Quantcast

Re: getent passwd does not list trusted users

classic Classic list List threaded Threaded
5 messages Options
Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

Re: getent passwd does not list trusted users

timnboys
I have been looking at
http://samba.2283325.n4.nabble.com/Trusted-domain-users-unwantedly-mapping-onto-local-domain-users-td3005928.html
and I think that if you add this in your nsswitch.conf like it says in the
website above:
if you already have the passwd: files ldap and group: files ldap in your
nsswitch.conf then just add winbind to the end of the lines of the passwd
and group lines. just like it is shown below: If you need any more help just
email me back, and I will try to help you.

*passwd*: files ldap winbind
  group: files ldap winbind

> ---------- Forwarded message ----------
> From: Gaiseric Vandal <[hidden email]>
> To: Samba <[hidden email]>
> Date: Mon, 06 Jun 2011 12:04:14 -0400
> Subject: [Samba] getent passwd does not list trusted users
> I am running Samba 3.5.5 on Solaris 10.  This is the latest Sun/Oracle
> provided build.  I have an ldap backend for everything (unix+samba accounts,
> idmapping for domain trusts.)  The Samba server is a PDC for a domain we can
> call "SAMBA."    Each samba account is tied to a unix account.
>
> I have a one-way  domain trust setup with a Windows 2003 domain which we
> can call "WIN2003."  SAMBA trusts WIN2003.   "getent passwd" and "getent
> group" seem to fundamentally be working (depending on syntax)  BUT "getent
> passwd" does NOT list trusted users.
>
>
> On the solaris machine:
>
> ---------------------------------------------------------------------------------------------------------------------------------------------------------------
> "wbinfo -u"  and "wbinfo -g"    lists all users in this domain + the
> WIN2003 domain.   For the SAMBA users, the domain name is stripped out.
>
>
>  "getent passwd" -  lists all "unix" users (in ldap or /etc/passwd.)
>        It does not list the samba users -  which is the expected and
> desired behaviour.
>        I had expected it to list users from the WIN2003 domain.
>
>
> "getent group"  -  lists all "unix" groups  (in ldap or /etc/passwd)
>        It does not listed the SAMBA groups - which is the expected and
> desired behaviour.
>        It does list WIN2003 groups-  which is  also the expected and
> desired behaviour.
>
>
> "getent passwd SAMBA\\user" -  shows uid, gid, home directory, shell
> "getent passwd WIN2003\\user" -  shows uid, gid, home directory, shell
>
> "getent group SAMBA\\group" -  shows gid, members
> "getent group WIN2003\\group" -  shows gid, members
>
>
> "id SAMBA\\user" -  shows uid and gid
> "id  WIN2003 \\user" -  shows uid and gid
>
>
> ---------------------------------------------------------------------------------------------------------------------------------------------------------------
>
>
> I can use chown and other commands from solaris command line  to grant
> rights to a user from the trusted domain.  However, in a Windows machine in
> samba domain, when setting file permissions, I can not see the trusted
> domain.
>
>
> Any thoughts?
>
>
> Thanks
--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba
Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

Re: getent passwd does not list trusted users

Gaiseric Vandal
I do have the entries in /etc/nswitch.conf

The "getent passwd"  won't list the winbind users although I can get
details on a specific user with the "getent passwd
SOMEDOMAIN\\someuser"   common


I looked in the /var/samba/locks directory -

I have a winbindd_cache.tdb file that is current.  I don't have a
current idmap_cache.tdb file anymore.  Not sure I need one.   I
initially stated with samba 3.0.x, then upgraded to 3.4.x, then to
3.5.x, and it seems with .X upgrade that the configuration for winbind
and idmapping changes.


This may be a bug in Solaris itself rather than samba.





On 06/06/2011 02:28 PM, timothy mcdaniel wrote:

