[Samba] wbinfo -u returns no domain users

Gregory Cushing ioudas at gmail.com
Tue Jun 3 14:30:37 MDT 2014


Carla, as another point: you may not end up wanting an idmap and just a
local cache (which for me makes no sense). One thing to check that I left out is
your Kerberos configuration in /etc/krb5.conf.

This will have to be right for a lookup to occur.

gregc2 at NRFVUTIL1:~$ cat /etc/krb5.conf
[libdefaults]
 default_realm = NRFDIST.LOCAL
 dns_lookup_realm = false
 dns_lookup_kdc = false
 ticket_lifetime = 48h
 renew_lifetime = 7d
 forwardable = true
[realms]
 NRFDIST.LOCAL = {
  kdc = nrfdc1.nrfdist.local
  admin_server = nrfdc1.nrfdist.local
 }
[domain_realm]
 .nrfdist.local = NRFDIST.LOCAL
 nrfdist.local = NRFDIST.LOCAL



On Tue, Jun 3, 2014 at 4:19 PM, Gregory Cushing <ioudas at gmail.com> wrote:

> Carla, no worries, we all have to start somewhere.
>
> Here is my .02 from samba.
>
> So imagine you are a Windows domain controller. You have users represented
> in a SID fashion, i.e. S-1234.
>
> What winbind does is query the domain controller, then handle the
> translation from the SID into the PAM Linux authentication module. The PAM
> module handles user logins for ssh/console etc. Winbind hooks into this
> system to provide Unix ID translation from the SIDs on the domain
> controller.
>
> You will need to configure nsswitch, PAM and smb.conf to do this. Make sure
> the modules are defined, installed and working in the nsswitch and PAM
> module configs. Then you will have to verify the idmap settings.
>
> Here is a link with different id mapping:
> https://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/idmapper.html
>
> Below is stuff done on Debian, but the process is the same on AIX or
> Debian or CentOS. I also kinit to confirm Kerberos status.
>
>
> Here is an example from a spare box i have:
>
> conf:
>
> gregc2 at NRFVUTIL1:~$ cat /etc/samba/smb.conf
> [global]
> workgroup = NRFDIST
> security = ads
> realm = nrfdist.local
> password server = nrfdc1.nrfdist.local
> domain logons = no
> template homedir = /home/%U
> template shell = /bin/bash
> winbind enum groups = yes
> winbind enum users = yes
> winbind use default domain = yes
> winbind refresh tickets = yes
> domain master = no
> local master = no
> prefered master = no
> os level = 0
> idmap config *:backend = tdb
> idmap config *:range = 11000-20000   (here you can use a RID backend or any you choose)
> printing = bsd
> printcap name = /dev/null
> [ADShare]
>     path = /shares/ADShareTest
>     create mask = 0775
>     read only = no
>     valid users = NRFDIST\gregc3, "@Domain Admins"
>     writeable = yes
>     directory mask = 775
> [ddreports]
>     path = /shares/ddreports
>     create mask = 0775
>     read only = no
>     valid users = NRFDIST\nrfst, "@Domain Admins"
>     writeable = yes
>     directory mask = 775
> [cadec]
>     path = /shares/cadec
>     create mask = 0775
>     read only = no
>     valid users = NRFDIST\nrfcadecservice, "@Domain Admins"
>     writeable = yes
>     directory mask = 775
>
>
>
> gregc2 at NRFVUTIL1:~$ getent passwd
>
> lists all users in the domain you have configured.
>
> getent group lists the group info found.
>
> wbinfo -a tests authentication
> wbinfo -g lists winbind's cache of group info
> wbinfo -u lists user info in the cache
>
>
> gregc2 at NRFVUTIL1:~$ cat /etc/nsswitch.conf
> # /etc/nsswitch.conf
> #
> # Example configuration of GNU Name Service Switch functionality.
> # If you have the `glibc-doc-reference' and `info' packages installed, try:
> # `info libc "Name Service Switch"' for information about this file.
>
> passwd:         compat winbind
> group:          compat winbind
> shadow:         compat
>
> hosts:          files dns
> networks:       files
>
> protocols:      db files
> services:       db files
> ethers:         db files
> rpc:            db files
>
> netgroup:       nis
>
>
> Example of a PAM config module change (this should be done by your distro, but
> I've seen CentOS not do this multiple times).
>
> gregc2 at NRFVUTIL1:~$ cat /etc/pam.d/common-auth
> #
> # /etc/pam.d/common-auth - authentication settings common to all services
> #
> # This file is included from other service-specific PAM config files,
> # and should contain a list of the authentication modules that define
> # the central authentication scheme for use on the system
> # (e.g., /etc/shadow, LDAP, Kerberos, etc.).  The default is to use the
> # traditional Unix authentication mechanisms.
> #
> # As of pam 1.0.1-6, this file is managed by pam-auth-update by default.
> # To take advantage of this, it is recommended that you configure any
> # local modules either before or after the default block, and use
> # pam-auth-update to manage selection of other modules.  See
> # pam-auth-update(8) for details.
>
> # here are the per-package modules (the "Primary" block)
> auth    [success=3 default=ignore]      pam_krb5.so minimum_uid=1000
> auth    [success=2 default=ignore]      pam_unix.so nullok_secure try_first_pass
> auth    [success=1 default=ignore]      pam_winbind.so krb5_auth krb5_ccache_type=FILE cached_login try_first_pass
> # here's the fallback if no module succeeds
> auth    requisite                       pam_deny.so
> # prime the stack with a positive return value if there isn't one already;
> # this avoids us returning an error just because nothing sets a success code
> # since the modules above will each just jump around
> auth    required                        pam_permit.so
> # and here are more per-package modules (the "Additional" block)
> # end of pam-auth-update config
>
>
>
> There are several other files that need to be configured correctly. I can
> provide those files to you if needed.
>
>
> If you have specific questions, feel free to come chat in #samba on
> irc.freenode.net with an IRC client. I am there as ioudas and can walk you
> through as well.
>
> -Greg
>
>
>
>
>
> On Tue, Jun 3, 2014 at 3:48 PM, Carla Nurse <packethelp at gmail.com> wrote:
>
>> Gregory,
>>
>> I should have mentioned that I am a novice when it comes to Samba. This
>> is literally my first interaction. I'm not sure what winbind idmapping is.
>> I will attach a copy of my smb.conf file though.
>>
>> smb.conf
>> [global]
>>  workgroup = CAVEHILL
>> server string = %h
>> security = ads
>> passdb backend = tdbsam
>> realm = CAVEHILL.UWI.EDU
>> encrypt passwords = yes
>> winbind use default domain = yes
>> client NTLMv2 auth = yes
>> preferred master = no
>> domain master = no
>> local master = no
>> load printers = no
>> log level = 1 winbind:5 auth:3
>> winbind max clients = 750
>> winbind max domain connections = 15
>>
>> I really am not sure what any of the other stuff is. Would you mind
>> breaking it down for me?
>>
>>
>> Carla
>>
>
>
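The three files Greg's messages say must agree (smb.conf, krb5.conf and nsswitch.conf) can be checked statically before touching winbindd. The script below is an added example for this thread, not code from either poster or from the Samba project. It assumes the files are passed as arguments and only reads them; the sample files it writes are constructed from the posted snippets, and the mismatched default_realm in the second sample is made up to show how a realm mismatch is reported.

```shell
#!/bin/sh
# Added example, not from the thread: a static pre-flight check of the three
# files the messages above say must agree before winbind can map domain users
# (smb.conf, krb5.conf, nsswitch.conf). It only reads files and never talks to
# a DC. The sample files below are constructed, not the posters' real ones.

# smb_opt FILE KEY: print KEY from [global]. Case and whitespace in the key are
# ignored, the way smbd itself treats "idmap config * : range".
smb_opt() {
    want=$(printf '%s' "$2" | tr -d ' \t' | tr 'A-Z' 'a-z')
    awk -F= -v want="$want" '
        /^[ \t]*[#;]/ { next }
        /^[ \t]*\[/   { s = tolower($0); gsub(/[ \t]/, "", s); inglobal = (s == "[global]"); next }
        inglobal && NF >= 2 {
            k = tolower($1); gsub(/[ \t]/, "", k)
            if (k == want) { v = substr($0, index($0, "=") + 1); gsub(/^[ \t]+|[ \t]+$/, "", v); print v; exit }
        }' "$1"
}

# krb_opt FILE SECTION KEY: print KEY from [SECTION] of a krb5.conf.
krb_opt() {
    awk -F= -v sec="[$2]" -v want="$3" '
        /^[ \t]*[#;]/ { next }
        /^[ \t]*\[/   { s = $0; gsub(/[ \t]/, "", s); insec = (s == sec); next }
        insec && NF >= 2 { k = $1; gsub(/[ \t]/, "", k); if (k == want) { v = $2; gsub(/[ \t]/, "", v); print v; exit } }
    ' "$1"
}

# nss_has_winbind FILE DB: succeed if the DB line (passwd or group) lists winbind.
nss_has_winbind() {
    awk -v db="$2:" '
        /^[ \t]*#/ { next }
        $1 == db { for (i = 2; i <= NF; i++) if ($i == "winbind") found = 1 }
        END { exit (found ? 0 : 1) }' "$1"
}

_fail() { echo "FAIL: $*"; fails=$((fails + 1)); }

# check_winbind_prereqs SMB_CONF KRB5_CONF NSSWITCH_CONF
# Prints one line per finding; the return value is the number of failed checks.
check_winbind_prereqs() {
    smb=$1; krb=$2; nss=$3; fails=0
    [ "$(smb_opt "$smb" security | tr 'A-Z' 'a-z')" = "ads" ] || _fail "security must be 'ads' for an AD member"
    # Kerberos realm names are case-sensitive and upper-case by convention;
    # smbd upper-cases its 'realm' value, so compare in that form.
    smb_realm=$(smb_opt "$smb" realm | tr 'a-z' 'A-Z')
    krb_realm=$(krb_opt "$krb" libdefaults default_realm)
    [ -n "$smb_realm" ] || _fail "smb.conf sets no realm"
    [ "$smb_realm" = "$krb_realm" ] || _fail "realm '$smb_realm' != krb5 default_realm '$krb_realm'"
    # Without a backend and range for the default domain, winbind has nowhere
    # to allocate uids/gids, so getent will show nothing for domain users.
    [ -n "$(smb_opt "$smb" 'idmap config * : backend')" ] || _fail "no 'idmap config * : backend'"
    range=$(smb_opt "$smb" 'idmap config * : range'); low=${range%-*}; high=${range#*-}
    if [ -z "$range" ] || [ "$range" = "$low" ] || [ -z "$low" ] || [ -z "$high" ]; then
        _fail "no usable 'idmap config * : range' ('$range')"
    else
        case "$low$high" in
            *[!0-9]*) _fail "idmap range '$range' is not numeric" ;;
            *) [ "$low" -lt "$high" ] || _fail "idmap range '$range' is not LOW-HIGH" ;;
        esac
    fi
    nss_has_winbind "$nss" passwd || _fail "nsswitch.conf passwd line lacks winbind"
    nss_has_winbind "$nss" group  || _fail "nsswitch.conf group line lacks winbind"
    [ "$fails" -eq 0 ] && echo "OK: $smb, $krb and $nss agree"
    return "$fails"
}

WBCHK_DIR=$(mktemp -d); trap 'rm -rf "$WBCHK_DIR"' EXIT
# Constructed sample 1: the working layout from Greg's box, with the spaced
# "idmap config * : range" spelling to show the key lookup tolerates it.
cat > "$WBCHK_DIR/good-smb.conf" <<'EOF'
[global]
workgroup = NRFDIST
security = ads
realm = nrfdist.local
idmap config * : backend = tdb
idmap config * : range = 11000-20000
EOF
cat > "$WBCHK_DIR/good-krb5.conf" <<'EOF'
[libdefaults]
 default_realm = NRFDIST.LOCAL
[realms]
 NRFDIST.LOCAL = {
  kdc = nrfdc1.nrfdist.local
 }
EOF
cat > "$WBCHK_DIR/nsswitch.conf" <<'EOF'
passwd:         compat winbind
group:          compat winbind
shadow:         compat
EOF
# Constructed sample 2: Carla's posted [global], which has no idmap config at
# all, paired with a krb5.conf whose default_realm (made up here) does not match.
cat > "$WBCHK_DIR/bad-smb.conf" <<'EOF'
[global]
workgroup = CAVEHILL
security = ads
realm = CAVEHILL.UWI.EDU
EOF
printf '[libdefaults]\n default_realm = EXAMPLE.COM\n' > "$WBCHK_DIR/bad-krb5.conf"

check_winbind_prereqs "$WBCHK_DIR/good-smb.conf" "$WBCHK_DIR/good-krb5.conf" "$WBCHK_DIR/nsswitch.conf"
check_winbind_prereqs "$WBCHK_DIR/bad-smb.conf"  "$WBCHK_DIR/bad-krb5.conf"  "$WBCHK_DIR/nsswitch.conf"
```

Run it against the real files as `check_winbind_prereqs /etc/samba/smb.conf /etc/krb5.conf /etc/nsswitch.conf`. It only confirms the files agree with each other; it does not prove the machine is joined or that the DC is reachable, so follow a clean run with the live checks the thread already uses (kinit, then wbinfo -p, wbinfo -t and net ads testjoin before wbinfo -u and getent passwd).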