Current-Users archive
Re: nss_winbind not functional anymore on NetBSD 9.99.106 and Samba 4.16.5
Hi,

A little bit of an old topic...

> combination NetBSD 9.99.106 and Samba 4.16.5(from pkgsrc 2022Q3),
> the name resolution for usernames / groups via nss_winbind does not work anymore.

I've also faced this issue on NetBSD 9.99.10[68], 10.99.1 and net/samba4 4.16.x, 4.17.x.
However, NetBSD 9.99.108, 10.99.1, 10_BETA and net/samba4 4.15.x (latest pkgsrc-2022Q2) have no problem.

I could not find any change to winbind/nss_winbind in the Samba release notes, but some libraries linked to nss_winbind.so seem to have changed.
For example, Samba 4.15.x on NetBSD:

```
% ldd /usr/lib/nss_winbind.so.0
/usr/lib/nss_winbind.so.0:
        -lwinbind-client-samba4 => /usr/pkg/lib/samba/private/libwinbind-client-samba4.so
        -lreplace-samba4 => /usr/pkg/lib/samba/private/libreplace-samba4.so
        -lc.12 => /usr/lib/libc.so.12
        -lpthread.1 => /usr/lib/libpthread.so.1
```

On the other hand, Samba 4.16.x or later on NetBSD:

```
% ldd /usr/lib/nss_winbind.so.0
/usr/lib/nss_winbind.so.0:
        -lpthread.1 => /usr/lib/libpthread.so.1
        -lc.12 => /usr/lib/libc.so.12
```

It is the same on any Linux or FreeBSD, but there it works properly.

As with Matthias, winbind itself works well: wbinfo -u/-g retrieve information from AD.
Only access via nss doesn't work well.

> Is there a way to view nsdispatch or the name service switch mechanism
> in more detail or to enable additional logging?
> Has anyone observed the same problem and might have an idea what the
> problem is?
I'm looking for any solution, too...
Regards,
--
kei
In article (Subject: nss_winbind not functional anymore on NetBSD 9.99.106 and Samba 4.16.5
Date: Mon, 14 Nov 2022 11:06:20 +0100)
You(Matthias Petermann <mp%petermann-it.de@localhost>) wrote :
> Hello all,
>
> I have been using NetBSD 9.99.99 with Samba 4.15.9 (from pkgsrc
> 2022Q2) as Windows Domain Controller for a while now which worked
> well.
>
> Since I switched to the combination NetBSD 9.99.106 and Samba 4.16.5
> (from pkgsrc 2022Q3), the name resolution for usernames / groups via
> nss_winbind does not work anymore.
>
> The Windows clients are not directly affected by this, since the nss
> mechanism, especially on the Unix side, ensures that the correct
> plaintext names can be displayed for the numeric user and group ids
> assigned by Samba - for example, with ls. The workaround at the moment
> is to work with the numeric IDs. This is inconvenient and error-prone.
>
> As proof, I try to display the user information for the built-in
> domain administrator account via id command:
>
> ```
> net$ id Administrator
> id: Administrator: No such user
> ```
>
> I have checked the following so far:
>
> 1) Basic function kerberos with kinit / klist.
>
> ```
> net$ kinit Administrator
> Administrator@TEST.LOCAL's Password:
>
> net$ klist
> Credentials cache: FILE:/tmp/krb5cc_1000
> Principal: Administrator@TEST.LOCAL
>
> Issued Expires Principal
> Nov 14 10:42:45 2022 Nov 14 20:42:45 2022 krbtgt/TEST.LOCAL@TEST.LOCAL
> ```
>
> 2) Joining the Domain from a Windows 11 Prof 22H2 based host
>
> - works
>
> 3) Basic function winbind
>
> ```
> net$ wbinfo -i Administrator
> TEST\administrator:*:0:100::/home/TEST/administrator:/bin/false
>
> net$ wbinfo -g Administrator
> TEST\cert publishers
> TEST\ras and ias servers
> TEST\allowed rodc password replication group
> TEST\denied rodc password replication group
> TEST\dnsadmins
> TEST\enterprise read-only domain controllers
> TEST\domain admins
> TEST\domain users
> TEST\domain guests
> TEST\domain computers
> TEST\domain controllers
> TEST\schema admins
> TEST\enterprise admins
> TEST\group policy creator owners
> TEST\read-only domain controllers
> TEST\dnsupdateproxy
> ```
>
> 4) /etc/nsswitch.conf
>
> ```
> group: files winbind
> group_compat: nis
> hosts: files dns
> netgroup: files [notfound=return] nis
> networks: files
> passwd: files winbind
> passwd_compat: nis
> shells: files
> ```
>
> 5) libnss winbind
>
> ```
> net$ ls -la /usr/lib/nss_winbind.so.0
>
> lrwxr-xr-x 1 root wheel 30 Nov 14 09:56 /usr/lib/nss_winbind.so.0 ->
> /usr/pkg/lib/libnss_winbind.so
> ```
>
> 6) Ktrace of the "id" command (excerpts)
>
> ```
> net$ ktrace id Administrator
> id: Administrator: No such user
> net$ kdump
> ....
> 592 592 id CALL open(0x785c601b43b8,0x400000,0x1b6)
> 592 592 id NAMI "/etc/nsswitch.conf"
> 592 592 id RET open 3
> 592 592 id CALL
> mmap(0,0x7000,PROT_READ|PROT_WRITE,0x1002<PRIVATE,ANONYMOUS,ALIGN=NONE>,0xffffffff,0,0)
> 592 592 id RET mmap 132338150055936/0x785c606ca000
> 592 592 id CALL
> mmap(0,0x7000,PROT_READ|PROT_WRITE,0x1002<PRIVATE,ANONYMOUS,ALIGN=NONE>,0xffffffff,0,0)
> 592 592 id RET mmap 132338150027264/0x785c606c3000
> 592 592 id CALL
> mmap(0,0x5000,PROT_READ|PROT_WRITE,0x1002<PRIVATE,ANONYMOUS,ALIGN=NONE>,0xffffffff,0,0)
> 592 592 id RET mmap 132338150006784/0x785c606be000
> 592 592 id CALL
> mmap(0,0x5000,PROT_READ|PROT_WRITE,0x1002<PRIVATE,ANONYMOUS,ALIGN=NONE>,0xffffffff,0,0)
> 592 592 id RET mmap 132338149986304/0x785c606b9000
> 592 592 id CALL __fstat50(3,0x7f7fff082110)
> 592 592 id RET __fstat50 0
> 592 592 id CALL
> mmap(0,0x5000,PROT_READ|PROT_WRITE,0x1002<PRIVATE,ANONYMOUS,ALIGN=NONE>,0xffffffff,0,0)
> 592 592 id RET mmap 132338149965824/0x785c606b4000
> 592 592 id CALL read(3,0x785c606b4740,0x4000)
> 592 592 id GIO fd 3 read 667 bytes
> "# $NetBSD: nsswitch.conf,v 1.6 2009/10/25 00:17:06 tsarna Exp $\n#\n#
> nsswitch.conf(5) -\n# name service switch configurat\
> ion file\n#\n\n\n# These are the defaults in libc\n#\n#group:
> compat\ngroup: files winbind\ngroup_compat: nis\nh\
> osts: files dns\nnetgroup: files [notfound=return] nis\nnetworks:
> files\n#passwd: compat\npasswd: files winbind\
> \npasswd_compat: nis\nshells: files\n\n\n# List of supported sources
> for each database\n#\n# group: compat\
> , dns, files, nis\n# group_compat: dns, nis\n# hosts: dns, files, nis,
> mdnsd, multicast_dns\n# netgroup:\
> files, nis\n# networks: dns, files, nis\n# passwd: compat, dns, files,
> nis\n# passwd_compat:\
> dns, nis\n# shells: dns, files, nis\n"
> 592 592 id RET read 667/0x29b
> 592 592 id CALL read(3,0x785c606b4740,0x4000)
> 592 592 id GIO fd 3 read 0 bytes
> ""
> ....
> 592 592 id CALL open(0x7f7fff0817b8,0,7)
> 592 592 id NAMI "/usr/lib/nss_files.so.0"
> 592 592 id RET open -1 errno 2 No such file or directory
> 592 592 id CALL __sigprocmask14(3,0x7f7fff081e60,0)
> 592 592 id RET __sigprocmask14 0
> 592 592 id CALL
> mmap(0,0x5000,PROT_READ|PROT_WRITE,0x1002<PRIVATE,ANONYMOUS,ALIGN=NONE>,0xffffffff,0,0)
> 592 592 id RET mmap 132338149941248/0x785c606ae000
> 592 592 id CALL _lwp_self
> 592 592 id RET _lwp_self 592/0x250
> 592 592 id CALL __sigprocmask14(1,0x7f7fff081e20,0x7f7fff081e60)
> 592 592 id RET __sigprocmask14 0
> 592 592 id CALL open(0x7f7fff0817b8,0,1)
> 592 592 id NAMI "/usr/lib/nss_winbind.so.0"
> 592 592 id RET open 4
> 592 592 id CALL __fstat50(4,0x7f7fff0816b8)
> 592 592 id RET __fstat50 0
> 592 592 id CALL
> mmap(0,0x1000,PROT_READ,0x1<SHARED,FILE,ALIGN=NONE>,4,0,0)
> 592 592 id RET mmap 132338149937152/0x785c606ad000
> 592 592 id CALL munmap(0x785c606ad000,0x1000)
> 592 592 id RET munmap 0
> 592 592 id CALL
> mmap(0,0x21b000,PROT_READ|PROT_EXEC,0x15000002<PRIVATE,FILE,ALIGN=2MB>,4,0,0)
> 592 592 id RET mmap 132338132451328/0x785c5f600000
> 592 592 id CALL
> mmap(0x785c5f810000,0x2000,PROT_READ|PROT_WRITE,0x12<PRIVATE,FIXED,FILE,ALIGN=NONE>,4,0,0x10000)
> 592 592 id RET mmap 132338134614016/0x785c5f810000
> 592 592 id CALL
> mmap(0x785c5f812000,0x9000,PROT_READ|PROT_WRITE,0x1012<PRIVATE,FIXED,ANONYMOUS,ALIGN=NONE>,0xffffffff,0,0)
> 592 592 id RET mmap 132338134622208/0x785c5f812000
> 592 592 id CALL mprotect(0x785c5f611000,0x1ff000,PROT_NONE)
> 592 592 id RET mprotect 0
> 592 592 id CALL close(4)
> 592 592 id RET close 0
> 592 592 id CALL open(0x7f7fff081728,0,4)
> 592 592 id NAMI "/usr/pkg/lib/libpthread.so.1"
> 592 592 id RET open -1 errno 2 No such file or directory
> 592 592 id CALL open(0x7f7fff081728,0,2)
> 592 592 id NAMI "/usr/pkg/lib/samba/private/libpthread.so.1"
> 592 592 id RET open -1 errno 2 No such file or directory
> 592 592 id CALL open(0x7f7fff081728,0,0)
> 592 592 id NAMI "/usr/lib/libpthread.so.1"
> 592 592 id RET open 4
> 592 592 id CALL __fstat50(4,0x7f7fff081628)
> ```
>
> There are no peculiarities in the logfiles of Samba or Winbindd, not
> even in the usual syslog logfiles.
>
> Is there a way to view nsdispatch or the name service switch mechanism
> in more detail or to enable additional logging?
>
> Has anyone observed the same problem and might have an idea what the
> problem is?
>
> Kind regards
> Matthias
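
The kdump excerpt quoted above is easier to read once each file name is paired with the result of the open() that used it. The following is an added example, not part of either message: the function names are hypothetical, and the sample input is a constructed abridgement of the quoted trace.

```shell
#!/bin/sh
# Added example: summarise the open() attempts recorded in kdump output.
# Assumes the default kdump layout seen above: pid, lwp, command, record type.
# Typical use (assumption): ktrace id Administrator; kdump | nss_modules

# Print "<result><TAB><path>" for every NAMI record that is followed by the
# RET of an open() call. Paths containing spaces are not handled.
summarise_opens() {
    awk '
        $4 == "NAMI" { path = $5; gsub(/"/, "", path); next }
        $4 == "RET" {
            if ($5 == "open" && path != "") {
                if ($6 == "-1") { status = "FAIL errno " $8 } else { status = "ok fd " $6 }
                print status "\t" path
            }
            path = ""   # a NAMI record only belongs to the next RET
        }
    '
}

# Keep only the name service switch modules (nss_<source>.so.N).
nss_modules() {
    summarise_opens | awk -F '\t' '$2 ~ "/nss_[^/]*[.]so"'
}

# Constructed sample: records abridged from the kdump excerpt quoted above.
SAMPLE_KDUMP='592 592 id CALL open(0x785c601b43b8,0x400000,0x1b6)
592 592 id NAMI "/etc/nsswitch.conf"
592 592 id RET open 3
592 592 id CALL open(0x7f7fff0817b8,0,7)
592 592 id NAMI "/usr/lib/nss_files.so.0"
592 592 id RET open -1 errno 2 No such file or directory
592 592 id CALL open(0x7f7fff0817b8,0,1)
592 592 id NAMI "/usr/lib/nss_winbind.so.0"
592 592 id RET open 4
592 592 id CALL open(0x7f7fff081728,0,4)
592 592 id NAMI "/usr/pkg/lib/libpthread.so.1"
592 592 id RET open -1 errno 2 No such file or directory
592 592 id CALL open(0x7f7fff081728,0,0)
592 592 id NAMI "/usr/lib/libpthread.so.1"
592 592 id RET open 4'

printf '%s\n' "$SAMPLE_KDUMP" | nss_modules
```

On the sample this reports that /usr/lib/nss_winbind.so.0 was opened successfully (fd 4), so the trace shows the module file being found; the failing lookup happens after that point.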