From: Doug Sampson
To: 'Dan Nelson'
Cc: "'freebsd-questions@freebsd.org'"
Date: Fri, 16 Sep 2005 12:48:07 -0700
Subject: RE: [Samba] getent & winbindd on FreeBSD 5.4

> Yes, that getent command should suffice for printing users and groups,
> including any NSS-provided ones. You can also use the 'id' or 'pw user
> show' commands to print similar info.

aries-root@/usr/local/etc: pw group show DSP-PRODUCTION
pw: unknown group `DSP-PRODUCTION'
aries-root@/usr/local/etc:

> PAM only handles authentication during login; looking up user/group
> names is handled by NSS. If your nsswitch.conf has "passwd: compat
> winbind" in it, you have a /usr/local/lib/nss_winbind.so.1 file, and
> getent can't find users that winbind should be providing, I'd start
> looking for nss_winbind debugging options.

I don't know if this helps but here we go.
I looked at /var/log/debug.log and I'm seeing lots of entries similar to the
ones below:

Sep 16 03:01:21 aries sendmail[6798]: NSSWITCH(nss_method_lookup): winbind, hosts, ghbyname, not found
Sep 16 03:01:21 aries sendmail[6798]: NSSWITCH(nss_method_lookup): wins, hosts, ghbyname, not found
Sep 16 03:01:21 aries sendmail[6837]: NSSWITCH(nss_method_lookup): winbind, hosts, ghbyname, not found
Sep 16 03:01:21 aries sendmail[6837]: NSSWITCH(nss_method_lookup): wins, hosts, ghbyname, not found
Sep 16 03:01:21 aries sendmail[6837]: NSSWITCH(nss_method_lookup): winbind, hosts, ghbyaddr, not found
Sep 16 03:01:21 aries sendmail[6837]: NSSWITCH(nss_method_lookup): wins, hosts, ghbyaddr, not found
Sep 16 03:01:21 aries sendmail[6837]: NSSWITCH(nss_method_lookup): winbind, hosts, ghbyaddr, not found
Sep 16 03:01:21 aries sendmail[6837]: NSSWITCH(nss_method_lookup): wins, hosts, ghbyaddr, not found
Sep 16 03:01:21 aries sendmail[6838]: NSSWITCH(nss_method_lookup): winbind, hosts, ghbyname, not found
Sep 16 03:01:21 aries sendmail[6838]: NSSWITCH(nss_method_lookup): wins, hosts, ghbyname, not found
Sep 16 03:01:21 aries sendmail[6843]: NSSWITCH(nss_method_lookup): winbind, hosts, ghbyname, not found
Sep 16 03:01:21 aries sendmail[6843]: NSSWITCH(nss_method_lookup): wins, hosts, ghbyname, not found
Sep 16 09:55:07 aries sshd[7716]: NSSWITCH(nss_method_lookup): winbind, hosts, ghbyaddr, not found
Sep 16 09:55:07 aries sshd[7716]: NSSWITCH(nss_method_lookup): wins, hosts, ghbyaddr, not found
Sep 16 09:55:09 aries sshd[7719]: NSSWITCH(nss_method_lookup): winbind, hosts, ghbyaddr, not found
Sep 16 09:55:09 aries sshd[7719]: NSSWITCH(nss_method_lookup): wins, hosts, ghbyaddr, not found
Sep 16 10:18:19 aries sshd[7771]: NSSWITCH(nss_method_lookup): winbind, hosts, ghbyaddr, not found
Sep 16 10:18:19 aries sshd[7771]: NSSWITCH(nss_method_lookup): wins, hosts, ghbyaddr, not found

Does this mean there is a problem with NSSWITCH?
Please note that there are references to sshd and sendmail among other
services but none related to winbindd as far as I can see.

I ran winbindd -d4 per your suggestion to use debugging options and tried
again by issuing getent passwd. Output of log.winbindd as follows:

[2005/09/16 12:26:18, 1] nsswitch/winbindd.c:main(935)
  winbindd version 3.0.20 started.
  Copyright The Samba Team 2000-2004
[2005/09/16 12:26:18, 3] param/loadparm.c:lp_load(4082)
  lp_load: refreshing parameters
[2005/09/16 12:26:18, 3] param/loadparm.c:init_globals(1366)
  Initialising global parameters
[2005/09/16 12:26:18, 3] param/params.c:pm_process(574)
  params.c:pm_process() - Processing configuration file "/usr/local/etc/smb.conf"
[2005/09/16 12:26:18, 3] param/loadparm.c:do_section(3542)
  Processing section "[global]"
  doing parameter workgroup = DSP
  doing parameter netbios name = Aries
[2005/09/16 12:26:18, 4] param/loadparm.c:handle_netbios_name(2881)
  handle_netbios_name: set global_myname to: ARIES
  doing parameter server string = Samba Server
  doing parameter security = domain
  doing parameter hosts allow = 192.168.1. 192.168.2. 127.
  doing parameter encrypt passwords = yes
  doing parameter log file = /var/log/samba/log.%m
  doing parameter max log size = 50
  doing parameter password server = *
  doing parameter passdb backend = tdbsam
  doing parameter auth methods = winbind
  doing parameter socket options = TCP_NODELAY
  doing parameter local master = no
  doing parameter os level = 33
  doing parameter wins server = 192.168.1.1
  doing parameter dns proxy = no
  doing parameter idmap uid = 15000-20000
  doing parameter idmap gid = 15000-20000
  doing parameter winbind enum users = yes
  doing parameter winbind enum groups = yes
  doing parameter winbind separator = -
  doing parameter template homedir = /usr/home/%D/%U
  doing parameter template shell = /bin/bash
[2005/09/16 12:26:18, 2] param/loadparm.c:do_section(3559)
  Processing section "[homes]"
  doing parameter comment = Home Directories
  doing parameter browseable = no
  doing parameter writable = yes
[2005/09/16 12:26:18, 2] param/loadparm.c:do_section(3559)
  Processing section "[MacData]"
  doing parameter comment = Production Data
  doing parameter path = /data
  doing parameter valid users = @Production
  doing parameter public = no
  doing parameter writable = yes
  doing parameter printable = no
  doing parameter create mask = 0765
[2005/09/16 12:26:18, 4] param/loadparm.c:lp_load(4113)
  pm_process() returned Yes
[2005/09/16 12:26:18, 3] param/loadparm.c:lp_add_ipc(2475)
  adding IPC service
[2005/09/16 12:26:18, 3] param/loadparm.c:lp_add_ipc(2475)
  adding IPC service
[2005/09/16 12:26:18, 2] lib/interface.c:add_interface(81)
  added interface ip=192.168.1.9 bcast=192.168.1.255 nmask=255.255.255.0
[2005/09/16 12:26:18, 2] lib/interface.c:add_interface(81)
  added interface ip=192.168.1.9 bcast=192.168.1.255 nmask=255.255.255.0
[2005/09/16 12:26:18, 2] lib/tallocmsg.c:register_msg_pool_usage(56)
  Registered MSG_REQ_POOL_USAGE
[2005/09/16 12:26:18, 2] lib/dmallocmsg.c:register_dmalloc_msgs(71)
  Registered MSG_REQ_DMALLOC_MARK and LOG_CHANGED
[2005/09/16 12:26:18, 2] nsswitch/winbindd_util.c:add_trusted_domain(166)
  Added domain DSP S-1-5-21-2008768363-1786319642-1659389152
[2005/09/16 12:26:18, 2] nsswitch/winbindd_util.c:add_trusted_domain(166)
  Added domain BUILTIN S-1-5-32
[2005/09/16 12:26:18, 2] nsswitch/winbindd_util.c:add_trusted_domain(166)
  Added domain ARIES S-1-5-21-249124048-3777273079-1200472844
[2005/09/16 12:26:25, 3] nsswitch/winbindd_misc.c:winbindd_interface_version(460)
  [ 0]: request interface version
[2005/09/16 12:26:25, 3] nsswitch/winbindd_misc.c:winbindd_priv_pipe_dir(493)
  [ 0]: request location of privileged pipe
[2005/09/16 12:26:25, 3] nsswitch/winbindd_sid.c:winbindd_gid_to_sid(406)
  [ 0]: gid to sid 65534
[2005/09/16 12:26:37, 3] nsswitch/winbindd_misc.c:winbindd_interface_version(460)
  [ 0]: request interface version
[2005/09/16 12:26:37, 3] nsswitch/winbindd_misc.c:winbindd_priv_pipe_dir(493)
  [ 0]: request location of privileged pipe
[2005/09/16 12:26:37, 3] nsswitch/winbindd_user.c:winbindd_list_users(735)
  [ 0]: list users
[2005/09/16 12:26:37, 4] passdb/secrets.c:secrets_fetch_trust_account_password(281)
  Using cleartext machine password
[2005/09/16 12:26:37, 4] libsmb/namequery.c:get_dc_list(1406)
  get_dc_list: returning 2 ip addresses in an unordered list
[2005/09/16 12:26:37, 4] libsmb/namequery.c:get_dc_list(1407)
  get_dc_list: 192.168.1.1:0 192.168.1.6:0
[2005/09/16 12:26:37, 3] lib/util.c:fcntl_lock(1826)
  fcntl_lock: fcntl lock gave errno 35 (Resource temporarily unavailable)
[2005/09/16 12:26:37, 3] lib/util.c:fcntl_lock(1845)
  fcntl_lock: lock failed at offset 0 count 1 op 8 type 1 (Resource temporarily unavailable)
[2005/09/16 12:26:37, 4] libsmb/clidgram.c:cli_send_mailslot(100)
  send_mailslot: Sending to mailslot \MAILSLOT\NET\NTLOGON from ARIES<00> to DSP<1c> IP 192.168.1.6
[2005/09/16 12:26:37, 3] nsswitch/winbindd_cm.c:cm_get_ipc_userpass(102)
  cm_get_ipc_userpass: Retrieved auth-user from secrets.tdb [DSP\dspadmin]
[2005/09/16 12:26:37, 4] lib/time.c:get_serverzone(125)
  Serverzone is 25200
[2005/09/16 12:26:37, 3] nsswitch/winbindd_rpc.c:query_user_list(46)
  rpc: query_user_list
[2005/09/16 12:26:42, 3] nsswitch/winbindd_misc.c:winbindd_interface_version(460)
  [ 0]: request interface version
[2005/09/16 12:26:42, 3] nsswitch/winbindd_misc.c:winbindd_priv_pipe_dir(493)
  [ 0]: request location of privileged pipe
[2005/09/16 12:26:42, 3] nsswitch/winbindd_group.c:winbindd_list_groups(811)
  [ 0]: list groups
[2005/09/16 12:26:42, 4] nsswitch/winbindd_group.c:get_sam_group_entries(521)
  get_sam_group_entries: Native Mode 2k domain; enumerating local groups as well
[2005/09/16 12:26:42, 3] nsswitch/winbindd_group.c:get_sam_group_entries(526)
  get_sam_group_entries: Failed to enumerate domain local groups!
[2005/09/16 12:26:42, 4] nsswitch/winbindd_group.c:get_sam_group_entries(521)
  get_sam_group_entries: Native Mode 2k domain; enumerating local groups as well
[2005/09/16 12:26:42, 3] nsswitch/winbindd_group.c:get_sam_group_entries(526)
  get_sam_group_entries: Failed to enumerate domain local groups!
[2005/09/16 12:26:42, 3] nsswitch/winbindd_rpc.c:enum_dom_groups(141)
  rpc: enum_dom_groups

After issuing 'pw group show DSP-PRODUCTION', the following pops up in the
debug log:

[2005/09/16 12:32:47, 3] nsswitch/winbindd_misc.c:winbindd_interface_version(460)
  [ 0]: request interface version
[2005/09/16 12:32:47, 3] nsswitch/winbindd_misc.c:winbindd_priv_pipe_dir(493)
  [ 0]: request location of privileged pipe
[2005/09/16 12:32:47, 3] nsswitch/winbindd_pam.c:winbindd_pam_auth_crap(535)
  [ 0]: pam auth crap domain: [] user:

First question: why does NSSWITCH think I have a W2K domain instead of a NT4
domain?

Second question: DSP is the actual domain name. Aries is the NetBIOS name of
the server. I don't understand why winbindd tries to enumerate ARIES as a
domain name. Aren't the BUILT-IN accounts sufficient for the local samba
machine?
Content of /etc/nsswitch.conf as follows:

passwd: compat winbind
group: compat winbind
hosts: files winbind wins dns
networks: files
shells: files
<*blank line*>

The original nsswitch.conf file was as follows prior to editing:

group: compat
group_compat: files nis
hosts: files dns
networks: files
passwd: compat
passwd_compat: files nis
shells: files
<*blank line*>

Note I have not installed NIS server nor NIS client.

Comments?

~Doug
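
An added example, not part of the original message: a small Python script that tallies the NSSWITCH(nss_method_lookup) "not found" entries by database, source and method, and checks each source against the edited nsswitch.conf quoted in the post. The sample log and config are constructed from lines in the post; the function names are this example's own.

```python
import re
from collections import Counter

# Constructed sample: the edited nsswitch.conf and a few debug.log lines from the post.
NSSWITCH_CONF = """\
passwd: compat winbind
group: compat winbind
hosts: files winbind wins dns
networks: files
shells: files
"""
DEBUG_LOG = """\
Sep 16 03:01:21 aries sendmail[6798]: NSSWITCH(nss_method_lookup): winbind, hosts, ghbyname, not found
Sep 16 03:01:21 aries sendmail[6798]: NSSWITCH(nss_method_lookup): wins, hosts, ghbyname, not found
Sep 16 09:55:07 aries sshd[7716]: NSSWITCH(nss_method_lookup): winbind, hosts, ghbyaddr, not found
Sep 16 09:55:07 aries sshd[7716]: NSSWITCH(nss_method_lookup): wins, hosts, ghbyaddr, not found
"""
MISS_RE = re.compile(
    r"NSSWITCH\(nss_method_lookup\): "
    r"(?P<source>[^,\n]+), (?P<database>[^,\n]+), (?P<method>[^,\n]+), not found"
)

def parse_nsswitch(text):
    """Return {database: [sources]}, dropping comments and [criteria] blocks."""
    conf = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if ":" not in line:
            continue
        database, sources = line.split(":", 1)
        conf[database.strip()] = re.sub(r"\[[^\]]*\]", " ", sources).split()
    return conf

def summarize_misses(log_text, conf):
    """Tally 'not found' entries and mark whether conf lists that source."""
    counts = Counter(
        (m["database"], m["source"], m["method"]) for m in MISS_RE.finditer(log_text)
    )
    return [
        {"database": db, "source": src, "method": meth, "count": n,
         "configured": src in conf.get(db, [])}
        for (db, src, meth), n in sorted(counts.items())
    ]

def databases_with_misses(rows):
    """Databases (passwd, group, hosts, ...) that appear in the tallied entries."""
    return sorted({row["database"] for row in rows})

if __name__ == "__main__":
    rows = summarize_misses(DEBUG_LOG, parse_nsswitch(NSSWITCH_CONF))
    for row in rows:
        print("{database:8} {source:8} {method:10} x{count} configured={configured}".format(**row))
    print("databases with misses:", databases_with_misses(rows))
```

On the sample taken from the post, every tallied entry belongs to the hosts database with sources winbind and wins, which are the two sources added to the hosts line; none refers to passwd or group.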