[Samba] wbinfo works fine, getent only works for builtin groups

2008-08-25 Thread Robert Fraser
Hi

I am having a lot of trouble getting users from a trusted domain to access
shares and files.  getent passwd / getent group doesn't retrieve domain users
or groups, so I can't set permissions for the users or groups from the
trusted domain.

The domain having problems is:
Ubuntu 6.06 Server
Samba Version 3.0.22

The trusted domain is:
Ubuntu 8.04 Server
Samba Version 3.0.28a


wbinfo -u and wbinfo -g work fine and bring up a list of the trusted domain
users and groups

wbinfo --sid-to-name=SID, --authenticate=user%password, -t,
--trusted-domains  all work fine for the local domain and the trusted domain

When I do a getent passwd, I only get the local /etc/passwd users

When I do a getent group, I get the local /etc/group groups, and the
BUILTIN\administrators and BUILTIN\users

After a getent, log.winbind is full of entries like this:



[2008/08/26 00:29:10, 10] nsswitch/winbindd_group.c:winbindd_getgrent(1006)
  SID S-1-5-21-2824201121-3407686785-855272569-3033 not in idmap
[2008/08/26 00:29:10, 1] nsswitch/winbindd_group.c:winbindd_getgrent(1011)
  could not look up gid for group CADUsers
[2008/08/26 00:29:10, 10] nsswitch/winbindd_group.c:winbindd_getgrent(961)
  entry_index = 3, num_entries = 8
[2008/08/26 00:29:10, 10] nsswitch/idmap_cache.c:idmap_cache_set_negative_sid(258)
  Adding cache entry with key = IDMAP/SID/S-1-5-21-2824201121-3407686785-855272569-3039; value = 1219667470/IDMAP/NEGATIVE and timeout = Tue Aug 26 00:31:10 2008 (120 seconds ahead)
[2008/08/26 00:29:10, 10] nsswitch/winbindd_group.c:winbindd_getgrent(1006)
  SID S-1-5-21-2824201121-3407686785-855272569-3039 not in idmap
[2008/08/26 00:29:10, 1] nsswitch/winbindd_group.c:winbindd_getgrent(1011)
  could not look up gid for group dundirectors
[2008/08/26 00:29:10, 10] nsswitch/winbindd_group.c:winbindd_getgrent(961)
  entry_index = 4, num_entries = 8
[2008/08/26 00:29:10, 10] nsswitch/idmap_cache.c:idmap_cache_set_negative_sid(258)
  Adding cache entry with key = IDMAP/SID/S-1-5-21-2824201121-3407686785-855272569-513; value = 1219667470/IDMAP/NEGATIVE and timeout = Tue Aug 26 00:31:10 2008 (120 seconds ahead)
[2008/08/26 00:29:10, 10] nsswitch/winbindd_group.c:winbindd_getgrent(1006)
  SID S-1-5-21-2824201121-3407686785-855272569-513 not in idmap
[2008/08/26 00:29:10, 1] nsswitch/winbindd_group.c:winbindd_getgrent(1011)
  could not look up gid for group Domain Users
[2008/08/26 00:29:10, 10] nsswitch/winbindd_group.c:winbindd_getgrent(961)
  entry_index = 5, num_entries = 8
[2008/08/26 00:29:10, 10] nsswitch/idmap_cache.c:idmap_cache_set_negative_sid(258)
  Adding cache entry with key = IDMAP/SID/S-1-5-21-2824201121-3407686785-855272569-3029; value = 1219667470/IDMAP/NEGATIVE and timeout = Tue Aug 26 00:31:10 2008 (120 seconds ahead)

Can anyone suggest what I can do to fix this?

Thanks for any help
Rob
-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/listinfo/samba


[Samba] Interdomain Trust, wbinfo works on both servers, getent doesn't work on one server

2008-07-16 Thread Robert Fraser
Hi

I have a problem with an interdomain trust where on the PDC for DomainA,
everything works perfectly.  getent returns local and DomainB usernames.

On the PDC for DomainB, DomainB itself works fine, but getent only returns
local usernames and groups; it doesn't return the usernames or groups for
DomainA.  wbinfo -u and wbinfo -g work fine and return all DomainA's
usernames and groups.

This means that I can set permissions for DomainB staff on DomainA, and they
can successfully map shares and access files on DomainA.

I can't set permissions for DomainA staff on DomainB, and DomainA staff
cannot access DomainB using their own username and password :-(

I initially tried with a single WINS server on PDCA, then local WINS servers
with static pointers to the other Domain and PDC.  The behaviour was the
same as above for both configurations of WINS.

Given that wbinfo is working, is there a misconfiguration or a corrupted
database somewhere that is stopping getent working?


ServerA (PDC for DomainA)

Ubuntu 6.06 LTS

/etc/samba/smb.conf
#=== Global Settings ===
[global]
  workgroup = DOMAINA
  wins support = yes
  netbios name = SERVERA
  host msdfs = yes
  time server = yes

### Networking ###
   interfaces = 127.0.0.0/8 192.168.2.1
   bind interfaces only = true
   name resolve order = wins bcast hosts
### Authentication ###
;   security = user
  encrypt passwords = true
  passdb backend = tdbsam
  obey pam restrictions = yes
  unix password sync = yes
## Domains ###
  domain logons = yes
  logon drive = M:
  logon path = \\%N\profiles\%U
  logon script = %U.cmd
  domain master = yes
  preferred master = yes

  enable privileges = yes

  #
  # Winbind
  #
  idmap uid = 1-2
  idmap gid = 1-2
  template shell = /bin/bash


ServerB (PDC for DomainB)

Ubuntu 8.04 LTS

#=== Global Settings ===
[global]
  workgroup = DOMAINB
  time server = yes
  netbios name = SERVERB
### Networking ###
   interfaces = 127.0.0.0/8 192.168.3.0/24
   bind interfaces only = true
  wins support = no
  wins server = 192.168.2.1
  name resolve order = wins bcast hosts

### Authentication ###
;   security = user
  encrypt passwords = true
  passdb backend = tdbsam
  obey pam restrictions = yes
  unix password sync = yes
## Domains ###
  domain logons = yes
  logon drive = M:
  logon path = \\%N\profiles\%U
  logon script = %U.cmd
  domain master = yes
  preferred master = yes

  enable privileges = yes

  host msdfs = yes

  # Winbind
  #
  idmap uid = 3-4
  idmap gid = 3-4
  template shell = /bin/bash
  winbind enum users = yes
  winbind enum groups = yes


ServerB's /var/log/samba/log.winbindd log shows

[2008/07/17 12:12:18, 3] nsswitch/winbindd_misc.c:winbindd_ping(470)
  [10049]: ping
[2008/07/17 12:15:44, 3] nsswitch/winbindd_misc.c:winbindd_interface_version(491)
  [10059]: request interface version
[2008/07/17 12:15:44, 3] nsswitch/winbindd_misc.c:winbindd_priv_pipe_dir(524)
  [10059]: request location of privileged pipe
[2008/07/17 12:15:44, 3] nsswitch/winbindd_group.c:winbindd_getgroups(1273)
  [10059]: getgroups root
[2008/07/17 12:15:44, 3] nsswitch/winbindd_sid.c:winbindd_gid_to_sid(477)
  [ 6180]: gid to sid 0
[2008/07/17 12:15:45, 3] nsswitch/winbindd_misc.c:winbindd_interface_version(491)
  [10061]: request interface version
[2008/07/17 12:15:45, 3] nsswitch/winbindd_misc.c:winbindd_priv_pipe_dir(524)
  [10061]: request location of privileged pipe
[2008/07/17 12:15:45, 3] nsswitch/winbindd_group.c:winbindd_getgroups(1273)
  [10061]: getgroups root
[2008/07/17 12:16:09, 3] nsswitch/winbindd_misc.c:winbindd_interface_version(491)
  [10075]: request interface version
[2008/07/17 12:16:09, 3] nsswitch/winbindd_misc.c:winbindd_priv_pipe_dir(524)
  [10075]: request location of privileged pipe
[2008/07/17 12:16:09, 3] nsswitch/winbindd_user.c:winbindd_setpwent_internal(445)
  [10075]: setpwent
[2008/07/17 12:16:09, 3] nsswitch/winbindd_user.c:winbindd_getpwent(636)
  [10075]: getpwent
[2008/07/17 12:16:09, 3] nsswitch/winbindd_rpc.c:query_user_list(46)
  rpc: query_user_list
[2008/07/17 12:16:10, 1] nsswitch/winbindd_user.c:winbindd_fill_pwent(85)
  error getting user id for sid S-1-5-21-2824201121-3407686785-855272569-1010
[2008/07/17 12:16:10, 1] nsswitch/winbindd_user.c:winbindd_getpwent(728)
  could not lookup domain user user1
[2008/07/17 12:16:10, 1] nsswitch/winbindd_user.c:winbindd_fill_pwent(85)
  error getting user id for sid S-1-5-21-2824201121-3407686785-855272569-501
[2008/07/17 12:16:10, 1] nsswitch/winbindd_user.c:winbindd_getpwent(728)
  could not lookup domain user user2
etc etc through all the users

There are quite a few of these as I suppose individual DomainA users try to
access ServerB:

  [20557]: getpwnam user3
[2008/07/16 11:54:09, 3] nsswitch/winbindd_user.c:winbindd_getpwnam(346)
  [20557]: getpwnam USER3
[2008/07/16 11:54:09, 3] nsswitch/w
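
Added example, not part of the original posts and not Samba project code: a small parser for winbindd logs of the kind quoted in the two messages above. It rejoins wrapped records, pairs each SID that winbindd could not map with the group or user name logged after it, and groups the failures by domain SID. The log lines and SIDs in `SAMPLE_LOG` are constructed, and the function names are this example's own.

```python
import re

# Constructed sample (not real log data): same record layout as the logs above,
# including a header and a SID that a mail client wrapped onto the next line.
SAMPLE_LOG = """\
[2008/08/26 00:29:10, 10]
nsswitch/idmap_cache.c:idmap_cache_set_negative_sid(258)
  Adding cache entry with key = IDMAP/SID/S-1-5-21-111-222-333-513; value = 1/IDMAP/NEGATIVE
[2008/08/26 00:29:10, 10] nsswitch/winbindd_group.c:winbindd_getgrent(1006)
  SID S-1-5-21-111-222-333-513 not in idmap
[2008/08/26 00:29:10, 1] nsswitch/winbindd_group.c:winbindd_getgrent(1011)
  could not look up gid for group Domain Users
[2008/07/17 12:16:10, 1] nsswitch/winbindd_user.c:winbindd_fill_pwent(85)
  error getting user id for sid
S-1-5-21-111-222-333-1010
[2008/07/17 12:16:10, 1] nsswitch/winbindd_user.c:winbindd_getpwent(728)
  could not lookup domain user user1
"""

HEADER = r"(?m)^\[\d{4}/\d\d/\d\d \d\d:\d\d:\d\d,\s*\d+\]"
SID = r"(S-1-(?:\d+-)+\d+)"
NO_MAP = re.compile("SID " + SID + " not in idmap|error getting user id for sid " + SID)
NO_NAME = re.compile(r"could not look up gid for group (.+)|could not lookup domain user (.+)")

def records(text):
    """Split on record headers and collapse whitespace, which undoes line wrapping."""
    return [" ".join(part.split()) for part in re.split(HEADER, text)[1:]]

def unmapped(text):
    """Return {sid: (kind, name)} for every SID winbindd failed to map to a uid/gid."""
    found, pending = {}, None
    for msg in records(text):
        m = NO_MAP.search(msg)
        if m:
            pending = m.group(1) or m.group(2)
            found.setdefault(pending, None)
        elif pending and (n := NO_NAME.search(msg)):
            found[pending] = ("group", n.group(1)) if n.group(1) else ("user", n.group(2))
            pending = None
    return found

def by_domain(found):
    """Group RIDs under their domain SID (the SID minus its last sub-authority)."""
    domains = {}
    for sid in found:
        domain, rid = sid.rsplit("-", 1)
        domains.setdefault(domain, []).append(int(rid))
    return domains

if __name__ == "__main__":
    print(by_domain(unmapped(SAMPLE_LOG)))
```

When every unmapped SID shares one domain SID prefix, as in the log excerpts above, the failure points at the ID mapping for that whole domain rather than at individual accounts.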

[Samba] Application slowness after samba upgrade

2007-03-28 Thread Robert Fraser

Hi

We have upgraded a very old Samba server to a new server running 3.0.22 on
Ubuntu.  The workstations were Windows 98 on very old hardware and are
now Windows XP on new hardware.  Everything is now very fast compared to the
old server, except for two applications - a payroll (Ace Payroll) and
finance system (Profax).

Somewhat contrarily, these two apps are MUCH slower on the new server than
they were on the old server.  They have both been around for a while,
although we are still getting updates for them.  They both use some kind of
file based "database" (data files and index files), although the actual
"database" technology is different between the two.  For the Payroll, if it
is run locally on the workstation it is fast.

I have turned off oplocks on the file types for the database files.

The vendors are no help, and these two [EMAIL PROTECTED] applications have
slightly soured an otherwise impressive upgrade.

Can anyone suggest where I should be looking to catch performance problems?

Many thanks
Rob


[Samba] Join to ADS seems to succeed, then immediately fails

2006-11-02 Thread Robert Fraser

Hi

I am on  samba 3.0.22 on Ubuntu 6.06, and am having a lot of trouble joining
an ADS domain.  The hostname is mail

Basically, if I clear out all the tdbs in /var, and remove the mail$ machine
account from AD, and do a kdestroy, then I do this:

# kinit [EMAIL PROTECTED]
password: 
# net ads join
Using short domain name -- SERVICES
Joined 'MAIL' to realm 'SERVICES.EXAMPLE.CO.NZ'

it looks like the machine has successfully joined.  If I immediately do
this:

# net ads testjoin

I get this:

[2006/11/03 14:32:18, 0] utils/net_ads.c:ads_startup(191)
Nov  3 14:32:18 mail net:   ads_connect: Invalid credentials


I can get lots of data back if I go net ads user, net ads group, net ads
status, net ads info, but I can not get net ads testjoin to report a
successful join.  If I try to go on and get winbind running, I keep getting
the "Invalid credentials" error messages.

Can anyone point me to a solution?

Many thanks
Rob


[Samba] ADS and Winbind problems with joining domain and listing users/ groups

2006-10-31 Thread Robert Fraser

Hi

I am having trouble joining a Samba 3.0.22 (Ubuntu 6.06) machine to an
AD.  I have done a heap of googling and can't find anything that seems
to fix the problem.  This sequence of commands shows the problem (I
have now tried to join the domain a number of times hence the modifying
old account):

# net ads join
[2006/11/01 15:32:56, 0] libads/ldap.c:ads_add_machine_acct(1414)
 ads_add_machine_acct: Host account for mail already exists -
modifying old account
Using short domain name -- SERVICES
Joined 'MAIL' to realm 'SERVICES.EXAMPLE.CO.NZ'

# net ads testjoin
[2006/11/01 15:34:02, 0] utils/net_ads.c:ads_startup(191)
 ads_connect: Invalid credentials
Join to domain is not valid

# wbinfo -t
checking the trust secret via RPC calls succeeded

# wbinfo -u
Error looking up domain users

# wbinfo -g
Error looking up domain groups

# net ads user
< a long list of domain users >

# net ads group
< a long list of domain groups >


my smb.conf looks like this:

[global]
unix charset = LOCALE
workgroup = SERVICES
realm = SERVICES.EXAMPLE.CO.NZ
server string = Samba mail
security = ADS
username map = /etc/samba/smbusers
log level = 10
syslog = 0
log file = /var/log/samba/%m
max log size = 50
#
ldap ssl = no
idmap uid = 1-2
idmap gid = 1-2
winbind enum users = yes
winbind enum groups = yes
template shell = /bin/bash
winbind separator = +
[homes]
comment = Home Directories
valid users = %S
read only = No
browseable = No

Any help would be greatly appreciated.

Thanks
Rob