytab = yes however this doesn't seem to be accepted for
  Samba 3.4.7
 
 I just filled it up properly, but did not mention Kerberos in any way in 
 smb.conf

Doh, that's what I have too.

Any chance you could send me a copy of your smb.conf?

Nico



-- 
With kind regards

Nico De Ranter
Senior System Administrator
Techsoft Centre

Technology and Software Centre Europe
The Corporate Village - Da Vincilaan 7-D1 - B-1935 Zaventem - Belgium

Phone:+32 (0)2 700 8641
Fax:  +32 (0)2 700 8622
E-mail:nico.deran...@eu.sony.com

A division of Sony Europe (Belgium) N.V.
VAT BE 0413.825.160 - RPR Brussels
Fortis - BIC GEBABEBB - IBAN BE41293037680010



-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba

Re: [Samba] getent acting unreliable with idmap_ad

2010-07-30 Thread Robert Grasso

Hello,

I personally solved my stability issues when, rather than letting Samba find 
automatically the AD servers, I stated them clearly : 

- I stated clearly my password server = in smb.conf
- I stated clearly my /etc/krb5.conf

I am running on CentOS 5.5, samba 3.0.33.

Apart from that : I have installed SFU on my Windows 2003 AD servers; to me, it 
seems that getent passwd username yields a result
for the accounts which have an Unix account declared in AD through the Unix 
attributes, and only for these ones (?).

Regards

---
Robert GRASSO  System engineer

CEDRAT S.A.
15 Chemin de Malacher - Inovallée - 38246 MEYLAN cedex - FRANCE 
Phone: +33 (0)4 76 90 50 45 - Fax: +33 (0)4 56 38 08 30
mailto:robert.gra...@cedrat.com - http://www.cedrat.com  

 -Message d'origine-
 De : samba-boun...@lists.samba.org 
 [mailto:samba-boun...@lists.samba.org] De la part de Nico De Ranter
 Envoyé : 30 juillet 2010 13:44
 À : samba@lists.samba.org
 Objet : [Samba] getent acting unreliable with idmap_ad
 
 
 I'm trying to get my linux boxes to authenticate to AD using 
 winbind. I
 need to get my uid's from AD so I'm using idmap_ad.
 
 I got to the point where 'getent passwd' shows me the list of 
 unix users
 from AD with all correct details, however when I do  'getent passwd
 username' for any username from the list returned by 
 'getent passwd' I
 get an empty reply (getent returns error code 2) and I can't 
 login using
 those users.
 
 As a matter of fact on one of my testmachines it works sometimes.
 'getent passwd nico' will return my user details and I can logon
 properly but when the system has been quiet for some time it seems to
 forget about the account again.
 
 Anybody seen this before? Any suggestions on how to debug this?
 
 I'm trying this on Ubuntu 9.10 and 10.04.
 
 Thanks in advance,
 
 Nico
 
 
 
 -- 
 With kind regards
 
 Nico De Ranter
 Senior System Administrator
 Techsoft Centre
 
 Technology and Software Centre Europe
 The Corporate Village - Da Vincilaan 7-D1 - B-1935 Zaventem - Belgium
 
 Phone:+32 (0)2 700 8641
 Fax:  +32 (0)2 700 8622
 E-mail:nico.deran...@eu.sony.com
 
 A division of Sony Europe (Belgium) N.V.
 VAT BE 0413.825.160 - RPR Brussels
 Fortis - BIC GEBABEBB - IBAN BE41293037680010
 
 
 
 **
 **
 The information contained in this message or any of its 
 attachments may be confidential and is intended for the 
 exclusive use of the addressee(s).  Any disclosure, 
 reproduction, distribution or other dissemination or use of 
 this communication is strictly prohibited without the express 
 permission of the sender.  The views expressed in this email 
 are those of the individual and not necessarily those of Sony 
 or Sony affiliated companies.  Sony email is for business use only.
 
 This email and any response may be monitored by Sony to be in 
 compliance with Sony's global policies and standards
 
 
 -- 
 To unsubscribe from this list go to the following URL and read the
 instructions:  https://lists.samba.org/mailman/options/samba
 

-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba

Re: [Samba] getent behavior since 3.5.x

2010-06-28 Thread Andrew Masterson

-Original Message-
From: samba-boun...@lists.samba.org
[mailto:samba-boun...@lists.samba.org] On Behalf Of Steve Chupack
Sent: Saturday, June 26, 2010 6:18 PM
To: samba@lists.samba.org
Subject: Re: [Samba] getent behavior since 3.5.x

I can confirm that I've always had to manually replace the system's
libnss_windbind files with those in [samba source]/nssswitch. 

On Sat, 26 Jun 2010 16:39:42 -0400
Gaiseric Vandal gaiseric.van...@gmail.com wrote:

 Are you use the nss_winbind or winbind_nss files compiled?   They may
be in
 a separate directory or explicitly require make nsswitch command.  

 -Original Message-
 From: samba-boun...@lists.samba.org
[mailto:samba-boun...@lists.samba.org]
 On Behalf Of David Boyd
 Sent: Friday, June 25, 2010 12:44 PM
 To: sa...@samba.org
 Subject: [Samba] getent behavior since 3.5.x

 Since upgrading to samba 3.5.x (x=2,3,4) from samba 3.4.8 and
samba-3.3.12
 on FreeBSD versions 6.4, 7.3 and 8.0, getent has failed to return
samba
 group or user entries displaying only the local unix group and
password
 data.

 wbinfo -u and wbinfo -g seem to work just fine.

 No smb.conf changes were made during the upgrades.

 Falling back to samba 3.4.8 resolves this issue.

 Logins using the samba credentials always work without regard to
version.

 Several bug reports exist which describe these problems although not
 specifically for FreeBSD.

 Is this expected behavior?  I realize that getent isn't a samba
utility.

 Should another bug report be submitted?  What info? debug level?

 Thanks for any reply.

-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba

Existing bug:

https://bugzilla.samba.org/show_bug.cgi?id=7355 
-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba

Re: [Samba] getent behavior since 3.5.x

2010-06-26 Thread Gaiseric Vandal

Are you use the nss_winbind or winbind_nss files compiled?   They may  be in
a separate directory or explicitly require make nsswitch command.  

-Original Message-
From: samba-boun...@lists.samba.org [mailto:samba-boun...@lists.samba.org]
On Behalf Of David Boyd
Sent: Friday, June 25, 2010 12:44 PM
To: sa...@samba.org
Subject: [Samba] getent behavior since 3.5.x

Since upgrading to samba 3.5.x (x=2,3,4) from samba 3.4.8 and samba-3.3.12
on FreeBSD versions 6.4, 7.3 and 8.0, getent has failed to return samba
group or user entries displaying only the local unix group and password
data.

wbinfo -u and wbinfo -g seem to work just fine.

No smb.conf changes were made during the upgrades.

Falling back to samba 3.4.8 resolves this issue.

Logins using the samba credentials always work without regard to version.

Several bug reports exist which describe these problems although not
specifically for FreeBSD.

Is this expected behavior?  I realize that getent isn't a samba utility.

Should another bug report be submitted?  What info? debug level?

Thanks for any reply.

-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba

-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba

Re: [Samba] getent behavior since 3.5.x

2010-06-26 Thread Steve Chupack

I can confirm that I've always had to manually replace the system's 
libnss_windbind files with those in [samba source]/nssswitch. 

On Sat, 26 Jun 2010 16:39:42 -0400
Gaiseric Vandal gaiseric.van...@gmail.com wrote:

 Are you use the nss_winbind or winbind_nss files compiled?   They may  be in
 a separate directory or explicitly require make nsswitch command.  
 
 -Original Message-
 From: samba-boun...@lists.samba.org [mailto:samba-boun...@lists.samba.org]
 On Behalf Of David Boyd
 Sent: Friday, June 25, 2010 12:44 PM
 To: sa...@samba.org
 Subject: [Samba] getent behavior since 3.5.x
 
 Since upgrading to samba 3.5.x (x=2,3,4) from samba 3.4.8 and samba-3.3.12
 on FreeBSD versions 6.4, 7.3 and 8.0, getent has failed to return samba
 group or user entries displaying only the local unix group and password
 data.
 
 wbinfo -u and wbinfo -g seem to work just fine.
 
 No smb.conf changes were made during the upgrades.
 
 Falling back to samba 3.4.8 resolves this issue.
 
 Logins using the samba credentials always work without regard to version.
 
 Several bug reports exist which describe these problems although not
 specifically for FreeBSD.
 
 Is this expected behavior?  I realize that getent isn't a samba utility.
 
 Should another bug report be submitted?  What info? debug level?
 
 Thanks for any reply.
 
 
-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba

Re: [Samba] Getent passwd and getent group fail / Samba 3.5.2

2010-05-06 Thread Oliver Weinmann

I have investigated further and compared the behaviour of samba 3.3 and
samba 3.5 on 2 identical SLES9 VM's. Samba 3.3 is working as expected
with our Win2k3 SFU Domain and idmap_ad module. Samba 3.5 is not. I
noticed that there are a few kerberos params that have changed in 3.5
but I just can't get 3.5 to work as expected:

sles9test3:~ # testparm
Load smb config files from /etc/samba/smb.conf
rlimit_max: rlimit_max (1024) below minimum Windows limit (16384)
Unknown parameter encountered: use kerberos keytab
Ignoring unknown parameter use kerberos keytab
Loaded services file OK.
Server role: ROLE_DOMAIN_MEMBER
Press enter to see a dump of your service definitions

For example I can run getent passwd and getent group fine under 3.3 but
not under 3.5. Also I created a user in AD tuser2 this user is visible
within 1 minute under 3.3 under 3.5 it's not even visible after a
reboot. Also group memberships of AD users are not updated under 3.5.2.

I'm not sure if this is a bug. I tried a lot of things in smb.conf but
it just doesn't work. At the moment I have to consider going back to
3.3.

I googled a lot in the past days to find a correct smb.conf for 3.5 and
idmap_ad but it's really hard to find a well documented howto.

I would really appreciate if someone has a look on this.

