FreeBSD 7.2 domain member problem

Hi!

I am trying to set a FreeBSD 7.2, Samba 3.3.8 as an AD domain member server.
I am not using LDAP, but idmap_rid. I have properly configured nsswitch.conf.

Joining to domain and wbinfo -u work OK, but when I try
pw show user -a
I get only user accounts of FreeBSD. So, I cannot set owners, ACLs...

My main source is Samba guide chapter 7: http://www.samba.org/samba/docs/man/Samba-Guide/unixclients.html#id2597100
All tests from Procedure 7.4 of the guide, except getent (eq. to pw show user -a) work OK.

It seems that FreeBSD does not use nsswitch. What should I do or what I am missing?

Thanks in advance fro your help.

2009/11/4 Ivo Karabojkov <ivo@...>: [...]

I have no idea what the problem is, but FreeBSD does seem to use nsswitch:
http://www.freebsd.org/cgi/man.cgi?query=nsswitch.conf&apropos=0&sektion=0&manpath=FreeBSD+7.2-RELEASE&format=html

--
Michael Wood <esiotrot@...>
--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba

On Thu, 5 Nov 2009, Michael Wood wrote: It does indeed use nsswitch.

I suggest testing with getent rather than pw. I believe pw only handles
local users/groups (this is a bug ;)

--
Daniel O'Connor software and network engineer
for Genesis Software - http://www.gsoft.com.au
"The nice thing about standards is that there
are so many of them to choose from."
  -- Andrew Tanenbaum
GPG Fingerprint - 5596 B766 97C0 0E94 4347 295E E593 DC20 7B3F CE8C


--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba

Yes, FreeBSD supports nsswitch and I tried getent passwd - the result is the same.
Maybe I should show my config files in my previous post, sorry:

smb.conf:
(very similar to Chapter 7, example 7.7 and 7.8 of the Samba Guide)

[global]
# unix charset = LOCALE
workgroup = DOMAIN
realm = domain.local
#
server string = sambaserver.domain.local
security = ADS
username map = /etc/samba/smbusers
log level = 1
syslog = 0
log file = /var/log/samba/%m
max log size = 50
#printcap name = CUPS
#idmap backend = idmap_rid:DOMAIN=10000-100000000
idmap backend = rid
# ldap ssl = no
idmap uid = 10000-100000000
idmap gid = 10000-100000000
allow trusted domains = No
winbind enum users = yes
winbind enum groups = yes
#
winbind refresh tickets = Yes
winbind nested groups = No

hosts allow = 192.168.1. 10.1.55. 127.0.0.1
interfaces = localhost, nfe0, tun*
bind interfaces only = Yes
case sensitive = No

[pub]
comment = Public
path = /var/samba/pub
guest ok = No
browseable = Yes
nt acl support = Yes


/etc/nsswitch.conf:

group: files winbind
group_compat: nis
hosts: files dns
networks: files
passwd: files winbind
passwd_compat: nis
shells: files
services: compat
services_compat: nis
protocols: files
rpc: files

/etc/pam.d/login:
(I don't think I need this, I don't need AD users to access anything but some samba shares with ACL, but I keep trying)

# auth
auth            sufficient      pam_self.so             no_warn
auth            include         system
auth            sufficient      /usr/local/lib/pam_winbind.so

# account
account         requisite       pam_securetty.so
account         required        pam_nologin.so
account         include         system
account         sufficient      /usr/local/lib/pam_winbind.so

# session
session         include         system

# password
password        include         system


So I'm stil trying, but AD users do not appear in password or group databases of FreeBSD.
Should I try LDAP?

Is it necessary to install MS Windows services for Unix on AD controller??

On Thu, 5 Nov 2009, Ivo Karabojkov wrote: Can you try commenting out group_compat and passwd_compat?

The other thing to try would be running ktrace on getent and see what
it's doing.

