Sunday, June 27, 2010

Linux error id: cannot find name for user ID xxxxx when using Domain Authentication

We recently had a problem, after re-doing some Samba configurations on RHEL 5, in which a user would log in (successfully), but then be presented with the following errors:
id: cannot find name for user ID 10001
id: cannot find name for group ID 10000
id: cannot find name for user ID 10001
Of course, none of our domain ACLs worked for this user, either, which was a real problem. Finally, after running through the more obvious problems (communication with domain controllers: verified with wbinfo; uid and gid allocation and linking: set explicitly with wbinfo; winbind cache (cleared, both in /var/cache/samba and /var/lib/samba); date/time discrepancies; domain membership), we found the culprit: file permissions.
One of the perplexing things about this problem was that it was user-specific: all other users could log in just fine, and in fact, this user could be identified on the domain by other users. If you run into this problem, there are a couple of really useful troubleshooting commands:
id
Id gives information about users and groups. In this case, other users could get information about this user using the id command, but the user couldn't get any data either about his own ID or anyone else's.
strace
Ah, how I love strace. I often forget to use it, which is a shame, because it would short-circuit a lot of my problems. (man strace for more info; you'll be glad you did.) In this case, the strace stack for id when run as the offending user included the following:
connect(3, {sa_family=AF_FILE, path="/var/run/nscd/socket"...}, 110) = -1 EACCES (Permission denied)
Our GID mapping had gotten out of whack, and the /var directory, as it turned out, had some extended permissions (ACLs) that excluded this particular user from accessing anything within the /var directory. Removing those extended permissions cleared up the problem for us.
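
The strace step above can be scripted. This is an added example, not from the original post: it pulls every EACCES failure out of strace output and walks the failing path from the top down to find the first directory the calling user cannot traverse. The sample trace is constructed, the function names are illustrative, and the script is assumed to run as the affected user.

```python
import os
import re

# Constructed sample of `strace id` output (not captured from a real system);
# the connect() line mirrors the one quoted in the post.
SAMPLE = '''\
open("/etc/ld.so.cache", O_RDONLY) = 3
connect(3, {sa_family=AF_FILE, path="/var/run/nscd/socket"...}, 110) = -1 EACCES (Permission denied)
open("/etc/nsswitch.conf", O_RDONLY) = -1 EACCES (Permission denied)
stat("/nonexistent", 0x7fff) = -1 ENOENT (No such file or directory)
'''

# Optional pid prefix (strace -f), syscall name, first quoted absolute path, EACCES result.
DENIED = re.compile(r'^(?:\[pid\s+\d+\]\s*|\d+\s+)?(\w+)\(.*?"(/[^"]*)".*=\s*-1 EACCES')


def denied_paths(strace_text):
    """Return (syscall, path) for every call that failed with EACCES."""
    hits = []
    for line in strace_text.splitlines():
        m = DENIED.match(line)
        if m:
            hits.append((m.group(1), m.group(2)))
    return hits


def ancestors(path):
    """'/var/run/nscd/socket' -> ['/', '/var', '/var/run', ...], top down."""
    parts = [p for p in path.split('/') if p]
    return ['/'] + ['/' + '/'.join(parts[:i]) for i in range(1, len(parts) + 1)]


def first_blocked(path, can_search=None):
    """First directory on the way to path that the caller cannot traverse.

    os.access() asks the kernel, so extended ACLs (like the one on /var in
    the post) are honoured, not just the classic mode bits. A directory that
    does not exist is also reported, since it cannot be traversed either.
    """
    if can_search is None:
        can_search = lambda d: os.access(d, os.X_OK)
    for d in ancestors(path)[:-1]:
        if not can_search(d):
            return d
    return None


if __name__ == '__main__':
    for call, path in denied_paths(SAMPLE):
        print(f'{call}: {path} -> first blocked directory: {first_blocked(path)}')
```

Once a directory is named, getfacl on that directory shows the ACL entries responsible.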

5 comments:

  1. Cool Thanks.

    I used strace for the same problem. I don't use nscd in my env; I found the same permission denied for /etc/nsswitch

    chmod a+x /etc/nsswitch did the trick.

  2. It also helped me. Thank you.

  3. Whoever you are, "Anonymous", THANKS a million! You saved the day.
    chmod a+x /etc/nsswitch did the trick for me as well!!

  4. Bless you anon! Truly a hero for all ages. nsswitch was the culprit for my org, too (trolling admins did something as root and permissions were lost)