Here is my smb.conf:

[global]
netbios name = sles9test1
realm = SOMEDOMAIN.NET
workgroup = SOMEDOMAIN
security = ADS
encrypt passwords = yes
password server = dc.somedomain.net
os level = 20
idmap backend = ad
idmap config SOMEDOMAIN : backend = ad
idmap config SOMEDOMAIN : schema_mode = sfu
idmap config SOMEDOMAIN : range = 0-
winbind nss info = sfu
winbind enum users = yes
winbind enum groups = yes
preferred master = no
winbind nested groups = Yes
winbind use default domain = Yes
max log size = 50
log level = 10
log file = /var/log/samba/log.%m
dns proxy = no
wins server = 172.20.200.18 172.18.200.20
allow trusted domains = no
client use spnego = Yes
use kerberos keytab = true
winbind refresh tickets = yes
idmap cache time = 1
winbind cache time = 1
-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba

Re: [Samba] Getent passwd and getent group fail / Samba 3.5.2

2010-05-05 Thread Oliver Weinmann

Im really totally lost about this problem. I tried a lot of things in
smb.conf but it just doesn't work. I mean it is working fine on 3.3.2 so
I don't think this is a problem in AD. It must be something that has
changed in the config of 3.5.2

-Original Message-
From: samba-boun...@lists.samba.org
[mailto:samba-boun...@lists.samba.org] On Behalf Of Oliver Weinmann
Sent: Dienstag, 4. Mai 2010 10:21
To: samba@lists.samba.org
Subject: [Samba] Getent passwd and getent group fail / Samba 3.5.2

Hi all,

I just stepped over a problem where I can't add a local user to an AD
group. Running getent passwd and getent group doesn't display the AD
users. Wbinfo -g and -u work fine. Here is my smb.conf:

[global]
netbios name = sles11test1
realm = SOMEDOMAIN.NET
workgroup = SOMEDOMAIN
security = ADS
encrypt passwords = yes
password server = someserver.somedomain.net
idmap backend = ad
idmap config SOMEDOMAIN : backend = ad
idmap config SOMEDOMAIN : schema_mode = sfu
idmap config SOMEDOMAIN : range = 0-
winbind nss info = sfu
winbind enum users = yes
winbind enum groups = yes
winbind offline logon = yes
preferred master = no
winbind nested groups = Yes
winbind use default domain = Yes
max log size = 50
log file = /var/log/samba/log.%m
log level = 3
dns proxy = no
wins server = 172.20.200.18 172.18.200.20
allow trusted domains = No
client use spnego = Yes
kerberos method = secrets and keytab
dedicated keytab file = /etc/krb5.keytab
winbind refresh tickets = true
idmap cache time = 1
idmap negative cache time = 1
winbind cache time = 1

In the log I get this error when running getent group:

tail -f /var/log/samba/log.winbindd-idmap
  Could not get unix ID
[2010/05/04 10:15:29.444783,  1]
winbindd/idmap_ad.c:651(idmap_ad_sids_to_unixids)
  Could not get unix ID

Getent group and passwd works fine e.g. on an old ubuntu install with
samba 3.3.2.

So far I have this problem on SLES9 and SLES11.
-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba

Re: [Samba] Getent passwd and getent group fail / Samba 3.5.2

2010-05-04 Thread Mike Leone


On 5/4/2010 4:20 AM, Oliver Weinmann had this to say:

Hi all,

I just stepped over a problem where I can't add a local user to an AD group. 
Running getent passwd and getent group doesn't display the AD users. Wbinfo -g 
and -u work fine. Here is my smb.conf:


snip


In the log I get this error when running getent group:

tail -f /var/log/samba/log.winbindd-idmap
   Could not get unix ID
[2010/05/04 10:15:29.444783,  1] 
winbindd/idmap_ad.c:651(idmap_ad_sids_to_unixids)
   Could not get unix ID


Doesn't that indicate that Samba thinks the SFU extensions aren't 
installed? What is the version of AD? Is it 2003 R2, or 2003 with SFU 
installed?


--
Michael J. Leone, mailto:tur...@mike-leone.com

PGP Fingerprint: 0AA8 DC47 CB63 AE3F C739 6BF9 9AB4 1EF6 5AA5 BCDF
Photo Gallery: http://www.flickr.com/photos/mikeleonephotos

USER ERROR: replace user and press any key to continue.

--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba

Re: [Samba] getent passwd problem

2009-12-23 Thread Wasim Bashir

Hi,

I have replicated this on a test box, if you do a net cache flush, then
restart samba and winbind,

run getent passwd (only displays local users)
then net cache list (will display all cache of remote users)


The only way i know  to fix this is to rename idmap config name and
restart samba/winbind... but a week later the problem will be back..

seems strange to me, is this a bug with 3.3.9 or am i missing something here
?


Thanks,

Wasim

2009/12/22 Gaiseric Vandal gaiseric.van...@gmail.com

 I have similar issues with samba 3.0.37 on Solaris 10.I use winbind and
 ldap for domain trusts (not for the users with in the domain.)  Increasing
 idmap cache time may reduce how often you need to reset things.  When the
 cache time expires I have to zap idmap entries from ldap and zap the idmap
 cache tbd files.   It appears samba can create the cache info but not
 properly update or reread it once the cache has expired.

 I have been testing 3.4.3 and it seems better but I can't say for sure yet.
(Getting samba compiled with ldap and zfs support for Solaris is tricky.)






 On 12/22/09 10:44, Wasim Bashir wrote:

 Hi,

 I am having a weird issue with samba where once a week approximately at
 the
 same time users will lose connectivity,

 if i run

 wbinfo -u  all users are displayed
 wbinfo -g all groups are displayed

 However running getent passwd only shows local-users, no remote users are
 shown..

 To fix the issue I have to change the name of my idmap config and restart
 samba and winbind and everything works fine for a week...

 Am I missing something obvious here ? I have attached my config below :



 [global]
 security = ads
 max mux = 16384
 log file  = /home/sites/samba-log/log.%m

 ldap timeout = 45
 ldap connection timeout = 30
 max open files = 10
 realm =  merlin.internaloffice.co.uk
 password server = 10.0.9.0
 workgroup = WEBHOSTING
 idmap backend = tdb
 idmap uid = 500-200
 idmap gid = 500-200
 winbind enum users = yes
 winbind enum groups = yes
 template homedir = /home/sites/%U
 template shell = /bin/bash
 client use spnego = yes
 client ntlmv2 auth = yes
 encrypt passwords = yes
 winbind use default domain = yes
 winbind nss info = template rfc2307
 restrict anonymous = 2
 idmap config WEBHOSTING : schema_mode = rfc2307
 idmap config WEBHOSTING : backend  = ad
 idmap config WEBHOSTING : range= 500 - 3




 [home]
 hide dot files = no
 path = /home/sites
 read only = no
 dos filetime resolution = yes

 I am using samba 3.3.9, do we know whether this issue has been fixed in
 samba 3.4.x ?

 Any help greatly appreciated.

 Thanks,

 Wasim




-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba

Re: [Samba] getent passwd problem

2009-12-23 Thread Moray Henderson

Wasim Bashir wrote:
I am having a weird issue with samba where once a week approximately at
the
same time users will lose connectivity,

if i run

wbinfo -u  all users are displayed
wbinfo -g all groups are displayed

However running getent passwd only shows local-users, no remote users
are
shown..

To fix the issue I have to change the name of my idmap config and
restart
samba and winbind and everything works fine for a week...

Am I missing something obvious here ? I have attached my config below :



[global]
security = ads
max mux = 16384
log file  = /home/sites/samba-log/log.%m

ldap timeout = 45
ldap connection timeout = 30
max open files = 10
realm =  merlin.internaloffice.co.uk
password server = 10.0.9.0
workgroup = WEBHOSTING
idmap backend = tdb
idmap uid = 500-200
idmap gid = 500-200
winbind enum users = yes
winbind enum groups = yes
template homedir = /home/sites/%U
template shell = /bin/bash
client use spnego = yes
client ntlmv2 auth = yes
encrypt passwords = yes
winbind use default domain = yes
winbind nss info = template rfc2307
restrict anonymous = 2
idmap config WEBHOSTING : schema_mode = rfc2307
idmap config WEBHOSTING : backend  = ad
idmap config WEBHOSTING : range= 500 -
3




[home]
hide dot files = no
path = /home/sites
read only = no
dos filetime resolution = yes

I am using samba 3.3.9, do we know whether this issue has been fixed in
samba 3.4.x ?

Any help greatly appreciated.

Thanks,

Wasim

Could it be a network issue rather than Samba itself - a switch being
turned off briefly, IP address being refreshed, DNS issue - that breaks
the communication with kerberos or PDC?

I heard of one site whose network was interrupted at the same time each
day, which they eventually traced to a heavy delivery lorry crushing a
badly-installed underground cable.


Moray.
To err is human.  To purr, feline




-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba

Re: [Samba] getent doesnt't list group - resolved

2009-11-20 Thread Massimo

Thank you very much, it's one week which I was trying to resolve this problem 
:-)

Perhaps use 'winbind' instead of 'windind' :-)


Bye
Massimo
-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba

Re: [Samba] getent doesnt't list group - resolved

2009-11-20 Thread Massimo

Perhaps use 'winbind' instead of 'windind' :-)

Thank you very much, it's one week which I was trying to resolve this problem 
:-)

Bye
Massimo
-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba

Re: [Samba] getent doesnt't list group

2009-11-19 Thread Adam Nielsen

 my nssswitch.conf
 passwd: compat winbind
 group:  compat windind

Perhaps use 'winbind' instead of 'windind' :-)

Cheers,
Adam.

-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba

Re: [Samba] getent group fails

2009-06-18 Thread Stefan Dengscherz

Hello Kevin,


make sure you don't have winbind enum users = yes  winbind enum
groups = yes turned off in your configuration; it's however set to
yes as default.


Regards,

-sd

2009/6/17 Kevin Blackwell akblack...@gmail.com:
 Hi,

 Well, I'll try to start at what I think the root of my problems are.

 When I do a getent group, I only get a list of the BUILTIN groups.

 BUILTIN+administrators
 BUILTIN+users

 But if I do a wbinfo -g, all the AD groups show up.

 This alone is not the overall problem, but it is creating a problem
 because I need getent to return the groups for logging different AD
 groups to different log files in squid.

 Another problem is the wbinfo_group.pl and I know this is a squid app,
 but from what I understand it used wbinfo.

 /usr/lib/squid/wbinfo_group.pl
 tuser password
 Could not get groups for user tuser

 I can provice config data and anything else necessary.

 Thanks in advance.
 --
 To unsubscribe from this list go to the following URL and read the
 instructions:  https://lists.samba.org/mailman/options/samba

--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba

Re: [Samba] getent group shows AD groups; getent passwd only shows local users

2009-01-23 Thread Tomasz Chmielewski


Brian Gregorcy schrieb:


In log.winbindd I can see errors like:

[2009/01/22 10:44:55, 3] libads/ldap.c:ads_do_paged_search_args(696)
  ads_do_paged_search_args: 
ldap_search_with_timeout((objectCategory=user)) - Operations error
[2009/01/22 10:44:55, 3] 
libads/ldap_utils.c:ads_do_search_retry_internal(76)
  Reopening ads connection to realm 'GEORGIANUT.COM' after error 
Operations error

[2009/01/22 10:44:55, 5] libads/dns.c:sitename_fetch(677)
  sitename_fetch: Returning sitename for georgianut.com: 
Default-First-Site-Name

[2009/01/22 10:44:55, 6] libads/ldap.c:ads_find_dc(294)
  ads_find_dc: looking for realm 'georgianut.com'
[2009/01/22 10:44:55, 8] libsmb/namequery.c:get_sorted_dc_list(1626)
  get_sorted_dc_list: attempting lookup for name georgianut.com 
(sitename Default-First-Site-Name) using [ads]






check that your clock on the linux box matches the clock on the DC.