--
Daniel O'Connor software and network engineer
for Genesis Software - http://www.gsoft.com.au
"The nice thing about standards is that there
are so many of them to choose from."
  -- Andrew Tanenbaum
GPG Fingerprint - 5596 B766 97C0 0E94 4347 295E E593 DC20 7B3F CE8C


--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba

I noticed some error messages in log files too:

winbindd-idmap.log:
winbindd/idmap.c:idmap_init_passdb_domain(438)
  Could not init passdb idmap domain
[2009/11/06 13:21:23,  0] winbindd/idmap.c:smb_register_idmap_alloc(201)
  idmap_alloc module ldap already registered!
[2009/11/06 13:21:23,  0] winbindd/idmap.c:smb_register_idmap_alloc(201)
  idmap_alloc module tdb already registered!
[2009/11/06 13:21:23,  0] winbindd/idmap.c:smb_register_idmap(149)
  Idmap module passdb already registered!

winbindd.log
winbindd/idmap.c:smb_register_idmap(149)
  Idmap module nss already registered!
[2009/11/06 13:21:33,  1] winbindd/winbindd_group.c:winbindd_getgrent(1366)
  could not look up gid for group HelpServicesGroup
> This message repeats for all AD global groups and also AD users.

I also attach my ktrace output.
 ktrace getent passwd
ktrace.outktrace.out

Sorry I don't know what caused everyone to lose interest in my previous post...

What may be the reason for the error:

winbindd/idmap.c:idmap_init_passdb_domain(438)
  Could not init passdb idmap domain

I have another problem too:
winbindd/winbindd_user.c:winbindd_fill_pwent(97)
error getting user id for sid S-1-5..........

I tried adding passdb backend=tdbsam in my smb.conf but no result at all.
Do I have to use LDAP backend for IDMAP? Is there something with idmap:rid?

Any help or advice would be appreciated!

Ivo Karabojkov wrote:  From your smb.conf, the "idmap backend" that you have commented out is
the correct one.  Try changing that, then see if there is any improvement.
http://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/idmapper.html#id2606608


http://groups.google.com/group/mailing.unix.samba/browse_thread/thread/48cc0808ab6fee08

#idmap backend = idmap_rid:DOMAIN=10000-100000000 [*this is the correct
one*]
idmap backend = rid
# ldap ssl = no
idmap uid = 10000-100000000
idmap gid = 10000-100000000
allow trusted domains = No
winbind enum users = yes
winbind enum groups = yes
#
winbind refresh tickets = Yes
winbind nested groups = No
<http://groups.google.com/group/mailing.unix.samba/browse_thread/thread/48cc0808ab6fee08>


--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba

Thank you very much for your reply!

I commented the correct line in my tries to get this working.
I have partial success WITHOUT idmap backend, with following smb.conf:

[global]
netbios name = SERVER
workgroup = DOMAIN
realm = DOMAIN.LOCAL
server string = Samba Server
security = ADS
username map = /etc/samba/smbusers
log level = 1
syslog = 0
log file = /var/log/samba/%m
max log size = 50
# printcap name = CUPS
ldap ssl = no
idmap uid = 10000-20000
idmap gid = 10000-20000
# template primary group = "Domain Users"  // seems no longer supported
template shell = /sbin/nologin
# winbind separator = + // backslash is OK for me
# printing = cups

hosts allow = 192.168.1. 10.1.55. 127.0.0.1
interfaces = localhost, nfe0
bind interfaces only = Yes

[pub]
comment = Public
path = /var/samba/pub
guest ok = No
browseable = Yes

I can join the AD, see users with wbinfo -u and I can not find the users with getent passwd!
I can still chown a folder stating "DOMAIN\user or group" and in ls -l owner:group is displayed OK.

