SLES11, Samba, Kerberos, LDAP integration with Active Directory
I have a SLES11 x86_64 server running the versions of Samba, MIT Kerberos 5, SASL and the OpenLDAP client supported by Novell, and have Active Directory integration as a member server working quite nicely, including enumeration of users and groups through nsswitch (getent passwd, getent group). That means that in addition to authenticating to the Linux server using their AD identity, users also get filesystem permissions based on their AD identity and/or group membership, using extended ACLs on the filesystems. This is in a multi-domain forest; all domains in the forest get enumerated.
I am trying to establish the same situation on a second SLES11 x86_64 server and have had partial success: I can only enumerate users and groups through wbinfo -u and wbinfo -g, or individually using getent passwd <username>. This second system was upgraded from SLES10 SP2, but appears to be running all the same modules as the server that works. I tried using the exact same configurations for pam.d, ldap.conf, smb.conf, krb5.conf and nsswitch.conf, and establishing domain membership, but can't get it to work.
I have tried upgrading Samba from 3.2.7 (the Novell-supported version for SLES11) to 3.4.3 and 3.5.4, with mixed results. The problem with anything after 3.3 is that it no longer uses idmap domains, so it seems hit-or-miss which domain it decides to enumerate, when it does decide to enumerate a domain at all; and yes, I do have "winbind enum users = yes" and "winbind enum groups = yes" set in smb.conf. Documentation for the proper usage of idmap in an AD environment post-3.3 is sketchy at best. I am back to the Novell "official" 3.2.7 version, since 3.4.3 and 3.5.4 also don't enumerate the users.
Does anyone have any insight as to where to look? The server is in DNS, in both the forward and reverse lookup zones. The computer is in the domain as a member server. The Kerberos keytab is good, and I've had to re-create it several times during my troubleshooting, both manually and automatically with the net ads join command. Logins appear to work fine. I have double- and triple-checked the libnss_winbind.so file, which is what I would assume to be the problem child, and it has been replaced each time I have upgraded or downgraded Samba with the correct version for the version of Samba being installed. If I recall correctly, winbindd uses LDAP to do the enumeration, but I get no errors related to LDAP. When I run getent passwd it lists the contents of the passwd file, then sits for a minute or two before returning to the command prompt.
I think it has something to do with LDAP, but I am at a loss as to what. I can connect to a DC with the LDAP browser in YaST and browse AD, using the user ID and password set up in ldap.conf, but it doesn't appear that the problem server is connecting to the AD DC the way the fully functional server does, using the same LDAP bind user and credentials, to do the winbind enumeration.
I did a strace on getent passwd and getent group and found I'm getting an ECONNREFUSED on the socket /tmp/.winbindd/pipe. I can't find anything via Google that applies to this situation, but that's where the getent enumeration breaks down.
Also, getent passwd <AD username> will properly enumerate the user in passwd file format; it just won't enumerate any AD users if you don't specify a user. More confusing is that getent group will enumerate a handful of AD groups after listing the contents of /etc/group. strace on getent group shows that it does get past /tmp/.winbindd/pipe and connects to /var/lib/samba/winbindd_privileged/pipe, but only enumerates a few groups that are in a particular OU rather than all groups in the domain.
strace getent passwd <ad username> also shows that it's getting past /tmp/.winbindd/pipe and connecting to /var/lib/samba/winbindd_privileged/pipe. I need to track down why getent passwd gets that ECONNREFUSED at the /tmp/.winbindd/pipe stage, so any clues would be greatly appreciated.
Last edited by jstalewski; 07-22-2010 at 11:35 AM. Reason: More information
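As an added diagnostic (not from the post above), the following POSIX shell helper checks the two things the strace output points at: whether nsswitch.conf actually routes passwd and group through winbind, and whether anything is accepting connections on the winbindd sockets named in the post. The socket paths are taken from the post; the availability of awk, ss (or pidof) and wbinfo -p on the SLES11 box is assumed.

```shell
# Added helper (not from the post); socket paths and tool names are assumed.
WB_PUBLIC=/tmp/.winbindd/pipe
WB_PRIV=/var/lib/samba/winbindd_privileged/pipe

# nss_sources DB: source list that nsswitch.conf (on stdin) gives for DB,
# e.g. "compat winbind" for "passwd: compat winbind"; comments are skipped.
nss_sources() {
    awk -v db="$1" 'BEGIN { key = db ":" }
        /^[[:space:]]*#/ { next }
        $1 == key { $1 = ""; sub(/^[[:space:]]+/, ""); print; exit }'
}

# nss_has_winbind DB: succeed only if winbind is among DB's sources; without
# it getent never talks to winbindd at all, whatever the socket state.
nss_has_winbind() {
    case " $(nss_sources "$1") " in *" winbind "*) return 0 ;; esac
    return 1
}

# socket_state PATH: what connect() would find. ECONNREFUSED, the strace
# symptom above, is a socket file with no process accepting: "no-listener".
socket_state() {
    p="$1"
    [ -e "$p" ] || { echo missing; return 1; }
    [ -S "$p" ] || { echo not-a-socket; return 1; }
    if command -v ss >/dev/null 2>&1; then
        ss -xl 2>/dev/null | grep -qF "$p" || { echo no-listener; return 1; }
    else
        pidof winbindd >/dev/null 2>&1 || { echo no-listener; return 1; }
    fi
    echo ok
}

# diagnose: run the checks against the live system; non-zero on any miss.
diagnose() {
    rc=0
    for db in passwd group; do
        nss_has_winbind "$db" </etc/nsswitch.conf \
            && echo "nsswitch $db: $(nss_sources "$db" </etc/nsswitch.conf)" \
            || { echo "nsswitch $db: winbind not listed"; rc=1; }
    done
    for s in "$WB_PUBLIC" "$WB_PRIV"; do
        state=$(socket_state "$s") || rc=1
        echo "$s: $state"
    done
    wbinfo -p >/dev/null 2>&1 && echo "wbinfo -p: ok" \
        || { echo "wbinfo -p: winbindd not answering"; rc=1; }
    return $rc
}
case "${1:-}" in --run) diagnose ;; esac
```

Run it as `sh winbind-check.sh --run` on the failing server; a "no-listener" result for /tmp/.winbindd/pipe while wbinfo -p fails points at winbindd itself rather than at LDAP.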