Just being curios: what time difference is acceptable? I.e. up to 5 
seconds, 5 minutes? That being said, the clocks are in sync.


When I use tcpdump to see what happens when doing getent passwd, I can 
see such error message:


5012 DIR_ERROR

Google suggest such causes for this error:

i.e. LDAP troubleshooting 
kb.adobe.com/selfservice/viewContent.do?externalId=tn_19576


Cause: The DN specified in the User Search tab is incorrect, wrong, or 
incorrectly formatted.


Cause: User could not be found. Most likely due to DN settings in the 
User Search tab or the suffix or prefix fields in the Settings tab.


Cause: Most likely caused by a bad username or password. Common cause of 
this error is a user trying to login with DOMAIN\login instead of just 
login.



However, this doesn't explain why getent group works, and getent 
passwd doesn't.


--
Tomasz Chmielewski
http://wpkg.org
--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/listinfo/samba

Re: [Samba] getent group shows AD groups; getent passwd only shows local users

2009-01-23 Thread Brian Gregorcy




check that your clock on the linux box matches the clock on the DC.


Just being curios: what time difference is acceptable? I.e. up to 5 
seconds, 5 minutes? That being said, the clocks are in sync.





I think the default is 5 minutes.  We have seen odd problems like this when our 
Linux boxes clock skew to far from our DC.

--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/listinfo/samba

Re: [Samba] getent group shows AD groups; getent passwd only shows local users

2009-01-22 Thread Brian Gregorcy




Tomasz Chmielewski wrote:

I had winbind configured so that it could fetch users from AD.
Everything was working properly, but something happened in the past 
couple of days (no change in the Samba config) I'm not able to diagnose.


getent group enumerates groups, getent passwd doesn't.

wbinfo -g returns groups, whereas I get this error when trying to get 
users:


# wbinfo -u
Error looking up domain users

# net rpc join -S GNCNET -U user_linux
Password:
Joined domain NUT.

# net ads join -S GNCNET -U user_linux
user_linux's password:
[2009/01/22 10:37:06, 0] utils/net_ads.c:ads_startup_int(286)
  ads_connect: No logon servers
Failed to join domain: No logon servers


I see the Samba machine sends and receives packets on port 389 when I do 
getent passwd, but just no users are returned.


Ideas?


This is my smb.conf:

   workgroup = NUT
   password server = GNCNET
   realm = GNCNET.GEORGIANUT.COM
   security = ads
   idmap uid = 1-2
   idmap gid = 1-2
   winbind separator = +
   template homedir = /home/%D/cbl
   template shell = /bin/bash
   winbind use default domain = true
   winbind offline logon = false

server string = Samba Server %v
encrypt passwords = Yes

log file = /var/log/samba/log.%m
max log size = 100
log level = 8

os level = 18
local master = No
dns proxy = No

winbind enum users = yes
winbind enum groups = yes


In log.winbindd I can see errors like:

[2009/01/22 10:44:55, 3] libads/ldap.c:ads_do_paged_search_args(696)
  ads_do_paged_search_args: 
ldap_search_with_timeout((objectCategory=user)) - Operations error
[2009/01/22 10:44:55, 3] 
libads/ldap_utils.c:ads_do_search_retry_internal(76)
  Reopening ads connection to realm 'GEORGIANUT.COM' after error 
Operations error

[2009/01/22 10:44:55, 5] libads/dns.c:sitename_fetch(677)
  sitename_fetch: Returning sitename for georgianut.com: 
Default-First-Site-Name

[2009/01/22 10:44:55, 6] libads/ldap.c:ads_find_dc(294)
  ads_find_dc: looking for realm 'georgianut.com'
[2009/01/22 10:44:55, 8] libsmb/namequery.c:get_sorted_dc_list(1626)
  get_sorted_dc_list: attempting lookup for name georgianut.com 
(sitename Default-First-Site-Name) using [ads]






check that your clock on the linux box matches the clock on the DC.


--Brian






--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/listinfo/samba

Re: [Samba] 'getent passwd' shows duplicate user accounts

2008-08-11 Thread André Welter

Hi,

David Collins schrieb:
 Hello,

 I am setting up an LDAP Samba server, and have migrated all the local
 posix account info into it as well as creating the smb account info.

 I have now set up this server to use LDAP for authentication (rather
 than /etc/passwd, etc.) like so ...
 sudo apt-get --yes install ldap-auth-client
 sudo auth-client-config -a -p lac_ldap

 When testing the result with 'getent passwd', I see all the LDAP user
 accounts, but it seems the info in /etc/passwd file is also reported.

 Is this normal?
   

Have a look at your /etc/nsswitch.conf. If it contains something like this:
passwd: files ldap
group:  files ldap
shadow: files ldap

(while 'files' could also read 'compat') it is indeed normal and
normally it should be left this way so you have authentication during
system startup before ldap becomes available.

Cheers,

André



--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/listinfo/samba

Re: [Samba] 'getent passwd' shows duplicate user accounts

2008-08-11 Thread David Collins

Thanks for the advice, Andre.
Yes, the lines do say 'files ldap'.  I will leave it as is.


On Mon, 2008-08-11 at 08:52 +0200, André Welter wrote:

 Hi,
 
 David Collins schrieb:
  Hello,
 
  I am setting up an LDAP Samba server, and have migrated all the local
  posix account info into it as well as creating the smb account info.
 
  I have now set up this server to use LDAP for authentication (rather
  than /etc/passwd, etc.) like so ...
  sudo apt-get --yes install ldap-auth-client
  sudo auth-client-config -a -p lac_ldap
 
  When testing the result with 'getent passwd', I see all the LDAP user
  accounts, but it seems the info in /etc/passwd file is also reported.
 
  Is this normal?

 
 Have a look at your /etc/nsswitch.conf. If it contains something like this:
 passwd: files ldap
 group:  files ldap
 shadow: files ldap
 
 (while 'files' could also read 'compat') it is indeed normal and
 normally it should be left this way so you have authentication during
 system startup before ldap becomes available.
 
 Cheers,
 
 Andr
 
 
 
 
-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/listinfo/samba

Re: [Samba] Getent troubles.

2008-07-14 Thread Jeremy Allison

On Mon, Jul 14, 2008 at 12:20:01PM -0500, [EMAIL PROTECTED] wrote:
 I've joined a box to my windows 2003 ad domain.  I can use wbinfo u/g
 with no problems.   I can also run getent passwd and it returns local
 and domain accounts.  However, when I run getent group it hangs.   Not
 sure why.  I have to restart windbind after this, also.  Anybody have
 any ideas or pointer?

What version of Samba ? What OS is it running on ?

Jeremy.
-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/listinfo/samba

Re: [Samba] getent not listing ADS users ctdb samba

2008-06-03 Thread devel

Did you copy the libnss_winbind.so to /lib and make a libnss_winbind.so.2
link out of it ?



 Hi,



 I am setting up ctdb samba, and have hit a brick wall trying to solve the
 following issue.



 1.getent does not retrieve the list of domain users or groups (wbinfo
 works fine)



 I'm not sure what I'm missing but I've almost spent the whole day trying
 to
 resolve this one and haven't made any progress :-(



 Any help or suggestions are appreciated



 My configuration is as follows



 Installed pre-built RHEL binaries from ctdb.samba

 ctdb-1.0-41.src.rpm

 ctdb-1.0-41.x86_64.rpm

 ctdb-debuginfo-1.0-41.x86_64.rpm

 samba-3.0.25-ctdb.16.src.rpm

 samba-3.0.25-ctdb.16.x86_64.rpm

 samba-client-3.0.25-ctdb.16.x86_64.rpm

 samba-common-3.0.25-ctdb.16.x86_64.rpm

 samba-debuginfo-3.0.25-ctdb.16.x86_64.rpm

 samba-doc-3.0.25-ctdb.16.x86_64.rpm

 samba-swat-3.0.25-ctdb.16.x86_64.rpm

 samba-winbind-32bit-3.0.25-ctdb.16.i386.rpm





 SMB.CONF

 [global]

 workgroup = PLANET

 realm = PLANET.AD

 netbios name = CTDBSAMBA

 server string = CTDB Samba Server

 security = ADS

 private dir = /gpfs/gpfs0/SMBDconfig

 log file = /usr/local/samba/var/log.%m

 max log size = 50

 clustering = Yes

 dns proxy = No

 ldap ssl = no

 idmap backend = tdb2

 idmap uid = 1-2

 idmap gid = 1-2

 winbind separator = +



 [homes]

 comment = Home Directories

 read only = No

 browseable = No



 [printers]

 comment = All Printers

 path = /usr/spool/samba

 printable = Yes

 browseable = No



 [GPFSGLOBAL]

 comment = GPFS Global Share

 path = /gpfs/gpfs0/GLOBALSHARE

 read only = No

 force unknown acl user = Yes

 vfs objects = gpfs

 nfs4:acedup = merge

 nfs4:chown = yes

 nfs4:mode = special

 gpfs:sharemodes = No

 fileid:mapping = fsname





 KRB5.CONF

 [logging]

  default = FILE:/var/log/krb5libs.log

  kdc = FILE:/var/log/krb5kdc.log

  admin_server = FILE:/var/log/kadmind.log



 [libdefaults]

 default_realm = PLANET.AD



 [realms]

  PLANET.AD = {

 kdc = msad2k3.planet.ad

 admin_server = msad2k3

  }



 [domain_realm]

 .msad2k3.planet.ad = PLANET.AD



 [appdefaults]

  pam = {

debug = false

ticket_lifetime = 36000

renew_lifetime = 36000

forwardable = true

krb4_convert = false

  }



 NSSWITCH.CONF

 passwd: files winbind

 shadow: files

 group:  files winbind





 SYSTEM-AUTH

 #%PAM-1.0

 # This file is auto-generated.

 # User changes will be destroyed the next time authconfig is run.

 authrequired  pam_env.so



 ### WINBIND AUTH ###

 authsufficient  /lib/security/pam_winbind.so



 authsufficientpam_unix.so nullok try_first_pass

 authrequisite pam_succeed_if.so uid = 500 quiet

 authrequired  pam_deny.so





 ### WINBIND AUTH ###

 accountsufficient  /lib/security/pam_winbind.so



 account required  pam_unix.so

 account sufficientpam_succeed_if.so uid  500 quiet

 account required  pam_permit.so



 passwordrequisite pam_cracklib.so try_first_pass retry=3

 passwordsufficientpam_unix.so md5 shadow nullok try_first_pass
 use_authtok

 passwordrequired  pam_deny.so



 session optional  pam_keyinit.so revoke

 session required  pam_limits.so

 session [success=1 default=ignore] pam_succeed_if.so service in crond
 quiet use_uid

 session required  pam_unix.so



 --
 To unsubscribe from this list go to the following URL and read the
 instructions:  https://lists.samba.org/mailman/listinfo/samba


