 
CentOS 5.3 getent does not return data from the active directory (ads)

I have installed and configured kerberos and samba so that the server can be a member of an existing Active Directory (AD). Correct configuration of kerberos was verified using kinit and klist. The samba configuration was verified by using "smbclient -k -L server". winbind was verified by using "wbinfo -g". The problem seems to be nsswitch accessing winbindd to get group information via the "getent group" command. I added winbind to the /etc/nsswitch.conf file like so:

[root@nagios ~]# grep winbind /etc/nsswitch.conf
passwd:     files winbind
shadow:     files winbind
group:      files winbind

I verified that all dynamic libraries are being accessed correctly by using "strace getent group".

Below is the debug output of winbindd when issuing various commands that interact with it. The commands are noted in (parentheses).

(winbindd -i -d 9)
00a0 status: NT_STATUS_OK

("getent group" command issued)
accepted socket 17
[17171]: request interface version
[17171]: request location of privileged pipe
accepted socket 18
[17171]: setgrent
[17171]: endgrent

("getent passwd" command issued)
accepted socket 17
[17172]: request interface version
[17172]: request location of privileged pipe
accepted socket 18
[17172]: setpwent
[17172]: endpwent

(winbindd -i -d 9)
00a0 status: NT_STATUS_OK

("wbinfo -g" command issued)
accepted socket 17
[17158]: request interface version
[17158]: request location of privileged pipe
accepted socket 18
[17158]: list groups
get_sam_group_entries: BUILTIN or local domain; enumerating local groups as well
Attempting to register passdb backend ldapsam
Successfully added passdb backend 'ldapsam'
Attempting to register passdb backend ldapsam_compat
Successfully added passdb backend 'ldapsam_compat'
Attempting to register passdb backend NDS_ldapsam
Successfully added passdb backend 'NDS_ldapsam'
Attempting to register passdb backend NDS_ldapsam_compat
Successfully added passdb backend 'NDS_ldapsam_compat'
Attempting to register passdb backend smbpasswd
Successfully added passdb backend 'smbpasswd'
Attempting to register passdb backend tdbsam
Successfully added passdb backend 'tdbsam'
Attempting to find an passdb backend to match tdbsam (tdbsam)
Found pdb backend tdbsam
pdb backend tdbsam has a valid init
get_sam_group_entries: Returned 2 local groups
get_sam_group_entries: BUILTIN or local domain; enumerating local groups as well
get_sam_group_entries: Returned 0 local groups
get_cache: Setting ADS methods for domain COMPANY
ads: enum_dom_groups

NOTES:

[root@nagios ~]# uname -a
Linux nagios.hq.company.local 2.6.18-128.1.6.el5xen #1 SMP Wed Apr 1 09:53:14 EDT 2009 x86_64 x86_64 x86_64 GNU/Linux

[root@nagios ~]# rpm -qa samba krb* nss*
nss_db-2.2-35.3
nss_db-2.2-35.3
krb5-libs-1.6.1-31.el5
nss-tools-3.12.2.0-4.el5.centos
nss_ldap-253-17.el5
krb5-libs-1.6.1-31.el5
samba-3.0.33-3.7.el5
krb5-auth-dialog-0.7-1
nss-3.12.2.0-4.el5.centos
nss-3.12.2.0-4.el5.centos
nss_ldap-253-17.el5
krb5-workstation-1.6.1-31.el5
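An added check, written for this page and not part of the thread or of Samba's own tooling: a small POSIX shell script that parses an nsswitch.conf and an smb.conf and reports whether unkeyed "getent passwd" / "getent group" enumeration through winbind can work. The two config texts are constructed fixtures (they are not the poster's files), and the function names nss_has_source, smb_bool and winbind_enum_check are this example's own. The check it adds beyond the nsswitch lines rests on one Samba fact: "getent group" with no key walks setgrent()/getgrent(), which winbindd answers only when "winbind enum groups" (likewise "winbind enum users" for getpwent) is enabled, and from Samba 3.0.23 onward both default to "no"; "wbinfo -g" sends a different request ("list groups") and is not affected, and neither are keyed lookups such as "getent group 'COMPANY\groupname'". An empty setgrent/endgrent pair in the winbindd debug log is what that setting looks like from the outside.

```shell
#!/bin/sh
# Added example (not from the thread): check whether a Samba member server is set up
# so that "getent passwd" / "getent group" can enumerate AD accounts through winbind.
# The configs below are constructed fixtures, not files copied from the poster's host.

NSSWITCH_SAMPLE='# /etc/nsswitch.conf (constructed)
passwd:     files winbind
shadow:     files winbind
group:      files winbind
hosts:      files dns'

SMB_SAMPLE='# /etc/samba/smb.conf (constructed): a "security = ads" member with no enum settings
[global]
   workgroup = COMPANY
   realm = HQ.COMPANY.LOCAL
   security = ads
   winbind use default domain = yes'

SMB_FIXED="$SMB_SAMPLE
   winbind enum users = yes
   winbind enum groups = yes"

# nss_has_source DB SOURCE: succeed if the nsswitch.conf text on stdin lists SOURCE
# (e.g. winbind) for database DB (passwd, group, ...).
nss_has_source() {
    awk -v db="$1" -v src="$2" '
        { sub(/#.*/, "") }                       # drop comments
        index($0, ":") == 0 { next }             # not a "db: sources" line
        {
            name = substr($0, 1, index($0, ":") - 1); gsub(/[ \t]/, "", name)
            if (name != db) next
            n = split(substr($0, index($0, ":") + 1), tok, "[ \t]+")
            for (i = 1; i <= n; i++) if (tok[i] == src) found = 1
        }
        END { if (found) exit 0; exit 1 }'
}

# smb_bool PARAM DEFAULT: succeed if boolean PARAM in the [global] section of the
# smb.conf text on stdin is enabled (DEFAULT applies when the line is absent). Samba
# compares parameter names ignoring case and whitespace, so normalise the same way.
smb_bool() {
    want=$(printf '%s' "$1" | tr 'A-Z' 'a-z' | tr -d '[:space:]')
    val=$(awk -v want="$want" '
        /^[ \t]*[#;]/ { next }                                        # comment line
        /^[ \t]*\[/   { sect = tolower($0); gsub(/[^a-z]/, "", sect); next }
        sect == "global" && index($0, "=") > 0 {
            key = tolower(substr($0, 1, index($0, "=") - 1)); gsub(/[ \t]/, "", key)
            if (key == want) {
                v = substr($0, index($0, "=") + 1); gsub(/^[ \t]+|[ \t]+$/, "", v); last = v
            }
        }
        END { print last }')
    if [ -z "$val" ]; then val=$2; fi
    case "$(printf '%s' "$val" | tr 'A-Z' 'a-z')" in
        yes|true|1) return 0 ;;
        *)          return 1 ;;
    esac
}

# winbind_enum_check NSSWITCH_TEXT SMB_TEXT: print one line per problem found and
# return the number of problems (0 means unkeyed getent enumeration should work).
winbind_enum_check() {
    problems=0
    for db in passwd group; do
        if ! printf '%s\n' "$1" | nss_has_source "$db" winbind; then
            echo "nsswitch.conf: the '$db' line does not list winbind"
            problems=$((problems + 1))
        fi
    done
    # "getent passwd"/"getent group" with no key walk setpwent/getpwent and
    # setgrent/getgrent; winbindd answers those only when the enum options are on.
    # Samba 3.0.23 and later default both to "no", so a missing line counts as off.
    # "wbinfo -u"/"wbinfo -g" use a different request and work regardless, as do
    # keyed lookups such as "getent group COMPANY\\somegroup" (getgrnam).
    for p in "winbind enum users" "winbind enum groups"; do
        if ! printf '%s\n' "$2" | smb_bool "$p" no; then
            echo "smb.conf: '$p' is not enabled; unkeyed getent enumeration returns no AD entries"
            problems=$((problems + 1))
        fi
    done
    return $problems
}

n=0
winbind_enum_check "$NSSWITCH_SAMPLE" "$SMB_SAMPLE" || n=$?
echo "sample config: $n problem(s)"
winbind_enum_check "$NSSWITCH_SAMPLE" "$SMB_FIXED" && echo "fixed config: OK"
```

On a real host, feed the script the live files (`cat /etc/nsswitch.conf` and `testparm -s` output, which also normalises smb.conf) instead of the fixtures; after changing the enum settings, restart winbindd and re-run "getent group" before trusting the result, since winbindd caches enumeration results.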
 
On Tue, 2009-04-07 at 15:33 -0500, Jason Ellison wrote:
> CentOS 5.3 getent does not return data from the active directory (ads)
>
> I have installed and configured kerberos and samba so that the server can be a member of an existing Active Directory (AD). Correct configuration of kerberos was verified using kinit and klist. The samba configuration was verified by using "smbclient -k -L server". winbind was verified by using "wbinfo -g". The problem seems to be nsswitch accessing winbindd to get group information via the "getent group" command. I added winbind to the /etc/nsswitch.conf file like so:
>
> [root@nagios ~]# grep winbind /etc/nsswitch.conf
> passwd:     files winbind
> shadow:     files winbind
> group:      files winbind

---
Try
  "hosts: files dns wins"
  "hosts: files winbind"
You really don't say if you're authenticating, what, and where at. But I do know you did not list the "hosts:" line in nsswitch. One of those should do it. getent group_name will never work without changing it.
 
On Tue, Apr 7, 2009 at 4:03 PM, JohnS jses27@gmail.com wrote:
> On Tue, 2009-04-07 at 15:33 -0500, Jason Ellison wrote:
> > CentOS 5.3 getent does not return data from the active directory (ads)
> >
> > I have installed and configured kerberos and samba so that the server can be a member of an existing Active Directory (AD). Correct configuration of kerberos was verified using kinit and klist. The samba configuration was verified by using "smbclient -k -L server". winbind was verified by using "wbinfo -g". The problem seems to be nsswitch accessing winbindd to get group information via the "getent group" command. I added winbind to the /etc/nsswitch.conf file like so:
> >
> > [root@nagios ~]# grep winbind /etc/nsswitch.conf
> > passwd:     files winbind
> > shadow:     files winbind
> > group:      files winbind
>
> Try
>   "hosts: files dns wins"
>   "hosts: files winbind"
> You really don't say if you're authenticating, what, and where at. But I do know you did not list the "hosts:" line in nsswitch. One of those should do it. getent group_name will never work without changing it.

JohnS,

getent is used to get entries from the administrative databases, not particular items. It is my understanding that "getent group_name" would never work. I feel really in the dark here; could you please explain how getent works on your system? Is yours modified?

-Jason Ellison

_______________________________________________
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos
 
On Tue, 2009-04-07 at 16:53 -0500, Jason Ellison wrote:
> On Tue, Apr 7, 2009 at 4:03 PM, JohnS jses27@gmail.com wrote:
> > On Tue, 2009-04-07 at 15:33 -0500, Jason Ellison wrote:
> > > CentOS 5.3 getent does not return data from the active directory (ads)
> > >
> > > I have installed and configured kerberos and samba so that the server can be a member of an existing Active Directory (AD). Correct configuration of kerberos was verified using kinit and klist. The samba configuration was verified by using "smbclient -k -L server". winbind was verified by using "wbinfo -g". The problem seems to be nsswitch accessing winbindd to get group information via the "getent group" command. I added winbind to the /etc/nsswitch.conf file like so:
> > >
> > > [root@nagios ~]# grep winbind /etc/nsswitch.conf
> > > passwd:     files winbind
> > > shadow:     files winbind
> > > group:      files winbind
> >
> > Try
> >   "hosts: files dns wins"
> >   "hosts: files winbind"
> > You really don't say if you're authenticating, what, and where at. But I do know you did not list the "hosts:" line in nsswitch. One of those should do it. getent group_name will never work without changing it.
>
> JohnS,
>
> getent is used to get entries from the administrative databases, not particular items. It is my understanding that "getent group_name" would never work. I feel really in the dark here; could you please explain how getent works on your system? Is yours modified?
>
> -Jason Ellison

---
Used to enumerate groups and names, and it works the same as it does on yours. I think you misunderstood what I said. getent won't make samba work against AD, if that is what you're referring to. I was referring to the nsswitch lines. But they appear to be correct. I should have said so.
 
On Tue, 2009-04-07 at 15:33 -0500, Jason Ellison wrote:

By the way, looking again:

> ("getent passwd" command issued)

Should be "getent passwd | grep user_name"

> accepted socket 17
> [17172]: request interface version
> [17172]: request location of privileged pipe
> accepted socket 18
> [17172]: setpwent
> [17172]: endpwent

So as "getent group | grep group_name"

JohnStanley
 
On Tue, Apr 7, 2009 at 4:17 PM, JohnS jses27@gmail.com wrote:
> On Tue, 2009-04-07 at 15:33 -0500, Jason Ellison wrote:
>
> By the way, looking again:
>
> > ("getent passwd" command issued)
>
> Should be "getent passwd | grep user_name"

JohnS,

Why are you suggesting I filter the output of getent? What does this have to do with getent retrieving information from the active directory? Please help me understand your logic here. Also, I would like to know the following:

1) Are you using samba?
2) Is your server a member of the active directory?
3) Are you using winbind via nsswitch so local utilities can enumerate users and groups from the active directory?

-Jason Ellison

> > accepted socket 17
> > [17172]: request interface version
> > [17172]: request location of privileged pipe
> > accepted socket 18
> > [17172]: setpwent
> > [17172]: endpwent
>
> So as "getent group | grep group_name"
>
> Same here.
>
> JohnStanley
 
On Tue, 2009-04-07 at 16:47 -0500, Jason Ellison wrote:
> On Tue, Apr 7, 2009 at 4:17 PM, JohnS jses27@gmail.com wrote:
> > On Tue, 2009-04-07 at 15:33 -0500, Jason Ellison wrote:
> >
> > By the way, looking again:
> >
> > > ("getent passwd" command issued)
> >
> > Should be "getent passwd | grep user_name"
>
> JohnS,
>
> Why are you suggesting I filter the output of getent? What does this have to do with getent retrieving information from the active directory? Please help me understand your logic here. Also, I would like to know the following:

Why? Why not? It has a lot to do with it when you don't have winbindd working right to enumerate. Also, it would be the correct way of doing so. Either way is correct, and getent doesn't make winbind work.

> - are you using samba

I use it every day, even with the samba-vfs module. Just not with Server 2008 AD.

> - is your server a member of the active directory?

Would it make sense for it to be if it's in a totally Windows-controlled domain? Yes.

> - are you using winbind via nsswitch so local utilities can enumerate
> users and groups from the active directory?

If there is a way around using nsswitch then inform me of it. Every AD config for samba adds a change to nsswitch that I am aware of.

How is your samba config file? Also, I am not aware of wbinfo working without being a member server, which you would have to "net ads join -U admin". For 2003 the samba config is different than a 2000 AD Controller config. That is in the [globals] section.
 
Have you browsed the LDAP entries in Active Directory to see if they match similar entries for working Windows hosts? Under the computer entry, look carefully at dnsHostname and servicePrincipalName. For a server, there are many, many entries for these two variables: CIFS/x2, HOSTx2, LDAPS?/, ..... and so on.

On 4/7/09, Jason Ellison infotek@gmail.com wrote:
> CentOS 5.3 getent does not return data from the active directory (ads)
>
> I have installed and configured kerberos and samba so that the server can be a member of an existing Active Directory (AD). Correct configuration of kerberos was verified using kinit and klist. The samba configuration was verified by using "smbclient -k -L server". winbind was verified by using "wbinfo -g". The problem seems to be nsswitch accessing winbindd to get group information via the "getent group" command. I added winbind to the /etc/nsswitch.conf file like so:
>
> [root@nagios ~]# grep winbind /etc/nsswitch.conf
> passwd:     files winbind
> shadow:     files winbind
> group:      files winbind
>
> I verified that all dynamic libraries are being accessed correctly by using "strace getent group".
>
> Below is the debug output of winbindd when issuing various commands that interact with it. The commands are noted in (parentheses).
>
> (winbindd -i -d 9)
> 00a0 status: NT_STATUS_OK
>
> ("getent group" command issued)
> accepted socket 17
> [17171]: request interface version
> [17171]: request location of privileged pipe
> accepted socket 18
> [17171]: setgrent
> [17171]: endgrent
>
> ("getent passwd" command issued)
> accepted socket 17
> [17172]: request interface version
> [17172]: request location of privileged pipe
> accepted socket 18
> [17172]: setpwent
> [17172]: endpwent
>
> (winbindd -i -d 9)
> 00a0 status: NT_STATUS_OK
>
> ("wbinfo -g" command issued)
> accepted socket 17
> [17158]: request interface version
> [17158]: request location of privileged pipe
> accepted socket 18
> [17158]: list groups
> get_sam_group_entries: BUILTIN or local domain; enumerating local groups as well
> Attempting to register passdb backend ldapsam
> Successfully added passdb backend 'ldapsam'
> Attempting to register passdb backend ldapsam_compat
> Successfully added passdb backend 'ldapsam_compat'
> Attempting to register passdb backend NDS_ldapsam
> Successfully added passdb backend 'NDS_ldapsam'
> Attempting to register passdb backend NDS_ldapsam_compat
> Successfully added passdb backend 'NDS_ldapsam_compat'
> Attempting to register passdb backend smbpasswd
> Successfully added passdb backend 'smbpasswd'
> Attempting to register passdb backend tdbsam
> Successfully added passdb backend 'tdbsam'
> Attempting to find an passdb backend to match tdbsam (tdbsam)
> Found pdb backend tdbsam
> pdb backend tdbsam has a valid init
> get_sam_group_entries: Returned 2 local groups
> get_sam_group_entries: BUILTIN or local domain; enumerating local groups as well
> get_sam_group_entries: Returned 0 local groups
> get_cache: Setting ADS methods for domain COMPANY
> ads: enum_dom_groups
>
> NOTES:
>
> [root@nagios ~]# uname -a
> Linux nagios.hq.company.local 2.6.18-128.1.6.el5xen #1 SMP Wed Apr 1 09:53:14 EDT 2009 x86_64 x86_64 x86_64 GNU/Linux
>
> [root@nagios ~]# rpm -qa samba krb* nss*
> nss_db-2.2-35.3
> nss_db-2.2-35.3
> krb5-libs-1.6.1-31.el5
> nss-tools-3.12.2.0-4.el5.centos
> nss_ldap-253-17.el5
> krb5-libs-1.6.1-31.el5
> samba-3.0.33-3.7.el5
> krb5-auth-dialog-0.7-1
> nss-3.12.2.0-4.el5.centos
> nss-3.12.2.0-4.el5.centos
> nss_ldap-253-17.el5
> krb5-workstation-1.6.1-31.el5


