Does this help? https://ogris.de/samba/unix-active-directory.html

christos

> On Dec 21, 2022, at 11:31 AM, Kunihiro Yasukouchi <kys%tbf.t-com.ne.jp@localhost> wrote:
>
> Hi,
>
> little bit old topic...
>
>> combination NetBSD 9.99.106 and Samba 4.16.5(from pkgsrc 2022Q3),
>> the name resolution for usernames / groups via nss_winbind does not work anymore.
> I've also faced this issue on NetBSD 9.99.10[68], 10.99.1 and net/samba4 4.16.x, 4.17.x
>
> however,
> NetBSD 9.99.108, 10.99.1, 10_BETA and net/samba4 4.15.x (latest pkgsrc-2022Q2) are no problem.
>
> I could not find any change about winbind/nss_winbind in the Samba release notes, but some libraries linked to nss_winbind.so would be changed,
>
> for example, samba 4.15.x on NetBSD
> % ldd /usr/lib/nss_winbind.so.0
> /usr/lib/nss_winbind.so.0:
>         -lwinbind-client-samba4 => /usr/pkg/lib/samba/private/libwinbind-client-samba4.so
>         -lreplace-samba4 => /usr/pkg/lib/samba/private/libreplace-samba4.so
>         -lc.12 => /usr/lib/libc.so.12
>         -lpthread.1 => /usr/lib/libpthread.so.1
>
>
> on the other hand, samba 4.16.x or later on NetBSD
> % ldd /usr/lib/nss_winbind.so.0
> /usr/lib/nss_winbind.so.0:
>         -lpthread.1 => /usr/lib/libpthread.so.1
>         -lc.12 => /usr/lib/libc.so.12
>
> on any Linux or FreeBSD are also same, but working appropriately.
>
> like Matthias, winbind itself works well. wbinfo -u/-g retrieves information from AD.
> only via nss it doesn't work well.
>
>
>> Is there a way to view nsdispatch or the name service switch mechanism
>> in more detail or to enable additional logging?
>
>> Has anyone observed the same problem and might have an idea what the
>> problem is?
> I'm looking for any solution, too...
>
> Regards,
> --
> kei
>
>
> In article (Subject: nss_winbind not functional anymore on NetBSD 9.99.106 and Samba 4.16.5
> Date: Mon, 14 Nov 2022 11:06:20 +0100)
> You(Matthias Petermann <mp%petermann-it.de@localhost>) wrote :
>
>> Hello all,
>>
>> I have been using NetBSD 9.99.99 with Samba 4.15.9 (from pkgsrc
>> 2022Q2) as Windows Domain Controller for a while now which worked
>> well.
>>
>> Since I switched to the combination NetBSD 9.99.106 and Samba 4.16.5
>> (from pkgsrc 2022Q3), the name resolution for usernames / groups via
>> nss_winbind does not work anymore.
>>
>> The Windows clients are not directly affected by this, since the nss
>> mechanism, especially on the Unix side, ensures that the correct
>> plaintext names can be displayed for the numeric user and group ids
>> assigned by Samba - for example, with ls. The workaround at the moment
>> is to work with the numeric IDs. This is inconvenient and error-prone.
>>
>> As proof, I try to display the user information for the built-in
>> domain administrator account via id command:
>>
>> ```
>> net$ id Administrator
>> id: Administrator: No such user
>> ```
>>
>> I have checked the following so far:
>>
>> 1) Basic function kerberos with kinit / klist.
>>
>> ```
>> net$ kinit Administrator
>> Administrator@TEST.LOCAL's Password:
>>
>> net$ klist
>> Credentials cache: FILE:/tmp/krb5cc_1000
>> Principal: Administrator@TEST.LOCAL
>>
>> Issued                Expires               Principal
>> Nov 14 10:42:45 2022  Nov 14 20:42:45 2022  krbtgt/TEST.LOCAL@TEST.LOCAL
>> ```
>>
>> 2) Joining the Domain from a Windows 11 Prof 22H2 based host
>>
>> - works
>>
>> 3) Basic function winbind
>>
>> ```
>> net$ wbinfo -i Administrator
>> TEST\administrator:*:0:100::/home/TEST/administrator:/bin/false
>>
>> net$ wbinfo -g Administrator
>> TEST\cert publishers
>> TEST\ras and ias servers
>> TEST\allowed rodc password replication group
>> TEST\denied rodc password replication group
>> TEST\dnsadmins
>> TEST\enterprise read-only domain controllers
>> TEST\domain admins
>> TEST\domain users
>> TEST\domain guests
>> TEST\domain computers
>> TEST\domain controllers
>> TEST\schema admins
>> TEST\enterprise admins
>> TEST\group policy creator owners
>> TEST\read-only domain controllers
>> TEST\dnsupdateproxy
>> ```
>>
>> 4) /etc/nsswitch.conf
>>
>> ```
>> group: files winbind
>> group_compat: nis
>> hosts: files dns
>> netgroup: files [notfound=return] nis
>> networks: files
>> passwd: files winbind
>> passwd_compat: nis
>> shells: files
>> ```
>>
>> 5) libnss winbind
>>
>> ```
>> net$ ls -la /usr/lib/nss_winbind.so.0
>>
>> lrwxr-xr-x 1 root wheel 30 Nov 14 09:56 /usr/lib/nss_winbind.so.0 ->
>> /usr/pkg/lib/libnss_winbind.so
>> ```
>>
>> 6) Ktrace of the "id" command (excerpts)
>>
>> ```
>> net$ ktrace id Administrator
>> id: Administrator: No such user
>> net$ kdump
>> ....
>> 592 592 id CALL open(0x785c601b43b8,0x400000,0x1b6)
>> 592 592 id NAMI "/etc/nsswitch.conf"
>> 592 592 id RET open 3
>> 592 592 id CALL
>> mmap(0,0x7000,PROT_READ|PROT_WRITE,0x1002<PRIVATE,ANONYMOUS,ALIGN=NONE>,0xffffffff,0,0)
>> 592 592 id RET mmap 132338150055936/0x785c606ca000
>> 592 592 id CALL
>> mmap(0,0x7000,PROT_READ|PROT_WRITE,0x1002<PRIVATE,ANONYMOUS,ALIGN=NONE>,0xffffffff,0,0)
>> 592 592 id RET mmap 132338150027264/0x785c606c3000
>> 592 592 id CALL
>> mmap(0,0x5000,PROT_READ|PROT_WRITE,0x1002<PRIVATE,ANONYMOUS,ALIGN=NONE>,0xffffffff,0,0)
>> 592 592 id RET mmap 132338150006784/0x785c606be000
>> 592 592 id CALL
>> mmap(0,0x5000,PROT_READ|PROT_WRITE,0x1002<PRIVATE,ANONYMOUS,ALIGN=NONE>,0xffffffff,0,0)
>> 592 592 id RET mmap 132338149986304/0x785c606b9000
>> 592 592 id CALL __fstat50(3,0x7f7fff082110)
>> 592 592 id RET __fstat50 0
>> 592 592 id CALL
>> mmap(0,0x5000,PROT_READ|PROT_WRITE,0x1002<PRIVATE,ANONYMOUS,ALIGN=NONE>,0xffffffff,0,0)
>> 592 592 id RET mmap 132338149965824/0x785c606b4000
>> 592 592 id CALL read(3,0x785c606b4740,0x4000)
>> 592 592 id GIO fd 3 read 667 bytes
>> "# $NetBSD: nsswitch.conf,v 1.6 2009/10/25 00:17:06 tsarna Exp $\n#\n#
>> nsswitch.conf(5) -\n# name service switch configurat\
>> ion file\n#\n\n\n# These are the defaults in libc\n#\n#group:
>> compat\ngroup: files winbind\ngroup_compat: nis\nh\
>> osts: files dns\nnetgroup: files [notfound=return] nis\nnetworks:
>> files\n#passwd: compat\npasswd: files winbind\
>> \npasswd_compat: nis\nshells: files\n\n\n# List of supported sources
>> for each database\n#\n# group: compat\
>> , dns, files, nis\n# group_compat: dns, nis\n# hosts: dns, files, nis,
>> mdnsd, multicast_dns\n# netgroup:\
>> files, nis\n# networks: dns, files, nis\n# passwd: compat, dns, files,
>> nis\n# passwd_compat:\
>> dns, nis\n# shells: dns, files, nis\n"
>> 592 592 id RET read 667/0x29b
>> 592 592 id CALL read(3,0x785c606b4740,0x4000)
>> 592 592 id GIO fd 3 read 0 bytes
>> ""
>> ....
>> 592 592 id CALL open(0x7f7fff0817b8,0,7)
>> 592 592 id NAMI "/usr/lib/nss_files.so.0"
>> 592 592 id RET open -1 errno 2 No such file or directory
>> 592 592 id CALL __sigprocmask14(3,0x7f7fff081e60,0)
>> 592 592 id RET __sigprocmask14 0
>> 592 592 id CALL
>> mmap(0,0x5000,PROT_READ|PROT_WRITE,0x1002<PRIVATE,ANONYMOUS,ALIGN=NONE>,0xffffffff,0,0)
>> 592 592 id RET mmap 132338149941248/0x785c606ae000
>> 592 592 id CALL _lwp_self
>> 592 592 id RET _lwp_self 592/0x250
>> 592 592 id CALL __sigprocmask14(1,0x7f7fff081e20,0x7f7fff081e60)
>> 592 592 id RET __sigprocmask14 0
>> 592 592 id CALL open(0x7f7fff0817b8,0,1)
>> 592 592 id NAMI "/usr/lib/nss_winbind.so.0"
>> 592 592 id RET open 4
>> 592 592 id CALL __fstat50(4,0x7f7fff0816b8)
>> 592 592 id RET __fstat50 0
>> 592 592 id CALL
>> mmap(0,0x1000,PROT_READ,0x1<SHARED,FILE,ALIGN=NONE>,4,0,0)
>> 592 592 id RET mmap 132338149937152/0x785c606ad000
>> 592 592 id CALL munmap(0x785c606ad000,0x1000)
>> 592 592 id RET munmap 0
>> 592 592 id CALL
>> mmap(0,0x21b000,PROT_READ|PROT_EXEC,0x15000002<PRIVATE,FILE,ALIGN=2MB>,4,0,0)
>> 592 592 id RET mmap 132338132451328/0x785c5f600000
>> 592 592 id CALL
>> mmap(0x785c5f810000,0x2000,PROT_READ|PROT_WRITE,0x12<PRIVATE,FIXED,FILE,ALIGN=NONE>,4,0,0x10000)
>> 592 592 id RET mmap 132338134614016/0x785c5f810000
>> 592 592 id CALL
>> mmap(0x785c5f812000,0x9000,PROT_READ|PROT_WRITE,0x1012<PRIVATE,FIXED,ANONYMOUS,ALIGN=NONE>,0xffffffff,0,0)
>> 592 592 id RET mmap 132338134622208/0x785c5f812000
>> 592 592 id CALL mprotect(0x785c5f611000,0x1ff000,PROT_NONE)
>> 592 592 id RET mprotect 0
>> 592 592 id CALL close(4)
>> 592 592 id RET close 0
>> 592 592 id CALL open(0x7f7fff081728,0,4)
>> 592 592 id NAMI "/usr/pkg/lib/libpthread.so.1"
>> 592 592 id RET open -1 errno 2 No such file or directory
>> 592 592 id CALL open(0x7f7fff081728,0,2)
>> 592 592 id NAMI "/usr/pkg/lib/samba/private/libpthread.so.1"
>> 592 592 id RET open -1 errno 2 No such file or directory
>> 592 592 id CALL open(0x7f7fff081728,0,0)
>> 592 592 id NAMI "/usr/lib/libpthread.so.1"
>> 592 592 id RET open 4
>> 592 592 id CALL __fstat50(4,0x7f7fff081628)
>> ```
>>
>> There are no peculiarities in the logfiles of Samba or Winbindd, not
>> even in the usual syslog logfiles.
>>
>> Is there a way to view nsdispatch or the name service switch mechanism
>> in more detail or to enable additional logging?
>>
>> Has anyone observed the same problem and might have an idea what the
>> problem is?
>>
>> Kind regards
>> Matthias
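
The kdump excerpt quoted in the thread can be reduced to a list of which shared objects were opened and with what result. The following is an added example, not part of any message in the thread: it pairs each `open()` CALL record with its NAMI path and RET value, then filters for `nss_<source>.so.<n>` modules. The function names and the sample layout are assumptions made for this example.

```python
import re

# Constructed sample: records taken from the excerpt above, one per line.
SAMPLE = """\
   592    592 id       CALL  open(0x7f7fff0817b8,0,7)
   592    592 id       NAMI  "/usr/lib/nss_files.so.0"
   592    592 id       RET   open -1 errno 2 No such file or directory
   592    592 id       CALL  open(0x7f7fff0817b8,0,1)
   592    592 id       NAMI  "/usr/lib/nss_winbind.so.0"
   592    592 id       RET   open 4
   592    592 id       CALL  open(0x7f7fff081728,0,4)
   592    592 id       NAMI  "/usr/pkg/lib/libpthread.so.1"
   592    592 id       RET   open -1 errno 2 No such file or directory
"""

REC = re.compile(r"^\s*(\d+)\s+(\d+)\s+(\S+)\s+(CALL|NAMI|RET)\s+(.*)$")
RET_OPEN = re.compile(r"^open\s+(-?\d+)(?:\s+errno\s+(\d+)\s+(.*))?")
NSS_MODULE = re.compile(r"/nss_\w+\.so\.\d+$")

def open_results(kdump_text):
    """Pair each open() CALL with its NAMI path and RET value, per thread."""
    pending = {}   # (pid, lwp) -> path of the open() currently in flight
    results = []   # (path, fd, error text or None)
    for line in kdump_text.splitlines():
        m = REC.match(line)
        if not m:
            continue  # GIO dumps, "....", lines wrapped by a mail client
        pid, lwp, _cmd, kind, rest = m.groups()
        key = (pid, lwp)
        if kind == "CALL":
            pending.pop(key, None)  # a new syscall ends the previous one
            if rest.startswith("open("):
                pending[key] = ""
        elif kind == "NAMI" and key in pending:
            pending[key] = rest.strip().strip('"')
        elif kind == "RET" and key in pending:
            r = RET_OPEN.match(rest)
            if r:
                fd, _errno, msg = r.groups()
                results.append((pending.pop(key), int(fd), msg))
    return results

def nss_module_report(kdump_text):
    """Keep only the nss_<source>.so.<n> modules that libc tried to open."""
    return [(path, "opened" if fd >= 0 else msg)
            for path, fd, msg in open_results(kdump_text)
            if NSS_MODULE.search(path)]
```

Feed it the unwrapped output of `kdump` after `ktrace id Administrator`; a module that reports `opened` but still yields "No such user" narrows the problem to what happens after the file is mapped.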