[samba-winbind] wbinfo -i not showing real name

Hello,

I have successfully joined my RHEL 6.5 server to our 2008 R2 Active Directory using samba-winbind and the authconfig GUI.

The only issue is that when I open a terminal and type:

wbinfo -i DOMAIN\username (of course changing "DOMAIN" and "username" for their real values) (double backslash to represent single backslash as \ is a special escape character)

I obtain this:

[DOMAIN\username@host ~]$ wbinfo -i DOMAIN\username
DOMAIN\username:*:16777216:16777216::/home/DOMAIN/username:/bin/bash

But as you can see, between the second 16777216 and /home there are two :: without the real name between them, as I would expect. As a result, when I log into the system I see DOMAIN\username on the top right corner of the screen, just next to the system clock, instead of the real name.

However, if I log in with another AD account, then the user-switch-applet shows perfectly the real name and I can do wbinfo -i as follows:

[DOMAIN\someotheruser@host ~]$ wbinfo -i DOMAIN\someotheruser
DOMAIN\someotheruser:*:16777218:16777216:Some Other User:/home/DOMAIN/username:/bin/bash

(notice the "Some Other User" string between 16777216 and /home)

The result is the same if I type the wbinfo -i DOMAIN\someotheruser from the username cli:

[DOMAIN\username@host ~]$ wbinfo -i DOMAIN\someotheruser
DOMAIN\someotheruser:*:16777218:16777216:Some Other User:/home/DOMAIN/username:/bin/bash

Please excuse this terminology, I am not allowed to post real domain and names here. Any ideas?? It is not a fatal issue, but it only happens to my AD account and I don't know why it happens. Of course my AD account has the real name correctly written. My AD account was the first one I used once the server was joined to the domain.

It also happened to me on a 6.4 fresh install.

Steps to reproduce:

Fresh install of 6.4 or 6.5 RHEL Server
yum install samba-winbind, if not installed during the installation process
Run authconfig GUI: System --> Administration --> Authentication
Configure the correct values to use Winbind
Press Join Domain
Reboot
Log in with the AD account in the way DOMAIN\username and the AD password.
You probably get the real name working.
Reboot
Log in again with the same AD account
You will not get the real name shown anymore.
If you right-click on the top right corner and select "edit personal info" you will see "Unknown" as the user's real name.

I also tried getting a Kerberos ticket for the user "username" with:

kinit username@REALM

and obtained a TGT ticket that allowed me to get SSO working instantly, as I tested ssh-ing to another AD-joined Linux server with no password request. But this did not solve the issue.

Could it be an ID map issue?

Anyone having the same problem?

As English is not my native language, please excuse typing errors.

Jorge Garcia

Responses

There is a typo:

/home/DOMAIN/username is the home path for "username"
/home/DOMAIN/someotheruser is the home path for "someotheruser"

I wrote the first one for both users, sorry

I have just checked that once you login with any not-previously-logged into the system AD account, the wbinfo -i command does not show the real name anymore.

So it seems some kind of idmap issue with samba in the smb.conf file...

Any ideas how to fix this?

I have also just discovered this issue with RHEL 6.5 updated as of this month (August 2014).

Also using Windows 2008 R2 in a heavily secured environment (STIGs).

I am wondering about one possible fix for this issue. Not very sure, but in RHEL's smb.conf file there's a line like:

winbind use default domain = false

That means that you need to type "DOMAIN\username" in gdm's login screen instead of just "username". If we change it to:

winbind use default domain = true

Perhaps that does the trick on the search performed by samba against the DC. Obviously only one domain is going to be available, so if your setup has two or more domains I think this won't be possible, as you won't be able to choose the domain to log in to.

I have not tested this possible fix yet, because I am afraid that the /home/DOMAIN/username path would be changed to /home/username and therefore there would be lots of trouble.

I'm going to test it in a VM and will report the results here.

Jorge G.

Mine is already set to "true". I would have been surprised if that setting had made a difference, only due to the fact that we can successfully look up, for lack of a better term, "non-cached" winbind user information. So if someone in the domain has never logged on to the RHEL workstation, or has not logged in for quite some time, the wbinfo command returns all the proper account information from the domain.

I've not found a solution for this yet. It's not critical, but it would help to enhance a project I'm working on.

I think I MAY HAVE solved the problem. I did try to clear the winbind cache using "net cache flush". That didn't seem to change anything. Then I noticed a pattern that the Windows IDs that did not pull the full name from the domain also, at one time, but not currently, had local Linux user accounts. Mine included. So Jorge, you were pretty much on the mark with the whole "DOMAIN" thing, but I used it in the wbinfo command itself. I did this:

wbinfo -i user_name --all-domains

results:
BUILTIN
HOSTNAME123
WIN_DOMAIN_NAME

Even though I no longer have a local Linux account, it shows up as still having a local machine user account.

I'm not sure where to clear that out! Ideas?

So now, simply tell wbinfo to call the userid from the correct "DOMAIN".

wbinfo -i USERNAME -D YOURDOMAINNAME

Did that work for you?

Better yet, use

wbinfo -u USERNAME --domain DOMAIN_NAME

Hi Cris,

Thank you very much for your comments. Sorry for being away so long, I was sick but I'm now ok :). It didn't work the very first time I tried your patch, but when I removed my local account (just leaving only the root account) and after some updates it started working smoothly.

That testing server was powered off for three months because of my sick leave, but after I came back last week I believe it could've been the 6.6 minor release update that fixed the problem, but I have not checked yet which changes -if any- applied to winbind or samba packages. Perhaps it's possible that any system network caches were cleared after that long poweroff period. I've tried rebooting many times and the name always appears, so it seems that some update fixed that issue. Because of that long RHN disconnection, I have updated lots of packages at once, so I cannot determine which update solved the problem.

Now your patch seems to work nicely.

Are you still having this issue? Have you fully upgraded your system to 6.6?

If I get more info, I will post it here.

Thanks

Jorge,

I see my last post was difficult to follow, even for myself. Today I tried to duplicate the "fix" which I thought was a way around the problem of the AD "Display Name" from showing up in the 'wbinfo' output, but I do not believe it's the fix.

I have now patched a host to RHEL 6.6, patches as of December 2014. This also did not correct the issue. When I type the command below, this is the result, but ONLY MOST of the time, not always. (Notice there's no Display Name showing up)

wbinfo -i myusername
myusername:*:16778213:16778213::/home/MYDOMAIN/myusername:/bin/bash

If I type this, I also do not see the User description (or Display Name) info between those two colons.
wbinfo -i myusername --domain MYDOMAIN

  • this shows all the domain info, but still no "Display Name" - there's still no info between those two colons.

If I become root user on the RHEL host (using 'su' or 'su -') I still get the same result.

BUT, if I become another AD user on the same RHEL host (using su adusername) I can THEN get ALL the domain info from the wbinfo command (including "Display Name" info) for ANY user, EXCEPT for the user which I initially used to log on to the RHEL host. Again, I can look up ANY user in AD from the RHEL host and obtain their full name (Display Name). But not mine (the username I used to ssh into RHEL host). I hope that's more clear.

I did notice one time while running the 'wbinfo -i myusername' command that the "Display Name" info DID appear. I did nothing other than repeat the command and I repeated several times and was able to obtain the "Display Name" info. But then it vanished again. I thought then it may be a DC mis-communicating with the RHEL host. So I tried to comment one of the two DCs in the Samba config file and in /etc/krb5.conf and restart winbind. Same results, "Display Name" did not show up for my account. I tried this for each DC, but no luck.

This doesn't hurt anything, but it does interfere with one of my scripts which tried to pull the AD user's full name. Just annoying, that's all.

I'm going to perform a while loop to re-run the wbinfo command to see if I can pull my Display Name info and how often. I'm not sure where else to look.

Thanks again for the reply. Maybe yours is a periodical fluke too.

On a side note, our DCs are heavily locked down with security measures, so that could be something we have in common.
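
The polling loop mentioned in the last post, sketched as an added example that is not part of the original thread: it counts how often the real-name (GECOS) field of `wbinfo -i` output comes back empty and keeps failed lookups separate from empty names. The function names are hypothetical, and the sample lines are constructed from the output quoted in the thread.

```shell
#!/bin/sh
# Added example (not from the thread): measure how often the GECOS field
# of passwd-format lines, as printed by `wbinfo -i`, is empty.

# Print the GECOS field (5th colon-separated field) of one passwd line.
gecos_of() {
    printf '%s\n' "$1" | awk -F: '{ print $5 }'
}

# Read lines on stdin and print "<records> <empty> <other>":
#   records = well-formed passwd lines (exactly 7 fields)
#   empty   = records whose GECOS field is empty
#   other   = anything else (error text, failed-lookup markers)
count_empty_gecos() {
    awk -F: '
        NF == 7 { records++; if ($5 == "") empty++; next }
        NF > 0  { other++ }
        END     { printf "%d %d %d\n", records, empty, other }'
}

# Run `wbinfo -i USER` TRIES times, DELAY seconds apart (default 5), and
# summarise the results. A failed lookup is recorded as a marker line so
# it is not mistaken for an empty real name.
poll_wbinfo() {
    user=$1; tries=$2; delay=${3:-5}
    i=0
    while [ "$i" -lt "$tries" ]; do
        wbinfo -i "$user" 2>/dev/null || echo "LOOKUP_FAILED"
        i=$((i + 1))
        if [ "$i" -lt "$tries" ]; then sleep "$delay"; fi
    done | count_empty_gecos
}

# Constructed sample input, modelled on the two lines quoted in the thread.
sample_lines() {
    cat <<'EOF'
DOMAIN\username:*:16777216:16777216::/home/DOMAIN/username:/bin/bash
DOMAIN\someotheruser:*:16777218:16777216:Some Other User:/home/DOMAIN/someotheruser:/bin/bash
EOF
}
```

On a joined host, `poll_wbinfo 'DOMAIN\username' 20 30` would print the three counters after twenty lookups; `sample_lines | count_empty_gecos` exercises the parser without winbind.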
