[Samba] getent & winbindd on FreeBSD 5.4
Dan Nelson
dnelson at allantgroup.com
Fri Sep 16 14:27:36 PDT 2005
In the last episode (Sep 16), Doug Sampson said:
> > PAM only handles authentication during login; looking up user/group
> > names is handled by NSS. If your nsswitch.conf has "passwd: compat
> > winbind" in it, you have a /usr/local/lib/nss_winbind.so.1 file, and
> > getent can't find users that winbind should be providing, I'd start
> > looking for nss_winbind debugging options.
>
> I don't know if this helps but here we go. I looked at /var/log/debug.log
> and I'm seeing lots of entries similar to the ones below:
>
> Sep 16 03:01:21 aries sendmail[6798]: NSSWITCH(nss_method_lookup): winbind, hosts, ghbyname, not found
> Sep 16 03:01:21 aries sendmail[6798]: NSSWITCH(nss_method_lookup): wins, hosts, ghbyname, not found
> Sep 16 03:01:21 aries sendmail[6837]: NSSWITCH(nss_method_lookup): wins, hosts, ghbyaddr, not found
> Sep 16 03:01:21 aries sendmail[6837]: NSSWITCH(nss_method_lookup): winbind, hosts, ghbyaddr, not found

I think those are IPv6 lookup functions; you can probably ignore the
errors.

> Does this mean there is a problem with NSSWITCH? Please note that there are
> references to sshd and sendmail among other services but none related to
> winbindd as far as I can see.
>
> I ran winbindd -d4 per your suggestion to use debugging options and tried
> again by issuing getent passwd. Output of log.winbindd as follows:
>
> [2005/09/16 12:26:18, 1] nsswitch/winbindd.c:main(935)
> winbindd version 3.0.20 started.
> Copyright The Samba Team 2000-2004
> [2005/09/16 12:26:18, 3] param/loadparm.c:lp_load(4082)
> lp_load: refreshing parameters
> [2005/09/16 12:26:18, 3] param/loadparm.c:init_globals(1366)
> Initialising global parameters
> [2005/09/16 12:26:18, 3] param/params.c:pm_process(574)
> params.c:pm_process() - Processing configuration file
> "/usr/local/etc/smb.conf"
> [2005/09/16 12:26:18, 3] param/loadparm.c:do_section(3542)
> Processing section "[global]"
> doing parameter workgroup = DSP
> doing parameter netbios name = Aries
> [2005/09/16 12:26:18, 4] param/loadparm.c:handle_netbios_name(2881)
> handle_netbios_name: set global_myname to: ARIES
> doing parameter server string = Samba Server
> doing parameter security = domain
> doing parameter hosts allow = 192.168.1. 192.168.2. 127.
> doing parameter encrypt passwords = yes
> doing parameter log file = /var/log/samba/log.%m
> doing parameter max log size = 50
> doing parameter password server = *
> doing parameter passdb backend = tdbsam
> doing parameter auth methods = winbind
> doing parameter socket options = TCP_NODELAY
> doing parameter local master = no
> doing parameter os level = 33
> doing parameter wins server = 192.168.1.1
> doing parameter dns proxy = no
> doing parameter idmap uid = 15000-20000
> doing parameter idmap gid = 15000-20000
> doing parameter winbind enum users = yes
> doing parameter winbind enum groups = yes
> doing parameter winbind separator = -
> doing parameter template homedir = /usr/home/%D/%U
> doing parameter template shell = /bin/bash
> [2005/09/16 12:26:18, 2] param/loadparm.c:do_section(3559)
> Processing section "[homes]"
> doing parameter comment = Home Directories
> doing parameter browseable = no
> doing parameter writable = yes
> [2005/09/16 12:26:18, 2] param/loadparm.c:do_section(3559)
> Processing section "[MacData]"
> doing parameter comment = Production Data
> doing parameter path = /data
> doing parameter valid users = @Production
> doing parameter public = no
> doing parameter writable = yes
> doing parameter printable = no
> doing parameter create mask = 0765
> [2005/09/16 12:26:18, 4] param/loadparm.c:lp_load(4113)
> pm_process() returned Yes
> [2005/09/16 12:26:18, 3] param/loadparm.c:lp_add_ipc(2475)
> adding IPC service
> [2005/09/16 12:26:18, 3] param/loadparm.c:lp_add_ipc(2475)
> adding IPC service
> [2005/09/16 12:26:18, 2] lib/interface.c:add_interface(81)
> added interface ip=192.168.1.9 bcast=192.168.1.255 nmask=255.255.255.0
> [2005/09/16 12:26:18, 2] lib/interface.c:add_interface(81)
> added interface ip=192.168.1.9 bcast=192.168.1.255 nmask=255.255.255.0
> [2005/09/16 12:26:18, 2] lib/tallocmsg.c:register_msg_pool_usage(56)
> Registered MSG_REQ_POOL_USAGE
> [2005/09/16 12:26:18, 2] lib/dmallocmsg.c:register_dmalloc_msgs(71)
> Registered MSG_REQ_DMALLOC_MARK and LOG_CHANGED
> [2005/09/16 12:26:18, 2] nsswitch/winbindd_util.c:add_trusted_domain(166)
> Added domain DSP S-1-5-21-2008768363-1786319642-1659389152
> [2005/09/16 12:26:18, 2] nsswitch/winbindd_util.c:add_trusted_domain(166)
> Added domain BUILTIN S-1-5-32
> [2005/09/16 12:26:18, 2] nsswitch/winbindd_util.c:add_trusted_domain(166)
> Added domain ARIES S-1-5-21-249124048-3777273079-1200472844
> [2005/09/16 12:26:25, 3]
> nsswitch/winbindd_misc.c:winbindd_interface_version(460)
> [ 0]: request interface version
> [2005/09/16 12:26:25, 3]
> nsswitch/winbindd_misc.c:winbindd_priv_pipe_dir(493)
> [ 0]: request location of privileged pipe
> [2005/09/16 12:26:25, 3] nsswitch/winbindd_sid.c:winbindd_gid_to_sid(406)
> [ 0]: gid to sid 65534
> [2005/09/16 12:26:37, 3]
> nsswitch/winbindd_misc.c:winbindd_interface_version(460)
> [ 0]: request interface version
> [2005/09/16 12:26:37, 3]
> nsswitch/winbindd_misc.c:winbindd_priv_pipe_dir(493)
> [ 0]: request location of privileged pipe
> [2005/09/16 12:26:37, 3] nsswitch/winbindd_user.c:winbindd_list_users(735)
> [ 0]: list users
> [2005/09/16 12:26:37, 4]
> passdb/secrets.c:secrets_fetch_trust_account_password(281)
> Using cleartext machine password
> [2005/09/16 12:26:37, 4] libsmb/namequery.c:get_dc_list(1406)
> get_dc_list: returning 2 ip addresses in an unordered list
> [2005/09/16 12:26:37, 4] libsmb/namequery.c:get_dc_list(1407)
> get_dc_list: 192.168.1.1:0 192.168.1.6:0
> [2005/09/16 12:26:37, 3] lib/util.c:fcntl_lock(1826)
> fcntl_lock: fcntl lock gave errno 35 (Resource temporarily unavailable)
> [2005/09/16 12:26:37, 3] lib/util.c:fcntl_lock(1845)
> fcntl_lock: lock failed at offset 0 count 1 op 8 type 1 (Resource
> temporarily unavailable)
> [2005/09/16 12:26:37, 4] libsmb/clidgram.c:cli_send_mailslot(100)
> send_mailslot: Sending to mailslot \MAILSLOT\NET\NTLOGON from ARIES<00> to
> DSP<1c> IP 192.168.1.6
> [2005/09/16 12:26:37, 3] nsswitch/winbindd_cm.c:cm_get_ipc_userpass(102)
> cm_get_ipc_userpass: Retrieved auth-user from secrets.tdb [DSP\dspadmin]
> [2005/09/16 12:26:37, 4] lib/time.c:get_serverzone(125)
> Serverzone is 25200
> [2005/09/16 12:26:37, 3] nsswitch/winbindd_rpc.c:query_user_list(46)
> rpc: query_user_list
> [2005/09/16 12:26:42, 3]
> nsswitch/winbindd_misc.c:winbindd_interface_version(460)
> [ 0]: request interface version
> [2005/09/16 12:26:42, 3]
> nsswitch/winbindd_misc.c:winbindd_priv_pipe_dir(493)
> [ 0]: request location of privileged pipe
> [2005/09/16 12:26:42, 3] nsswitch/winbindd_group.c:winbindd_list_groups(811)
> [ 0]: list groups
> [2005/09/16 12:26:42, 4]
> nsswitch/winbindd_group.c:get_sam_group_entries(521)
> get_sam_group_entries: Native Mode 2k domain; enumerating local groups as
> well
> [2005/09/16 12:26:42, 3]
> nsswitch/winbindd_group.c:get_sam_group_entries(526)
> get_sam_group_entries: Failed to enumerate domain local groups!
> [2005/09/16 12:26:42, 4]
> nsswitch/winbindd_group.c:get_sam_group_entries(521)
> get_sam_group_entries: Native Mode 2k domain; enumerating local groups as
> well
> [2005/09/16 12:26:42, 3]
> nsswitch/winbindd_group.c:get_sam_group_entries(526)
> get_sam_group_entries: Failed to enumerate domain local groups!
> [2005/09/16 12:26:42, 3] nsswitch/winbindd_rpc.c:enum_dom_groups(141)
> rpc: enum_dom_groups
>
> After issuing 'pw group show DSP-PRODUCTION', the following pops up in the
> debug log:
>
> [2005/09/16 12:32:47, 3]
> nsswitch/winbindd_misc.c:winbindd_interface_version(460)
> [ 0]: request interface version
> [2005/09/16 12:32:47, 3]
> nsswitch/winbindd_misc.c:winbindd_priv_pipe_dir(493)
> [ 0]: request location of privileged pipe
> [2005/09/16 12:32:47, 3] nsswitch/winbindd_pam.c:winbindd_pam_auth_crap(535)
> [ 0]: pam auth crap domain: [] user:
>
> First question: why does NSSWITCH think I have a W2K domain instead
> of a NT4 domain?

That would be a question to ask the samba folks; nsswitch doesn't think
anything. It just passes requests to the providers listed in its
config file.

> Second question: DSP is the actual domain name. Aries is the NetBIOS
> name of the server. I don't understand why winbindd tries to
> enumerate ARIES as a domain name. Aren't the BUILT-IN accounts
> sufficient for the local samba machine?

That's another samba question :)

> Content of /etc/nsswitch.conf as follows:
>
> passwd: compat winbind
> group: compat winbind
> hosts: files winbind wins dns
> networks: files
> shells: files
> <*blank line*>
>
> The original nsswitch.conf file was as follows prior to editing:
>
> group: compat
> group_compat: files nis
> hosts: files dns
> networks: files
> passwd: compat
> passwd_compat: files nis
> shells: files
> <*blank line*>
>
> Note I have not installed NIS server nor NIS client.
--
Dan Nelson
dnelson at allantgroup.com
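
The check suggested in the quoted advice above (does each source named in nsswitch.conf have an nss_<source>.so.1 file?), as an added example that is not part of the original message or of Samba or FreeBSD. The helper names and the list of built-in sources are assumptions; the sample config is the edited nsswitch.conf quoted in the thread, checked against a scratch directory rather than /usr/local/lib.

```sh
#!/bin/sh
# Added example, not from the thread: for each nsswitch.conf source, report
# whether it is built in or whether nss_<source>.so.1 exists in a given dir.

# Assumption: sources served by libc itself, which need no loadable module.
BUILTIN_SOURCES="files db dns nis compat cache"

# check_nss_modules CONF LIBDIR...   (hypothetical helper name)
# Prints "<database> <source> builtin|found|MISSING", one line per pair.
check_nss_modules() {
    conf=$1; shift
    # Drop comments and "[STATUS=action]" criteria so only source names remain.
    sed -e 's/#.*//' -e 's/\[[^]]*]//g' "$conf" |
    while IFS=: read -r db sources; do
        db=$(printf '%s' "$db" | tr -d ' \t')
        [ -n "$db" ] || continue
        for src in $sources; do
            state=MISSING
            case " $BUILTIN_SOURCES " in *" $src "*) state=builtin ;; esac
            if [ "$state" = MISSING ]; then
                for dir in "$@"; do
                    if [ -e "$dir/nss_$src.so.1" ]; then state=found; break; fi
                done
            fi
            printf '%s %s %s\n' "$db" "$src" "$state"
        done
    done
}

# Constructed demo: the edited nsswitch.conf quoted in the thread, checked
# against a scratch directory holding only a stand-in nss_winbind.so.1.
demo_page_config() {
    tmp=$(mktemp -d) || return 1
    cat > "$tmp/nsswitch.conf" <<'EOF'
passwd: compat winbind
group: compat winbind
hosts: files winbind wins dns
networks: files
shells: files
EOF
    : > "$tmp/nss_winbind.so.1"
    check_nss_modules "$tmp/nsswitch.conf" "$tmp"
    rm -rf "$tmp"
}

demo_page_config
```

A `found` result only says the module file exists; it does not show that the module implements lookups for that database. On a real host, pass the actual config and library directories, for example `check_nss_modules /etc/nsswitch.conf /usr/local/lib /usr/lib`.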