getent passwd user no output, addc + dm

getent passwd user no output, addc + dm

Samba - General mailing list
There are two ubuntu 16.04 samba 4.5 servers. Ubuntu ADDC and a Member
(ubuntu-dm1)
From Member "wbinfo -u" shows users of ADDC
From Member "net ads join -U administrator" was successful with no errors.
The dns A record was added in ADDC.

But getent passwd <user> shows no results.

DMember's /etc/nsswitch.conf
passwd:         compat winbind
group:          compat winbind
shadow:         compat
gshadow:        files

hosts:          files dns
networks:       files

protocols:      db files
services:       db files
ethers:         db files
rpc:            db files

netgroup:       nis


root@ubuntu-dm1:~# ldconfig -p |grep winbind
libnss_winbind.so.2 (libc6,x86-64) => /lib/x86_64-linux-gnu/libnss_winbind.so.2

root@ubuntu-dm1:~# wbinfo -g
allowed rodc password replication group
enterprise read-only domain controllers
denied rodc password replication group
read-only domain controllers
group policy creator owners
ras and ias servers
domain controllers
enterprise admins
domain computers
cert publishers
dnsupdateproxy
domain admins
domain guests
schema admins
domain users
dnsadmins




Any help will be welcome
Lin


root@ubuntu-dm1:~# strace -e trace=connect,access,stat,open getent passwd justin
access("/etc/ld.so.nohwcap", F_OK)      = -1 ENOENT (No such file or directory)
access("/etc/ld.so.preload", R_OK)      = -1 ENOENT (No such file or directory)
open("/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 3
access("/etc/ld.so.nohwcap", F_OK)      = -1 ENOENT (No such file or directory)
open("/lib/x86_64-linux-gnu/libc.so.6", O_RDONLY|O_CLOEXEC) = 3
open("/usr/lib/locale/locale-archive", O_RDONLY|O_CLOEXEC) = 3
connect(3, {sa_family=AF_LOCAL, sun_path="/var/run/nscd/socket"}, 110) = -1 ENOENT (No such file or directory)
connect(3, {sa_family=AF_LOCAL, sun_path="/var/run/nscd/socket"}, 110) = -1 ENOENT (No such file or directory)
open("/etc/nsswitch.conf", O_RDONLY|O_CLOEXEC) = 3
open("/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 3
access("/etc/ld.so.nohwcap", F_OK)      = -1 ENOENT (No such file or directory)
open("/lib/x86_64-linux-gnu/libnss_compat.so.2", O_RDONLY|O_CLOEXEC) = 3
access("/etc/ld.so.nohwcap", F_OK)      = -1 ENOENT (No such file or directory)
open("/lib/x86_64-linux-gnu/libnsl.so.1", O_RDONLY|O_CLOEXEC) = 3
open("/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 3
access("/etc/ld.so.nohwcap", F_OK)      = -1 ENOENT (No such file or directory)
open("/lib/x86_64-linux-gnu/libnss_nis.so.2", O_RDONLY|O_CLOEXEC) = 3
access("/etc/ld.so.nohwcap", F_OK)      = -1 ENOENT (No such file or directory)
open("/lib/x86_64-linux-gnu/libnss_files.so.2", O_RDONLY|O_CLOEXEC) = 3
open("/etc/passwd", O_RDONLY|O_CLOEXEC) = 3
open("/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 3
access("/etc/ld.so.nohwcap", F_OK)      = -1 ENOENT (No such file or directory)
open("/lib/x86_64-linux-gnu/libnss_winbind.so.2", O_RDONLY|O_CLOEXEC) = 3
open("/usr/lib/x86_64-linux-gnu/samba/tls/x86_64/libpthread.so.0", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
stat("/usr/lib/x86_64-linux-gnu/samba/tls/x86_64", 0x7ffee3224700) = -1 ENOENT (No such file or directory)
open("/usr/lib/x86_64-linux-gnu/samba/tls/libpthread.so.0", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
stat("/usr/lib/x86_64-linux-gnu/samba/tls", 0x7ffee3224700) = -1 ENOENT (No such file or directory)
open("/usr/lib/x86_64-linux-gnu/samba/x86_64/libpthread.so.0", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
stat("/usr/lib/x86_64-linux-gnu/samba/x86_64", 0x7ffee3224700) = -1 ENOENT (No such file or directory)
open("/usr/lib/x86_64-linux-gnu/samba/libpthread.so.0", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
stat("/usr/lib/x86_64-linux-gnu/samba", {st_mode=S_IFDIR|0755, st_size=12288, ...}) = 0
access("/etc/ld.so.nohwcap", F_OK)      = -1 ENOENT (No such file or directory)
open("/lib/x86_64-linux-gnu/libpthread.so.0", O_RDONLY|O_CLOEXEC) = 3
open("/usr/lib/x86_64-linux-gnu/samba/libwinbind-client.so.0", O_RDONLY|O_CLOEXEC) = 3
connect(3, {sa_family=AF_LOCAL, sun_path="/var/run/samba/winbindd/pipe"}, 110) = 0
connect(4, {sa_family=AF_LOCAL, sun_path="/var/lib/samba/winbindd_privileged/pipe"}, 110) = 0
+++ exited with 2 +++
--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba
Re: getent passwd user no output, addc + dm

Samba - General mailing list
Hmm.

/lib/x86_64-linux-gnu/libnss_winbind.so.2
With samba 4.5
http://packages.ubuntu.com/search?keywords=samba shows 4.5 in zesty.
Did you recompile?

Please post the output of : winbindd -V
apt-cache policy winbind

Or is the 4.5 installed from source? If so, then you have a mixed setup of "source" and deb packages, and that won't work.

If it's from source, check for leftovers in ubuntu: dpkg -l |egrep "samba|winbind"


Greetz,

Louis


> -----Original message-----
> From: samba [mailto:[hidden email]] On behalf of Lin Pro via samba
> Sent: Friday 17 February 2017 3:27
> To: [hidden email]
> Subject: [Samba] getent passwd user no output, addc + dm




Re: getent passwd user no output, addc + dm

Samba - General mailing list
On Fri, 17 Feb 2017 09:44:51 +0100
"L.P.H. van Belle via samba" <[hidden email]> wrote:

> Hmm.
>
> /lib/x86_64-linux-gnu/libnss_winbind.so.2
> With samba 4.5
> http://packages.ubuntu.com/search?keywords=samba shows 4.5 in zesty.
> Did you recompile?
>
> Please post the output of : winbindd -V
> apt-cache policy winbind
>
> Or is the 4.5 installed from source? If so, then you have a mixed
> setup of "source" and deb packages, and that won't work.
>
> If it's from source, check for leftovers in ubuntu: dpkg -l |egrep
> "samba|winbind"
>

Using a self-compiled version of Samba will work with the OS packages
installed, provided the PATH is set up correctly and the required
libnss_winbind links are set up correctly as well.

It does look like this is the problem, but one other thing I would
check, is nscd running, if so, turn it off, winbind has its own cache.

It might also help if the OP posted their smb.conf

Rowland



Re: getent passwd user no output, addc + dm

Samba - General mailing list
On Fri, 17 Feb 2017 07:02:23 -0600
Lin Pro <[hidden email]> wrote:

> Hi, thanks for the reply. Here is the smb.conf on the Domain Member
> [global]
>
> idmap uid = 10000-20000
> idmap gid = 10000-20000

Remove the above lines, they are replaced by the 'idmap config' lines
and you shouldn't have both.

> client use spnego = yes
> client ntlmv2 auth = yes
> encrypt passwords = yes

You might as well remove these, they are the default settings.

>
>
> I added "password server" thinking that it will help, to no avail.

You should let Samba find the password server, so you should remove it.

> Anything else I should be aware of?
>
> The worst thing is I tried with pristine fedora image, done everything
> along the lines of the wiki for Domain Member and was stopped at the
> same issue. What is wrong?
> What does successful net ads join -U administrator tell us? Shouldn't
> it check for winbind?
>

I think you are falling into thinking because 'wbinfo -u' is working
(by the way, this shows winbind is working) that 'getent passwd user'
will as well, without doing anything else.
You are using the winbind 'ad' backend, do your users have a
'uidNumber' attribute containing a unique number inside the range
'10000-999999' ?
Does 'Domain Users' have a 'gidNumber' attribute inside the same range ?

Rowland



Re: getent passwd user no output, addc + dm

Samba - General mailing list
On Fri, 17 Feb 2017 12:04:43 -0600
Lin Pro <[hidden email]> wrote:

> >>> You are using the winbind 'ad' backend, do your users have a
> 'uidNumber' attribute containing a unique number inside the range
> '10000-999999' ?
> Does 'Domain Users' have a 'gidNumber' attribute inside the same
> range ? <<<
>
>
> I do not know. "samba-tool user help" does not reveal a "view"
> argument to have a look.

ldbsearch does though, or ADUC on a windows version less than 10

The sheer fact that you do not know, tells me that you don't have
'uidNumber' or 'gidNumber' attributes in AD. You personally have to add
them! They are not created automatically.

> But remember - on the Ubuntu AD DC the getent passwd <user> works. Let
> me list it for you:
>
> root@dc1:~# getent passwd justin
> SF\justin:*:3000020:100:Justin Falon:/home/SF/justin:/bin/false

Well it would work on the DC, these numbers are coming from idmap.ldb

>
> Is the big number "3000020" a uidNumber attribute?

No, it is an 'xidNumber' that is mapped to the user's SID in idmap.ldb

>
> Removal of the lines that you mentioned (they were added in
> desperation to look for a solution anyway) did not produce expected
> results.

It won't have made it worse either ;-)

> So at this moment the following is the result:
> root@ubuntu-dm1:~# getent group "Domain Users"
> root@ubuntu-dm1:~# getent group "Admin Users"
> root@ubuntu-dm1:~# getent passwd justin
> root@ubuntu-dm1:~#

Have you read the Samba wiki ?

https://wiki.samba.org/index.php/User_Documentation

Especially:

https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member

>
> Let me show you the /etc/smb.conf on both machines, AD DC and the
> Member Domain
>
>
> AD DC smb.conf
>
> # Global parameters
> [global]
> workgroup = SF
> realm = SF.TEST.ORG
> netbios name = DC1
> server role = active directory domain controller
> # dns forwarder just for testing

What do you mean 'just for testing' ? if you use the internal DNS
server, you need the forwarder.
 
> And member Domain server
>
> root@ubuntu-dm1:~# cat /etc/krb5.conf
> [libdefaults]
> default_realm = SF.TEST.ORG
> dns_lookup_realm = false
> dns_lookup_kdc = true
>

That is correct for the Unix domain member, it is also all you need on
the DC as well.





Re: getent passwd user no output, addc + dm

Samba - General mailing list
On Fri, 17 Feb 2017 15:37:27 -0600
Lin Pro <[hidden email]> wrote:

> ////ldbsearch does though, or ADUC on a windows version less than
> 10////
>
> Are you saying then that the problem would be in the group ID numbers
> and user ID numbers in the case that I'm describing?

What I am saying is that it looks like your users in AD do not have a
uidNumber attribute and/or Domain Users does not have a gidNumber
attribute.

>
> I installed LTB tools and I'm trying to figure out how to find out
> about those uid numbers
>
OK, run this on your Samba AD DC:

ldbsearch -H /usr/local/samba/private/sam.ldb -b 'dc=samdom,dc=example,dc=com' -s sub "(&(objectClass=person)(uidNumber=*))" dn uidNumber

Just in case it has got split up, the above should be all one line.

/usr/local/samba/private/sam.ldb is the full path to sam.ldb, yours may be different

dc=samdom,dc=example,dc=com is the base DN of your AD, yours will be different, it is your dns name with the dots replaced.

If you have any 'uidNumber' attributes in AD, it will print the DN and uidNumber

Run this to check if Domain Users has a gidNumber

ldbsearch -H /usr/local/samba/private/sam.ldb -b 'dc=samdom,dc=example,dc=com' -s sub "(&(objectClass=group)(cn=Domain Users)(gidNumber=*))" dn gidNumber

If you don't get any results, this is your problem and I am very sure
this is your problem. In which case read up on ldbmodify and/or the
Unix Attributes tab on RSAT ADUC, both of which are on the Samba wiki.

Rowland
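
A follow-up to the two ldbsearch checks in the message above, as an added example that is not part of the original thread: it reads ldbsearch LDIF output and reports, per entry, whether the ID attribute is missing or outside the idmap range, which the (uidNumber=*) filter alone cannot show. The names check_idmap_attr and sample_ldif are hypothetical, the DNs and ID values in the sample are constructed, and the range 10000-999999 is the one quoted earlier in the thread.

```shell
#!/bin/sh
# Added example (not from the thread): classify ldbsearch LDIF output by
# whether an RFC2307 ID attribute is present and inside the idmap range.
# Real input would come from a search without the (uidNumber=*) filter, e.g.
#   ldbsearch -H <path to sam.ldb> -b '<base DN>' -s sub \
#     "(objectClass=person)" dn uidNumber | check_idmap_attr uidNumber 10000 999999

# usage: check_idmap_attr ATTR LOW HIGH   (LDIF on stdin)
# prints "STATUS VALUE DN" per entry; returns 1 if any entry is not OK
check_idmap_attr() {
    awk -v attr="$1" -v low="$2" -v high="$3" '
    function emit() {
        if (dn == "") return
        if (val == "")                status = "MISSING"
        else if (val !~ /^[0-9]+$/)   status = "INVALID"
        else if (val + 0 < low + 0 || val + 0 > high + 0) status = "OUT_OF_RANGE"
        else                          status = "OK"
        if (status != "OK") bad = 1
        print status, (val == "" ? "-" : val), dn
        dn = ""; val = ""
    }
    /^#/    { next }                        # "# record N", "# returned ..." lines
    /^$/    { emit(); last = ""; next }     # blank line ends an LDIF record
    /^ /    {                               # folded continuation of previous line
        if (last == "dn")  dn  = dn  substr($0, 2)
        if (last == "val") val = val substr($0, 2)
        next
    }
    /^dn::? / {                             # base64 DNs (dn::) stay encoded
        emit(); dn = $0; sub(/^dn::? /, "", dn); last = "dn"; next
    }
    index(tolower($0), tolower(attr) ": ") == 1 {
        val = substr($0, length(attr) + 3); last = "val"; next
    }
    { last = "" }                           # other attributes and ref: referrals
    END { emit(); exit bad + 0 }
    '
}

# Constructed sample in the shape ldbsearch prints (not real directory data).
sample_ldif() {
    printf '%s\n' \
        '# record 1' \
        'dn: CN=justin,CN=Users,DC=sf,DC=test,DC=org' \
        'uidNumber: 10001' \
        '' \
        '# record 2' \
        'dn: CN=Administrator,CN=Users,DC=sf,DC=test,DC=org' \
        '' \
        '# record 3' \
        'dn: CN=svc-backup,OU=Service Accounts,OU=Infrastructure,DC=sf,DC=test,' \
        ' DC=org' \
        'uidNumber: 500' \
        '' \
        '# Referral' \
        'ref: ldap://sf.test.org/CN=Configuration,DC=sf,DC=test,DC=org' \
        '' \
        '# returned 4 records' \
        '# 3 entries' \
        '# 1 referrals'
}

sample_ldif | check_idmap_attr uidNumber 10000 999999 \
    || echo "entries not marked OK need attention"
```

The same function checks groups when called with gidNumber and fed the output of a group search.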


Re: getent passwd user no output, addc + dm

Samba - General mailing list
Is using ADUC from a windows machine a complete substitute of what the
wiki below explains?
https://wiki.samba.org/index.php/LDB#ldbmodify

Just curious because it seems beyond me at the moment to dig into it.

Regards


Re: getent passwd user no output, addc + dm

Samba - General mailing list
Hi, I have run the ldbsearch command substituting my correct path
/var/lib/samba/private and the correct domain. In both cases I am
getting the following results:

# returned 3 records
# 0 entries
# 3 referrals

# returned 3 records
# 0 entries
# 3 referrals

Thank you for giving me hope in the tunnel.
I will read the man page about ldbmodify and see what I can come up with.

In the mean time, it seems that ldbsearch can reach ADDC when launched from DM:
root@ubuntu-dm1:~# ldbsearch -H ldap://dc1 -U administrator

...produces

# returned 272 records
# 269 entries
# 3 referrals

Hopefully I am on the right path.

On Fri, Feb 17, 2017 at 4:11 PM, Rowland Penny via samba
<[hidden email]> wrote:

> On Fri, 17 Feb 2017 15:37:27 -0600
> Lin Pro <[hidden email]> wrote:
>
>> ////ldbsearch does though, or ADUC on a windows version less than
>> 10////
>>
>> Are you saying then that the problem would be in the group ID numbers
>> and user ID numbers in the case that I'm describing?
>
> What I am saying is that it looks like your users in AD do not have a
> uidNumber attribute and/or Domain Users does not have a gidNumber
> attribute.
>
>>
>> I installed LTB tools and I'm trying to figure out how to find out
>> about those uid numbers
>>
> OK, run this on your Samba AD DC:
>
> ldbsearch -H /usr/local/samba/private/sam.ldb -b
> 'dc=samdom,dc=example,dc=com' -s sub
> "(&(objectClass=person)(uidNumber=*))" dn uidNumber
>
> Just in case it has got split up, the above should be all one line.
>
> /usr/local/samba/private/sam.ldb is the full path to sam.ldb, yours may be different
>
> dc=samdom,dc=example,dc=com is the base DN of your AD, yours will be different, it is your dns name with the dots replaced.
>
> If you have any 'uidNumber' attributes in AD, it will print the DN and uidNumber
>
> Run this to check if Domain Users has a gidNumber
>
> ldbsearch -H /usr/local/samba/private/sam.ldb -b
> 'dc=samdom,dc=example,dc=com' -s sub "(&(objectClass=group)(cn=Domain
> Users)(gidNumber=*))" dn gidNumber
>
> If you don't get any results, this is your problem and I am very sure
> this is your problem. In which case read up on ldbmodify and/or the
> Unix Attributes tab on RSAT ADUC, both of which are on the Samba wiki.
>
> Rowland



--
best regards
linforpros


Re: getent passwd user no output, addc + dm

Samba - General mailing list
On Fri, 17 Feb 2017 19:36:40 -0600
Lin Pro <[hidden email]> wrote:

> Is using ADUC from a windows machine a complete substitute of what the
> wiki below explains?
> https://wiki.samba.org/index.php/LDB#ldbmodify
>
> Just curious because it seems beyond me at the moment to dig into it.
>
> Regards

Using the Unix Attribute tab in ADUC is probably your easiest way to
add the required attributes. This does mean using a version of windows
less than 10, windows 10 does not have the Unix attributes tab.

Rowland
