[Solved] Domain users not listed in getent passwd
annapoorani
April 20th, 2010, 07:40
Domain users not listed in getent passwd. Only local POSIX users displayed.
My Configurations:
smb.conf:
#======================= Global Settings =====================================
[global]
workgroup = EXAMPLESERVER
realm=EXAMPLESERVER.COM
server string = OUR Server
security = ads
allow trusted domains =Yes
log file = /var/log/samba/log.%m
max log size = 1024
log level = 10
dns proxy = No
wins server = XXX.XXX.X.X
ldap ssl = no
idmap backend = ad
#idmap uid = 10000-20000
#idmap gid = 10000-20000
idmap uid = 12000
idmap gid = 3000-3500
#idmap uid = 16777216-33554431
#idmap gid = 16777216-33554431
template shell = /bin/bash
winbind use default domain = Yes
remote announce =255.255.255.0/EXAMPLESERVER
#client use spnego = yes
password server = XXX.XXX.X.X
auth methods = winbind
winbind separator = +
winbind enum users = yes
winbind enum groups = yes
winbind use default domain = no
#winbind nss info = sfu
encrypt passwords = yes
#============================ Share Definitions ==============================
[poorani]
comment = poorani Share
path=/tank/poorani-share
valid users = DOMAINSERVER+poorani, DOMAINSERVER+preethi,DOMAINSERVER+annapoorani
writable = yes
create mask = 0775
KRB5.CONF
[libdefaults]
default_realm = EXAMPLESERVER.COM
dns_lookup_realm=false
dns_lookup_kdc=false
ticket_lifetime=24h
forwardable=yes
krb4_config = /usr/kerberos/lib/krb.conf
krb4_realms = /usr/kerberos/lib/krb.realms
[realms]
EXAMPLESERVER.COM= {
kdc = XXX.XXX.X.XX
}
[domain_realm]
.exampleserver.com = EXAMPLESERVER.COM
.exampleserver=EXAMPLESERVER
exampleserver=EXAMPLESERVER
*************************************
/etc/pam.d/login
# auth
auth sufficient pam_self.so no_warn
auth include system
auth sufficient /usr/local/lib/pam_winbind.so
# account
account requisite pam_securetty.so
account required pam_nologin.so
account include system
account sufficient /usr/local/lib/pam_winbind.so
# session
session include system
# password
password include system
***********************
wbinfo -u and wbinfo -g display domain users and groups,
but getent passwd won't.
What is missing here?
joe2010
September 10th, 2010, 18:21
Hello,
it looks like I have the same problem here.
I am trying to set up Samba as ActiveDirectory Domain Member.
PDC is a Windows 2008 server.
I built Samba34 and Kerberos5 from ports.
Samba + LDAP, ADS, WINBIND, EXP_MODULES, POPT
Krb5 + DNS_FOR_REALM
I can get Kerberos tickets:
# kinit Administrator@DOMAIN
# klist
Credentials cache: FILE:/tmp/krb5cc_0
Principal: Administrator@DOMAIN
Issued Expires Principal
Sep 10 18:51:44 Sep 11 04:51:44 krbtgt/DOMAIN@DOMAIN
I can join the Domain:
# net ads join -U Administrator
Using short domain name -- DOMAIN
Joined 'DC1' to realm 'domain.*'
# net ads info
LDAP server: *.*.*.*
LDAP server name: DC.domain.*
Realm: DOMAIN.*
Bind Path: dc=DOMAIN,dc=*,dc=*,dc=*
LDAP port: 389
Server time: Fri, 10 Sep 2010 18:59:52 CEST
KDC server: *.*.*.*
Server time offset: -29
I can list remote groups and users:
# wbinfo -u
administrator
guest
...
# wbinfo -g
domain admins
domain users
domain guests
...
But I cannot access the shares:
# smbclient -L localhost -U Administrator
session setup failed: NT_STATUS_LOGON_FAILURE
Also 'getent passwd' and 'getent group' display only the local users.
/usr/local/etc/smb.conf
[global]
security = ADS
workgroup = DOMAIN
realm = domain.*
wins server = dc.domain.*
password server = dc.domain.*
winbind uid = 1000 - 20000
winbind gid = 1000 - 20000
winbind enum users = Yes
winbind enum groups = Yes
winbind use default domain = Yes
winbind refresh tickets = Yes
winbind nested groups = No
#winbind separator = +
idmap uid = 1000 - 20000
idmap gid = 1000 - 20000
idmap config DOMAIN : backend = rid
idmap config DOMAIN : base_rid = 1000
idmap config DOMAIN : range = 1000 - 20000
/etc/nsswitch.conf
group: files winbind
group_compat: nis
hosts: files dns wins
networks: files
passwd: files winbind
passwd_compat: nis
shells: files
services: compat
services_compat: nis
protocols: files
rpc: files
This is now my third day searching the Samba docs, forums, mailing lists and the internet... -.-
It looks like winbind is properly set up (wbinfo is working), but when samba tries to authenticate a request through nsswitch it fails.
I am very thankful for every kind of help.
joe2010
September 10th, 2010, 22:05
Hello,
I made a step forward.
My idmap config was incorrect:
- Winbind uid/gid is an alias for idmap uid/gid, so it is redundant.
- Idmap rid backend isn't writable, therefore it can't cache the mappings. See man idmap_rid. So we need to enable for example TDB.
- The entry base_rid is deprecated and unneeded.
The resulting /usr/local/etc/smb.conf
[global]
security = ADS
workgroup = DOMAIN
realm = domain.*
wins server = dc.domain.*
password server = dc.domain.*
winbind enum users = Yes
winbind enum groups = Yes
winbind use default domain = Yes
winbind refresh tickets = Yes
winbind nested groups = No
#winbind separator = +
idmap backend = tdb
idmap uid = 10000 - 20000
idmap gid = 10000 - 20000
idmap config DOMAIN : backend = rid
idmap config DOMAIN : range = 10000 - 20000
passdb backend = tdbsam # should be default
Now 'getent passwd' and 'getent group' display both local and remote users/groups.
But still my remote users can't use the samba shares...
/var/log/samba34/log.smbd
auth/auth.c:222(check_ntlm_password)
check_ntlm_password: Checking password for unmapped user [WORKGROUP]\[Administrator]@[HOST] with the new password interface
auth/auth.c:225(check_ntlm_password)
check_ntlm_password: mapped user is: [DC1]\[Administrator]@[HOST]
auth/auth_sam.c:350(check_sam_security)
check_sam_security: Couldn't find user 'Administrator' in passdb.
auth/auth_winbind.c:54(check_winbind_security)
check_winbind_security: Not using winbind, requested domain [DC1] was for this SAM.
auth/auth.c:320(check_ntlm_password)
check_ntlm_password: Authentication for user [Administrator] -> [Administrator] FAILED with error NT_STATUS_NO_SUCH_USER
The log snippet shows an attempt to access the shares.
Again my call: Please help.
Thanks
joe2010
September 11th, 2010, 03:56
Hello,
it's solved now.
I needed a supplementary entry in smb.conf:
map untrusted to domain = Yes
For further explanation see the Samba 3.4.0 changelog (http://www.samba.org/samba/history/samba-3.4.0.html) under section "Authentication Changes" and the Samba doc (http://www.samba.org/samba/docs/man/manpages-3/smb.conf.5.html#MAPUNTRUSTEDTODOMAIN).
Cya... hoping for more answers the next time.
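A small linter for the smb.conf mistakes joe2010's two replies above point out (the redundant winbind uid/gid alias, a read-only rid backend without an explicit writable tdb default, the deprecated base_rid entry, a non-range idmap value, and the missing map untrusted to domain). This is an added example, not code from this thread or from Samba; the sample config below is constructed and the function name is my own.

```python
import configparser
import re

# Constructed sample modelled on the configs posted in this thread (not any poster's exact file).
SAMPLE_SMB_CONF = """
[global]
winbind uid = 1000 - 20000
idmap uid = 12000
idmap gid = 1000 - 20000
idmap config DOMAIN : backend = rid
idmap config DOMAIN : base_rid = 1000
idmap config DOMAIN : range = 1000 - 20000
passdb backend = tdbsam # trailing comment, as in the thread
"""

RANGE_RE = re.compile(r"^\d+\s*-\s*\d+$")  # idmap uid/gid must be "low - high"

def lint_smb_conf(text):
    """Return warnings for the idmap/winbind mistakes the thread's replies point out."""
    # Only '=' separates key and value, so 'idmap config DOMAIN : backend' stays one key.
    cp = configparser.ConfigParser(delimiters=("=",), inline_comment_prefixes=("#", ";"),
                                   strict=False, interpolation=None)
    cp.read_string(text)
    if "global" not in cp:
        return ["no [global] section found"]
    g = {k.strip(): v.strip() for k, v in cp["global"].items()}  # keys are lowercased by configparser
    warnings = []
    for alias in ("winbind uid", "winbind gid"):
        if alias in g:
            warnings.append(f"'{alias}' is a redundant alias for '{alias.replace('winbind', 'idmap')}'")
    for key in ("idmap uid", "idmap gid"):
        if key in g and not RANGE_RE.match(g[key]):
            warnings.append(f"'{key} = {g[key]}' is not a low-high range")
    rid_domains = []
    for k, v in g.items():
        m = re.match(r"idmap config (\S+) : backend$", k)
        if m and v.lower() == "rid":
            rid_domains.append(m.group(1))
    if rid_domains and g.get("idmap backend", "").lower() != "tdb":
        warnings.append(f"rid backend for {', '.join(rid_domains)} is read-only; "
                        "set an explicit writable default 'idmap backend = tdb'")
    for k in g:
        if k.endswith(": base_rid"):
            warnings.append(f"'{k}' is deprecated and unneeded")
    if g.get("map untrusted to domain", "no").lower() not in ("yes", "true", "1"):
        warnings.append("'map untrusted to domain = Yes' missing: logons sent with the server's "
                        "own name as domain are looked up in the local passdb, not via winbind")
    return warnings
```

Run it against the sample and it reports five warnings, one per mistake; a config that applies joe2010's fixes reports none.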
jyavenard
February 5th, 2011, 10:14
I've been running into the exact same problem; unfortunately I'm getting nowhere :(
I've copied the exact same configuration above (and the one from hundreds of web sites):
[global]
security = ADS
workgroup = MEL
realm = mel.domain.com
wins server = ad.domain.com
password server = ad.domain.com
winbind uid = 1000 - 20000
winbind gid = 1000 - 20000
winbind enum users = Yes
winbind enum groups = Yes
winbind use default domain = Yes
winbind refresh tickets = Yes
winbind nested groups = No
#winbind separator = +
idmap uid = 1000 - 20000
idmap gid = 1000 - 20000
idmap config MEL : backend = rid
idmap config MEL : base_rid = 1000
idmap config MEL : range = 1000 - 20000
map untrusted to domain = Yes
I also compiled samba with -DDEBUG_NSS in order to determine what was going on.
wbinfo -u and wbinfo -g properly show all the usernames and groups defined on the AD.
However, getent passwd only returns the local users:
group: files winbind
#group_compat: ldap
hosts: files dns
networks: files
passwd: files winbind
#passwd: compat
#passwd_compat: winbind
shells: files
services: files
protocols: files
rpc: files
getent passwd returns:
# getent passwd
[22522]: endpwent
[22522]: endpwent returns NSS_STATUS_SUCCESS (1)
... list of local users
[22522]: getpwent
[22522]: getpwent returns NSS_STATUS_NOTFOUND (0)
[22522]: setpwent
[22522]: setpwent returns NSS_STATUS_SUCCESS (1)
The debug information shown leads me to believe that nss_winbind is properly called.
# net ads info
LDAP server: 192.168.0.3
LDAP server name: ad.domain.com
Realm: MEL.DOMAIN.COM
Bind Path: dc=MEL,dc=DOMAIN,dc=COM
LDAP port: 389
Server time: Sat, 05 Feb 2011 20:13:24 EST
KDC server: 192.168.0.3
Server time offset: 9
So what am I missing? :(
Thank you for your help
Jean-Yves
von_Gaden
April 4th, 2011, 22:21
I have exactly the same problem with almost the same configurations. I have been trying to solve this for about two years (FreeBSD 7) with no significant success... You may take a look at this old thread: http://lists-archives.org/samba/49286-freebsd-7-2-domain-member-problem-partially-solved.html
Well, the solution is not exactly a solution and it does not work with FreeBSD 8.2 and last samba 3.5 from ports. I need a very simple setup, without LDAP for nsswitch, no PAM. I just want fileserver functionality - to set permissions for AD domain users / groups on FreeBSD Samba files or shares.
If someone is interested I'll post my configuration files.
Best wishes,
Ivo
jyavenard
April 5th, 2011, 07:04
Use Samba 3.4 then.
You have to choose between:
Getting the ACL to work properly from Windows: use 3.5
Getting winbind to work: you must use samba 3.4
take your pick :(
von_Gaden
April 5th, 2011, 22:33
Thank you for your quick reply!
I must admit I was a little shocked reading it. I would not have imagined working code in Samba 3.4 being abandoned in 3.5...
But you were right! 3.4 works fine with the same configuration with which 3.5 fails to show users/groups with getent, but shows them with wbinfo, id, pw.
Common for both versions is non-working RID IDmap backend. I tried a lot of variations in its configuration including this thread with no success at all. But still TDB does enough for me.
I am using FreeBSD as server OS since 2003 and I doubt that annoying Samba malfunctions like these are OS dependent. That is my not-proved conviction since I did no tests with other OS yet.
I'd ask if you can tell me in short what is the problem with ACLs in 3.4?
jyavenard
April 6th, 2011, 07:08
Thank you for your quick reply!
But you were right! 3.4 works fine with the same configuration with which 3.5 fails to show users/groups with getent, but shows them with wbinfo, id, pw.
It is something I learned the hard way unfortunately.
I'd ask if you can tell me in short what is the problem with ACLs in 3.4?
Support for sunacl (FreeBSD version of ZFS/NFS4 ACL) was only added in Samba 3.5. When checking the permissions from Windows: things do not always appear properly, nor can you set them from Windows.
No such problem with 3.5; but then I can't use winbind.. I chose winbind over ACLs so I went with Samba 3.4.
I did find a way to get winbind to work with 3.5. But it's dirty as, and not really working :)
I installed Samba 3.4; called getent; samba/winbind then creates a cache of all the usernames and groups. Then if you uninstall 3.4 and install 3.5 on top, you can use winbind as it uses the old cache created by 3.4.
Obviously, it's not something you would want to use... But it just shows that the problem is within samba.
von_Gaden
April 7th, 2011, 18:54
If it's Samba 3.5 we probably should notify the Samba team. Or it may be something in ports? Some debugging may help and I have an experimental system, but how can I do it? Is there any clue - howto or something?
tms3
November 11th, 2011, 07:22
Thanks for the info.
von_Gaden
November 11th, 2011, 09:13
I forgot to mention that, since Samba 3.5.6, everything suddenly works OK with the same configuration.
tms3
November 12th, 2011, 08:10
3.6 works like a champ. That's what I should have said.
jyavenard
December 11th, 2011, 10:38
I forgot to mention that, since Samba 3.5.6, everything suddenly works OK with the same configuration.
I've just upgraded to samba 3.5.11 and it does exactly the same as before. wbinfo -u or wbinfo -g list all the users, no problem. But getent passwd shows no users whatsoever :( And 3.6 doesn't compile for me :(
Back to 3.4.