Bug 2929 - samba-3.0.20rc1 getent passwd and getent group do not work, but wbinfo -t, -g and -u do with Windows 2003 domain membership
Status: CLOSED FIXED
Alias: None
Product: Samba 3.0
Classification: Unclassified
Component: winbind
Version: 3.0.20
Hardware: x86 Linux
Importance: P3 regression
Target Milestone: none
Assignee: Gerald (Jerry) Carter (dead mail address)
QA Contact: Samba QA Contact
Duplicates: 2925
Reported: 2005-07-29 07:30 UTC by Mike Rose
Modified: 2005-08-24 10:25 UTC
Description Mike Rose 2005-07-29 07:30:10 UTC
samba-3.0.20rc1 compiled on Suse 9.1 Pro against heimdal-0.7 and openldap-2.2.26.

SFU3.5 is installed on the Windows2003 Server SP1.

Details:
"
[2005/07/29 15:25:00, 0] utils/net_ads.c:ads_startup(191)
  ads_connect: Unknown code krb5 6
w1:/scratch/samba-3.0.20pre2/source/nsswitch# !kin
kinit Administrator@BSS.PHY.PRIVATE.CAM.AC.UK
Administrator@BSS.PHY.PRIVATE.CAM.AC.UK's Password: 
w1:/scratch/samba-3.0.20pre2/source/nsswitch# net ads join
Using short domain name -- BSS
Joined 'W1' to realm 'BSS.PHY.PRIVATE.CAM.AC.UK'
w1:/scratch/samba-3.0.20pre2/source/nsswitch# nmbd
w1:/scratch/samba-3.0.20pre2/source/nsswitch# winbindd -d 10
w1:/scratch/samba-3.0.20pre2/source/nsswitch# wbinfo -t
checking the trust secret via RPC calls succeeded
w1:/scratch/samba-3.0.20pre2/source/nsswitch# wbinfo -u
Administrator
Guest
SUPPORT_388945a0
SD1$
krbtgt
bob
mr
w1$
w1:/scratch/samba-3.0.20pre2/source/nsswitch# wbinfo -g
Domain Computers
Domain Controllers
Schema Admins
Enterprise Admins
Domain Admins
Domain Users
Domain Guests
Group Policy Creator Owners
w1:/scratch/samba-3.0.20pre2/source/nsswitch# getent passwd
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/bin/bash
daemon:x:2:2:Daemon:/sbin:/bin/bash
w1:/scratch/samba-3.0.20pre2/source/nsswitch# getent passwd
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/bin/bash
daemon:x:2:2:Daemon:/sbin:/bin/bash
lp:x:4:7:Printing daemon:/var/spool/lpd:/bin/bash
mail:x:8:12:Mailer daemon:/var/spool/clientmqueue:/bin/false
news:x:9:13:News system:/etc/news:/bin/bash
uucp:x:10:14:Unix-to-Unix CoPy system:/etc/uucp:/bin/bash
man:x:13:62:Manual pages viewer:/var/cache/man:/bin/bash
at:x:25:25:Batch jobs daemon:/var/spool/atjobs:/bin/bash
sshd:x:71:65:SSH daemon:/var/lib/sshd:/bin/false
nobody:x:65534:65533:nobody:/var/lib/nobody:/bin/bash
exim:x:51:51:Exim MTA:/:/bin/sh
ldap:x:76:70:User for OpenLDAP:/var/lib/ldap:/bin/bash
w1:/scratch/samba-3.0.20pre2/source/nsswitch# ll /lib/libnss_winbind.so
-rwxr-xr-x  1 root root 21084 Jul 29 14:27 /lib/libnss_winbind.so
w1:/scratch/samba-3.0.20pre2/source/nsswitch# ll /lib/libnss_winbind.so.2 
lrwxrwxrwx  1 root root 22 Jul 28 09:19 /lib/libnss_winbind.so.2 -> /lib/libnss_winbind.so
w1:/scratch/samba-3.0.20pre2/source/nsswitch# cat /etc/nsswitch.conf | grep winbind
passwd:     compat winbind
group:      compat winbind
"

The winbindd log (log.winbindd log level 10) shows this for getent passwd:
"
[2005/07/29 15:28:00, 6] nsswitch/winbindd.c:new_connection(603)
  accepted socket 20
[2005/07/29 15:28:00, 10] nsswitch/winbindd.c:process_request(332)
  process_request: request fn INTERFACE_VERSION
[2005/07/29 15:28:00, 3] nsswitch/winbindd_misc.c:winbindd_interface_version(460)
  [    0]: request interface version
[2005/07/29 15:28:00, 10] nsswitch/winbindd.c:process_request(332)
  process_request: request fn WINBINDD_PRIV_PIPE_DIR
[2005/07/29 15:28:00, 3] nsswitch/winbindd_misc.c:winbindd_priv_pipe_dir(493)
  [    0]: request location of privileged pipe
[2005/07/29 15:28:00, 6] nsswitch/winbindd.c:new_connection(603)
  accepted socket 21
[2005/07/29 15:28:00, 10] nsswitch/winbindd.c:process_request(332)
  process_request: request fn SETPWENT
[2005/07/29 15:28:00, 3] nsswitch/winbindd_user.c:winbindd_setpwent_internal(429)
  [    0]: setpwent
[2005/07/29 15:28:00, 10] nsswitch/winbindd.c:process_request(332)
  process_request: request fn GETPWENT
[2005/07/29 15:28:00, 3] nsswitch/winbindd_user.c:winbindd_getpwent(623)
  [    0]: getpwent
[2005/07/29 15:28:00, 10] nsswitch/winbindd.c:process_request(332)
  process_request: request fn ENDPWENT
[2005/07/29 15:28:00, 3] nsswitch/winbindd_user.c:winbindd_endpwent(505)
  [    0]: endpwent
"

and for getent group:
"
[2005/07/29 15:28:31, 6] nsswitch/winbindd.c:new_connection(603)
  accepted socket 20
[2005/07/29 15:28:31, 10] nsswitch/winbindd.c:process_request(332)
  process_request: request fn INTERFACE_VERSION
[2005/07/29 15:28:31, 3] nsswitch/winbindd_misc.c:winbindd_interface_version(460)
  [    0]: request interface version
[2005/07/29 15:28:31, 10] nsswitch/winbindd.c:process_request(332)
  process_request: request fn WINBINDD_PRIV_PIPE_DIR
[2005/07/29 15:28:31, 3] nsswitch/winbindd_misc.c:winbindd_priv_pipe_dir(493)
  [    0]: request location of privileged pipe
[2005/07/29 15:28:31, 6] nsswitch/winbindd.c:new_connection(603)
  accepted socket 21
[2005/07/29 15:28:31, 10] nsswitch/winbindd.c:process_request(332)
  process_request: request fn SETGRENT
[2005/07/29 15:28:31, 3] nsswitch/winbindd_group.c:winbindd_setgrent_internal(382)
  [    0]: setgrent
[2005/07/29 15:28:31, 10] nsswitch/winbindd.c:process_request(332)
  process_request: request fn GETGRENT
[2005/07/29 15:28:31, 3] nsswitch/winbindd_group.c:winbindd_getgrent(578)
  [    0]: getgrent
[2005/07/29 15:28:31, 10] nsswitch/winbindd_group.c:winbindd_getgrent(626)
  entry_index = 0, num_entries = 0
[2005/07/29 15:28:31, 4] nsswitch/winbindd_group.c:get_sam_group_entries(521)
  get_sam_group_entries: Native Mode 2k domain; enumerating local groups as well
[2005/07/29 15:28:31, 3] nsswitch/winbindd_group.c:get_sam_group_entries(526)
  get_sam_group_entries: Failed to enumerate domain local groups!
[2005/07/29 15:28:31, 10] nsswitch/winbindd_group.c:winbindd_getgrent(633)
  freeing state info for domain BUILTIN
[2005/07/29 15:28:31, 4] nsswitch/winbindd_group.c:get_sam_group_entries(521)
  get_sam_group_entries: Native Mode 2k domain; enumerating local groups as well
[2005/07/29 15:28:31, 3] nsswitch/winbindd_group.c:get_sam_group_entries(526)
  get_sam_group_entries: Failed to enumerate domain local groups!
[2005/07/29 15:28:31, 10] nsswitch/winbindd_group.c:winbindd_getgrent(633)
  freeing state info for domain W1
[2005/07/29 15:28:31, 10] nsswitch/winbindd.c:process_request(332)
  process_request: request fn ENDGRENT
[2005/07/29 15:28:31, 3] nsswitch/winbindd_group.c:winbindd_endgrent(444)
  [    0]: endgrent
"


I can provide a remote login to the linux computer if that would help.
Comment 1 Mike Rose 2005-07-29 07:33:56 UTC
net ads status shows lots of info that looks right.

excerpts from strace -o log getent passwd:

"
open("/lib/libnss_winbind.so.2", O_RDONLY) = 4
read(4, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0@\22\0\000"..., 512) = 512
fstat64(4, {st_mode=S_IFREG|0755, st_size=21084, ...}) = 0
old_mmap(NULL, 27804, PROT_READ|PROT_EXEC, MAP_PRIVATE, 4, 0) = 0x4016d000
madvise(0x4016d000, 27804, MADV_SEQUENTIAL|0x1) = 0
old_mmap(0x40171000, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED, 4, 0x3000) = 0x40171000
old_mmap(0x40172000, 7324, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x40172000
close(4)                                = 0
munmap(0x40165000, 30848)               = 0
getpid()                                = 3185
lstat64("/tmp/.winbindd", {st_mode=S_IFDIR|0755, st_size=4096, ...}) = 0
lstat64("/tmp/.winbindd/pipe", {st_mode=S_IFSOCK|0777, st_size=0, ...}) = 0
socket(PF_UNIX, SOCK_STREAM, 0)         = 4
fcntl64(4, F_GETFL)                     = 0x2 (flags O_RDWR)
fcntl64(4, F_SETFL, O_RDWR|O_NONBLOCK)  = 0
fcntl64(4, F_GETFD)                     = 0
fcntl64(4, F_SETFD, FD_CLOEXEC)         = 0
connect(4, {sa_family=AF_UNIX, path="/tmp/.winbindd/pipe"}, 110) = 0
select(5, [4], NULL, NULL, {0, 0})      = 0 (Timeout)
write(4, "$\7\0\0\0\0\0\0q\f\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"..., 1828) = 1828
select(5, [4], NULL, NULL, {5, 0})      = 1 (in [4], left {5, 0})
read(4, "\24\5\0\0\2\0\0\0\v\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"..., 1300) = 1300
select(5, [4], NULL, NULL, {0, 0})      = 0 (Timeout)
write(4, "$\7\0\0%\0\0\0q\f\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"..., 1828) = 1828
select(5, [4], NULL, NULL, {5, 0})      = 1 (in [4], left {5, 0})
read(4, "D\5\0\0\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"..., 1300) = 1300
select(5, [4], NULL, NULL, {5, 0})      = 1 (in [4], left {5, 0})
read(4, "/usr/local/samba//var/locks/winb"..., 48) = 48
lstat64("/usr/local/samba//var/locks/winbindd_privileged", {st_mode=S_IFDIR|0750, st_size=4096, ...}) = 0
lstat64("/usr/local/samba//var/locks/winbindd_privileged/pipe", {st_mode=S_IFSOCK|0777, st_size=0, ...}) = 0
socket(PF_UNIX, SOCK_STREAM, 0)         = 5
fcntl64(5, F_GETFL)                     = 0x2 (flags O_RDWR)
fcntl64(5, F_SETFL, O_RDWR|O_NONBLOCK)  = 0
fcntl64(5, F_GETFD)                     = 0
fcntl64(5, F_SETFD, FD_CLOEXEC)         = 0
connect(5, {sa_family=AF_UNIX, path="/usr/local/samba//var/locks/winbindd_privileged/pipe"}, 110) = 0
close(4)          

Comment 2 Mike Rose 2005-08-01 05:00:52 UTC
Sorry seem to have forgotten this extra info:
cat /usr/local/samba/lib/smb.conf
[global]
# separate domain and username with '\', like DOMAIN\username
winbind separator = +
# use uids from 10000 to 20000 for domain users
 idmap uid = 10000-20000
# use gids from 10000 to 20000 for domain groups
 idmap gid = 10000-20000
# allow enumeration of winbind users and groups
winbind enum users = yes
winbind enum groups = yes
# give winbind users a real shell (only needed if they have telnet access)
template homedir = /home/%U
template shell = /bin/bash
winbind cache time = 600
winbind trusted domains only = yes

workgroup = BSS

# to remove domain from username
# winbind use default domain = yes
obey pam restrictions = Yes

realm = bss.phy.private.cam.ac.uk
security = ADS
encrypt passwords = yes
password server = sd1.bss.phy.private.cam.ac.uk

# Example share definition

[public]
comment = Public data directory
read only = no
path = /sambapublic
user = @"BSS.PHY.PRIVATE.CAM.AC.UK+domain users"


#grep winbind /etc/nsswitch.conf
passwd:     compat winbind
group:      compat winbind

# ps -ef | grep -E 'winbind|nmbd'
root      3169     1  0 Jul29 ?        00:00:02 nmbd
root      3171     1  0 Jul29 ?        00:00:01 winbindd -d 5
root      3172  3171  0 Jul29 ?        00:00:00 winbindd -d 5
root      3173  3171  0 Jul29 ?        00:00:01 winbindd -d 5

Comment 3 Gerald (Jerry) Carter (dead mail address) 2005-08-01 13:58:33 UTC
Are you sure this should be set for your environment?
"winbind trusted domains only = yes"?  Are there any trusted 
domains available?  (i.e. what is the output from wbinfo -u?)
Comment 4 Gerald (Jerry) Carter (dead mail address) 2005-08-01 16:50:28 UTC
*** Bug 2925 has been marked as a duplicate of this bug. ***
Comment 5 Mike Rose 2005-08-02 00:31:15 UTC
Argh.
I think I was using:
winbind trusted domains only = yes
to get rid of the prepended domain name from the getent passwd and group bits.
getent passwd now works.

wbinfo -m
BSS

That was from a previous setup using Samba 3 for single login for Windows and
linux (+ one place for directory info), which does work.

I tell myself RTM, and find:
winbind use default domain = yes
That seems to work.

I guess you can now close the bugs. Interesting that this worked for 3.0.9, half
worked for 3.0.14 (I think I got group not passwd using getent).

Thanks for looking at the problem.



Comment 6 Mike Rose 2005-08-02 00:57:19 UTC
If I could work out how to test getting the SFU properties from the Windows ADS
I would happily try it.

Found this:
"
Just as a heads up, Samba 3.0.20 will have support to
utilize the SFU schema for winbindd if you want to.
It's a new idmap plugin (idmap backend = ad).  And you will
be able to pull the home directory and shell information
as well (winbind nss support = sfu).
"
and entries in the WHATSNEW
Tried putting both settings in, but no luck:

w1:~# cat /usr/local/samba/lib/smb.conf 
[global]
# separate domain and username with '\', like DOMAIN\username
winbind separator = +
# use uids from 10000 to 20000 for domain users
# idmap uid = 10000-20000
# use gids from 10000 to 20000 for domain groups
# idmap gid = 10000-20000
# allow enumeration of winbind users and groups
winbind enum users = yes
winbind enum groups = yes
# give winbind users a real shell (only needed if they have telnet access)
template homedir = /home/%U
template shell = /bin/bash
winbind cache time = 600
# winbind trusted domains only = yes
winbind use default domain = yes

idmap backend = ad
winbind nss support = sfu

workgroup = BSS

# to remove domain from username
# winbind use default domain = yes
obey pam restrictions = Yes

realm = bss.phy.private.cam.ac.uk
security = ADS
encrypt passwords = yes
password server = sd1.bss.phy.private.cam.ac.uk



I was expecting to have to use NIS to distribute the user and group info, but it
looks like the SFU integration is going to be great.
Comment 7 Mike Rose 2005-08-02 01:12:10 UTC
Logs show things like this when I try getent passwd hoping to get uid and gid
from ADS:

[2005/08/02 08:58:55, 1] nsswitch/winbindd_user.c:winbindd_getpwent(712)
  could not lookup domain user mr

For my sanity I checked that I do have gid and uid settings in AD for this user
(mr) which are 500 and 100. I've also tried a few other settings in smb.conf
like including the idmap uid and gid ranges (100 - 10000), but no luck.
I assume I am missing something obvious.
Comment 8 Gerald (Jerry) Carter (dead mail address) 2005-08-02 09:40:25 UTC
Mike,

if idmap backend = ad is not working, let's open a new bug for that. 
Same thing for any new problems with winbind nss support = sfu.
Comment 9 Guenther Deschner 2005-08-02 15:12:39 UTC
Maybe your problem has to do with misspelling

"winbind nss support = sfu"

It is actually "winbind nss info = sfu".

Please reopen a new bug, as jerry said, if you are seeing problems with either
the SFU-support or the idmap_ad-module.
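
Added example (not part of the original report and not Samba project code): a small smb.conf check for the two configuration problems found in this thread, the misspelled "winbind nss support" and the enabled "winbind trusted domains only". The KNOWN list holds only parameter names that appear on this page, which is an assumption; the sample inputs are excerpts of the configs posted in Comments 2 and 6.

```python
import difflib

# Names seen on this page only (assumption); use the full smb.conf(5) list in practice.
KNOWN = [
    "winbind separator", "winbind enum users", "winbind enum groups",
    "winbind cache time", "winbind trusted domains only",
    "winbind use default domain", "winbind nss info", "idmap backend",
    "idmap uid", "idmap gid", "template homedir", "template shell",
    "workgroup", "realm", "security", "encrypt passwords",
    "password server", "obey pam restrictions",
]

def squash(name):
    # smb.conf ignores case and whitespace inside parameter names
    return "".join(name.lower().split())

CANON = {squash(p): p for p in KNOWN}

def parse_global(text):
    """Return {squashed name: (name as written, value)} for [global]."""
    params, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "global" and "=" in line:
            name, value = line.split("=", 1)
            params[squash(name)] = (name.strip(), value.strip())
    return params

def lint(text):
    findings, params = [], parse_global(text)
    for key, (name, _) in params.items():
        if key not in CANON:  # unrecognised name: suggest the closest known one
            near = difflib.get_close_matches(key, list(CANON), n=1, cutoff=0.6)
            hint = f"; did you mean '{CANON[near[0]]}'?" if near else ""
            findings.append(f"unknown parameter '{name}'{hint}")
    trusted_only = params.get("winbindtrusteddomainsonly", ("", "no"))[1]
    if trusted_only.lower() in ("yes", "true", "1"):
        findings.append("'winbind trusted domains only' is enabled; in this "
                        "report getent passwd listed no domain users with it")
    return findings
# Excerpts of the two smb.conf files posted in this report (Comments 2 and 6)
COMMENT_2 = "[global]\nwinbind enum users = yes\nwinbind trusted domains only = yes\n"
COMMENT_6 = "[global]\n# winbind trusted domains only = yes\nidmap backend = ad\nwinbind nss support = sfu\n"

if __name__ == "__main__":
    for cfg in (COMMENT_2, COMMENT_6):
        print(lint(cfg))
```
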
Comment 10 Gerald (Jerry) Carter (dead mail address) 2005-08-24 10:25:28 UTC
sorry for the same, cleaning up the database to prevent unnecessary reopens of bugs.