 Message scanned by ClamAV engine (http://www.clamav.net)
 



-- 
François Legal


Message scanned by ClamAV engine (http://www.clamav.net)

-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/listinfo/samba

RE: [Samba] getent not listing ADS users ctdb samba

2008-06-03 Thread Evan Koutsandreou


this seems to have been created during the rpm install, see below

[EMAIL PROTECTED] samba]# rpm -ql samba-winbind-32bit-3.0.25-ctdb.16
/lib/libnss_winbind.so
/lib/libnss_winbind.so.2
/lib/libnss_wins.so
/lib/libnss_wins.so.2
/lib/security/pam_winbind.so

 

[EMAIL PROTECTED] samba]# ls -lasp /lib | grep libnss
  40 -rwxr-xr-x  1 root root   36340 Jul  5  2007 libnss_compat-2.5.so
   4 lrwxrwxrwx  1 root root  20 May 26 08:37 libnss_compat.so.2 -
libnss_compat-2.5.so
 816 -rwxr-xr-x  1 root root  824900 Jul 13  2006 libnss_db-2.2.so
   4 lrwxrwxrwx  1 root root  16 May 26 08:39 libnss_db.so.2 -
libnss_db-2.2.so
  28 -rwxr-xr-x  1 root root   21848 Jul  5  2007 libnss_dns-2.5.so
   4 lrwxrwxrwx  1 root root  17 May 26 08:37 libnss_dns.so.2 -
libnss_dns-2.5.so
  52 -rwxr-xr-x  1 root root   46740 Jul  5  2007 libnss_files-2.5.so
   4 lrwxrwxrwx  1 root root  19 May 26 08:37 libnss_files.so.2 -
libnss_files-2.5.so
  28 -rwxr-xr-x  1 root root   22752 Jul  5  2007 libnss_hesiod-2.5.so
   4 lrwxrwxrwx  1 root root  20 May 26 08:37 libnss_hesiod.so.2 -
libnss_hesiod-2.5.so
3036 -rwxr-xr-x  1 root root 3099444 Jul  6  2007 libnss_ldap-2.5.so
   4 lrwxrwxrwx  1 root root  18 May 26 08:40 libnss_ldap.so.2 -
libnss_ldap-2.5.so
  48 -rwxr-xr-x  1 root root   42368 Jul  5  2007 libnss_nis-2.5.so
  60 -rwxr-xr-x  1 root root   51696 Jul  5  2007 libnss_nisplus-2.5.so
   4 lrwxrwxrwx  1 root root  21 May 26 08:37 libnss_nisplus.so.2 -
libnss_nisplus-2.5.so
   4 lrwxrwxrwx  1 root root  17 May 26 08:37 libnss_nis.so.2 -
libnss_nis-2.5.so
  20 -rwxr-xr-x  1 root root   19408 Jan 31 10:30 libnss_winbind.so
   0 lrwxrwxrwx  1 root root  17 Jun  3 18:36 libnss_winbind.so.2 -
libnss_winbind.so
1016 -rwxr-xr-x  1 root root 1032916 Jan 31 10:30 libnss_wins.so
   0 lrwxrwxrwx  1 root root  14 Jun  3 18:36 libnss_wins.so.2 -
libnss_wins.so

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On
Behalf Of Evan Koutsandreou
Sent: Tuesday, 3 June 2008 7:09 PM
To: samba@lists.samba.org
Subject: [Samba] getent not listing ADS users ctdb samba

 

Hi,

 

I am setting up ctdb samba, and have hit a brick wall trying to solve the
following issue.

 

1.  getent does not retrieve the list of domain users or groups (wbinfo
works fine)

 

I'm not sure what I'm missing but I've almost spent the whole day trying to
resolve this one and haven't made any progress :-(

 

Any help or suggestions are appreciated

 

My configuration is as follows

 

Installed pre-built RHEL binaries from ctdb.samba

ctdb-1.0-41.src.rpm

ctdb-1.0-41.x86_64.rpm

ctdb-debuginfo-1.0-41.x86_64.rpm

samba-3.0.25-ctdb.16.src.rpm

samba-3.0.25-ctdb.16.x86_64.rpm

samba-client-3.0.25-ctdb.16.x86_64.rpm

samba-common-3.0.25-ctdb.16.x86_64.rpm

samba-debuginfo-3.0.25-ctdb.16.x86_64.rpm

samba-doc-3.0.25-ctdb.16.x86_64.rpm

samba-swat-3.0.25-ctdb.16.x86_64.rpm

samba-winbind-32bit-3.0.25-ctdb.16.i386.rpm

 

 

SMB.CONF

[global]

workgroup = PLANET

realm = PLANET.AD

netbios name = CTDBSAMBA

server string = CTDB Samba Server

security = ADS

private dir = /gpfs/gpfs0/SMBDconfig

log file = /usr/local/samba/var/log.%m

max log size = 50

clustering = Yes

dns proxy = No

ldap ssl = no

idmap backend = tdb2

idmap uid = 1-2

idmap gid = 1-2

winbind separator = +

 

[homes]

comment = Home Directories

read only = No

browseable = No

 

[printers]

comment = All Printers

path = /usr/spool/samba

printable = Yes

browseable = No

 

[GPFSGLOBAL]

comment = GPFS Global Share

path = /gpfs/gpfs0/GLOBALSHARE

read only = No

force unknown acl user = Yes

vfs objects = gpfs

nfs4:acedup = merge

nfs4:chown = yes

nfs4:mode = special

gpfs:sharemodes = No

fileid:mapping = fsname

 

 

KRB5.CONF

[logging]

 default = FILE:/var/log/krb5libs.log

 kdc = FILE:/var/log/krb5kdc.log

 admin_server = FILE:/var/log/kadmind.log

 

[libdefaults]

default_realm = PLANET.AD

 

[realms]

 PLANET.AD = {

kdc = msad2k3.planet.ad

admin_server = msad2k3

 }

 

[domain_realm]

.msad2k3.planet.ad = PLANET.AD

 

[appdefaults]

 pam = {

   debug = false

   ticket_lifetime = 36000

   renew_lifetime = 36000

   forwardable = true

   krb4_convert = false

 }

 

NSSWITCH.CONF

passwd: files winbind

shadow: files

group:  files winbind

 

 

SYSTEM-AUTH

#%PAM-1.0

# This file is auto-generated.

# User changes will be destroyed the next time authconfig is run.

authrequired  pam_env.so

 

### WINBIND AUTH ###

authsufficient  /lib/security/pam_winbind.so

 

authsufficientpam_unix.so nullok try_first_pass

authrequisite pam_succeed_if.so uid = 500 quiet

auth

Re: [Samba] getent not listing ADS users ctdb samba

2008-06-03 Thread John Hodrien


On Tue, 3 Jun 2008, Evan Koutsandreou wrote:


1.  getent does not retrieve the list of domain users or groups (wbinfo
works fine)


Do you mean getent passwd, or getent passwd foo?

If you mean the former, then you need:

winbind enum groups = yes
winbind enum users  = yes

jh

--
Woman was God's second mistake.-- Nietzsche
--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/listinfo/samba

RE: [Samba] getent not listing ADS users ctdb samba

2008-06-03 Thread Evan Koutsandreou

That's worked, thanks a million!! 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On
Behalf Of John Hodrien
Sent: Tuesday, 3 June 2008 8:11 PM
Cc: samba@lists.samba.org
Subject: Re: [Samba] getent not listing ADS users ctdb samba

On Tue, 3 Jun 2008, Evan Koutsandreou wrote:

 1.getent does not retrieve the list of domain users or groups (wbinfo
 works fine)

Do you mean getent passwd, or getent passwd foo?

If you mean the former, then you need:

winbind enum groups = yes
winbind enum users  = yes

jh

-- 
Woman was God's second mistake.-- Nietzsche
-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/listinfo/samba

-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/listinfo/samba

Re: [Samba] getent passwd not adding users

2007-12-07 Thread Max León

You need to add idmap uid with the same range as the gid, well at least 
that is what I've always have done.

Jamie Gordon wrote:

I'm running Samba version Version 3.0.25b-1.el5_1.2 on RH Enterprise
Linux 5. I've configured the SMB server to get users from a Windows 2003
Server Active Directory tree. I was able to join the machine to the
domain with no problem.

Here's the smb.conf

Quote:

[global]
idmap gid = 6-9
winbind trusted domains only = yes
encrypt passwords = yes
show add printer wizard = No
winbind use default domain = Yes
realm = domain
netbios name = servername
printing = cups
idmap uid = 1-5
password server = dcname
workgroup = domain
os level = 20
printcap name = cups
security = domain
winbind separator = \
disable spoolss = Yes
winbind enum groups = yes
winbind enum users = yes 


My nsswitch.conf has the following;

Quote:

passwd: files winbind
shadow: files
group: files winbind 



wbinfo -u and wbinfo-g work well, returning a list of users and groups.
However, when I issue 'getent passwd' my winbind log 
(/var/log/samba/winbindd.log) shows a long list of the following and no
users are added to the passwd db; 


Quote:

[2007/12/04 12:11:03, 1] nsswitch/winbindd_ads.c:query_user_list(209)
Not a user account? atype=0x3000 


Not sure where to go from here. Any help or hints would be appreciated.

 


Jamie Gordon

QA Manager

WideOrbit

[EMAIL PROTECTED] mailto:[EMAIL PROTECTED] 

 


You can't make what you can't measure, 'cause you don't know when
you've got it made.

 

  


--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/listinfo/samba

RE: [Samba] getent passwd not adding users

2007-12-07 Thread Jamie Gordon

Thanks Nathan. Perhaps I misspoke. My understanding is that if winbind
is configured correctly, if I issue 'getent passwd' then I should see
local and domain users listed. I only see local users and my windbindd
log has the aforementioned errors. 

Jamie Gordon
QA Manager
WideOrbit
[EMAIL PROTECTED]

You can't make what you can't measure, 'cause you don't know when
you've got it made.
-Original Message-
From: Nathan VanHoudnos [mailto:[EMAIL PROTECTED] 
Sent: Friday, December 07, 2007 12:32 PM
To: Jamie Gordon
Cc: samba
Subject: Re: [Samba] getent passwd not adding users


 wbinfo -u and wbinfo-g work well, returning a list of users and
groups.
 However, when I issue 'getent passwd' my winbind log 
 (/var/log/samba/winbindd.log) shows a long list of the following and
no
 users are added to the passwd db; 

Perhaps I misunderstand you, but getent is a query tool, not something
that you use to add entries to /etc/passwd or /etc/group. 

