[Samba] getent shows only local entries.
Roy Eastwood
spindles7 at gmail.com
Sun Jan 26 11:06:18 UTC 2020
In addition to Rowland's comments see inline comment below:
On 26 January 2020 10:26 Rowland Penny wrote:
> On 26/01/2020 09:37, Daniel Lang via samba wrote:
> > Hello,
> >
> > I installed a fresh version as an AD DC domain under Debian Bullseye with
> > version 4.11.3; this works perfectly. Windows machines can sign
> > in to the domain. Now I have created a file server as a domain member for services,
> > e.g. profiles and shares. The domain join succeeded. wbinfo -u shows the
> > AD users, as does wbinfo -g, but I can't retrieve users and groups with the ad
> > backend. getent shows only local entries. Both machines run in an
> > unprivileged LXC container. The time is coordinated by the host and is correct.
Not specifically relevant to the problem you cite, but you will need to use privileged LXD/LXC containers for both the DC and the
member server, as the container needs to set the underlying filing system ACLs for Samba to work correctly.
> >
> > Here are my both configuration files:
> >
> > krb5.conf
> > [libdefaults]
> > default_realm = INTERN.EXAMPLE.DE
> > dns_lookup_realm = false
> > dns_lookup_kdc = true
> >
> > smb.conf
> > # Global parameters
> > [global]
> > dedicated keytab file = /etc/krb5.keytab
> > kerberos method = secrets and keytab
> > realm = INTERN.EXAMPLE.DE
> > security = ADS
> > server min protocol = SMB2
> > winbind enum groups = Yes
> > winbind enum users = Yes
> > winbind refresh tickets = Yes
> > workgroup = INTERN
> > idmap config intern:range = 10000-999999
> > idmap config intern:schema_mode = rfc2307
> > idmap config intern:backend = ad
> > idmap config *:range = 3000-7999
> > idmap config * : backend = tdb
> > map acl inherit = Yes
> > vfs objects = acl_xattr
> >
> >
> > The winbindd service started correctly.
> >
> > winbindd version 4.11.3-Debian started.
> > Copyright Andrew Tridgell and the Samba Team 1992-2019
> > [2020/01/26 08:46:50.212310, 0]
> > ../../source3/winbindd/winbindd_cache.c:3164(initialize_winbindd_cache)
> > initialize_winbindd_cache: clearing cache and re-creating with
> > version number 2
> > [2020/01/26 08:46:50.213156, 0]
> > ../../lib/util/become_daemon.c:135(daemon_ready)
> > daemon_ready: daemon 'winbindd' finished starting up and ready to
> > serve connections
> >
> >
> > I am grateful for any suggestion.
> >
> > Best regards
> > Daniel
>
> Whilst wbinfo is showing your users and groups, this does not mean that Unix knows who they are.
>
> Do you have libnss-winbind, libpam-winbind and libpam-krb5 installed?
>
> Have you set 'winbind' in the 'passwd' & 'group' lines in /etc/nsswitch.conf?
>
> Have you added uidNumber attributes to your users and a gidNumber to 'Domain Users'?
>
> They are not added automatically, you need to add them manually.
>
> Rowland
HTH
Roy
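
Rowland's nsswitch.conf check, together with a range check against the posted `idmap config intern:range` line, as an added shell example that is not part of the original thread. The sample files are constructed and the function names are hypothetical; that the ad backend ignores IDs outside the configured range is taken from Samba's idmap_ad documentation, not from the thread.

```shell
#!/bin/sh
# Added example: offline checks for the NSS side of a Samba domain member.

# nss_sources FILE DB: print the sources listed for database DB
# (passwd, group, ...), ignoring comments.
nss_sources() {
    awk -v db="$2" '
        { sub(/#.*/, ""); sub(/:/, ": ") }   # drop comments, split "db:src"
        $1 == (db ":") { for (i = 2; i <= NF; i++) print $i }' "$1"
}

# nss_missing_winbind FILE: print each of passwd/group that lacks winbind;
# prints nothing when both are configured.
nss_missing_winbind() {
    for db in passwd group; do
        nss_sources "$1" "$db" | grep -qx winbind || echo "$db"
    done
}

# idmap_range FILE DOMAIN: print "LOW HIGH" from "idmap config DOMAIN:range".
idmap_range() {
    sed -n "s/^[[:space:]]*idmap config $2[[:space:]]*:[[:space:]]*range[[:space:]]*=[[:space:]]*\([0-9][0-9]*\)-\([0-9][0-9]*\).*/\1 \2/p" "$1"
}

# id_in_range FILE DOMAIN ID: succeed if ID lies inside that domain's range.
# With the ad backend, uidNumber/gidNumber values outside it are ignored.
id_in_range() {
    set -- "$3" $(idmap_range "$1" "$2")
    [ "$#" -eq 3 ] && [ "$1" -ge "$2" ] && [ "$1" -le "$3" ]
}

# Constructed sample files (not taken from the poster's system).
tmp=$(mktemp -d)
printf 'passwd: files systemd\ngroup:files systemd # default\n' > "$tmp/nss.before"
printf 'passwd: files systemd winbind\ngroup: files systemd winbind\n' > "$tmp/nss.after"
printf '[global]\n  idmap config intern:range = 10000-999999\n  idmap config *:range = 3000-7999\n' > "$tmp/smb.conf"

echo "before: winbind missing in: $(nss_missing_winbind "$tmp/nss.before" | tr '\n' ' ')"
echo "after:  winbind missing in: $(nss_missing_winbind "$tmp/nss.after" | tr '\n' ' ')"
id_in_range "$tmp/smb.conf" intern 500 || echo "uidNumber 500 is outside the intern range"
```

On the member server, `nss_missing_winbind /etc/nsswitch.conf` should print nothing; any uidNumber or gidNumber assigned in AD should also pass `id_in_range` against the real smb.conf.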