Bug 2925 - getent passwd and getent group do not work, but wbinfo -t , -g an d-u do with Windows 2003 domain memebership
Summary: getent passwd and getent group do not work, but wbinfo -t , -g an d-u do with...
Status: RESOLVED DUPLICATE of bug 2929
Alias: None
Product: Samba 3.0
Classification: Unclassified
Component: winbind (show other bugs)
Version: 3.0.20
Hardware: x86 Linux
: P3 regression
Target Milestone: none
Assignee: Samba Bugzilla Account
QA Contact: Samba QA Contact
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2005-07-27 07:34 UTC by Mike Rose
Modified: 2005-08-01 16:50 UTC (History)
0 users

See Also:


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Mike Rose 2005-07-27 07:34:44 UTC
Compiled heimdal 0.7, openldap-2.2.26 and samba-3.0.20pre2

on Suse 9.1 Pro

Windows 2003 Server with all patches, no firewall.

Joined ADS OK:
kinit Administrator@BSS.PHY.PRIVATE.CAM.AC.UK
Administrator@BSS.PHY.PRIVATE.CAM.AC.UK's Password: 
w1:/usr/local/samba/lib# net ads join
Using short domain name -- BSS
Joined 'W1' to realm 'BSS.PHY.PRIVATE.CAM.AC.UK'

machine trust account is on server.

My smb.conf:
"
[global]
# separate domain and username with '\', like DOMAIN\username
winbind separator = +
# use uids from 10000 to 20000 for domain users
 idmap uid = 10000-20000
# use gids from 10000 to 20000 for domain groups
 idmap gid = 10000-20000
# allow enumeration of winbind users and groups
winbind enum users = yes
winbind enum groups = yes
# give winbind users a real shell (only needed if they have telnet access)
template homedir = /home/%U
template shell = /bin/bash
winbind cache time = 600
winbind trusted domains only = yes

workgroup = BSS

# to remove domain from username
# winbind use default domain = yes
obey pam restrictions = Yes

realm = bss.phy.private.cam.ac.uk
security = ADS
encrypt passwords = yes
password server = sd1.bss.phy.private.cam.ac.uk
"

w1:/usr/local/samba/lib# nmbd
w1:/usr/local/samba/lib# winbindd -d 5

all fine:
"
[2005/07/27 15:30:11, 5] lib/util.c:init_names(260)
  Netbios name list:-
  my_netbios_names[0]="W1"
[2005/07/27 15:30:11, 2] lib/interface.c:add_interface(81)
  added interface ip=131.111.75.196 bcast=131.111.75.255 nmask=255.255.255.0
[2005/07/27 15:30:11, 5] lib/gencache.c:gencache_init(59)
  Opening cache file at /usr/local/samba//var/locks/gencache.tdb
[2005/07/27 15:30:11, 5] libsmb/namecache.c:namecache_enable(58)
  namecache_enable: enabling netbios namecache, timeout 660 seconds
[2005/07/27 15:30:11, 5] sam/idmap.c:smb_register_idmap(91)
  smb_register_idmap: Successfully added idmap backend 'ldap'
[2005/07/27 15:30:11, 5] sam/idmap.c:smb_register_idmap(91)
  smb_register_idmap: Successfully added idmap backend 'tdb'
[2005/07/27 15:30:11, 2] lib/tallocmsg.c:register_msg_pool_usage(56)
  Registered MSG_REQ_POOL_USAGE
[2005/07/27 15:30:11, 2] lib/dmallocmsg.c:register_dmalloc_msgs(71)
  Registered MSG_REQ_DMALLOC_MARK and LOG_CHANGED
[2005/07/27 15:30:11, 2] nsswitch/winbindd_util.c:add_trusted_domain(166)
  Added domain BSS BSS.PHY.PRIVATE.CAM.AC.UK
S-1-5-21-571314010-3273254802-3516507047
[2005/07/27 15:30:11, 2] nsswitch/winbindd_util.c:add_trusted_domain(166)
  Added domain BUILTIN  S-1-5-32
[2005/07/27 15:30:11, 2] nsswitch/winbindd_util.c:add_trusted_domain(166)
  Added domain W1  S-1-5-21-1038852147-1775589294-3259616702
[2005/07/27 15:30:12, 5] nsswitch/winbindd_util.c:init_child_recv(407)
  Received child initialization response for domain BSS
"

wbinfo all fine:
binfo -t
-bash: binfo: command not found
w1:/usr/local/samba/lib# wbinfo -t
checking the trust secret via RPC calls succeeded
w1:/usr/local/samba/lib# wbinfo -u
Administrator
Guest
SUPPORT_388945a0
SD1$
krbtgt
bob
mr
w1$
w1:/usr/local/samba/lib# wbinfo -g
Domain Computers
Domain Controllers
Schema Admins
Enterprise Admins
Domain Admins
Domain Users
Domain Guests
Group Policy Creator Owners
DnsUpdateProxy

getent group
just gives the local UNIX groups.