If you wanted to use it to add entries, you'd need to do something like:
  getent passwd | grep YOURDOMAIN+  /etc/passwd

But, then that would defeat the purpose of using winbind anyway. 

Hope this helps,

Nathan VanHoudnos
 


--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/listinfo/samba

Re: [Samba] getent passwd not adding users

2007-12-07 Thread Nathan VanHoudnos


 wbinfo -u and wbinfo-g work well, returning a list of users and groups.
 However, when I issue 'getent passwd' my winbind log 
 (/var/log/samba/winbindd.log) shows a long list of the following and no
 users are added to the passwd db; 

Perhaps I misunderstand you, but getent is a query tool, not something
that you use to add entries to /etc/passwd or /etc/group. 

If you wanted to use it to add entries, you'd need to do something like:
  getent passwd | grep YOURDOMAIN+  /etc/passwd

But, then that would defeat the purpose of using winbind anyway. 

Hope this helps,

Nathan VanHoudnos
 


-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/listinfo/samba

RE: [Samba] getent passwd not adding users

2007-12-07 Thread Nathan VanHoudnos

(forgot to copy list) 

 Thanks Nathan. Perhaps I misspoke. My understanding is that if winbind
 is configured correctly, if I issue 'getent passwd' then I should see
 local and domain users listed. I only see local users and my windbindd
 log has the aforementioned errors. 

Yes, that's true. I noticed that your config file has 
  security = domain
If you change that to 
  security = ads 
It might work. I don't know, I'm not a samba expert! 

The other thing I might try is to change your winbind seperator from /
to +. Perhaps getent can't handle / in a username, but why it would give
you that winbind error, I don't know. I do know, however, that + works. 

The other thing your error message makes me think of is the service
account that you may or may not have set as windbind's authorized user.
But, that wouldn't make much sense, since you reported that wbinfo -u
and wbinfo -g work well. To check it, try:
  wbinfo --get-auth-user 

One thing though, that will echo your service accounts password to the
screen in plain text. So, you have to run it as root, and you have to be
careful who's behind you. 

Cheers,

Nathan

-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/listinfo/samba

RE: [Samba] getent passwd not listing domain users, nsswitch.conf is configured

2007-10-21 Thread Necos Secon


This is one that took me a while to figure out. By default, the newer versions 
of samba tell winbind not to enumerate users or groups, because this could 
cause a performance drop for large (1+ users I believe) networks. The way 
to fix this is to set these two options in smb.conf:
 
winbind enum users = yes
winbind enum groups = yes
 
Hope that helps some. Date: Wed, 17 Oct 2007 11:03:13 -0600 From: [EMAIL 
PROTECTED] To: samba@lists.samba.org Subject: [Samba] getent passwd not 
listing domain users, nsswitch.conf is configured  Using Samba 3.0.25c on 
OpenSolaris nv72.  wbinfo -u lists domain users as expected. getent passwd 
only lists local users. nsswitch.conf has the following lines: passwd: files 
winbind group: files winbind  My smb.conf is below. Where should I start to 
troubleshoot?  [global] realm = FNB.LOCAL workgroup = FNB security = ADS 
use kerberos keytab = true ; password server = my-server.fnb.local encrypt 
passwords = yes server string = Samba ADS client use spnego = yes  # 
winbind configuration: winbind use default domain = yes winbind nested groups 
= yes idmap backend = ad winbind nss info = rfc2307 winbind separator = / 
winbind enum users = yes winbind enum groups = yes # idmap uid = 1-2 
# idmap gid = 1-2 ; template homedir = /samba/pchome/%D/%U  # idmap 
domains = FNB # idmap config FNB:default = yes # idmap config FNB:backend = 
tdb # idmap config FNB:range = 1-2 # this tells Samba to use a 
separate log file for each machine # that connects log file = 
/var/samba/log/log.%m log level = 10 # Put a capping on the size of the log 
files (in Kb). max log size = 1024  # Most people will find that this option 
gives better performance. # See the chapter 'Samba performance issues' in the 
Samba HOWTO Collection # and the manual pages for details. ; socket options = 
TCP_NODELAY --  To unsubscribe from this list go to the following URL and 
read the instructions: https://lists.samba.org/mailman/listinfo/samba
_
Climb to the top of the charts!  Play Star Shuffle:  the word scramble 
challenge with star power.
http://club.live.com/star_shuffle.aspx?icid=starshuffle_wlmailtextlink_oct--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/listinfo/samba

Re: [Samba] getent passwd not listing domain users, nsswitch.conf is configured

2007-10-18 Thread Frank Van Damme

On 10/17/07, Peter Baumgartner [EMAIL PROTECTED] wrote:
 Using Samba 3.0.25c on OpenSolaris nv72.

 wbinfo -u lists domain users as expected.
 getent passwd only lists local users.
 nsswitch.conf has the following lines:
 passwd: files winbind
 group:  files winbind

 My smb.conf is below. Where should I start to troubleshoot?

Hi,

this also recently came up in a thread I started (called default
kerberos realm??). It may have multiple reasons.

-- 
Frank Van Damme   A: Because it destroys the flow of the conversation
  Q: Why is it bad?
  A: No, it's bad.
  Q: Should I top post in replies to mails or on usenet?
-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/listinfo/samba

Re: [Samba] getent returns HEX number instead of username

2007-02-28 Thread Gerald (Jerry) Carter

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Stephen Carville wrote:
 Not for all users but for some.
 
 I'm using samba 3.0.20 running on Fedora Core 3.  Security = ADS,
 winbind works and getent passwd returns local unix accounts plus the
 domain accounts as expected.
 
 It also returns a lot of entries like:
 
 6811ff15281f4d19bdc:x:18004:1:Anel Susana
 Esquivel:/export/private/6811ff15281f4d19bdc:/sbin/nologin
 
 I suspect these are accounts in a trusted domain.  AFAIK, they are not
 causing any problems but I'm wondering if this is normal (and harmless)
 or an indication I messed up something.  Could the owner of the hex
 numbered account access any shares on my server?  Ideally no one outside
 the domain designated in the smb.conf file should be able to access any
 shares on this server.

Never seen that.  Sorry.  What is the name supposed to be?




cheers, jerry
=
Samba--- http://www.samba.org
Centeris ---  http://www.centeris.com
What man is a man who does not make the world better?  --Balian
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.2.2 (Darwin)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFF5mVBIR7qMdg1EfYRAmw5AJwPlYC8a5p+ky/kn02atna00VMBswCggJdC
nmOXY3JX3MZFgSzfYBfXDu0=
=l+9s
-END PGP SIGNATURE-
-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/listinfo/samba

Re: [Samba] getent passwd

2006-11-10 Thread Gerald (Jerry) Carter

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Daniel Quigley-Skillin wrote:

 Three users out of about 50 get no result using 
 the getent passwd command.
 
 The accounts are in good standing and can access all 
 other network services.  The accounts are similar to
 other accounts which are working.
 
 The accounts do show up in a getent group, and with wbinfo -u
 
 Upgrading/Downgrading Samba isn't a possibility.

Do you really need user/group enumeration?






cheers, jerry
=
Samba--- http://www.samba.org
Centeris ---  http://www.centeris.com
What man is a man who does not make the world better?  --Balian
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.2 (GNU/Linux)
Comment: Using GnuPG with SUSE - http://enigmail.mozdev.org

iD8DBQFFVNH8IR7qMdg1EfYRAunoAJ9wuAOv3/uML0OAM1FYmfoLS50NrwCgwWGK
LS+Xfwo2scXQVvb0O0w9cMU=
=XVHI
-END PGP SIGNATURE-
-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/listinfo/samba

RE: [Samba] getent passwd

2006-11-10 Thread Daniel Quigley-Skillin

Due to access requirements, yes.

-Original Message-
From: Gerald (Jerry) Carter [EMAIL PROTECTED]
To: Daniel Quigley-Skillin [EMAIL PROTECTED]
Cc: samba@lists.samba.org
Sent: 11/10/06 2:24 PM
Subject: Re: [Samba] getent passwd


--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/listinfo/samba

Re: [Samba] getent passwd

2006-11-10 Thread Daniel Quigley-Skillin


Stopping smbd and winbindd, moving the winbind_*.tdb files, then
starting smbd and winbindd again resolved the problem.

On 11/10/06, Daniel Quigley-Skillin [EMAIL PROTECTED] wrote:

Due to access requirements, yes.

-Original Message-
From: Gerald (Jerry) Carter [EMAIL PROTECTED]
To: Daniel Quigley-Skillin [EMAIL PROTECTED]
Cc: samba@lists.samba.org
Sent: 11/10/06 2:24 PM
Subject: Re: [Samba] getent passwd




--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/listinfo/samba

RE: [Samba] getent not working (again)

2006-04-21 Thread Gautier, B \(Bob\)

'getent passwd' imposes an overall timeout of 30 seconds on the reply from 
winbindd.  Maybe that's biting you?  See Bugzillas 3660, 3024.

Bob G 

 -Original Message-
 From: [EMAIL PROTECTED] 
 [mailto:[EMAIL PROTECTED]
] On Behalf Of Horchler, Joerg
 Sent: 21 April 2006 11:06
 To: samba@lists.samba.org
 Subject: [Samba] getent not working (again)
 
 Hi all, 
 
 after I searched the internet about a week now I can't find 
 an answer to my
 problem: 
 
 The company I work for is using a Windows 2003 Domain using 
 the Windows Services for UNIX (SFU) and NIS. We are using two 
 Domain Controllers that are hosting the ADS. 
 
 Now I want to use Samba and NFS to implement a file server 
 for our mixed client enviroment: There will be Linux, HP 
 UNIX, Solaris, AIX and Windows clients accessing this server. 
 The Linux/UNIX clients will  use NFS (no problem). The 
 Windows clients will use Samba. 
 
