List: netbsd-current-users
Subject: nss_winbind not functional anymore on NetBSD 9.99.106 and Samba 4.16.5
From: Matthias Petermann <mp () petermann-it ! de>
Date: 2022-11-14 10:06:20
Message-ID: c5c5c852-b738-0fc1-271b-cbb50e350881 () petermann-it ! de
Hello all,
I have been using NetBSD 9.99.99 with Samba 4.15.9 (from pkgsrc 2022Q2)
as a Windows Domain Controller for a while now, which worked well.
Since I switched to the combination NetBSD 9.99.106 and Samba 4.16.5
(from pkgsrc 2022Q3), the name resolution for usernames / groups via
nss_winbind does not work anymore.
The Windows clients are not directly affected by this, since the nss
mechanism, especially on the Unix side, ensures that the correct
plaintext names can be displayed for the numeric user and group ids
assigned by Samba - for example, with ls. The workaround at the moment
is to work with the numeric IDs. This is inconvenient and error-prone.
As proof, I try to display the user information for the built-in domain
administrator account via the id command:
```
net$ id Administrator
id: Administrator: No such user
```
I have checked the following so far:
1) Basic function kerberos with kinit / klist.
```
net$ kinit Administrator
Administrator@TEST.LOCAL's Password:
net$ klist
Credentials cache: FILE:/tmp/krb5cc_1000
Principal: Administrator@TEST.LOCAL
Issued Expires Principal
Nov 14 10:42:45 2022 Nov 14 20:42:45 2022 krbtgt/TEST.LOCAL@TEST.LOCAL
```
2) Joining the Domain from a Windows 11 Prof 22H2 based host
- works
3) Basic function winbind
```
net$ wbinfo -i Administrator
TEST\administrator:*:0:100::/home/TEST/administrator:/bin/false
net$ wbinfo -g Administrator
TEST\cert publishers
TEST\ras and ias servers
TEST\allowed rodc password replication group
TEST\denied rodc password replication group
TEST\dnsadmins
TEST\enterprise read-only domain controllers
TEST\domain admins
TEST\domain users
TEST\domain guests
TEST\domain computers
TEST\domain controllers
TEST\schema admins
TEST\enterprise admins
TEST\group policy creator owners
TEST\read-only domain controllers
TEST\dnsupdateproxy
```
4) /etc/nsswitch.conf
```
group: files winbind
group_compat: nis
hosts: files dns
netgroup: files [notfound=return] nis
networks: files
passwd: files winbind
passwd_compat: nis
shells: files
```
5) libnss winbind
```
net$ ls -la /usr/lib/nss_winbind.so.0
lrwxr-xr-x 1 root wheel 30 Nov 14 09:56 /usr/lib/nss_winbind.so.0 -> /usr/pkg/lib/libnss_winbind.so
```
6) Ktrace of the "id" command (excerpts)
```
net$ ktrace id Administrator
id: Administrator: No such user
net$ kdump
....
592 592 id CALL open(0x785c601b43b8,0x400000,0x1b6)
592 592 id NAMI "/etc/nsswitch.conf"
592 592 id RET open 3
592 592 id CALL mmap(0,0x7000,PROT_READ|PROT_WRITE,0x1002<PRIVATE,ANONYMOUS,ALIGN=NONE>,0xffffffff,0,0)
592 592 id RET mmap 132338150055936/0x785c606ca000
592 592 id CALL mmap(0,0x7000,PROT_READ|PROT_WRITE,0x1002<PRIVATE,ANONYMOUS,ALIGN=NONE>,0xffffffff,0,0)
592 592 id RET mmap 132338150027264/0x785c606c3000
592 592 id CALL mmap(0,0x5000,PROT_READ|PROT_WRITE,0x1002<PRIVATE,ANONYMOUS,ALIGN=NONE>,0xffffffff,0,0)
592 592 id RET mmap 132338150006784/0x785c606be000
592 592 id CALL mmap(0,0x5000,PROT_READ|PROT_WRITE,0x1002<PRIVATE,ANONYMOUS,ALIGN=NONE>,0xffffffff,0,0)
592 592 id RET mmap 132338149986304/0x785c606b9000
592 592 id CALL __fstat50(3,0x7f7fff082110)
592 592 id RET __fstat50 0
592 592 id CALL mmap(0,0x5000,PROT_READ|PROT_WRITE,0x1002<PRIVATE,ANONYMOUS,ALIGN=NONE>,0xffffffff,0,0)
592 592 id RET mmap 132338149965824/0x785c606b4000
592 592 id CALL read(3,0x785c606b4740,0x4000)
592 592 id GIO fd 3 read 667 bytes
"# $NetBSD: nsswitch.conf,v 1.6 2009/10/25 00:17:06 tsarna
Exp $\n#\n# nsswitch.conf(5) -\n# name service switch configurat\
ion file\n#\n\n\n# These are the defaults in libc\n#\n#group:
compat\ngroup: files winbind\ngroup_compat: nis\nh\
osts: files dns\nnetgroup: files [notfound=return]
nis\nnetworks: files\n#passwd: compat\npasswd: files winbind\
\npasswd_compat: nis\nshells: files\n\n\n#
List of supported sources for each database\n#\n# group: compat\
, dns, files, nis\n# group_compat: dns, nis\n#
hosts: dns, files, nis, mdnsd, multicast_dns\n# netgroup:\
files, nis\n# networks: dns, files,
nis\n# passwd: compat, dns, files, nis\n# passwd_compat:\
dns, nis\n# shells: dns, files, nis\n"
592 592 id RET read 667/0x29b
592 592 id CALL read(3,0x785c606b4740,0x4000)
592 592 id GIO fd 3 read 0 bytes
""
....
592 592 id CALL open(0x7f7fff0817b8,0,7)
592 592 id NAMI "/usr/lib/nss_files.so.0"
592 592 id RET open -1 errno 2 No such file or directory
592 592 id CALL __sigprocmask14(3,0x7f7fff081e60,0)
592 592 id RET __sigprocmask14 0
592 592 id CALL mmap(0,0x5000,PROT_READ|PROT_WRITE,0x1002<PRIVATE,ANONYMOUS,ALIGN=NONE>,0xffffffff,0,0)
592 592 id RET mmap 132338149941248/0x785c606ae000
592 592 id CALL _lwp_self
592 592 id RET _lwp_self 592/0x250
592 592 id CALL __sigprocmask14(1,0x7f7fff081e20,0x7f7fff081e60)
592 592 id RET __sigprocmask14 0
592 592 id CALL open(0x7f7fff0817b8,0,1)
592 592 id NAMI "/usr/lib/nss_winbind.so.0"
592 592 id RET open 4
592 592 id CALL __fstat50(4,0x7f7fff0816b8)
592 592 id RET __fstat50 0
592 592 id CALL mmap(0,0x1000,PROT_READ,0x1<SHARED,FILE,ALIGN=NONE>,4,0,0)
592 592 id RET mmap 132338149937152/0x785c606ad000
592 592 id CALL munmap(0x785c606ad000,0x1000)
592 592 id RET munmap 0
592 592 id CALL mmap(0,0x21b000,PROT_READ|PROT_EXEC,0x15000002<PRIVATE,FILE,ALIGN=2MB>,4,0,0)
592 592 id RET mmap 132338132451328/0x785c5f600000
592 592 id CALL mmap(0x785c5f810000,0x2000,PROT_READ|PROT_WRITE,0x12<PRIVATE,FIXED,FILE,ALIGN=NONE>,4,0,0x10000)
592 592 id RET mmap 132338134614016/0x785c5f810000
592 592 id CALL mmap(0x785c5f812000,0x9000,PROT_READ|PROT_WRITE,0x1012<PRIVATE,FIXED,ANONYMOUS,ALIGN=NONE>,0xffffffff,0,0)
592 592 id RET mmap 132338134622208/0x785c5f812000
592 592 id CALL mprotect(0x785c5f611000,0x1ff000,PROT_NONE)
592 592 id RET mprotect 0
592 592 id CALL close(4)
592 592 id RET close 0
592 592 id CALL open(0x7f7fff081728,0,4)
592 592 id NAMI "/usr/pkg/lib/libpthread.so.1"
592 592 id RET open -1 errno 2 No such file or directory
592 592 id CALL open(0x7f7fff081728,0,2)
592 592 id NAMI "/usr/pkg/lib/samba/private/libpthread.so.1"
592 592 id RET open -1 errno 2 No such file or directory
592 592 id CALL open(0x7f7fff081728,0,0)
592 592 id NAMI "/usr/lib/libpthread.so.1"
592 592 id RET open 4
592 592 id CALL __fstat50(4,0x7f7fff081628)
```
There are no peculiarities in the logfiles of Samba or Winbindd, not
even in the usual syslog logfiles.
Is there a way to view nsdispatch or the name service switch mechanism
in more detail or to enable additional logging?
Has anyone observed the same problem and might have an idea what the
problem is?
Kind regards
Matthias
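One way to condense a ktrace excerpt like the one in step 6, as an added example that is not part of the original message: the script pairs each `open` call in `kdump` output with its path and result, so the modules and libraries the lookup actually loaded, and the ones it failed to find, are visible at a glance. The function names `sample_kdump` and `summarise_opens` are hypothetical, and the sample input is constructed from lines of the excerpt above.

```shell
#!/bin/sh
# Pair every open() in kdump output with its path and result, so that
# missing or misdirected NSS modules and libraries stand out.

# Constructed sample: lines taken from the excerpt above, trimmed.
sample_kdump() {
cat <<'EOF'
592 592 id CALL open(0x785c601b43b8,0x400000,0x1b6)
592 592 id NAMI "/etc/nsswitch.conf"
592 592 id RET open 3
592 592 id CALL open(0x7f7fff0817b8,0,7)
592 592 id NAMI "/usr/lib/nss_files.so.0"
592 592 id RET open -1 errno 2 No such file or directory
592 592 id CALL open(0x7f7fff0817b8,0,1)
592 592 id NAMI "/usr/lib/nss_winbind.so.0"
592 592 id RET open 4
592 592 id CALL __fstat50(4,0x7f7fff0816b8)
592 592 id RET __fstat50 0
592 592 id CALL open(0x7f7fff081728,0,4)
592 592 id NAMI "/usr/pkg/lib/libpthread.so.1"
592 592 id RET open -1 errno 2 No such file or directory
592 592 id CALL open(0x7f7fff081728,0,0)
592 592 id NAMI "/usr/lib/libpthread.so.1"
592 592 id RET open 4
EOF
}

# summarise_opens (hypothetical name): reads kdump text on stdin.
# Fields: pid, lwp, command, record type, then the record itself.
# Paths containing spaces are truncated at the first space.
summarise_opens() {
    awk '
    $4 == "CALL" { key = $1 "." $2; pending[key] = ($5 ~ /^open\(/); next }
    $4 == "NAMI" { key = $1 "." $2
                   if (pending[key]) { p = $5; gsub(/"/, "", p); path[key] = p }
                   next }
    $4 == "RET" && $5 == "open" {
        key = $1 "." $2
        if (key in path) {
            if ($6 == "-1") {
                msg = $9; for (i = 10; i <= NF; i++) msg = msg " " $i
                printf "FAIL %s (errno %s: %s)\n", path[key], $8, msg
            } else printf "OK   %s (fd %s)\n", path[key], $6
            delete path[key]
        }
        pending[key] = 0
    }'
}

sample_kdump | summarise_opens
```

On a live system the same function can be fed from a fresh trace with `ktrace id Administrator` followed by `kdump | summarise_opens`.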