nsswitch.conf:
passwd:     compat winbind
shadow:     compat
group:      compat winbind


I've used:
cp libnss_winbind.so /lib/
cp pam_winbind.so /lib/security/

from the samba distro with a soft link:
ln -s /lib/libnss_winbind.so /lib/libnss_winbind.so.2

ldconfig -v | grep winbindd
libnss_winbind.so -> libnss_winbind.so.2
 ll /lib/libnss_winbind.so.2 
lrwxrwxrwx  1 root root 22 Jul 27 11:05 /lib/libnss_winbind.so.2 ->
/lib/libnss_winbind.so
w1:/usr/local/samba/lib# ll /lib/libnss_winbind.so
-rwxr-xr-x  1 root root 21084 Jul 27 15:20 /lib/libnss_winbind.so


in the winbindd log I get this when using getent passwd:
"[2005/07/27 15:34:10, 3] nsswitch/winbindd_misc.c:winbindd_interface_version(460)
  [    0]: request interface version
[2005/07/27 15:34:10, 3] nsswitch/winbindd_misc.c:winbindd_priv_pipe_dir(493)
  [    0]: request location of privileged pipe
[2005/07/27 15:34:10, 3] nsswitch/winbindd_user.c:winbindd_setpwent_internal(429)
  [    0]: setpwent
[2005/07/27 15:34:10, 3] nsswitch/winbindd_user.c:winbindd_getpwent(623)
  [    0]: getpwent
[2005/07/27 15:34:10, 3] nsswitch/winbindd_user.c:winbindd_endpwent(505)
  [    0]: endpwent
"

and this for getent group:
"
[2005/07/27 15:34:46, 3] nsswitch/winbindd_misc.c:winbindd_interface_version(460)
  [    0]: request interface version
[2005/07/27 15:34:46, 3] nsswitch/winbindd_misc.c:winbindd_priv_pipe_dir(493)
  [    0]: request location of privileged pipe
[2005/07/27 15:34:46, 3] nsswitch/winbindd_group.c:winbindd_setgrent_internal(382)
  [    0]: setgrent
[2005/07/27 15:34:46, 3] nsswitch/winbindd_group.c:winbindd_getgrent(578)
  [    0]: getgrent
[2005/07/27 15:34:46, 4] nsswitch/winbindd_group.c:get_sam_group_entries(521)
  get_sam_group_entries: Native Mode 2k domain; enumerating local groups as well
[2005/07/27 15:34:46, 3] nsswitch/winbindd_group.c:get_sam_group_entries(526)
  get_sam_group_entries: Failed to enumerate domain local groups!
[2005/07/27 15:34:46, 4] nsswitch/winbindd_group.c:get_sam_group_entries(521)
  get_sam_group_entries: Native Mode 2k domain; enumerating local groups as well
[2005/07/27 15:34:46, 3] nsswitch/winbindd_group.c:get_sam_group_entries(526)
  get_sam_group_entries: Failed to enumerate domain local groups!
[2005/07/27 15:34:46, 3] nsswitch/winbindd_group.c:winbindd_endgrent(444)
  [    0]: endgrent
"
Comment 1 Mike Rose 2005-07-27 07:49:20 UTC
If I try and access the public share using:

smbclient -L w1
"
[2005/07/27 15:48:08, 3] nsswitch/winbindd_misc.c:winbindd_interface_version(460)
  [    0]: request interface version
[2005/07/27 15:48:08, 3] nsswitch/winbindd_misc.c:winbindd_priv_pipe_dir(493)
  [    0]: request location of privileged pipe
[2005/07/27 15:48:08, 3] nsswitch/winbindd_misc.c:winbindd_domain_info(355)
  [    0]: domain_info [BSS]
[2005/07/27 15:48:08, 3] nsswitch/winbindd_pam.c:winbindd_pam_auth_crap(535)
  [    0]: pam auth crap domain: [BSS] user: mr
[2005/07/27 15:48:08, 3] nsswitch/winbindd_misc.c:winbindd_interface_version(460)
  [    0]: request interface version
[2005/07/27 15:48:08, 3] nsswitch/winbindd_misc.c:winbindd_priv_pipe_dir(493)
  [    0]: request location of privileged pipe
[2005/07/27 15:48:08, 3] nsswitch/winbindd_misc.c:winbindd_domain_info(355)
  [    0]: domain_info [BSS]
[2005/07/27 15:48:08, 3] nsswitch/winbindd_pam.c:winbindd_pam_auth_crap(535)
  [    0]: pam auth crap domain: [BSS] user: mr
"

