Date: Fri, 16 Sep 2005 16:27:33 -0500
From: Dan Nelson
To: Doug Sampson
Cc: "'freebsd-questions@freebsd.org'"
Subject: Re: [Samba] getent & winbindd on FreeBSD 5.4
Message-ID: <20050916212733.GG72150@dan.emsphone.com>

In the last episode (Sep 16), Doug Sampson said:
> > PAM only handles authentication during login; looking up user/group
> > names is handled by NSS.  If your nsswitch.conf has "passwd: compat
> > winbind" in it, you have a /usr/local/lib/nss_winbind.so.1 file, and
> > getent can't find users that winbind should be providing, I'd start
> > looking for nss_winbind debugging options.
>
> I don't know if this helps but here we go.
> I looked at /var/log/debug.log
> and I'm seeing lots of entries similar to the ones below:
>
> Sep 16 03:01:21 aries sendmail[6798]: NSSWITCH(nss_method_lookup): winbind, hosts, ghbyname, not found
> Sep 16 03:01:21 aries sendmail[6798]: NSSWITCH(nss_method_lookup): wins, hosts, ghbyname, not found
> Sep 16 03:01:21 aries sendmail[6837]: NSSWITCH(nss_method_lookup): wins, hosts, ghbyaddr, not found
> Sep 16 03:01:21 aries sendmail[6837]: NSSWITCH(nss_method_lookup): winbind, hosts, ghbyaddr, not found

I think those are ipv6 lookup functions; you can probably ignore the
errors.

> Does this mean there is a problem with NSSWITCH? Please note that there are
> references to sshd and sendmail among other services but none related to
> winbindd as far as I can see.
>
> I ran winbindd -d4 per your suggestion to use debugging options and tried
> again by issuing getent passwd. Output of log.winbindd as follows:
>
> [2005/09/16 12:26:18, 1] nsswitch/winbindd.c:main(935)
>   winbindd version 3.0.20 started.
>   Copyright The Samba Team 2000-2004
> [2005/09/16 12:26:18, 3] param/loadparm.c:lp_load(4082)
>   lp_load: refreshing parameters
> [2005/09/16 12:26:18, 3] param/loadparm.c:init_globals(1366)
>   Initialising global parameters
> [2005/09/16 12:26:18, 3] param/params.c:pm_process(574)
>   params.c:pm_process() - Processing configuration file "/usr/local/etc/smb.conf"
> [2005/09/16 12:26:18, 3] param/loadparm.c:do_section(3542)
>   Processing section "[global]"
> doing parameter workgroup = DSP
> doing parameter netbios name = Aries
> [2005/09/16 12:26:18, 4] param/loadparm.c:handle_netbios_name(2881)
>   handle_netbios_name: set global_myname to: ARIES
> doing parameter server string = Samba Server
> doing parameter security = domain
> doing parameter hosts allow = 192.168.1. 192.168.2. 127.
> doing parameter encrypt passwords = yes
> doing parameter log file = /var/log/samba/log.%m
> doing parameter max log size = 50
> doing parameter password server = *
> doing parameter passdb backend = tdbsam
> doing parameter auth methods = winbind
> doing parameter socket options = TCP_NODELAY
> doing parameter local master = no
> doing parameter os level = 33
> doing parameter wins server = 192.168.1.1
> doing parameter dns proxy = no
> doing parameter idmap uid = 15000-20000
> doing parameter idmap gid = 15000-20000
> doing parameter winbind enum users = yes
> doing parameter winbind enum groups = yes
> doing parameter winbind separator = -
> doing parameter template homedir = /usr/home/%D/%U
> doing parameter template shell = /bin/bash
> [2005/09/16 12:26:18, 2] param/loadparm.c:do_section(3559)
>   Processing section "[homes]"
> doing parameter comment = Home Directories
> doing parameter browseable = no
> doing parameter writable = yes
> [2005/09/16 12:26:18, 2] param/loadparm.c:do_section(3559)
>   Processing section "[MacData]"
> doing parameter comment = Production Data
> doing parameter path = /data
> doing parameter valid users = @Production
> doing parameter public = no
> doing parameter writable = yes
> doing parameter printable = no
> doing parameter create mask = 0765
> [2005/09/16 12:26:18, 4] param/loadparm.c:lp_load(4113)
>   pm_process() returned Yes
> [2005/09/16 12:26:18, 3] param/loadparm.c:lp_add_ipc(2475)
>   adding IPC service
> [2005/09/16 12:26:18, 3] param/loadparm.c:lp_add_ipc(2475)
>   adding IPC service
> [2005/09/16 12:26:18, 2] lib/interface.c:add_interface(81)
>   added interface ip=192.168.1.9 bcast=192.168.1.255 nmask=255.255.255.0
> [2005/09/16 12:26:18, 2] lib/interface.c:add_interface(81)
>   added interface ip=192.168.1.9 bcast=192.168.1.255 nmask=255.255.255.0
> [2005/09/16 12:26:18, 2] lib/tallocmsg.c:register_msg_pool_usage(56)
>   Registered MSG_REQ_POOL_USAGE
> [2005/09/16 12:26:18, 2] lib/dmallocmsg.c:register_dmalloc_msgs(71)
>   Registered MSG_REQ_DMALLOC_MARK and LOG_CHANGED
> [2005/09/16 12:26:18, 2] nsswitch/winbindd_util.c:add_trusted_domain(166)
>   Added domain DSP S-1-5-21-2008768363-1786319642-1659389152
> [2005/09/16 12:26:18, 2] nsswitch/winbindd_util.c:add_trusted_domain(166)
>   Added domain BUILTIN S-1-5-32
> [2005/09/16 12:26:18, 2] nsswitch/winbindd_util.c:add_trusted_domain(166)
>   Added domain ARIES S-1-5-21-249124048-3777273079-1200472844
> [2005/09/16 12:26:25, 3] nsswitch/winbindd_misc.c:winbindd_interface_version(460)
>   [ 0]: request interface version
> [2005/09/16 12:26:25, 3] nsswitch/winbindd_misc.c:winbindd_priv_pipe_dir(493)
>   [ 0]: request location of privileged pipe
> [2005/09/16 12:26:25, 3] nsswitch/winbindd_sid.c:winbindd_gid_to_sid(406)
>   [ 0]: gid to sid 65534
> [2005/09/16 12:26:37, 3] nsswitch/winbindd_misc.c:winbindd_interface_version(460)
>   [ 0]: request interface version
> [2005/09/16 12:26:37, 3] nsswitch/winbindd_misc.c:winbindd_priv_pipe_dir(493)
>   [ 0]: request location of privileged pipe
> [2005/09/16 12:26:37, 3] nsswitch/winbindd_user.c:winbindd_list_users(735)
>   [ 0]: list users
> [2005/09/16 12:26:37, 4] passdb/secrets.c:secrets_fetch_trust_account_password(281)
>   Using cleartext machine password
> [2005/09/16 12:26:37, 4] libsmb/namequery.c:get_dc_list(1406)
>   get_dc_list: returning 2 ip addresses in an unordered list
> [2005/09/16 12:26:37, 4] libsmb/namequery.c:get_dc_list(1407)
>   get_dc_list: 192.168.1.1:0 192.168.1.6:0
> [2005/09/16 12:26:37, 3] lib/util.c:fcntl_lock(1826)
>   fcntl_lock: fcntl lock gave errno 35 (Resource temporarily unavailable)
> [2005/09/16 12:26:37, 3] lib/util.c:fcntl_lock(1845)
>   fcntl_lock: lock failed at offset 0 count 1 op 8 type 1 (Resource temporarily unavailable)
> [2005/09/16 12:26:37, 4] libsmb/clidgram.c:cli_send_mailslot(100)
>   send_mailslot: Sending to mailslot \MAILSLOT\NET\NTLOGON from ARIES<00> to DSP<1c> IP 192.168.1.6
> [2005/09/16 12:26:37, 3] nsswitch/winbindd_cm.c:cm_get_ipc_userpass(102)
>   cm_get_ipc_userpass: Retrieved auth-user from secrets.tdb [DSP\dspadmin]
> [2005/09/16 12:26:37, 4] lib/time.c:get_serverzone(125)
>   Serverzone is 25200
> [2005/09/16 12:26:37, 3] nsswitch/winbindd_rpc.c:query_user_list(46)
>   rpc: query_user_list
> [2005/09/16 12:26:42, 3] nsswitch/winbindd_misc.c:winbindd_interface_version(460)
>   [ 0]: request interface version
> [2005/09/16 12:26:42, 3] nsswitch/winbindd_misc.c:winbindd_priv_pipe_dir(493)
>   [ 0]: request location of privileged pipe
> [2005/09/16 12:26:42, 3] nsswitch/winbindd_group.c:winbindd_list_groups(811)
>   [ 0]: list groups
> [2005/09/16 12:26:42, 4] nsswitch/winbindd_group.c:get_sam_group_entries(521)
>   get_sam_group_entries: Native Mode 2k domain; enumerating local groups as well
> [2005/09/16 12:26:42, 3] nsswitch/winbindd_group.c:get_sam_group_entries(526)
>   get_sam_group_entries: Failed to enumerate domain local groups!
> [2005/09/16 12:26:42, 4] nsswitch/winbindd_group.c:get_sam_group_entries(521)
>   get_sam_group_entries: Native Mode 2k domain; enumerating local groups as well
> [2005/09/16 12:26:42, 3] nsswitch/winbindd_group.c:get_sam_group_entries(526)
>   get_sam_group_entries: Failed to enumerate domain local groups!
> [2005/09/16 12:26:42, 3] nsswitch/winbindd_rpc.c:enum_dom_groups(141)
>   rpc: enum_dom_groups
>
> After issuing 'pw group show DSP-PRODUCTION', the following pops up in the
> debug log:
>
> [2005/09/16 12:32:47, 3] nsswitch/winbindd_misc.c:winbindd_interface_version(460)
>   [ 0]: request interface version
> [2005/09/16 12:32:47, 3] nsswitch/winbindd_misc.c:winbindd_priv_pipe_dir(493)
>   [ 0]: request location of privileged pipe
> [2005/09/16 12:32:47, 3] nsswitch/winbindd_pam.c:winbindd_pam_auth_crap(535)
>   [ 0]: pam auth crap domain: [] user:
>
> First question: why does NSSWITCH think I have a W2K domain instead
> of a NT4 domain?

That would be a question to ask the samba folks; nsswitch doesn't think
anything.
It just passes requests to the providers listed in its
config file.

> Second question: DSP is the actual domain name. Aries is the NetBIOS
> name of the server. I don't understand why winbindd tries to
> enumerate ARIES as a domain name. Aren't the BUILT-IN accounts
> sufficient for the local samba machine?

That's another samba question :)

> Content of /etc/nsswitch.conf as follows:
>
> passwd: compat winbind
> group: compat winbind
> hosts: files winbind wins dns
> networks: files
> shells: files
> <*blank line*>
>
> The original nsswitch.conf file was as follows prior to editing:
>
> group: compat
> group_compat: files nis
> hosts: files dns
> networks: files
> passwd: compat
> passwd_compat: files nis
> shells: files
> <*blank line*>
>
> Note I have not installed NIS server nor NIS client.

-- 
	Dan Nelson
	dnelson@allantgroup.com
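
The first two checks suggested in the message (does nsswitch.conf list the provider, and is there an nss_<name>.so.1 file for it) can be scripted. This is an added example, not part of the original thread: check_nss, demo, the BUILTIN list and the nss_<name>.so.1 naming are assumptions generalised from the single path quoted above. The demo runs against a constructed sandbox that holds only a stand-in for nss_winbind.so.1, so "wins" is flagged to show the failure path.

```shell
#!/bin/sh
# Providers assumed to be compiled into libc and so need no module file.
BUILTIN="files dns nis compat"

# check_nss CONF LIBDIR
# Prints one line per (database, provider) in lookup order:
#   "<db> <provider> builtin|module-present|MODULE-MISSING"
check_nss() {
    conf=$1
    libdir=$2
    # Drop comments, then split each line into "database:" and its providers.
    sed -e 's/#.*//' "$conf" | while read -r db rest; do
        [ -n "$db" ] || continue
        db=${db%:}
        for src in $rest; do
            # Skip criteria tokens such as [notfound=return].
            case $src in *=*|\[*|*\]) continue ;; esac
            case " $BUILTIN " in
                *" $src "*) echo "$db $src builtin" ;;
                *)  # Assumed module name, following nss_winbind.so.1
                    if [ -f "$libdir/nss_$src.so.1" ]; then
                        echo "$db $src module-present"
                    else
                        echo "$db $src MODULE-MISSING"
                    fi ;;
            esac
        done
    done
}

# Constructed sandbox: the edited nsswitch.conf from the message plus an
# empty file standing in for /usr/local/lib/nss_winbind.so.1.
demo() {
    tmp=$(mktemp -d) || return 1
    printf '%s\n' 'passwd: compat winbind' 'group: compat winbind' \
        'hosts: files winbind wins dns' 'networks: files' 'shells: files' \
        > "$tmp/nsswitch.conf"
    : > "$tmp/nss_winbind.so.1"
    check_nss "$tmp/nsswitch.conf" "$tmp"
    rm -rf "$tmp"
}

demo
```

On a real host the call would be check_nss /etc/nsswitch.conf /usr/local/lib; a present module file only shows the provider can be found, not that it implements every lookup method for that database.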