 =
 I compiled Samba 3.0.22 with: 
 
 ./configure \
 --with-ldap \
 --with-ads \
 --with-pam \
 --with-quotas \
 --with-acl-support \
 --with-aio-support \
 --with-sendfile-support \
 --with-winbind \
 --with-shared-modules=idmap_ad
 
 The last option was the only way to get idmap_ad compiled and 
 installed. I need this to use 'idmap backend = ad'
 
 =
 
 After installation I copied libnss_winbind.so and 
 libnss_wins.so to /lib and run ldconfig
 
 [EMAIL PROTECTED] source]# ldconfig -v | grep libnss
 libnss_winbind.so.2 - libnss_winbind.so
 libnss_wins.so.2 - libnss_wins.so [EMAIL PROTECTED] source]#
 
 =
 
 My smb.conf is
 
 [EMAIL PROTECTED] source]# cat /usr/local/samba/lib/smb.conf [global]
 unix charset = UTF8
 display charset = UTF8
 workgroup = XYZ
 realm = ABC.COM
 server string = linux fileserver %h (Samba %v)
 security = ADS
 auth methods = winbind
 allow trusted domains = No
 lanman auth = No
 log level = 0 smb:1 auth:1 winbind:1 idmap:1 acls:1
 log file = /var/log/samba/%m.log
 disable netbios = Yes
 reset on zero vc = Yes
 deadtime = 10
 os level = 0
 preferred master = No
 local master = No
 domain master = No
 wins server = a.b.c.d, a.b.c.e
 ldap ssl = no
 pid directory = /var/run
 idmap backend = ad
 idmap uid = 100-10
 idmap gid = 100-10
 winbind use default domain = Yes
 winbind nested groups = Yes
 winbind nss info = sfu
 acl group control = Yes
 acl map full control = No
 inherit owner = Yes
 ea support = Yes
 map acl inherit = Yes
 use sendfile = Yes
 hide special files = Yes
 map readonly = permissions
 strict locking = No
 dos filemode = Yes
 [EMAIL PROTECTED] source]# 
 
 I configured no shares at the moment. Could that be a problem?
 
 =
 
 My /etc/krb5.conf
 
 [EMAIL PROTECTED] source]# cat /etc/krb5.conf
 [logging]
  default = FILE:/var/log/krb5libs.log
  kdc = FILE:/var/log/krb5kdc.log
  admin_server = FILE:/var/log/kadmind.log
 
 [libdefaults]
  default_realm = ABC.COM
 
 [realms]
  ABC.COM = {
   default_domain = abc.com
  }
 
 [domain_realm]
  .abc.com = ABC.COM
  abc.com = ABC.COM
 
 [appdefaults]
  pam = {
debug = false
ticket_lifetime = 36000
renew_lifetime = 36000
forwardable = true
krb4_convert = false
  }
 [EMAIL PROTECTED] source]#
 
 =
 
 My /etc/nsswitch.conf
 
 [EMAIL PROTECTED] source]# cat /etc/nsswitch.conf # # /etc/nsswitch.conf [...]
 
 passwd: files winbind
 shadow: files winbind
 group:  files winbind
 
 #hosts: db files ldap nis dns
 hosts:  files dns wins
 
 [...]
 
 =
 
 Then I joined the domain successfully:
 
 [EMAIL PROTECTED] source]#
 net ads join -Uruth Servers
 
 [EMAIL PROTECTED] source]# wbinfo -t
 checking the trust secret via RPC calls succeeded [EMAIL PROTECTED] source]#
 
 [EMAIL PROTECTED] source]# net ads info
 LDAP server: a.b.c.d
 LDAP server name: uranus
 Realm: ABC.COM
 Bind Path: dc=ABC,dc=COM
 LDAP port: 389
 Server time: Fri, 21 Apr 2006 11:59:54 CEST KDC server: 
 a.b.c.d Server time offset: 55 [EMAIL PROTECTED] source]#
 
 =
 
 After starting nmbd, smbd and winbindd I can successfully 
 list my domain users and group with wbinfo. But when I try to 
 get a list via getent it doesn't work. 
 
 [EMAIL PROTECTED] source]# getent passwd
 root:x:0:0:root:/root:/bin/bash
 bin:x:1:1:bin:/bin:/sbin/nologin
 daemon:x:2:2:daemon:/sbin:/sbin/nologin
 adm:x:3:4:adm:/var/adm:/sbin/nologin
 lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
 sync:x:5:0:sync:/sbin:/bin/sync
 shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
 halt:x:7:0:halt:/sbin:/sbin/halt

Re: [Samba] Getent Not Working

2006-02-06 Thread Dennis B. Hopp


Jon Parkins wrote:

I hope I'm submitting this to the right place

Hello All,

I've been pouring over the groups for a couple of days now, and found a
few problems and setups similiar to mine, but I'm not having much luck
trying to resolve the issue.  My setup currently is a RHFC4 Box running
Samba 3.0.21a-1 on a Win2k AD Domain.

Now I have no problem running wbinfo -t -u or -g  I get listings of
groups and users.  When I run getent passwd though  all I get are the
local users.

I have all the symbolic links and libnss_winbind.so files in /lib.  I
get no errors in the winbindd log, I did notice the following error in
the smbd.log file in /var/logs/samba/  But I'm not sure what the deal
is.

I updated GCC, Krb5 just in case with yum.  I had no problem adding the
machine to the domain, I just can't use getent to pull a listing or
access the share from any of the domain worstations without having a
local account on the RH box.

In the past using RHFC4 and a Win2k3 domain I've had no problems.  So
I'm just baffeled right now.  Maybe I've overlooked something.  Maybe
it's something with the 2K domain.  Any help is appriciated.  If more
info is needed, or I'm way in left field just let me know.

I'll post my conf files below.

Thanks.

/var/log/samba/smbd.log snippet

[2006/02/06 16:30:28, 0] lib/util_sock.c:open_socket_in(823)
 bind failed on port 445 socket_addr = 0.0.0.0.
 Error = Address already in use
*** glibc detected *** smbd: free(): invalid pointer: 0x00f4cdb0 ***
=== Backtrace: =
/lib/libc.so.6[0x58f424]
/lib/libc.so.6(__libc_free+0x77)[0x58f95f]
/lib/libcom_err.so.2(remove_error_table+0x4b)[0x131abb]
/usr/lib/libkrb5.so.3[0xeea8c4]
/usr/lib/libkrb5.so.3[0xeea5c7]
/usr/lib/libkrb5.so.3[0xf3b9da]
/lib/ld-linux.so.2[0x11f058]
/lib/libc.so.6(exit+0xc5)[0x556c69]
smbd(main+0x697)[0xa1a323]
/lib/libc.so.6(__libc_start_main+0xc6)[0x540de6]
smbd[0x7d5081]
=== Memory map: 

/etc/samba/smb.conf (minimal setup to test)

[global]
   workgroup = DOMAIN
   realm = DOMAIN.LOCAL
   server string = Samba Server
   security = ADS
   password server = 192.168.0.4
   log file = /var/log/samba/%m.log
   socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
   dns proxy = No
   idmap uid = 1-2
   idmap gid = 1-2
   winbind separator = +
   winbind use default domain = Yes

  


Have you tried to increase the debug level? 


smbcontrol smbd debug 5

That might be too high or too low. 


--Dennis
--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/listinfo/samba

Re: [Samba] Getent Not Working

2006-02-06 Thread Adam Nielsen

 *** glibc detected *** smbd: free(): invalid pointer: 0x00f4cdb0 ***

I've seen this error before when I compiled a program on one PC, then
copied it across to another PC without recompiling it to save time.
The problem was that each PC had a different version of a certain
library on it, so the original copy worked fine but the second one was
linked to an old library but calling it like a newer version.

You might want to recompile Samba (and perhaps kerberos) if you didn't
originally compile them from source on the same machine they're running
on now.

Cheers,
Adam.
-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/listinfo/samba

RE: [Samba] Getent not returning complete results.

2006-01-12 Thread Geoffrey Scott

Sarkar, Anirban wrote:
 I have some Redhat(ES 3) Linux servers authenticating agains Active
 Directory. One of the servers is not returning the complete list of
 users and groups for commands : getent passwd 
 getent group
 
 But when I do wbinfo -u, I do get all the users.
 
 This is baffling me.
 
 The other servers don't have this problem. I have tallied the
 configuration on the servers and they are same. 
 
 Thanks.

Is /etc/nsswitch configured?
-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/listinfo/samba

RE: [Samba] getent and wbinfo not returning expected results?

 Some commands work but not the way i would expect them to, such as  
 wbinfo -u. This command comes back with a list of users 
 from the AD  
 but the domain name is not prepended as i would expect with the  
 domain separator value between the domain name and the username.
 
 wbinfo -g is exactly the same, it comes back with a list of AD  
 groups but the domain is not prepended, what would cause this 
 behavior?
 
 Here is the global section of my smb.conf, maybe i am missing  
 something that will be obvious to users on this list.
 
  [global]
 workgroup = domain
 netbios name = mps1intmx01
 server string = SMB %v for domain.com
 security = ADS
 encrypt passwords = Yes
 template shell = /bin/bash
 realm = DOMAIN.COM
 
 # Winbind settings
 idmap backend = idmap_rid:DOMAIN=500-5000
 idmap uid = 500-1000
 idmap gid = 500-1000
 winbind separator = /
 winbind enum users = Yes
 winbind enum groups = Yes
 winbind use default domain = Yes
 winbind nested groups = Yes
 allow trusted domains = No
 
 preferred master = No
 local master = No
 wins server = msp1intmx02.domain.com
 
 log level = 10

Remove 'winbind use default domain = Yes' from smb.conf and you'll see the
domain name prepended to the output from 'wbinfo -u'  'wbinfo -g' commands.

~Doug 
-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/listinfo/samba

RE: [Samba] getent and wbinfo not returning expected results?

 I did and this did address the wbinfo -u OR -g output but the getent
 passwd OR group, is still only listing the local users and groups

sigh According to the Samba docs, it's either the NSS switch or the PAM
modules or both that appear to be preventing the enumeration of
users/groups. I have on hand TOSHARG and the 'Samba-3 By Examples' books.
Check page 228 section 12 in 'Samba-3 by Examples' and you will see what I
am referring to.

I'm using FreeBSD and their NSS libraries are different from Linux's and I'm
wondering if that is the cause. FreeBSD uses nss_winbind.so.1 whereas there
are numerous references to libnss_winbind.so.2 in TOSHARG which is based on
Linux. I fear FreeBSD's GCC compiler is either older and/or different than
Linux's. What distro are you using?

 Yes this is sound advice i was playing around with some others like the
 + , which seems to be a common choice but testparm complained about it
 so i changed it to what you see.

Yeah. The separator isn't the real cause behind your woes though.

Let me know what you come up with.

~Doug


-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/listinfo/samba

Re: [Samba] getent and wbinfo not returning expected results?

On Friday 16 September 2005 12:14, Doug Sampson wrote:
  I did and this did address the wbinfo -u OR -g output but the getent
  passwd OR group, is still only listing the local users and groups

 sigh According to the Samba docs, it's either the NSS switch or the PAM
 modules or both that appear to be preventing the enumeration of
 users/groups. I have on hand TOSHARG and the 'Samba-3 By Examples' books.
 Check page 228 section 12 in 'Samba-3 by Examples' and you will see what I
 am referring to.

If 'wbinfo -u' returns the domain user list, but 'getent passwd' does not, 
this means that NSS is not working. It has nothing to do with PAM.


 I'm using FreeBSD and their NSS libraries are different from Linux's and
 I'm wondering if that is the cause. FreeBSD uses nss_winbind.so.1 whereas
 there are numerous references to libnss_winbind.so.2 in TOSHARG which is
 based on Linux. I fear FreeBSD's GCC compiler is either older and/or
 different than Linux's. What distro are you using?