and

 smbclient -L w1 -U mr
Password: 
session setup failed: NT_STATUS_LOGON_FAILURE
gives:
"
[2005/07/27 15:48:57, 3] nsswitch/winbindd_misc.c:winbindd_interface_version(460)
  [    0]: request interface version
[2005/07/27 15:48:57, 3] nsswitch/winbindd_misc.c:winbindd_priv_pipe_dir(493)
  [    0]: request location of privileged pipe
[2005/07/27 15:48:57, 3] nsswitch/winbindd_misc.c:winbindd_domain_info(355)
  [    0]: domain_info [BSS]
[2005/07/27 15:48:57, 3] nsswitch/winbindd_pam.c:winbindd_pam_auth_crap(535)
  [    0]: pam auth crap domain: [BSS] user: mr
[2005/07/27 15:48:57, 3] nsswitch/winbindd_misc.c:winbindd_interface_version(460)
  [    0]: request interface version
[2005/07/27 15:48:57, 3] nsswitch/winbindd_misc.c:winbindd_priv_pipe_dir(493)
  [    0]: request location of privileged pipe
[2005/07/27 15:48:57, 3] nsswitch/winbindd_user.c:winbindd_getpwnam(333)
  [    0]: getpwnam bss+mr
[2005/07/27 15:48:57, 3] nsswitch/winbindd_user.c:winbindd_getpwnam(333)
  [    0]: getpwnam BSS+mr
[2005/07/27 15:48:57, 3] nsswitch/winbindd_user.c:winbindd_getpwnam(333)
  [    0]: getpwnam BSS+MR
[2005/07/27 15:48:57, 3] nsswitch/winbindd_user.c:winbindd_getpwnam(333)
  [    0]: getpwnam mr
[2005/07/27 15:48:57, 3] nsswitch/winbindd_user.c:winbindd_getpwnam(333)
  [    0]: getpwnam MR
[2005/07/27 15:48:57, 3] nsswitch/winbindd_user.c:winbindd_getpwnam(333)
  [    0]: getpwnam mr
[2005/07/27 15:48:57, 3] nsswitch/winbindd_user.c:winbindd_getpwnam(333)
  [    0]: getpwnam MR
[2005/07/27 15:48:57, 3] nsswitch/winbindd_user.c:winbindd_getpwnam(333)
  [    0]: getpwnam bss+mr
[2005/07/27 15:48:57, 3] nsswitch/winbindd_user.c:winbindd_getpwnam(333)
  [    0]: getpwnam BSS+mr
[2005/07/27 15:48:57, 3] nsswitch/winbindd_user.c:winbindd_getpwnam(333)
  [    0]: getpwnam BSS+MR
[2005/07/27 15:48:57, 3] nsswitch/winbindd_user.c:winbindd_getpwnam(333)
  [    0]: getpwnam mr
[2005/07/27 15:48:57, 3] nsswitch/winbindd_user.c:winbindd_getpwnam(333)
  [    0]: getpwnam MR
[2005/07/27 15:48:57, 3] nsswitch/winbindd_user.c:winbindd_getpwnam(333)
  [    0]: getpwnam mr
[2005/07/27 15:48:57, 3] nsswitch/winbindd_user.c:winbindd_getpwnam(333)
  [    0]: getpwnam MR
"

The user mr does exist on the Windows2003 Server and wbinfo does find it.
Comment 2 Mike Rose 2005-07-28 02:34:49 UTC
I've just re-compiled samba3.0.20pre2 and the libnss_winbind.so file is the same.
I thought I might have screwed this up as wbinfo -u is working, but getent
passwd is not.
An strace of getent passwd shows it opening libnss_winbind.so fine and dandy
using the soft link from libnss_winbind.so.2

Changing severity as I believe one of the main iprovements in 3.0.20 is to be
able to grab uid and gid from ADS when SFU is installed (I have installed it on
the Windows 2003 DC and was hoping to test it).

I do have winbind + pam.d working on other computers with an older version of
samba, but in that case joined to a samba domain.

I was worried this might be a Suse 9.1 problem with nsswitch, but it does seem
to be with libss_winbind.so instead.

If any other info is needed I am happy to supply.. even login to test computer.
Comment 3 Gerald (Jerry) Carter (dead mail address) 2005-08-01 16:50:26 UTC

*** This bug has been marked as a duplicate of 2929 ***