When I add:
idmap backend = idmap_rid:DOMAIN=10000-100000000
I get the warning: [2009/11/12 23:17:45,  1] winbindd/idmap.c:parse_idmap_module(244)
  idmap_init: idmap backend uses deprecated 'idmap_' prefix.  Please replace 'idmap_rid:DOMAIN=10000-100000000' by 'rid:DOMAIN=10000-100000000'

Now I see only uid/gid for previously chowned directory, no users with getent ... Changing the syntax according to message changes nothing.
winbindd log shows something like:
[2009/11/12 23:19:20,  1] winbindd/winbindd_group.c:getgrgid_recv(1015)
  could not convert gid 10005 to sid

I have my partial success back commenting the idmap backend.

I still can't see all domain users / groups neither with getent nor pw usershow -a

Sorry for my triple answer, the message was rejected by the mailing list last few days and I tried to resend it over and over again.

So I kept "hitting my head in the wall" and here is my partial but satisfying solution:

I was totally unable to get idmap_rid working! So I am using the default IDMAP backend - tdb.
The problem with not working pw user / group show -a or getent passwd / group was that nss_winbind.so was not where it supposed to. To correct this I used:

ln -s /usr/local/lib/nss_winbind.so.1 /usr/lib/
ln -s /usr/local/lib/nss_winbind.so.1 /usr/lib/nss_winbind.so.2

Now all my users and groups are visible with pw or getent!
rid backend would give predictable sid <-> uid/gid mapping, with this solution mapping changes every time server is joined to AD domain. But I failed setting it up - it seems idmap_rid does not map anything...

If someone may help with better solution I will be grateful.

Ivo Karabojkov wrote:

> I was totally unable to get idmap_rid working! So I am using the default
> IDMAP backend - tdb.
Not good if you need that the same user receives the same UID on
different machines.

> The problem with not working pw user / group show -a or getent passwd /
> group was that nss_winbind.so was not where it supposed to. To correct this
> I used:
> ln -s /usr/local/lib/nss_winbind.so.1 /usr/lib/
> ln -s /usr/local/lib/nss_winbind.so.1 /usr/lib/nss_winbind.so.2
That's really ugly and shouldn't be needed on ANY distro. And it seems
you're looking for troubles (.1 and .2 IIRC have different ABI).

> Now all my users and groups are visible with pw or getent!
> rid backend would give predictable sid <-> uid/gid mapping, with this
> solution mapping changes every time server is joined to AD domain. But I
> failed setting it up - it seems idmap_rid does not map anything...
>
> If someone may help with better solution I will be grateful.
In my config I map users in two domains to different UID/GID values with
the following config:
         winbind uid = 100000-100000000
         winbind gid = 100000-100000000

         idmap config DOM1:backend = rid
         idmap config DOM1:base_rid  = 500
         idmap config DOM1:range = 100000 - 49999999
         idmap config DOM2:backend = rid
         idmap config DOM2:base_rid  = 500
         idmap config DOM2:range = 50000000 - 99999999

Maybe you need just:
         winbind uid = 100000-100000000
         winbind gid = 100000-100000000
         idmap config backend = rid

And be sure to "testparm -v" any changes to smb.conf

--
Diego Zuccato
Servizi Informatici
Dip. di Astronomia - Università di Bologna
Via Ranzani, 1 - 40126 Bologna - Italy
tel.: +39 051 20 95786
mail: diego.zuccato@...
--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba

On Mon, 23 Nov 2009, Diego Zuccato wrote:
> > The problem with not working pw user / group show -a or getent
> > passwd / group was that nss_winbind.so was not where it supposed
> > to. To correct this I used:
> > ln -s /usr/local/lib/nss_winbind.so.1 /usr/lib/
> > ln -s /usr/local/lib/nss_winbind.so.1 /usr/lib/nss_winbind.so.2
>
> That's really ugly and shouldn't be needed on ANY distro. And it
> seems you're looking for troubles (.1 and .2 IIRC have different
> ABI).

Indeed, that certainly shouldn't be necessary..