Have you joined the Samba server to the domain? 
What do 'net rpc info' and 'net ads info' report?

Is winbindd running?

Did you rename the libnss_winbind.so.2 file to nss_winbind.so.1?
Did you locate this in the /lib or the /usr/lib directory?

What error logs are you seeing in /var/adm/messages?

  Yes this is sound advice i was playing around with some others like the
  + , which seems to be a common choice but testparm complained about it
  so i changed it to what you see.

 Yeah. The separator isn't the real cause behind your woes though.

It certainly sounds more like a basic software installation and configuration 
issue.

- John T.

 Let me know what you come up with.

 ~Doug

-- 
John H Terpstra
Samba-Team Member
Phone: +1 (650) 580-8668

Author:
The Official Samba-3 HOWTO  Reference Guide, 2 Ed., ISBN: 0131882228
Samba-3 by Example, 2 Ed., ISBN: 0131882221X
Hardening Linux, ISBN: 0072254971
Other books in production.
-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/listinfo/samba

Re: [Samba] getent and wbinfo not returning expected results?

2005-09-16 Thread Mike Partyka



On Sep 16, 2005, at 2:11 PM, John H Terpstra wrote:


On Friday 16 September 2005 12:14, Doug Sampson wrote:


I did and this did address the wbinfo -u OR -g output but the getent
passwd OR group, is still only listing the local users and groups



sigh According to the Samba docs, it's either the NSS switch or  
the PAM

modules or both that appear to be preventing the enumeration of
users/groups. I have on hand TOSHARG and the 'Samba-3 By Examples'  
books.
Check page 228 section 12 in 'Samba-3 by Examples' and you will  
see what I

am referring to.



If 'wbinfo -u' returns the domain user list, but 'getent passwd'  
does not,

this means that NSS is not working. It has nothing to do with PAM.




I'm using FreeBSD and their NSS libraries are different from  
Linux's and
I'm wondering if that is the cause. FreeBSD uses nss_winbind.so.1  
whereas
there are numerous references to libnss_winbind.so.2 in TOSHARG  
which is

based on Linux. I fear FreeBSD's GCC compiler is either older and/or
different than Linux's. What distro are you using?



Have you joined the Samba server to the domain?
What do 'net rpc info' and 'net ads info' report?


net rpc info returns nothing

net ads info, returns:

msp1intmx01:~ # net ads info
LDAP server: 71.4.126.89
LDAP server name: msp1intmx02
Realm: DOMAIN.COM
Bind Path: dc=DOMAIN,dc=COM
LDAP port: 389
Server time: Fri, 16 Sep 2005 14:17:38 GMT
KDC server: 71.4.126.89
Server time offset: 0

I didn't think i was using ldap to store the idmap values for users,  
i thought the smb.conf setting idmap backend=idmap_rid


Is winbindd running?

Yes


Did you rename the libnss_winbind.so.2 file to nss_winbind.so.1?
No, i did not see that step in any of the documentation i have used.  
I did this and restarted winbind but it seemed to have no effect.

Did you locate this in the /lib or the /usr/lib directory?

in the /lib directory only


What error logs are you seeing in /var/adm/messages?

I am seeing a number of messages like this:

Sep 16 14:21:17 msp1intmx01 winbindd[23202]:
rid_idmap_get_id_from_sid: rid: 1157 (UID: 1657) too high

for mapping of domain: JUMPNODE (500-1000)

Which i assume is related to the fact that i changed the  
idmap_backend setting earlier this morning in the smb.conf file.


Here is what it currently set to:

   idmap backend = idmap_rid:JUMPNODE=500-1000
   idmap uid = 500-1000
   idmap gid = 500-1000

This morning the idmap_backend had a range of 500-5000 but then i ran  
winbindd -i -d3 and i saw winbind complaining about the range being  
set too high, and i adjusted it down. Is there someplace i need to  
clear the old values from? I have since restarted winbind several  
times but that does not seem to be sufficient.


Thank You,


John H Terpstra
Samba-Team Member
Phone: +1 (650) 580-8668

Author:
The Official Samba-3 HOWTO  Reference Guide, 2 Ed., ISBN: 0131882228
Samba-3 by Example, 2 Ed., ISBN: 0131882221X
Hardening Linux, ISBN: 0072254971
Other books in production.



Mike Partyka
Jumpnode Systems, LLC
Systems Administrator
(612)605-5056 Desk
(612)605-5099 Fax


--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/listinfo/samba

Re: [Samba] getent and wbinfo not returning expected results?

On Friday 16 September 2005 13:35, Mike Partyka wrote:
 On Sep 16, 2005, at 2:11 PM, John H Terpstra wrote:
  On Friday 16 September 2005 12:14, Doug Sampson wrote:
  I did and this did address the wbinfo -u OR -g output but the getent
  passwd OR group, is still only listing the local users and groups
 
  sigh According to the Samba docs, it's either the NSS switch or
  the PAM
  modules or both that appear to be preventing the enumeration of
  users/groups. I have on hand TOSHARG and the 'Samba-3 By Examples'
  books.
  Check page 228 section 12 in 'Samba-3 by Examples' and you will
  see what I
  am referring to.
 
  If 'wbinfo -u' returns the domain user list, but 'getent passwd'
  does not,
  this means that NSS is not working. It has nothing to do with PAM.
 
  I'm using FreeBSD and their NSS libraries are different from
  Linux's and
  I'm wondering if that is the cause. FreeBSD uses nss_winbind.so.1
  whereas
  there are numerous references to libnss_winbind.so.2 in TOSHARG
  which is
  based on Linux. I fear FreeBSD's GCC compiler is either older and/or
  different than Linux's. What distro are you using?
 
  Have you joined the Samba server to the domain?
  What do 'net rpc info' and 'net ads info' report?

 net rpc info returns nothing

 net ads info, returns:

  msp1intmx01:~ # net ads info
  LDAP server: 71.4.126.89
  LDAP server name: msp1intmx02
  Realm: DOMAIN.COM
  Bind Path: dc=DOMAIN,dc=COM
  LDAP port: 389
  Server time: Fri, 16 Sep 2005 14:17:38 GMT
  KDC server: 71.4.126.89
  Server time offset: 0

 I didn't think i was using ldap to store the idmap values for users,
 i thought the smb.conf setting idmap backend=idmap_rid

ADS uses LDAP. The user and group account info when Samba is an ADS domain 
member is obtained from the LDAP service that is part of ADS. The IDMAP 
backend defines how the user and group SIDs are handled. The idmap_rid tool 
uses the value of the relative identifier (RID) part of the user SID as the 
UID. The RID can have any value from 1000 up to 4294967295. Typically the RID 
is allocated sequentially starting at 1000, but this appears not always to be 
the case.


  Is winbindd running?

 Yes

  Did you rename the libnss_winbind.so.2 file to nss_winbind.so.1?

 No, i did not see that step in any of the documentation i have used.

For months I asked for review and feedback from Samba mailing list users. All 
feedback that I received was adopted. Samba is user supported software. The 
more people who provide documentation feedback, the better to documentation 
becomes.

 I did this and restarted winbind but it seemed to have no effect.

  Did you locate this in the /lib or the /usr/lib directory?

 in the /lib directory only

It needs to be in the same directory that the other nss_*.so* files are in.

The version number may need to be .1 or .2 - I am not sure.


  What error logs are you seeing in /var/adm/messages?

 I am seeing a number of messages like this:

  Sep 16 14:21:17 msp1intmx01 winbindd[23202]:
 rid_idmap_get_id_from_sid: rid: 1157 (UID: 1657) too high
  for mapping of domain: JUMPNODE (500-1000)

The system accounts will use values of 500-1000, user acconts always above 
999. i.e.: starting at 1000.


 Which i assume is related to the fact that i changed the
 idmap_backend setting earlier this morning in the smb.conf file.

If you change the settings you must delete the winbind_idmap.tdb and 
winbind_cache.tdb files before restarting smbd and winbind.

 Here is what it currently set to:

 idmap backend = idmap_rid:JUMPNODE=500-1000
 idmap uid = 500-1000
 idmap gid = 500-1000


The upper-bound of the uid and gid ranges are much too low. Follow the 
examples I gave in the book.

 This morning the idmap_backend had a range of 500-5000 but then i ran
 winbindd -i -d3 and i saw winbind complaining about the range being
 set too high, and i adjusted it down. Is there someplace i need to
 clear the old values from? I have since restarted winbind several
 times but that does not seem to be sufficient.

Remove the winbind*tdb files and restart winbindd.

- John T.
-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/listinfo/samba

Re: [Samba] getent and wbinfo not returning expected results?

2005-09-16 Thread Mike Partyka



On Sep 16, 2005, at 2:57 PM, John H Terpstra wrote:

Did you rename the libnss_winbind.so.2 file to nss_winbind.so.1?



No, i did not see that step in any of the documentation i have used.



For months I asked for review and feedback from Samba mailing list  
users. All
feedback that I received was adopted. Samba is user supported  
software. The
more people who provide documentation feedback, the better to  
documentation

becomes.
I was not active in this mailing list at that time but don't mean  
that to be an excuse, i will do better going forward.


The system accounts will use values of 500-1000, user acconts  
always above

999. i.e.: starting at 1000.

Remove the winbind*tdb files and restart winbindd.


I adjusted this range up much higher (100-500)

I then deleted these files as John recommended and the restarted  
winbind and smb.


Amazingly, now getent passwd returns the local user list with the  
domain users appended to it, W00T!


PS-The community effort that many people put into the lists as far as  
helping other users is always impressive to me and it's really  
something to admire but this afternoon topped all when i got a long  
distance call from John Terpstra, whose book i have sitting on my  
desk at home, and who wrote the Samba documentation that many of us  
use so frequently, the experience I have to say was a little intense.


60 seconds into the call John stated rather than asked, Your really  
new to Samba aren't you?, I can only laugh when thinking about it.


John, Doug, Thanks for your help!



- John T.



Mike Partyka
Jumpnode Systems, LLC
Systems Administrator
(612)605-5056 Desk
(612)605-5099 Fax


--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/listinfo/samba

Re: [Samba] getent and wbinfo not returning expected results?

On Friday 16 September 2005 14:40, Mike Partyka wrote:
 On Sep 16, 2005, at 2:57 PM, John H Terpstra wrote:
  Did you rename the libnss_winbind.so.2 file to nss_winbind.so.1?
 
  No, i did not see that step in any of the documentation i have used.
 
  For months I asked for review and feedback from Samba mailing list
  users. All
  feedback that I received was adopted. Samba is user supported
  software. The
  more people who provide documentation feedback, the better to
  documentation
  becomes.

