samba-3.0.20rc1 compiled on Suse 9.1 Pro against heimdal-0.7 and openldap-2.2.26. SFU3.5 is installed on the Windows2003 Server SP1.

Details:
"
[2005/07/29 15:25:00, 0] utils/net_ads.c:ads_startup(191)
  ads_connect: Unknown code krb5 6
w1:/scratch/samba-3.0.20pre2/source/nsswitch# !kin
kinit Administrator@BSS.PHY.PRIVATE.CAM.AC.UK
Administrator@BSS.PHY.PRIVATE.CAM.AC.UK's Password:
w1:/scratch/samba-3.0.20pre2/source/nsswitch# net ads join
Using short domain name -- BSS
Joined 'W1' to realm 'BSS.PHY.PRIVATE.CAM.AC.UK'
w1:/scratch/samba-3.0.20pre2/source/nsswitch# nmbd
w1:/scratch/samba-3.0.20pre2/source/nsswitch# winbindd -d 10
w1:/scratch/samba-3.0.20pre2/source/nsswitch# wbinfo -t
checking the trust secret via RPC calls succeeded
w1:/scratch/samba-3.0.20pre2/source/nsswitch# wbinfo -u
Administrator
Guest
SUPPORT_388945a0
SD1$
krbtgt
bob
mr
w1$
w1:/scratch/samba-3.0.20pre2/source/nsswitch# wbinfo -g
Domain Computers
Domain Controllers
Schema Admins
Enterprise Admins
Domain Admins
Domain Users
Domain Guests
Group Policy Creator Owners
w1:/scratch/samba-3.0.20pre2/source/nsswitch# getent passwd
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/bin/bash
daemon:x:2:2:Daemon:/sbin:/bin/bash
w1:/scratch/samba-3.0.20pre2/source/nsswitch# getent passwd
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/bin/bash
daemon:x:2:2:Daemon:/sbin:/bin/bash
lp:x:4:7:Printing daemon:/var/spool/lpd:/bin/bash
mail:x:8:12:Mailer daemon:/var/spool/clientmqueue:/bin/false
news:x:9:13:News system:/etc/news:/bin/bash
uucp:x:10:14:Unix-to-Unix CoPy system:/etc/uucp:/bin/bash
man:x:13:62:Manual pages viewer:/var/cache/man:/bin/bash
at:x:25:25:Batch jobs daemon:/var/spool/atjobs:/bin/bash
sshd:x:71:65:SSH daemon:/var/lib/sshd:/bin/false
nobody:x:65534:65533:nobody:/var/lib/nobody:/bin/bash
exim:x:51:51:Exim MTA:/:/bin/sh
ldap:x:76:70:User for OpenLDAP:/var/lib/ldap:/bin/bash
w1:/scratch/samba-3.0.20pre2/source/nsswitch# ll /lib/libnss_winbind.so
-rwxr-xr-x 1 root root 21084 Jul 29 14:27 /lib/libnss_winbind.so
w1:/scratch/samba-3.0.20pre2/source/nsswitch# ll /lib/libnss_winbind.so.2
lrwxrwxrwx 1 root root 22 Jul 28 09:19 /lib/libnss_winbind.so.2 -> /lib/libnss_winbind.so
w1:/scratch/samba-3.0.20pre2/source/nsswitch# cat /etc/nsswitch.conf | grep winbind
passwd: compat winbind
group: compat winbind
"

The winbindd log (log.winbindd log level 10) shows this for getent passwd:
"
[2005/07/29 15:28:00, 6] nsswitch/winbindd.c:new_connection(603)
  accepted socket 20
[2005/07/29 15:28:00, 10] nsswitch/winbindd.c:process_request(332)
  process_request: request fn INTERFACE_VERSION
[2005/07/29 15:28:00, 3] nsswitch/winbindd_misc.c:winbindd_interface_version(460)
  [ 0]: request interface version
[2005/07/29 15:28:00, 10] nsswitch/winbindd.c:process_request(332)
  process_request: request fn WINBINDD_PRIV_PIPE_DIR
[2005/07/29 15:28:00, 3] nsswitch/winbindd_misc.c:winbindd_priv_pipe_dir(493)
  [ 0]: request location of privileged pipe
[2005/07/29 15:28:00, 6] nsswitch/winbindd.c:new_connection(603)
  accepted socket 21
[2005/07/29 15:28:00, 10] nsswitch/winbindd.c:process_request(332)
  process_request: request fn SETPWENT
[2005/07/29 15:28:00, 3] nsswitch/winbindd_user.c:winbindd_setpwent_internal(429)
  [ 0]: setpwent
[2005/07/29 15:28:00, 10] nsswitch/winbindd.c:process_request(332)
  process_request: request fn GETPWENT
[2005/07/29 15:28:00, 3] nsswitch/winbindd_user.c:winbindd_getpwent(623)
  [ 0]: getpwent
[2005/07/29 15:28:00, 10] nsswitch/winbindd.c:process_request(332)
  process_request: request fn ENDPWENT
[2005/07/29 15:28:00, 3] nsswitch/winbindd_user.c:winbindd_endpwent(505)
  [ 0]: endpwent
"

and for getent group:
"
[2005/07/29 15:28:31, 6] nsswitch/winbindd.c:new_connection(603)
  accepted socket 20
[2005/07/29 15:28:31, 10] nsswitch/winbindd.c:process_request(332)
  process_request: request fn INTERFACE_VERSION
[2005/07/29 15:28:31, 3] nsswitch/winbindd_misc.c:winbindd_interface_version(460)
  [ 0]: request interface version
[2005/07/29 15:28:31, 10] nsswitch/winbindd.c:process_request(332)
  process_request: request fn WINBINDD_PRIV_PIPE_DIR
[2005/07/29 15:28:31, 3] nsswitch/winbindd_misc.c:winbindd_priv_pipe_dir(493)
  [ 0]: request location of privileged pipe
[2005/07/29 15:28:31, 6] nsswitch/winbindd.c:new_connection(603)
  accepted socket 21
[2005/07/29 15:28:31, 10] nsswitch/winbindd.c:process_request(332)
  process_request: request fn SETGRENT
[2005/07/29 15:28:31, 3] nsswitch/winbindd_group.c:winbindd_setgrent_internal(382)
  [ 0]: setgrent
[2005/07/29 15:28:31, 10] nsswitch/winbindd.c:process_request(332)
  process_request: request fn GETGRENT
[2005/07/29 15:28:31, 3] nsswitch/winbindd_group.c:winbindd_getgrent(578)
  [ 0]: getgrent
[2005/07/29 15:28:31, 10] nsswitch/winbindd_group.c:winbindd_getgrent(626)
  entry_index = 0, num_entries = 0
[2005/07/29 15:28:31, 4] nsswitch/winbindd_group.c:get_sam_group_entries(521)
  get_sam_group_entries: Native Mode 2k domain; enumerating local groups as well
[2005/07/29 15:28:31, 3] nsswitch/winbindd_group.c:get_sam_group_entries(526)
  get_sam_group_entries: Failed to enumerate domain local groups!
[2005/07/29 15:28:31, 10] nsswitch/winbindd_group.c:winbindd_getgrent(633)
  freeing state info for domain BUILTIN
[2005/07/29 15:28:31, 4] nsswitch/winbindd_group.c:get_sam_group_entries(521)
  get_sam_group_entries: Native Mode 2k domain; enumerating local groups as well
[2005/07/29 15:28:31, 3] nsswitch/winbindd_group.c:get_sam_group_entries(526)
  get_sam_group_entries: Failed to enumerate domain local groups!
[2005/07/29 15:28:31, 10] nsswitch/winbindd_group.c:winbindd_getgrent(633)
  freeing state info for domain W1
[2005/07/29 15:28:31, 10] nsswitch/winbindd.c:process_request(332)
  process_request: request fn ENDGRENT
[2005/07/29 15:28:31, 3] nsswitch/winbindd_group.c:winbindd_endgrent(444)
  [ 0]: endgrent
"

I can provide a remote login to the linux computer if that would help.
net ads status shows lots of info that looks right.

Excerpts from strace -o log getent passwd:
"
open("/lib/libnss_winbind.so.2", O_RDONLY) = 4
read(4, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0@\22\0\000"..., 512) = 512
fstat64(4, {st_mode=S_IFREG|0755, st_size=21084, ...}) = 0
old_mmap(NULL, 27804, PROT_READ|PROT_EXEC, MAP_PRIVATE, 4, 0) = 0x4016d000
madvise(0x4016d000, 27804, MADV_SEQUENTIAL|0x1) = 0
old_mmap(0x40171000, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED, 4, 0x3000) = 0x40171000
old_mmap(0x40172000, 7324, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x40172000
close(4) = 0
munmap(0x40165000, 30848) = 0
getpid() = 3185
lstat64("/tmp/.winbindd", {st_mode=S_IFDIR|0755, st_size=4096, ...}) = 0
lstat64("/tmp/.winbindd/pipe", {st_mode=S_IFSOCK|0777, st_size=0, ...}) = 0
socket(PF_UNIX, SOCK_STREAM, 0) = 4
fcntl64(4, F_GETFL) = 0x2 (flags O_RDWR)
fcntl64(4, F_SETFL, O_RDWR|O_NONBLOCK) = 0
fcntl64(4, F_GETFD) = 0
fcntl64(4, F_SETFD, FD_CLOEXEC) = 0
connect(4, {sa_family=AF_UNIX, path="/tmp/.winbindd/pipe"}, 110) = 0
select(5, [4], NULL, NULL, {0, 0}) = 0 (Timeout)
write(4, "$\7\0\0\0\0\0\0q\f\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"..., 1828) = 1828
select(5, [4], NULL, NULL, {5, 0}) = 1 (in [4], left {5, 0})
read(4, "\24\5\0\0\2\0\0\0\v\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"..., 1300) = 1300
select(5, [4], NULL, NULL, {0, 0}) = 0 (Timeout)
write(4, "$\7\0\0%\0\0\0q\f\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"..., 1828) = 1828
select(5, [4], NULL, NULL, {5, 0}) = 1 (in [4], left {5, 0})
read(4, "D\5\0\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"..., 1300) = 1300
select(5, [4], NULL, NULL, {5, 0}) = 1 (in [4], left {5, 0})
read(4, "/usr/local/samba//var/locks/winb"..., 48) = 48
lstat64("/usr/local/samba//var/locks/winbindd_privileged", {st_mode=S_IFDIR|0750, st_size=4096, ...}) = 0
lstat64("/usr/local/samba//var/locks/winbindd_privileged/pipe", {st_mode=S_IFSOCK|0777, st_size=0, ...}) = 0
socket(PF_UNIX, SOCK_STREAM, 0) = 5
fcntl64(5, F_GETFL) = 0x2 (flags O_RDWR)
fcntl64(5, F_SETFL, O_RDWR|O_NONBLOCK) = 0
fcntl64(5, F_GETFD) = 0
fcntl64(5, F_SETFD, FD_CLOEXEC) = 0
connect(5, {sa_family=AF_UNIX, path="/usr/local/samba//var/locks/winbindd_privileged/pipe"}, 110) = 0
close(4)
Sorry seem to have forgotten this extra info:

cat /usr/local/samba/lib/smb.conf
[global]
# separate domain and username with '\', like DOMAIN\username
winbind separator = +
# use uids from 10000 to 20000 for domain users
idmap uid = 10000-20000
# use gids from 10000 to 20000 for domain groups
idmap gid = 10000-20000
# allow enumeration of winbind users and groups
winbind enum users = yes
winbind enum groups = yes
# give winbind users a real shell (only needed if they have telnet access)
template homedir = /home/%U
template shell = /bin/bash
winbind cache time = 600
winbind trusted domains only = yes
workgroup = BSS
# to remove domain from username
# winbind use default domain = yes
obey pam restrictions = Yes
realm = bss.phy.private.cam.ac.uk
security = ADS
encrypt passwords = yes
password server = sd1.bss.phy.private.cam.ac.uk
# Example share definition
[public]
comment = Public data directory
read only = no
path = /sambapublic
user = @"BSS.PHY.PRIVATE.CAM.AC.UK+domain users"

# grep winbind /etc/nsswitch.conf
passwd: compat winbind
group: compat winbind

# ps -ef | grep -E 'winbind|nmbd'
root 3169 1 0 Jul29 ? 00:00:02 nmbd
root 3171 1 0 Jul29 ? 00:00:01 winbindd -d 5
root 3172 3171 0 Jul29 ? 00:00:00 winbindd -d 5
root 3173 3171 0 Jul29 ? 00:00:01 winbindd -d 5
Are you sure this should be set for your environment? "winbind trusted domains only = yes"? Are there any trusted domains available? (i.e. what is the output from wbinfo -u?)
*** Bug 2925 has been marked as a duplicate of this bug. ***
Argh. I think I was using:
  winbind trusted domains only = yes
to get rid of the prepended domain name from the getent passwd and group bits.

getent passwd now works.

wbinfo -m
BSS

That was from a previous setup using Samba 3 for single login for Windows and linux (+ one place for directory info), which does work. I tell myself RTM, and find:
  winbind use default domain = yes
That seems to work. I guess you can now close the bugs.

Interesting that this worked for 3.0.9, half worked for 3.0.14 (I think I got group not passwd using getent).

Thanks for looking at the problem.
If I could work out how to test getting the SFU properties from the Windows ADS I would happily try it. Found this:
"
Just as a heads up, Samba 3.0.20 will have support to utilize the SFU schema for winbindd if you want to. It's a new idmap plugin (idmap backend = ad). And you will be able to pull the home directory and shell information as well (winbind nss support = sfu).
"
and entries in the WHATSNEW.

Tried putting both settings in, but no luck:

w1:~# cat /usr/local/samba/lib/smb.conf
[global]
# separate domain and username with '\', like DOMAIN\username
winbind separator = +
# use uids from 10000 to 20000 for domain users
# idmap uid = 10000-20000
# use gids from 10000 to 20000 for domain groups
# idmap gid = 10000-20000
# allow enumeration of winbind users and groups
winbind enum users = yes
winbind enum groups = yes
# give winbind users a real shell (only needed if they have telnet access)
template homedir = /home/%U
template shell = /bin/bash
winbind cache time = 600
# winbind trusted domains only = yes
winbind use default domain = yes
idmap backend = ad
winbind nss support = sfu
workgroup = BSS
# to remove domain from username
# winbind use default domain = yes
obey pam restrictions = Yes
realm = bss.phy.private.cam.ac.uk
security = ADS
encrypt passwords = yes
password server = sd1.bss.phy.private.cam.ac.uk

I was expecting to have to use NIS to distribute the user and group info, but it looks like the SFU integration is going to be great.
Logs show things like this when I try getent passwd hoping to get uid and gid from ADS:

[2005/08/02 08:58:55, 1] nsswitch/winbindd_user.c:winbindd_getpwent(712)
  could not lookup domain user mr

For my sanity I checked that I do have gid and uid settings in AD for this user (mr) which are 500 and 100. I've also tried a few other settings in smb.conf like including the idmap uid and gid ranges (100 - 10000), but no luck. I assume I am missing something obvious.
Mike, if idmap backend = ad is not working, let's open a new bug for that. Same thing for any new problems with winbind nss support = sfu.
Maybe your problem has to do with misspelling "winbind nss support = sfu". It is actually "winbind nss info = sfu". Please reopen a new bug, as Jerry said, if you are seeing problems with either the SFU-support or the idmap_ad-module.
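
The two configuration problems this thread turns on (the "winbind trusted domains only = yes" setting questioned earlier, and the "winbind nss support" name corrected in the reply above) can be checked mechanically. The following is an added example, not code from the Samba project or from anyone in the thread; the function names, messages and sample file are constructed for illustration, and only those two findings are checked.

```python
import re

# Parameter names the thread identifies as wrong, mapped to the name given in the reply.
RENAMED = {"winbind nss support": "winbind nss info"}
TRUE_VALUES = {"yes", "true", "1"}  # boolean spellings treated as "enabled" here

def parse_global(text):
    """Return {normalized parameter name: (value, line number)} for [global]."""
    params, section = {}, None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line[0] in "#;":          # blank line or comment
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            section = header.group(1).strip().lower()
            continue
        if section == "global" and "=" in line:
            name, value = line.split("=", 1)
            # Normalize case and spacing so 'Winbind  NSS Support' still matches.
            params[" ".join(name.lower().split())] = (value.strip(), lineno)
    return params

def lint(text):
    """Return sorted (line number, message) findings for the two issues in the thread."""
    params, findings = parse_global(text), []
    for wrong, right in RENAMED.items():
        if wrong in params:
            findings.append((params[wrong][1], f"unknown name '{wrong}'; use '{right}'"))
    value, lineno = params.get("winbind trusted domains only", ("no", 0))
    if value.lower() in TRUE_VALUES:
        findings.append((lineno, "'winbind trusted domains only' is on; in this report "
                                 "getent passwd then listed no domain users"))
    return sorted(findings)

# Constructed sample: the reporter's two problem settings in one file.
SAMPLE = """\
[global]
workgroup = BSS
security = ADS
winbind trusted domains only = yes
idmap backend = ad
winbind nss support = sfu
[public]
path = /sambapublic
"""

if __name__ == "__main__":
    for lineno, message in lint(SAMPLE):
        print(f"line {lineno}: {message}")
```

On a host with Samba installed, testparm performs the authoritative check for unknown parameter names; this sketch only covers the two cases raised here.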
Sorry for the same, cleaning up the database to prevent unnecessary reopens of bugs.