AD Authentication - wbinfo Works, getent Doesn't work, Can't Login
Hi all,
I'm trying to bring up a RHEL5.6 server and have SSH users authenticate against Windows 2008r2 AD. As I noted in the subject, I can retrieve AD information using both wbinfo -u and wbinfo -g. All kerberos tests seem to run fine, but when I try getent passwd or group I only see local information, nothing from AD. I also cannot SSH in as an AD user, but I think I should be able to get getent working before I worry about that?

I turned up the log level on samba to 10, but about the only issue I can see at the moment is in /var/log/samba/winbindd.log:

[2011/06/07 22:03:32.896639, 6] winbindd/winbindd.c:768(new_connection)
  accepted socket 22
[2011/06/07 22:03:32.896736, 2] winbindd/winbindd.c:819(winbind_client_request_read)
  Could not read client request from fd 22: Input/output error

Anything I might be able to try would be greatly appreciated. Thanks!

I currently have installed:
samba3x.x86_64 3.5.4-0.70.el5_6.1
samba3x-client.x86_64 3.5.4-0.70.el5_6.1
samba3x-common.x86_64 3.5.4-0.70.el5_6.1
samba3x-winbind.x86_64 3.5.4-0.70.el5_6.1

/etc/nsswitch.conf (partial):
passwd: files winbind
shadow: files winbind
group: files winbind

/etc/samba/smb.conf (partial):
workgroup = MYDOMAIN
password server = 10.1.60.10
encrypt passwords = Yes
realm = MYDOMAIN.COM
security = ADS
idmap uid = 16777216-33554431
idmap gid = 16777216-33554431
template homedir = /home/%U
template shell = /bin/bash
winbind use default domain = Yes
winbind enum users = yes
winbind enum groups = yes
winbind nested groups = Yes
when wbinfo -u (wbinfo -g) works, but getent passwd (getent group) doesn't
My Debian v5 (aka Lenny) file server was that way (even after successfully joining the domain and like you, wbinfo commands showed AD users and groups); went back into the samba config file and uncommented the winbind enum lines (note: comments stated "was the default behavior" but now not because "it might induce performance issues in large organizations", as was in my case); stopped winbind, restarted samba, started winbind, and poof (okay, took a few moments to get the results), getent showed ids for the various groups and users!
sudo pico /etc/samba/smb.conf

uncomment (i.e. remove the leading semi-colon):
winbind enum users = yes
winbind enum groups = yes

Ctrl (aka control) and "x", "y", Enter

sudo /etc/init.d/winbind stop
sudo /etc/init.d/samba restart
sudo /etc/init.d/winbind start
getent group

But wait, you seem to show that your enum lines are uncommented; I wonder if you have a firewall issue (e.g. for me, I use iptables, so something like "sudo iptables -A INPUT -p udp -j LOG --log-prefix "UDP DROP:"" before "sudo iptables -A INPUT -p udp -j DROP", and then "dmesg" after trying the getent commands to see if dropped traffic is getting logged). I also left my "shadow: compat" in my /etc/nsswitch.conf, and I did "sudo ln -s /lib/libnss_winbind.so.2 /lib/libnss_winbind.so" just in case. Hope this helps.
note for smb and winbind 4 (deb 8)
you'll need to add "winbind expand groups = 1" to your /etc/samba/smb.conf (if you want to see members of a group with "getent group namehere")
also, idmap lines have changed their syntax:
idmap config *:backend = rid
idmap config *:range = 10000-1000000

and because I'm part of a large org:
winbind enum users = no
winbind enum groups = no

and I noticed haste makes waste in my previous restarting of smb and winbind services; it should be stop smb, restart winbind, start samba:
sudo /etc/init.d/samba stop; sudo /etc/init.d/winbind restart; sudo /etc/init.d/samba start
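The two replies above come down to a checklist: winbind must be listed on the passwd and group lines of nsswitch.conf, the "winbind enum users/groups" lines must be uncommented if you expect a plain getent to list domain entries, an idmap range must exist so winbind can hand out UIDs/GIDs, the idmap syntax differs between Samba 3 and Samba 4, and glibc must actually find libnss_winbind.so.2. As an added example (not code from anyone in this thread), the POSIX shell script below audits a given smb.conf and nsswitch.conf against that checklist. The function names, the optional Samba major-version argument, the wording of the findings and the two sample configuration pairs it writes (one modelled on the original poster's Samba 3 setup, one on the Samba 4 note with the enum lines still commented out) are my own constructions.

```shell
#!/bin/sh
# Added example, not from the thread: audit smb.conf and nsswitch.conf for the
# settings that decide whether getent sees winbind users/groups even though
# wbinfo -u / wbinfo -g already work. Function names, the optional Samba
# major-version argument and the sample files below are assumptions.

# Effective value of a [global] smb.conf parameter. Lines commented with ';'
# or '#' are skipped, parameter names are compared with whitespace stripped
# and case folded (smbd is equally lenient), and the last definition wins.
smb_param() {
    awk -v key="$2" '
        BEGIN { gsub(/[ \t]/, "", key); key = tolower(key); in_global = 1 }
        /^[ \t]*[;#]/ { next }
        /^[ \t]*\[/ { in_global = ($0 ~ /^[ \t]*\[[ \t]*[Gg][Ll][Oo][Bb][Aa][Ll][ \t]*\]/); next }
        in_global && index($0, "=") {
            k = substr($0, 1, index($0, "=") - 1)
            v = substr($0, index($0, "=") + 1)
            gsub(/[ \t]/, "", k)
            gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (tolower(k) == key) val = v
        }
        END { print val }' "$1"
}

# "yes" if the nsswitch.conf database ($2) lists winbind as a source, else "no".
nss_has_winbind() {
    awk -v db="$2" '
        { line = $0; sub(/#.*/, "", line)
          if (match(line, "^[ \t]*" db "[ \t]*:")) {
              n = split(substr(line, RLENGTH + 1), src, /[ \t]+/)
              for (i = 1; i <= n; i++) if (src[i] == "winbind") found = 1
          } }
        END { print (found ? "yes" : "no") }' "$1"
}

# Can glibc find the NSS module that talks to winbindd? $@ = directories to search.
nss_module_present() {
    for d in "$@"; do
        [ -e "$d/libnss_winbind.so.2" ] && return 0
    done
    return 1
}

# audit_winbind SMB_CONF NSSWITCH_CONF [SAMBA_MAJOR]: one line per finding,
# then "findings: N". SAMBA_MAJOR defaults to 4 (an assumption).
audit_winbind() {
    smb=$1; nss=$2; major=${3:-4}; n=0
    for db in passwd group; do
        if [ "$(nss_has_winbind "$nss" "$db")" != yes ]; then
            echo "nsswitch.conf: '$db:' does not list winbind, so getent never asks winbindd"
            n=$((n + 1))
        fi
    done
    for p in "winbind enum users" "winbind enum groups"; do
        v=$(smb_param "$smb" "$p" | tr 'A-Z' 'a-z')
        case "$v" in
            yes|true|1) ;;
            *) echo "smb.conf: '$p' is ${v:-unset} (default no): plain 'getent passwd'/'getent group' will not enumerate domain entries; lookups by name still work"
               n=$((n + 1)) ;;
        esac
    done
    legacy=0; newstyle=0
    { [ -n "$(smb_param "$smb" "idmap uid")" ] || [ -n "$(smb_param "$smb" "idmap gid")" ]; } && legacy=1
    [ -n "$(smb_param "$smb" "idmap config * : range")" ] && newstyle=1
    if [ "$major" -ge 4 ] && [ "$legacy" -eq 1 ]; then
        echo "smb.conf: Samba 3 'idmap uid'/'idmap gid' syntax on Samba $major; use 'idmap config * : backend' and 'idmap config * : range'"
        n=$((n + 1))
    elif [ "$legacy" -eq 0 ] && [ "$newstyle" -eq 0 ]; then
        echo "smb.conf: no idmap range at all; winbind cannot hand out UIDs/GIDs, so names show in wbinfo but not in getent"
        n=$((n + 1))
    fi
    echo "findings: $n"
}

# Constructed sample files (not real hosts): a Samba 3 box like the original
# poster's, and a Samba 4 box with the enum lines commented out and no winbind
# in nsswitch.conf. Removed again when the script exits.
tmp=$(mktemp -d); trap 'rm -rf "$tmp"' EXIT
cat > "$tmp/nsswitch.ok" <<'EOF'
passwd:     files winbind
shadow:     files winbind
group:      files winbind
EOF
cat > "$tmp/nsswitch.bad" <<'EOF'
passwd:     compat   # no winbind here
group:      compat
EOF
cat > "$tmp/smb.samba3" <<'EOF'
[global]
   workgroup = MYDOMAIN
   realm = MYDOMAIN.COM
   security = ADS
   idmap uid = 16777216-33554431
   idmap gid = 16777216-33554431
   winbind enum users = yes
   winbind enum groups = yes
EOF
cat > "$tmp/smb.samba4" <<'EOF'
[global]
   workgroup = MYDOMAIN
   realm = MYDOMAIN.COM
   security = ADS
   idmap config * : backend = rid
   idmap config * : range = 10000-1000000
;  winbind enum users = yes
;  winbind enum groups = yes
EOF

echo "== Samba 3 host =="; audit_winbind "$tmp/smb.samba3" "$tmp/nsswitch.ok" 3
echo "== Samba 4 host =="; audit_winbind "$tmp/smb.samba4" "$tmp/nsswitch.bad" 4
nss_module_present /lib /lib64 /lib/x86_64-linux-gnu /usr/lib /usr/lib64 \
    || echo "libnss_winbind.so.2 not found in the usual glibc directories"
```

To run it against a real host, call audit_winbind /etc/samba/smb.conf /etc/nsswitch.conf with the Samba major version you are on. The "winbind expand groups = 1" point from the Samba 4 note and the service restart order are deliberately not checked here, since both need a live winbindd to verify rather than a config file to parse.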