I use nss/pam_ldap (on FreeBSD) and it works just fine living
in /usr/local/lib as you'd expect.

I don't know why you'd need nss_winbind.so.2 either.

--
Daniel O'Connor software and network engineer
for Genesis Software - http://www.gsoft.com.au
"The nice thing about standards is that there
are so many of them to choose from."
  -- Andrew Tanenbaum
GPG Fingerprint - 5596 B766 97C0 0E94 4347 295E E593 DC20 7B3F CE8C


--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba

Without links (maybe just 1 is enough, I'll test) no resolution to the OS occurred at all - users and groups were visible via wbinfo, but not with getent or pw.

With RID I tried a lot of combinations (including shown by you or just
idmap backend = rid:DOMAIN:10000-20000) with totally no success.

I should try this again with linked .so.1 library and I'll write back

Diego Zuccato-2 wrote:

Ivo Karabojkov wrote:

> I was totally unable to get idmap_rid working! So I am using the default
> IDMAP backend - tdb.
Not good if you need that the same user receives the same UID on
different machines.

> The problem with not working pw user / group show -a or getent passwd /
> group was that nss_winbind.so was not where it supposed to. To correct this
> I used:
> ln -s /usr/local/lib/nss_winbind.so.1 /usr/lib/
> ln -s /usr/local/lib/nss_winbind.so.1 /usr/lib/nss_winbind.so.2
That's really ugly and shouldn't be needed on ANY distro. And it seems
you're looking for troubles (.1 and .2 IIRC have different ABI).

> Now all my users and groups are visible with pw or getent!
> rid backend would give predictable sid <-> uid/gid mapping, with this
> solution mapping changes every time server is joined to AD domain. But I
> failed setting it up - it seems idmap_rid does not map anything...
>
> If someone may help with better solution I will be grateful.
In my config I map users in two domains to different UID/GID values with
the following config:
         winbind uid = 100000-100000000
         winbind gid = 100000-100000000

         idmap config DOM1:backend = rid
         idmap config DOM1:base_rid  = 500
         idmap config DOM1:range = 100000 - 49999999
         idmap config DOM2:backend = rid
         idmap config DOM2:base_rid  = 500
         idmap config DOM2:range = 50000000 - 99999999

Maybe you need just:
         winbind uid = 100000-100000000
         winbind gid = 100000-100000000
         idmap config backend = rid

And be sure to "testparm -v" any changes to smb.conf

--
Diego Zuccato
Servizi Informatici
Dip. di Astronomia - Università di Bologna
Via Ranzani, 1 - 40126 Bologna - Italy
tel.: +39 051 20 95786
mail: diego.zuccato@unibo.it
--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba

I am sure it should work without these strange links I've made.
I don't know what is the problem. I use ports, just to keep my installations more standard.

May you point me a good manual how to set up nss/ldap with Samba?

Daniel O'Connor-2 wrote:

Indeed, that certainly shouldn't be necessary..

I use nss/pam_ldap (on FreeBSD) and it works just fine living
in /usr/local/lib as you'd expect.

I don't know why you'd need nss_winbind.so.2 either.
 

On Mon, 23 Nov 2009, Ivo Karabojkov wrote:
> I am sure it should work without these strange links I've made.
> I don't know what is the problem. I use ports, just to keep my
> installations more standard.
>
> May you point me a good manual how to set up nss/ldap with Samba?

I used the samba how to guide and googled, the net/smbldap-tools is
pretty helpful.

That said it wasn't especially simple to setup :(

However I don't use winbind on my FreeBSD machine, I use nss/pam_ldap
and Samba talks to the LDAP server as well.

--
Daniel O'Connor software and network engineer
for Genesis Software - http://www.gsoft.com.au
"The nice thing about standards is that there
are so many of them to choose from."
  -- Andrew Tanenbaum
GPG Fingerprint - 5596 B766 97C0 0E94 4347 295E E593 DC20 7B3F CE8C


--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba