Current-Users archive


Re: nss_winbind not functional anymore on NetBSD 9.99.106 and Samba 4.16.5



Hi,

A bit of an old topic...

> combination NetBSD 9.99.106 and Samba 4.16.5(from pkgsrc 2022Q3),
> the name resolution for usernames / groups via nss_winbind does not work anymore.
I've also faced this issue on NetBSD 9.99.10[68], 10.99.1 and net/samba4 4.16.x, 4.17.x.

However, NetBSD 9.99.108, 10.99.1, 10_BETA and net/samba4 4.15.x (latest pkgsrc-2022Q2) have no problem.

I could not find any change regarding winbind/nss_winbind in the Samba release notes, but some libraries linked to nss_winbind.so appear to have changed.

For example, Samba 4.15.x on NetBSD:

```
% ldd /usr/lib/nss_winbind.so.0
/usr/lib/nss_winbind.so.0:
    -lwinbind-client-samba4 => /usr/pkg/lib/samba/private/libwinbind-client-samba4.so
    -lreplace-samba4 => /usr/pkg/lib/samba/private/libreplace-samba4.so
    -lc.12 => /usr/lib/libc.so.12
    -lpthread.1 => /usr/lib/libpthread.so.1
```


On the other hand, Samba 4.16.x or later on NetBSD:

```
% ldd /usr/lib/nss_winbind.so.0
/usr/lib/nss_winbind.so.0:
    -lpthread.1 => /usr/lib/libpthread.so.1
    -lc.12 => /usr/lib/libc.so.12
```

On any Linux or FreeBSD it is also the same, but it works properly.

As with Matthias, winbind itself works well; wbinfo -u/-g retrieve information from AD.
Only via nss it doesn't work well.


> Is there a way to view nsdispatch or the name service switch mechanism
> in more detail or to enable additional logging?

> Has anyone observed the same problem and might have an idea what the
> problem is?
I'm looking for any solution, too...

Regards,
--
kei


In article (Subject: nss_winbind not functional anymore on NetBSD 9.99.106 and Samba 4.16.5 
            Date: Mon, 14 Nov 2022 11:06:20 +0100)
   You(Matthias Petermann <mp%petermann-it.de@localhost>) wrote :

> Hello all,
> 
> I have been using NetBSD 9.99.99 with Samba 4.15.9 (from pkgsrc
> 2022Q2) as Windows Domain Controller for a while now which worked
> well.
> 
> Since I switched to the combination NetBSD 9.99.106 and Samba 4.16.5
> (from pkgsrc 2022Q3), the name resolution for usernames / groups via
> nss_winbind does not work anymore.
> 
> The Windows clients are not directly affected by this, since the nss
> mechanism, especially on the Unix side, ensures that the correct
> plaintext names can be displayed for the numeric user and group ids
> assigned by Samba - for example, with ls. The workaround at the moment
> is to work with the numeric IDs. This is inconvenient and error-prone.
> 
> As proof, I try to display the user information for the built-in
> domain administrator account via id command:
> 
> ```
> net$ id Administrator
> id: Administrator: No such user
> ```
> 
> I have checked the following so far:
> 
> 1) Basic function kerberos with kinit / klist.
> 
> ```
> net$ kinit Administrator
> Administrator@TEST.LOCAL's Password:
> 
> net$ klist
> Credentials cache: FILE:/tmp/krb5cc_1000
>         Principal: Administrator@TEST.LOCAL
> 
>   Issued                Expires               Principal
> Nov 14 10:42:45 2022  Nov 14 20:42:45 2022  krbtgt/TEST.LOCAL@TEST.LOCAL
> ```
> 
> 2) Joining the Domain from a Windows 11 Prof 22H2 based host
> 
>  - works
> 
> 3) Basic function winbind
> 
> ```
> net$ wbinfo -i Administrator
> TEST\administrator:*:0:100::/home/TEST/administrator:/bin/false
> 
> net$ wbinfo -g Administrator
> TEST\cert publishers
> TEST\ras and ias servers
> TEST\allowed rodc password replication group
> TEST\denied rodc password replication group
> TEST\dnsadmins
> TEST\enterprise read-only domain controllers
> TEST\domain admins
> TEST\domain users
> TEST\domain guests
> TEST\domain computers
> TEST\domain controllers
> TEST\schema admins
> TEST\enterprise admins
> TEST\group policy creator owners
> TEST\read-only domain controllers
> TEST\dnsupdateproxy
> ```
> 
> 4) /etc/nsswitch.conf
> 
> ```
> group:          files winbind
> group_compat:   nis
> hosts:          files dns
> netgroup:       files [notfound=return] nis
> networks:       files
> passwd:         files winbind
> passwd_compat:  nis
> shells:         files
> ```
> 
> 5) libnss winbind
> 
> ```
> net$ ls -la /usr/lib/nss_winbind.so.0 
> 
> lrwxr-xr-x 1 root wheel 30 Nov 14 09:56 /usr/lib/nss_winbind.so.0 -> /usr/pkg/lib/libnss_winbind.so
> ```
> 
> 6) Ktrace of the "id" command (excerpts)
> 
> ```
> net$ ktrace id Administrator
> id: Administrator: No such user
> net$ kdump
> ....
>    592    592 id       CALL  open(0x785c601b43b8,0x400000,0x1b6)
>    592    592 id       NAMI  "/etc/nsswitch.conf"
>    592    592 id       RET   open 3
>    592    592 id       CALL  mmap(0,0x7000,PROT_READ|PROT_WRITE,0x1002<PRIVATE,ANONYMOUS,ALIGN=NONE>,0xffffffff,0,0)
>    592    592 id       RET   mmap 132338150055936/0x785c606ca000
>    592    592 id       CALL  mmap(0,0x7000,PROT_READ|PROT_WRITE,0x1002<PRIVATE,ANONYMOUS,ALIGN=NONE>,0xffffffff,0,0)
>    592    592 id       RET   mmap 132338150027264/0x785c606c3000
>    592    592 id       CALL  mmap(0,0x5000,PROT_READ|PROT_WRITE,0x1002<PRIVATE,ANONYMOUS,ALIGN=NONE>,0xffffffff,0,0)
>    592    592 id       RET   mmap 132338150006784/0x785c606be000
>    592    592 id       CALL  mmap(0,0x5000,PROT_READ|PROT_WRITE,0x1002<PRIVATE,ANONYMOUS,ALIGN=NONE>,0xffffffff,0,0)
>    592    592 id       RET   mmap 132338149986304/0x785c606b9000
>    592    592 id       CALL  __fstat50(3,0x7f7fff082110)
>    592    592 id       RET   __fstat50 0
>    592    592 id       CALL  mmap(0,0x5000,PROT_READ|PROT_WRITE,0x1002<PRIVATE,ANONYMOUS,ALIGN=NONE>,0xffffffff,0,0)
>    592    592 id       RET   mmap 132338149965824/0x785c606b4000
>    592    592 id       CALL  read(3,0x785c606b4740,0x4000)
>    592    592 id       GIO   fd 3 read 667 bytes
>        "# $NetBSD: nsswitch.conf,v 1.6 2009/10/25 00:17:06 tsarna Exp $\n#\n#
>        nsswitch.conf(5) -\n# name service switch configurat\
>         ion file\n#\n\n\n# These are the defaults in libc\n#\n#group:
>         compat\ngroup: files winbind\ngroup_compat: nis\nh\
>         osts: files dns\nnetgroup: files [notfound=return] nis\nnetworks:
>         files\n#passwd: compat\npasswd: files winbind\
>         \npasswd_compat: nis\nshells: files\n\n\n# List of supported sources
>         for each database\n#\n# group: compat\
>         , dns, files, nis\n# group_compat: dns, nis\n# hosts: dns, files, nis,
>         mdnsd, multicast_dns\n# netgroup:\
>                         files, nis\n# networks: dns, files, nis\n# passwd: compat, dns, files,
>                         nis\n# passwd_compat:\
>                 dns, nis\n# shells:             dns, files, nis\n"
>    592    592 id       RET   read 667/0x29b
>    592    592 id       CALL  read(3,0x785c606b4740,0x4000)
>    592    592 id       GIO   fd 3 read 0 bytes
>        ""
> ....
>    592    592 id       CALL  open(0x7f7fff0817b8,0,7)
>    592    592 id       NAMI  "/usr/lib/nss_files.so.0"
>    592    592 id       RET   open -1 errno 2 No such file or directory
>    592    592 id       CALL  __sigprocmask14(3,0x7f7fff081e60,0)
>    592    592 id       RET   __sigprocmask14 0
>    592    592 id       CALL  mmap(0,0x5000,PROT_READ|PROT_WRITE,0x1002<PRIVATE,ANONYMOUS,ALIGN=NONE>,0xffffffff,0,0)
>    592    592 id       RET   mmap 132338149941248/0x785c606ae000
>    592    592 id       CALL  _lwp_self
>    592    592 id       RET   _lwp_self 592/0x250
>    592    592 id       CALL  __sigprocmask14(1,0x7f7fff081e20,0x7f7fff081e60)
>    592    592 id       RET   __sigprocmask14 0
>    592    592 id       CALL  open(0x7f7fff0817b8,0,1)
>    592    592 id       NAMI  "/usr/lib/nss_winbind.so.0"
>    592    592 id       RET   open 4
>    592    592 id       CALL  __fstat50(4,0x7f7fff0816b8)
>    592    592 id       RET   __fstat50 0
>    592    592 id       CALL  mmap(0,0x1000,PROT_READ,0x1<SHARED,FILE,ALIGN=NONE>,4,0,0)
>    592    592 id       RET   mmap 132338149937152/0x785c606ad000
>    592    592 id       CALL  munmap(0x785c606ad000,0x1000)
>    592    592 id       RET   munmap 0
>    592    592 id       CALL  mmap(0,0x21b000,PROT_READ|PROT_EXEC,0x15000002<PRIVATE,FILE,ALIGN=2MB>,4,0,0)
>    592    592 id       RET   mmap 132338132451328/0x785c5f600000
>    592    592 id       CALL  mmap(0x785c5f810000,0x2000,PROT_READ|PROT_WRITE,0x12<PRIVATE,FIXED,FILE,ALIGN=NONE>,4,0,0x10000)
>    592    592 id       RET   mmap 132338134614016/0x785c5f810000
>    592    592 id       CALL  mmap(0x785c5f812000,0x9000,PROT_READ|PROT_WRITE,0x1012<PRIVATE,FIXED,ANONYMOUS,ALIGN=NONE>,0xffffffff,0,0)
>    592    592 id       RET   mmap 132338134622208/0x785c5f812000
>    592    592 id       CALL  mprotect(0x785c5f611000,0x1ff000,PROT_NONE)
>    592    592 id       RET   mprotect 0
>    592    592 id       CALL  close(4)
>    592    592 id       RET   close 0
>    592    592 id       CALL  open(0x7f7fff081728,0,4)
>    592    592 id       NAMI  "/usr/pkg/lib/libpthread.so.1"
>    592    592 id       RET   open -1 errno 2 No such file or directory
>    592    592 id       CALL  open(0x7f7fff081728,0,2)
>    592    592 id       NAMI  "/usr/pkg/lib/samba/private/libpthread.so.1"
>    592    592 id       RET   open -1 errno 2 No such file or directory
>    592    592 id       CALL  open(0x7f7fff081728,0,0)
>    592    592 id       NAMI  "/usr/lib/libpthread.so.1"
>    592    592 id       RET   open 4
>    592    592 id       CALL  __fstat50(4,0x7f7fff081628)
> ```
> 
> There are no peculiarities in the logfiles of Samba or Winbindd, not
> even in the usual syslog logfiles.
> 
> Is there a way to view nsdispatch or the name service switch mechanism
> in more detail or to enable additional logging?
> 
> Has anyone observed the same problem and might have an idea what the
> problem is?
> 
> Kind regards
> Matthias
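
Added example, not part of the original message and not NetBSD or Samba code: a small Python parser for kdump output like the excerpt quoted above. It pairs each NAMI path with the RET record of its open() call and reports, per file name, the directories tried in order and where the file was finally opened. The function names are made up for this sketch, and the sample records are copied from the quoted trace.

```python
import re

# Records copied from the kdump excerpt quoted above (quote markers removed).
SAMPLE = """\
   592    592 id       CALL  open(0x7f7fff0817b8,0,7)
   592    592 id       NAMI  "/usr/lib/nss_files.so.0"
   592    592 id       RET   open -1 errno 2 No such file or directory
   592    592 id       CALL  open(0x7f7fff0817b8,0,1)
   592    592 id       NAMI  "/usr/lib/nss_winbind.so.0"
   592    592 id       RET   open 4
   592    592 id       CALL  open(0x7f7fff081728,0,4)
   592    592 id       NAMI  "/usr/pkg/lib/libpthread.so.1"
   592    592 id       RET   open -1 errno 2 No such file or directory
   592    592 id       CALL  open(0x7f7fff081728,0,2)
   592    592 id       NAMI  "/usr/pkg/lib/samba/private/libpthread.so.1"
   592    592 id       RET   open -1 errno 2 No such file or directory
   592    592 id       CALL  open(0x7f7fff081728,0,0)
   592    592 id       NAMI  "/usr/lib/libpthread.so.1"
   592    592 id       RET   open 4
"""

# pid, lwp, command, record type, rest of line; tolerates leading "> " quoting.
REC = re.compile(
    r'^[> \t]*(\d+)[ \t]+(\d+)[ \t]+(\S+)[ \t]+(CALL|NAMI|RET)[ \t]+(.*)$', re.M)
RET_OPEN = re.compile(r'^open (-?\d+)')

def open_attempts(kdump_text):
    """Return (path, opened) for every open() whose NAMI and RET records are present."""
    pending = {}    # (pid, lwp) -> path from the NAMI record of the call in flight
    attempts = []
    for m in REC.finditer(kdump_text):   # wrapped or GIO lines never match REC
        pid, lwp, _cmd, kind, rest = m.groups()
        if kind == 'NAMI':
            pending[(pid, lwp)] = rest.strip().strip('"')
        elif kind == 'RET':
            path = pending.pop((pid, lwp), None)
            r = RET_OPEN.match(rest)
            if path is not None and r:
                attempts.append((path, int(r.group(1)) >= 0))
    return attempts

def search_report(attempts):
    """Map each file name to the directories tried, in order, and the path that opened."""
    report = {}
    for path, opened in attempts:
        directory, _, name = path.rpartition('/')
        entry = report.setdefault(name, {'tried': [], 'found': None})
        entry['tried'].append(directory)
        if opened and entry['found'] is None:
            entry['found'] = path
    return report
```

Feed it the full text of `kdump` and print `search_report(open_attempts(text))` to see at a glance which modules and dependencies were opened and from which directory.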