 I was not active in this mailing list at that time but don't mean
 that to be an excuse, i will do better going forward.

  The system accounts will use values of 500-1000, user acconts
  always above
  999. i.e.: starting at 1000.
 
  Remove the winbind*tdb files and restart winbindd.

 I adjusted this range up much higher (100-500)

Suggest you consider 500-4000 so that all RIDs can be accomodated.


 I then deleted these files as John recommended and the restarted
 winbind and smb.

 Amazingly, now getent passwd returns the local user list with the
 domain users appended to it, W00T!

 PS-The community effort that many people put into the lists as far as
 helping other users is always impressive to me and it's really
 something to admire but this afternoon topped all when i got a long
 distance call from John Terpstra, whose book i have sitting on my
 desk at home, and who wrote the Samba documentation that many of us
 use so frequently, the experience I have to say was a little intense.

I hope not too intense! :-)

 60 seconds into the call John stated rather than asked, Your really
 new to Samba aren't you?, I can only laugh when thinking about it.

There is nothing wrong with being new to Samba - in fact, there ought to be 
more if it. ;-)

- John T.

 John, Doug, Thanks for your help!

  - John T.

 Mike Partyka
 Jumpnode Systems, LLC
 Systems Administrator
 (612)605-5056 Desk
 (612)605-5099 Fax

-- 
John H Terpstra
Samba-Team Member
Phone: +1 (650) 580-8668

Author:
The Official Samba-3 HOWTO  Reference Guide, 2 Ed., ISBN: 0131882228
Samba-3 by Example, 2 Ed., ISBN: 0131882221X
Hardening Linux, ISBN: 0072254971
Other books in production.
-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/listinfo/samba

RE: [Samba] getent and wbinfo not returning expected results?

 If 'wbinfo -u' returns the domain user list, but 'getent 
 passwd' does not, 
 this means that NSS is not working. It has nothing to do with PAM.
 
 
  I'm using FreeBSD and their NSS libraries are different 
 from Linux's and
  I'm wondering if that is the cause. FreeBSD uses 
 nss_winbind.so.1 whereas
  there are numerous references to libnss_winbind.so.2 in 
 TOSHARG which is
  based on Linux. I fear FreeBSD's GCC compiler is either older and/or
  different than Linux's. What distro are you using?
 
 Have you joined the Samba server to the domain? 
 What do 'net rpc info' and 'net ads info' report?

aries-root@/usr/local/etc: net rpc info
Domain Name: DSP
Domain SID: S-1-5-21-2008768363-1786319642-1659389152
Sequence number: 15618
Num users: 124
Num domain groups: 16
Num local groups: 1

 Is winbindd running?

aries-root@/usr/local/etc: ps aux | grep winbind
root   8276  0.0  0.3  4644  2884  ??  Ss   12:26PM   0:00.01 winbindd -d4
root   8277  0.0  0.3  4584  2836  ??  I12:26PM   0:00.01 winbindd -d4

 
 Did you rename the libnss_winbind.so.2 file to nss_winbind.so.1?
 Did you locate this in the /lib or the /usr/lib directory?
 
 What error logs are you seeing in /var/adm/messages?

On my FreeBSD machine, the log is located at /var/log/messages:

Sep 16 12:26:21 aries winbindd[8277]: [2005/09/16 12:26:21, 0]
rpc_client/cli_pipe.c:cli_rpc_open_noauth(1700)
Sep 16 12:26:21 aries winbindd[8277]:   rpc_pipe_bind failed
Sep 16 12:26:25 aries nmbd[8278]: [2005/09/16 12:26:25, 0]
nmbd/nmbd.c:main(737)
Sep 16 12:26:25 aries nmbd[8278]:   standard input is not a socket, assuming
-D option
Sep 16 12:26:25 aries smbd[8280]: [2005/09/16 12:26:25, 0]
passdb/pdb_tdb.c:tdbsam_tdbopen(195)
Sep 16 12:26:25 aries smbd[8280]:   Unable to open/create TDB passwd
Sep 16 12:26:25 aries smbd[8280]: [2005/09/16 12:26:25, 0]
passdb/pdb_tdb.c:tdbsam_getsampwrid(488)
Sep 16 12:26:25 aries smbd[8280]:   pdb_getsampwrid: Unable to open TDB rid
database!
Sep 16 12:26:25 aries smbd[8280]: NSSWITCH(nsparser): /etc/nsswitch.conf
line 1: 'compat' used with other sources
Sep 16 12:26:25 aries smbd[8280]: NSSWITCH(nsparser): /etc/nsswitch.conf
line 2: 'compat' used with other sources
Sep 16 12:26:25 aries smbd[8280]: NSSWITCH(nss_load_module): wins, Undefined
symbol nss_module_register
Sep 16 12:26:25 aries smbd[8280]: [2005/09/16 12:26:25, 0]
smbd/server.c:main(839)
Sep 16 12:26:25 aries smbd[8280]:   standard input is not a socket, assuming
-D option
Sep 16 12:26:29 aries ps: NSSWITCH(nsparser): /etc/nsswitch.conf line 1:
'compat' used with other sources
Sep 16 12:26:29 aries ps: NSSWITCH(nsparser): /etc/nsswitch.conf line 2:
'compat' used with other sources
Sep 16 12:26:29 aries ps: NSSWITCH(nss_load_module): wins, Undefined symbol
nss_module_register
Sep 16 12:26:51 aries getent: NSSWITCH(nsparser): /etc/nsswitch.conf line 1:
'compat' used with other sources
Sep 16 12:26:51 aries getent: NSSWITCH(nsparser): /etc/nsswitch.conf line 2:
'compat' used with other sources
Sep 16 12:26:51 aries getent: NSSWITCH(nss_load_module): wins, Undefined
symbol nss_module_register
Sep 16 13:00:00 aries newsyslog: NSSWITCH(nsparser): /etc/nsswitch.conf line
1: 'compat' used with other sources
Sep 16 13:00:00 aries newsyslog: NSSWITCH(nsparser): /etc/nsswitch.conf line
2: 'compat' used with other sources
Sep 16 13:00:00 aries newsyslog: NSSWITCH(nss_load_module): wins, Undefined
symbol nss_module_register
Sep 16 13:06:07 aries ls: NSSWITCH(nsparser): /etc/nsswitch.conf line 1:
'compat' used with other sources
Sep 16 13:06:07 aries ls: NSSWITCH(nsparser): /etc/nsswitch.conf line 2:
'compat' used with other sources
Sep 16 13:06:07 aries ls: NSSWITCH(nss_load_module): wins, Undefined symbol
nss_module_register
Sep 16 13:07:08 aries ls: NSSWITCH(nsparser): /etc/nsswitch.conf line 1:
'compat' used with other sources
Sep 16 13:07:08 aries ls: NSSWITCH(nsparser): /etc/nsswitch.conf line 2:
'compat' used with other sources
Sep 16 13:07:08 aries ls: NSSWITCH(nss_load_module): wins, Undefined symbol
nss_module_register
Sep 16 13:26:32 aries ps: NSSWITCH(nsparser): /etc/nsswitch.conf line 1:
'compat' used with other sources
Sep 16 13:26:32 aries ps: NSSWITCH(nsparser): /etc/nsswitch.conf line 2:
'compat' used with other sources
Sep 16 13:26:32 aries ps: NSSWITCH(nss_load_module): wins, Undefined symbol
nss_module_register

aries-root@/usr/local/etc: ll /usr/local/lib/*win*
lrwxr-xr-x  1 root  wheel  31 Sep 15 12:27
/usr/local/lib/libnss_winbind.so - /usr/local/lib/nss_winbind.so.1
lrwxr-xr-x  1 root  wheel  14 Sep 15 13:29
/usr/local/lib/libnss_winbind.so.1 - nss_winbind.so
lrwxr-xr-x  1 root  wheel  14 Sep 15 13:30
/usr/local/lib/libnss_winbind.so.2 - nss_winbind.so
lrwxr-xr-x  1 root  wheel  11 Sep 15 13:30
/usr/local/lib/libnss_wins.so.1 - nss_wins.so
lrwxr-xr-x  1 root  wheel  11 Sep 15 13:30
/usr/local/lib/libnss_wins.so.2 - nss_wins.so
-rwxr-xr-x  1 root  wheel   23057 Sep 15 13:28 /usr/local/lib/nss_winbind.so
lrwxr-xr-x  1 root

Re: [Samba] getent winbindd on FreeBSD 5.4

On Thursday 15 September 2005 17:44, Doug Sampson wrote:
...
 # /etc/nsswitch.conf
 passwd: compat winbind
 group: compat winbind
 hosts: files winbind wins dns

Change to:

hosts: fils dns wins

 networks: files
 shells: files

...
 # smb.conf
 [global]
 workgroup = DSP
 server string = Samba Server
 security = DOMAIN
 passdb backend = tdbsam

Remove the passdb backend = tdbsam parameter - this is a domain member and 
will obtain SAM information using MS RPC via winbind.

 log file = /var/log/samba/log.%m
 max log size = 50
 os level = 33
 local master = No
 dns proxy = No
 wins server = 192.168.1.1
 idmap uid = 15000-2
 idmap gid = 15000-2
 template homedir = /usr/home/%D/%U
 template shell = /bin/bash
 winbind separator = +
 hosts allow = 192.168.1., 192.168.2., 127.

 [homes]
 comment = Home Directories
 read only = No
 browseable = No

 [MacData]
 comment = Production Data
 path = /data
 valid users = @DSP+PRODUCTION
 read only = No
 create mask = 0765


 The odd thing is- there's no /etc/pam.d/samba file even though I specified
 that the PAM samba module be installed. Is my PAM whacked?

You need PAM only to log into your BSD system using a Windows account - if 
that is what you want to do.


 Also, I am unsure if I need to map users to NT account using a text file

You do not need to map NT accounts to UNIX local accounts. That is all handled 
by winbind.

 similar to /etc/smb/smbusers or some file similar to that? When I execute
 'pw groupshow DSP+PRODUCTION', the log.smbd shows this:
 [2005/09/15 16:17:24, 0] passdb/pdb_tdb.c:tdbsam_tdbopen(195)
   Unable to open/create TDB passwd
 [2005/09/15 16:17:24, 0] passdb/pdb_tdb.c:tdbsam_getsampwrid(488)
   pdb_getsampwrid: Unable to open TDB rid database!

This will go away when you get rid of passdb backend = tdbsam.

- John T.
-- 
John H Terpstra, CTO
PrimaStasys Inc.
Phone: +1 (650) 580-8668

Author:
The Official Samba-3 HOWTO  Reference Guide, 2 Ed., ISBN: 0131882228
Samba-3 by Example, 2 Ed., ISBN: 0131882221X
Hardening Linux, ISBN: 0072254971
Other books in production.
-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/listinfo/samba

RE: [Samba] getent and wbinfo not returning expected results?