> I have been looking at
> http://samba.2283325.n4.nabble.com/Trusted-domain-users-unwantedly-mapping-onto-local-domain-users-td3005928.html
> and I think that if you add this in your nsswitch.conf like it says in the
> website above:
> if you already have the passwd: files ldap and group: files ldap in your
> nsswitch.conf then just add winbind to the end of the lines of the passwd
> and group lines. just like it is shown below: If you need any more help just
> email me back, and I will try to help you.
>
> *passwd*: files ldap winbind
>    group: files ldap winbind
>
>> ---------- Forwarded message ----------
>> From: Gaiseric Vandal<[hidden email]>
>> To: Samba<[hidden email]>
>> Date: Mon, 06 Jun 2011 12:04:14 -0400
>> Subject: [Samba] getent passwd does not list trusted users
>> I am running Samba 3.5.5 on Solaris 10.  This is the latest Sun/Oracle
>> provided build.  I have an ldap backend for everything (unix+samba accounts,
>> idmapping for domain trusts.)  The Samba server is a PDC for a domain we can
>> call "SAMBA."    Each samba account is tied to a unix account.
>>
>> I have a one-way  domain trust setup with a Windows 2003 domain which we
>> can call "WIN2003."  SAMBA trusts WIN2003.   "getent passwd" and "getent
>> group" seem to fundamentally be working (depending on syntax)  BUT "getent
>> passwd" does NOT list trusted users.
>>
>>
>> On the solaris machine:
>>
>> ---------------------------------------------------------------------------------------------------------------------------------------------------------------
>> "wbinfo -u"  and "wbinfo -g"    lists all users in this domain + the
>> WIN2003 domain.   For the SAMBA users, the domain name is stripped out.
>>
>>
>>   "getent passwd" -  lists all "unix" users (in ldap or /etc/passwd.)
>>         It does not list the samba users -  which is the expected and
>> desired behaviour.
>>         I had expected it to list users from the WIN2003 domain.
>>
>>
>> "getent group"  -  lists all "unix" groups  (in ldap or /etc/passwd)
>>         It does not listed the SAMBA groups - which is the expected and
>> desired behaviour.
>>         It does list WIN2003 groups-  which is  also the expected and
>> desired behaviour.
>>
>>
>> "getent passwd SAMBA\\user" -  shows uid, gid, home directory, shell
>> "getent passwd WIN2003\\user" -  shows uid, gid, home directory, shell
>>
>> "getent group SAMBA\\group" -  shows gid, members
>> "getent group WIN2003\\group" -  shows gid, members
>>
>>
>> "id SAMBA\\user" -  shows uid and gid
>> "id  WIN2003 \\user" -  shows uid and gid
>>
>>
>> ---------------------------------------------------------------------------------------------------------------------------------------------------------------
>>
>>
>> I can use chown and other commands from solaris command line  to grant
>> rights to a user from the trusted domain.  However, in a Windows machine in
>> samba domain, when setting file permissions, I can not see the trusted
>> domain.
>>
>>
>> Any thoughts?
>>
>>
>> Thanks

--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba
Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

Re: getent passwd does not list trusted users

Frank Mori Hess
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Monday, June 06, 2011, Gaiseric Vandal wrote:
> I do have the entries in /etc/nswitch.conf
>
> The "getent passwd"  won't list the winbind users although I can get
> details on a specific user with the "getent passwd
> SOMEDOMAIN\\someuser"   common

Isn't that the expected behavior using the default smb.conf values of "no"
for "winbind enum users" and "winbind enum groups"?

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

iEYEARECAAYFAk3tKgIACgkQ5vihyNWuA4VsugCgiVnEZfTUlMGNqdSMrjIpMghE
2mUAn0cd7KEgq7Sd+JIO+Lcg02ppVdTM
=15SB
-----END PGP SIGNATURE-----
--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba
Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

Re: getent passwd does not list trusted users

Gaiseric Vandal
In reply to this post by timnboys
This maybe related to idmap allocation -  tho not sure how.


Initially my PDC was running Samba 3.0.x.    When I did "getent passwd"
or "getent group"  samba would create idmap entries for users and groups
from trusted domains.    There were some other things broken with idmap
and samba that made it unstable for maintaining a trust with  Active
Directory, thus the move to 3.4 and then to 3.5.

The 3.4 upgrade seems to have broken the automatic allocation.  (This
could just be a configuration error in my smb.conf)   In my environment,
that wasn't a huge deal since the number of users and groups in the
trusted domain us quite small and stable.     I could manually add an
idmapping with the wbinfo  or with an LDAP editor.

This morning, "getent group" would show the trusted WINDOWS groups.  I
added another group in the WINDOWS domain to see if Samba would
automatically create a group mapping (which it didn't) and to make sure
that it at least showed up with "wbinfo -g" (which it did-  so at least
I wasn't working just from a cache.)    But then "getent group" stopped
listing WINDOWS groups.  ("getent group WINDOWS\\thenewgroup" did
work.")  Once I manually created an idmap entry for the new group,
"getent group" was able to list all the groups.

So my guess is that samba or winbind chokes up when it finds a winbind
user or group in a domain for which an idmap entry is missing and can't
be created.

I tried adding idmap entries for the few users in the WINDOWS domain who
didn't have idmappings, but "getent passwd" still doesn't work.




-------- Original Message --------
Subject: Re: [Samba] getent passwd does not list trusted users
Date: Mon, 06 Jun 2011 15:16:28 -0400
From: Gaiseric Vandal <[hidden email]>
Reply-To: [hidden email]
To: [hidden email]



I do have the entries in /etc/nswitch.conf

The "getent passwd"  won't list the winbind users although I can get
details on a specific user with the "getent passwd
SOMEDOMAIN\\someuser"   common


I looked in the /var/samba/locks directory -

I have a winbindd_cache.tdb file that is current.  I don't have a
current idmap_cache.tdb file anymore.  Not sure I need one.   I
initially stated with samba 3.0.x, then upgraded to 3.4.x, then to
3.5.x, and it seems with .X upgrade that the configuration for winbind
and idmapping changes.


