[samba-winbind] wbinfo -i not showing real name
Hello,
I have successfully joined my RHEL 6.5 server to our 2008 R2 Active Directory using samba-winbind and the authconfig GUI.
The only issue is that when I open a terminal and type:
wbinfo -i DOMAIN\username (of course changing "DOMAIN" and "username" for their real values) (double backslash to represent single backslash as \ is a special escape character)
I obtain this:
[DOMAIN\username@host ~]$ wbinfo -i DOMAIN\username
DOMAIN\username:*:16777216:16777216::/home/DOMAIN/username:/bin/bash
But as you can see, between the second 166777216 and /home there are two :: without the real name between them, as I would expect. As a result, when I log into the system I see DOMAIN\username on the top right corner of the screen, just next to the system clock, instead of the real name.
However, if I log in with another AD account, then the user-switch-applet shows perfectly the real name and I can do wbinfo -i as follows:
[DOMAIN\someotheruser@host ~]$ wbinfo -i DOMAIN\someotheruser
DOMAIN\someotheruser:*:16777218:16777216:Some Other User:/home/DOMAIN/username:/bin/bash
(notice the "Some Other User" string between 16777216 and /home)
The result is the same if I type the wbinfo -i DOMAIN\someotheruser from the username cli:
[DOMAIN\username@host ~]$ wbinfo -i DOMAIN\someotheruser
DOMAIN\someotheruser:*:16777218:16777216:Some Other User:/home/DOMAIN/username:/bin/bash
Please excuse this terminology, I am not allowed to post real domain and names here. Any ideas?? It is not a fatal issue, but it only happens to my AD account and I don't know why it happens. Of course my AD account has the real name correctly written. My AD account was the first one I used once the server was joined to the domain.
It also happened to me on a 6.4 fresh install.
Steps to reproduce:
Fresh install of 6.4 or 6.5 RHEL Server
yum install samba-winbind, if not installed during the installation process
Run authconfig GUI: System --> Administration --> Authentication
Config the correct values to use Winbind
Press Join Domain
Reboot
Log with the AD account in the way DOMAIN\username and the AD password.
You probably get the real name working.
Reboot
Log again with the same AD account
You will not get the real name shown anymore.
If you right-click on the top right corner and select "edit personal info" you will see "Unknown" as the user's real name.
I also tried getting a Kerberos ticket for the user "username" with:
kinit username@REALM
and obtained a TGT ticket that allowed me to get SSO working instantly, as I tested ssh-ing other AD-Joined-linux server with no password request. But this did not solve the issue.
Could it be an ID map issue?
Anyone having the same problem?
As English is not my native language, please excuse typing errors.
Jorge Garcia
Responses
Mine is already set to "true". I would have been surprised if that setting had made a difference, only due to the fact that we can successfully look up, for lack of a better term, "non-cached" winbind user information. So if someone in the domain has never logged on to the RHEL workstation, or has not logged in for quite some time, the wbinfo command returns all the proper account information from the domain.
I've not found a solution for this yet. It's not critical, but it would help to enhance a project I'm working on.
I think I MAY HAVE solved the problem. I did try to clear the winbind cache using "net cache flush". That didn't seem to change anything. Then I noticed a pattern that the Windows IDs that did not pull the full name from the domain also, at one time, but not currently, had local linux user accounts. Mine included. So Jorge, you were pretty much on the mark with the whole "DOMAIN" thing, but I used it in the wbinfo command itself. I did this:
wbinfo -i user_name --all-domains
results:
BUILTIN
HOSTNAME123
WIN_DOMAIN_NAME
Even though I no longer have a local linux account, it shows up as still having a local machine user account.
I'm not sure where to clear that out! Ideas?
So now, simply tell wbinfo to call the userid from the correct "DOMAIN".
wbinfo -i USERNAME -D YOURDOMAINNAME
Did that work for you?
Jorge,
I see my last post was difficult to follow, even for myself. Today I tried to duplicate the "fix" which I thought was a way around the problem of the AD "Display Name" from showing up in the 'wbinfo' output, but I do not believe it's the fix.
I have now patched a host to RHEL 6.6, patches as of December 2014. This also did not correct the issue. When I type the command below, this is the result, but ONLY MOST of the time, not always. (Notice there's no Display Name showing up)
wbinfo -i myusername
myusername:*:16778213:16778213::/home/MYDOMAIN/myusername:/bin/bash
If I type this, I also do not see the User description (or Display Name) info between those two colons.
wbinfo -i myusername --domain MYDOMAIN
- this shows all the domain info, but still no "Display Name" - there's still no info between those two colons.
If I become root user on the RHEL host (using 'su' or 'su -') I still get the same result.
BUT, if I become another AD user on the same RHEL host (using su adusername) I can THEN get ALL the domain info from the wbinfo command (including "Display Name" info) for ANY user, EXCEPT for the user which I initially used to log on to the RHEL host. Again, I can look up ANY user in AD from the RHEL host and obtain their full name (Display Name). But not mine (the username I used to ssh into RHEL host). I hope that's more clear.
I did notice one time while running the 'wbinfo -i myusername' command that the "Display Name" info DID appear. I did nothing other than repeat the command and I repeated several times and was able to obtain the "Display Name" info. But then it vanished again. I thought then it may be a DC mis-communicating with the RHEL host. So I tried to comment one of the two DCs in the Samba config file and in /etc/krb5.conf and restart winbind. Same results, "Display Name" did not show up for my account. I tried this for each DC, but no luck.
This doesn't hurt anything, but it does interfere with one of my scripts which tried to pull the AD user's full name. Just annoying, that's all.
I'm going to perform a while loop to re-run the wbinfo command to see if I can pull my Display Name info and how often. I'm not sure where else to look.
Thanks again for the reply. Maybe yours is a periodical fluke too.
On a side note, our DCs are heavily locked down with security measures, so that could be something we have in common.
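
The polling loop the last reply mentions, sketched as an added example (not part of the original thread): it re-runs `wbinfo -i` and counts how often field 5 of the passwd-style line, the GECOS/real-name field, comes back empty. The function names are hypothetical, and the sample lines are the placeholder entries quoted in the first post.

```shell
#!/bin/sh
# Added example: measure how often `wbinfo -i` returns an empty
# GECOS (real name) field. Function names are hypothetical.

# Placeholder entries copied from the first post (not real accounts).
SAMPLE='DOMAIN\username:*:16777216:16777216::/home/DOMAIN/username:/bin/bash
DOMAIN\someotheruser:*:16777218:16777216:Some Other User:/home/DOMAIN/username:/bin/bash'

# gecos_of LINE: print field 5 (real name) of one passwd-style entry.
gecos_of() {
    printf '%s\n' "$1" | awk -F: '{ print $5 }'
}

# count_empty_gecos: read passwd-style entries on stdin and print
# "empty/total". Lines with fewer than 7 fields (error messages,
# blank lines) are ignored so a failed lookup is not counted.
count_empty_gecos() {
    awk -F: 'NF >= 7 { total++; if ($5 == "") empty++ }
             END     { printf "%d/%d\n", empty, total }'
}

# poll_gecos USER COUNT [DELAY]: run `wbinfo -i USER` COUNT times,
# DELAY seconds apart (default 1), and report how many of the
# successful lookups had no real name.
poll_gecos() {
    user=$1
    count=$2
    delay=${3:-1}
    i=0
    while [ "$i" -lt "$count" ]; do
        wbinfo -i "$user" 2>/dev/null
        i=$((i + 1))
        sleep "$delay"
    done | count_empty_gecos
}

# Offline check against the sample entries: prints 1/2
# printf '%s\n' "$SAMPLE" | count_empty_gecos
# On a joined host, for example: poll_gecos 'DOMAIN\username' 60 5
```

A total lower than the requested count means some lookups failed outright, which is a different symptom from a successful lookup with an empty name.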
