[Samba] Domain users not resolving...
Achim Gottinger
achim at ag-web.biz
Fri Aug 22 21:07:05 MDT 2014
Am 23.08.2014 04:44, schrieb Ryan Ashley:
> I fixed it on the second DC by using its own idmap.ldb through
> "samba-tool ntacl sysvolreset". That set the permissions according to
> the ID's on itself. Yes, wbinfo returns domain users and groups. I
> have to run it by calling the absolute path however, since it is
> installed in that odd location.
>
> On 8/22/2014 9:43 PM, Achim Gottinger wrote:
>> Am 23.08.2014 02:19, schrieb Ryan Ashley:
>>> Rowland, I did not do this. This is a new client who dropped their
>>> old IT support due to issues on the network. I found out it was not
>>> having access to the sysvol. That is where I figured out what I
>>> have. I do use FHS in my builds, but I would never put it into a
>>> root directory like this. I guess the other team was testing Samba
>>> and using a client to test on! I do agree 100% that the issue is the
>>> path. However, I can feel good that I didn't do such a bone-headed
>>> move!
>>>
>>> Sorry for the lack of files, I had to figure out how it was set up.
>>> Everything, including the configuration file is in "/samba", which
>>> appears to be a separate partition. Here is what you requested.
>>>
>>> Samba 4.1.11 64bit
>>> Debian Squeeze 64bit
>>>
>>> =========
>>> smb.conf:
>>> =========
>>> # Global parameters
>>> [global]
>>> workgroup = DOMAIN
>>> realm = DOMAIN.LOCAL
>>> netbios name = DC01
>>> server role = active directory domain controller
>>> server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc,
>>> drepl, winbind, ntp_signd, kcc, dnsupdate
>>> interfaces = 127.0.0.1, 192.168.0.1
>>>
>>> [netlogon]
>>> path = /samba/var/locks/sysvol/kigm.local/scripts
>>> read only = No
>>>
>>> [sysvol]
>>> path = /samba/var/locks/sysvol
>>> read only = No
>>>
>>> =========
>>> krb5.conf:
>>> =========
>>> [libdefaults]
>>> default_realm = DOMAIN.LOCAL
>>> dns_lookup_realm = false
>>> dns_lookup_kdc = true
>>>
>>> =================
>>> Rowland's Request:
>>> =================
>>> root@dc01:~# /samba/sbin/samba -b
>>> Samba version: 4.1.11
>>> Build environment:
>>> Build host: Linux dc01 2.6.32-5-amd64 #1 SMP Tue May 13 16:34:35
>>> UTC 2014 x86_64 GNU/Linux
>>> Paths:
>>> BINDIR: /samba/bin
>>> SBINDIR: /samba/sbin
>>> CONFIGFILE: /samba/etc/smb.conf
>>> NCALRPCDIR: /samba/var/run/ncalrpc
>>> LOGFILEBASE: /samba/var
>>> LMHOSTSFILE: /samba/etc/lmhosts
>>> DATADIR: /samba/share
>>> MODULESDIR: /samba/lib
>>> LOCKDIR: /samba/var/lock
>>> STATEDIR: /samba/var/locks
>>> CACHEDIR: /samba/var/cache
>>> PIDDIR: /samba/var/run
>>> PRIVATE_DIR: /samba/private
>>> CODEPAGEDIR: /samba/share/codepages
>>> SETUPDIR: /samba/share/setup
>>> WINBINDD_SOCKET_DIR: /samba/var/run/winbindd
>>> WINBINDD_PRIVILEGED_SOCKET_DIR: /samba/var/lib/winbindd_privileged
>>> NTP_SIGND_SOCKET_DIR: /samba/var/lib/ntp_signd
>>>
>>> No ID's have been setup. The rfc2307 stuff is there, but they're not
>>> using it. They have two Samba DC's and everything else is Windows 7.
>>> They were using rsync to sync the sysvol, which had caused issues
>>> with GID/UID on the second DC, but I fixed that already. Well, tried
>>> to anyway. It is setup the EXACT same way. It also has issues with
>>> this stuff.
>>>
>>> I have a theory as to how to fix this but want advice first. If I am
>>> wrong, so be it. I would like to build Samba the STANDARD way (FHS,
>>> bin files go to /bin, etc) but have one concern. If I do this, do I
>>> simply need to adjust the paths in the configuration file and move
>>> the sysvol to the proper location? On all of the systems I do, this
>>> is always "/var/lib/samba/sysvol". I would obviously have to move
>>> the tdb files and such to "/var/lib/samba" as well. Would that work,
>>> or am I going to have to deal with this the way it is?
>>>
>>> If you need anything else, please ask. Remember, this is a DC and
>>> while rfc2307 attributes exist, they're not being used. Probably due
>>> to no Linux member servers.
>>>
>>> On 8/22/2014 4:54 PM, Rowland Penny wrote:
>>>> On 22/08/14 21:40, Marc Muehlfeld wrote:
>>>>> Hello,
>>>>>
>>>>> Am 22.08.2014 20:48, schrieb Ryan Ashley:
>>>>>> I stepped into a setup where Samba was compiled and installed into
>>>>>> "/samba". The configure command on the DC is "configure
>>>>>> --prefix=/samba". The links for libnss_wins.so.2 and
>>>>>> libnss_winbind.so.2
>>>>>> are there and nsswitch.conf is told to use winbind. However, "getent
>>>>>> group" returns only local users, "id" finds NO domain users, and
>>>>>> "getent
>>>>>> passwd" returns only local users. I did do a rebuild of Samba after
>>>>>> verifying the dependencies were there and configured/installed
>>>>>> the same
>>>>>> way so everything is in place. Still no dice. This guy was still
>>>>>> running
>>>>>> Debian Squeeze so the install is probably old. Things seem to
>>>>>> run, but
>>>>>> no systems can access the sysvol even after a reset, which led to
>>>>>> this
>>>>>> discovery.
>>>>>>
>>>>>> Now, my thinking is that maybe the binaries in "/samba/bin"
>>>>>> should be
>>>>>> linked to "/bin" and the same goes for the sbin stuff. Is this my
>>>>>> issue
>>>>>> or what am I looking at? Yes, I stepped into it this time...
>>>>>
>>>>> It would be much easier to help, if you give some information
>>>>> about your
>>>>> environment.
>>>>>
>>>>> - smb.conf
>>>>> - Samba version
>>>>> - IDs, etc. configured in your backend (depending on your Idmap
>>>>> config)
>>>>> - etc.
>>>>>
>>>>>
>>>>>
>>>>> Regards,
>>>>> Marc
>>>>>
>>>> It would also help if you followed the howto and didn't change bits
>>>> that you don't like, just why did you install into /samba instead
>>>> of /usr/local/samba ?
>>>> Everything out there is based on self compiling into
>>>> /usr/local/samba, the wiki gives you the instructions based on this.
>>>>
>>>> having said this, it is possibly/probably a path problem, could you
>>>> please post (along with what Marc has asked for) the result of
>>>> 'samba -b'
>>>>
>>>> Rowland
>>>
>> As you say the setup does not use rfc2307. You mentioned that you
>> fixed an issue with idmap uid/gid mapping, which you fixed. Did you
>> copy idmap.ldb from dc1 to dc2? Or did you use a different one, maybe
>> from another domain, as a template?
>> Does wbinfo -g and -u return domain groups and users?
>>
>> achim~
>>
>>
>
What does ldd /lib/libnss_winbind.so show? Any missing libs which reside
in /samba/lib?
Do you have /samba/lib in your library path? If not, create
/etc/ld.so.conf.d/samba.conf:
~# echo /samba/lib > /etc/ld.so.conf.d/samba.conf
~# ldconfig
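
The checks suggested above, as an added shell example that is not part of the original post. Every directory listed under /etc/ld.so.conf.d is searched for every dynamically linked program, so the third function checks ownership and permissions before `/samba/lib` is added; the function names, the sample `ldd` output and the library names in it are constructed for illustration.

```shell
#!/bin/sh
# Added example: diagnose unresolved libraries for libnss_winbind and vet a
# prefix library directory (e.g. /samba/lib) before trusting it system-wide.

# Constructed sample of `ldd /lib/libnss_winbind.so` output (not from the thread).
SAMPLE_LDD='	linux-vdso.so.1 =>  (0x00007fff5d9ff000)
	libwbclient.so.0 => not found
	libexample-private.so => not found
	libc.so.6 => /lib/libc.so.6 (0x00007f3b1c2a4000)'

# Read ldd output on stdin and print the name of every unresolved library.
missing_libs() {
    awk '/=> not found/ { print $1 }'
}

# Succeed if directory $1 appears as an exact line in a *.conf file under $2
# (default /etc/ld.so.conf.d). Comments and "include" lines are not followed.
libdir_configured() {
    dir=$1
    confdir=${2:-/etc/ld.so.conf.d}
    grep -qsxF -- "$dir" "$confdir"/*.conf
}

# Succeed only if $1 is a directory owned by uid $2 (default 0, root) and is
# neither group- nor world-writable. A loader search path that other accounts
# can write to lets them plant libraries that other programs will load.
libdir_trusted() {
    dir=$1
    owner=${2:-0}
    [ -d "$dir" ] || return 1
    [ -z "$(find "$dir" -prune \
        \( ! -user "$owner" -o -perm -020 -o -perm -002 \) -print)" ]
}

# Demonstration on the constructed sample; on a real host, pipe in
#   ldd /lib/libnss_winbind.so
# and call libdir_trusted /samba/lib before writing the ld.so.conf.d entry.
printf '%s\n' "$SAMPLE_LDD" | missing_libs
```
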