This may be a bug in Solaris itself rather than samba.





On 06/06/2011 02:28 PM, timothy mcdaniel wrote:

>  I have been looking at
>  http://samba.2283325.n4.nabble.com/Trusted-domain-users-unwantedly-mapping-onto-local-domain-users-td3005928.html
>  and I think that if you add this in your nsswitch.conf like it says in the
>  website above:
>  if you already have the passwd: files ldap and group: files ldap in your
>  nsswitch.conf then just add winbind to the end of the lines of the passwd
>  and group lines. just like it is shown below: If you need any more help just
>  email me back, and I will try to help you.
>
>  *passwd*: files ldap winbind
>     group: files ldap winbind
>
>>  ---------- Forwarded message ----------
>>  From: Gaiseric Vandal<[hidden email]>
>>  To: Samba<[hidden email]>
>>  Date: Mon, 06 Jun 2011 12:04:14 -0400
>>  Subject: [Samba] getent passwd does not list trusted users
>>  I am running Samba 3.5.5 on Solaris 10.  This is the latest Sun/Oracle
>>  provided build.  I have an ldap backend for everything (unix+samba accounts,
>>  idmapping for domain trusts.)  The Samba server is a PDC for a domain we can
>>  call "SAMBA."    Each samba account is tied to a unix account.
>>
>>  I have a one-way  domain trust setup with a Windows 2003 domain which we
>>  can call "WIN2003."  SAMBA trusts WIN2003.   "getent passwd" and "getent
>>  group" seem to fundamentally be working (depending on syntax)  BUT "getent
>>  passwd" does NOT list trusted users.
>>
>>
>>  On the solaris machine:
>>
>>  ---------------------------------------------------------------------------------------------------------------------------------------------------------------
>>  "wbinfo -u"  and "wbinfo -g"    lists all users in this domain + the
>>  WIN2003 domain.   For the SAMBA users, the domain name is stripped out.
>>
>>
>>    "getent passwd" -  lists all "unix" users (in ldap or /etc/passwd.)
>>          It does not list the samba users -  which is the expected and
>>  desired behaviour.
>>          I had expected it to list users from the WIN2003 domain.
>>
>>
>>  "getent group"  -  lists all "unix" groups  (in ldap or /etc/passwd)
>>          It does not listed the SAMBA groups - which is the expected and
>>  desired behaviour.
>>          It does list WIN2003 groups-  which is  also the expected and
>>  desired behaviour.
>>
>>
>>  "getent passwd SAMBA\\user" -  shows uid, gid, home directory, shell
>>  "getent passwd WIN2003\\user" -  shows uid, gid, home directory, shell
>>
>>  "getent group SAMBA\\group" -  shows gid, members
>>  "getent group WIN2003\\group" -  shows gid, members
>>
>>
>>  "id SAMBA\\user" -  shows uid and gid
>>  "id  WIN2003 \\user" -  shows uid and gid
>>
>>
>>  ---------------------------------------------------------------------------------------------------------------------------------------------------------------
>>
>>
>>  I can use chown and other commands from solaris command line  to grant
>>  rights to a user from the trusted domain.  However, in a Windows machine in
>>  samba domain, when setting file permissions, I can not see the trusted
>>  domain.
>>
>>
>>  Any thoughts?
>>
>>
>>  Thanks


--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba
Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

Re: getent passwd does not list trusted users

Gaiseric Vandal
In reply to this post by Frank Mori Hess
my smb.conf includes

         winbind use default domain = Yes

         winbind enum users = Yes
         winbind enum groups = Yes



I did notice that some idmap entries are being created in the
gencache.tdb file  (specifically for LDAP groups that DON'T have a Samba
SID) -    I am guessing that is a symptom that idmap is trying to create
idmap entries but can't post them to ldap.





On 06/06/2011 03:26 PM, Frank Mori Hess wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> On Monday, June 06, 2011, Gaiseric Vandal wrote:
>> I do have the entries in /etc/nswitch.conf
>>
>> The "getent passwd"  won't list the winbind users although I can get
>> details on a specific user with the "getent passwd
>> SOMEDOMAIN\\someuser"   common
> Isn't that the expected behavior using the default smb.conf values of "no"
> for "winbind enum users" and "winbind enum groups"?
>
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.10 (GNU/Linux)
>
> iEYEARECAAYFAk3tKgIACgkQ5vihyNWuA4VsugCgiVnEZfTUlMGNqdSMrjIpMghE
> 2mUAn0cd7KEgq7Sd+JIO+Lcg02ppVdTM
> =15SB
> -----END PGP SIGNATURE-----

--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba
Loading...