[Samba] Domain users not resolving...

L.P.H. van Belle belle at bazuin.nl
Mon Aug 25 07:22:17 MDT 2014


Why don't you upgrade to Debian Wheezy and start using the wheezy-backports samba or sernet-samba?
If you back up all your old samba files, the transfer from your own build of samba to Debian samba (or sernet samba)
isn't that hard.

About the id:

On my DC: id user => not found, but I must say, I don't use my DC for anything else but being a DC with sysvol.
getent passwd => nothing (and correct, I don't have winbind set in my nsswitch.conf)
wbinfo -u = all my users
wbinfo -g = all my groups. 

On my member server: id user1: uid=5003(user1) gid=5000(domain users) groups=5000(domain users),4294967295,4294967295,4294967295,4294967295,50002(BUILTIN\users)
getent passwd => only the users with UID assigned. 
getent group => only groups with GID assigned. 
wbinfo -u = all my users
wbinfo -g = all my groups.

But just a question: what are you using the RFC2307 uid on the DC server for?


Check if your smb.conf on all your Domain Controllers contains the following parameter in the "[global]" section:
idmap_ldb:use rfc2307 = yes

( see http://wiki.samba.org/index.php/Using_RFC2307_on_a_Samba_DC  ) 


Greetz, 

Louis



>-----Original message-----
>From: ryana at reachtechfp.com 
>[mailto:samba-bounces at lists.samba.org] On behalf of Ryan Ashley
>Sent: Monday 25 August 2014 14:59
>To: samba at lists.samba.org
>Subject: Re: [Samba] Domain users not resolving...
>
>On 08/23/2014 04:26 AM, Rowland Penny wrote:
>> On 23/08/14 01:19, Ryan Ashley wrote:
>>> Rowland, I did not do this. This is a new client who dropped their 
>>> old IT support due to issues on the network. I found out it was not 
>>> having access to the sysvol. That is where I figured out what I have. 
>>> I do use FHS in my builds, but I would never put it into a root 
>>> directory like this. I guess the other team was testing Samba and 
>>> using a client to test on! I do agree 100% that the issue is the 
>>> path. However, I can feel good that I didn't do such a bone-headed move!
>>>
>>> Sorry for the lack of files, I had to figure out how it was set up. 
>>> Everything, including the configuration file is in "/samba", which 
>>> appears to be a separate partition. Here is what you requested.
>>>
>>> Samba 4.1.11 64bit
>>> Debian Squeeze 64bit
>>>
>>> =========
>>> smb.conf:
>>> =========
>>> # Global parameters
>>> [global]
>>>         workgroup = DOMAIN
>>>         realm = DOMAIN.LOCAL
>>>         netbios name = DC01
>>>         server role = active directory domain controller
>>>         server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbind, ntp_signd, kcc, dnsupdate
>>>         interfaces = 127.0.0.1, 192.168.0.1
>>>
>>> [netlogon]
>>>         path = /samba/var/locks/sysvol/kigm.local/scripts
>>>         read only = No
>>>
>>> [sysvol]
>>>         path = /samba/var/locks/sysvol
>>>         read only = No
>>>
>>> =========
>>> krb5.conf:
>>> =========
>>> [libdefaults]
>>>         default_realm = DOMAIN.LOCAL
>>>         dns_lookup_realm = false
>>>         dns_lookup_kdc = true
>>>
>>> =================
>>> Rowland's Request:
>>> =================
>>> root at dc01:~# /samba/sbin/samba -b
>>> Samba version: 4.1.11
>>> Build environment:
>>>    Build host:  Linux dc01 2.6.32-5-amd64 #1 SMP Tue May 13 16:34:35 UTC 2014 x86_64 GNU/Linux
>>> Paths:
>>>    BINDIR: /samba/bin
>>>    SBINDIR: /samba/sbin
>>>    CONFIGFILE: /samba/etc/smb.conf
>>>    NCALRPCDIR: /samba/var/run/ncalrpc
>>>    LOGFILEBASE: /samba/var
>>>    LMHOSTSFILE: /samba/etc/lmhosts
>>>    DATADIR: /samba/share
>>>    MODULESDIR: /samba/lib
>>>    LOCKDIR: /samba/var/lock
>>>    STATEDIR: /samba/var/locks
>>>    CACHEDIR: /samba/var/cache
>>>    PIDDIR: /samba/var/run
>>>    PRIVATE_DIR: /samba/private
>>>    CODEPAGEDIR: /samba/share/codepages
>>>    SETUPDIR: /samba/share/setup
>>>    WINBINDD_SOCKET_DIR: /samba/var/run/winbindd
>>>    WINBINDD_PRIVILEGED_SOCKET_DIR: /samba/var/lib/winbindd_privileged
>>>    NTP_SIGND_SOCKET_DIR: /samba/var/lib/ntp_signd
>>>
>>> No ID's have been setup. The rfc2307 stuff is there, but they're not 
>>> using it. They have two Samba DC's and everything else is Windows 7. 
>>> They were using rsync to sync the sysvol, which had caused issues 
>>> with GID/UID on the second DC, but I fixed that already. Well, tried 
>>> to anyway. It is setup the EXACT same way. It also has issues with 
>>> this stuff.
>>>
>>> I have a theory as to how to fix this but want advice first. If I am 
>>> wrong, so be it. I would like to build Samba the STANDARD way (FHS, 
>>> bin files go to /bin, etc) but have one concern. If I do this, do I 
>>> simply need to adjust the paths in the configuration file and move 
>>> the sysvol to the proper location? On all of the systems I do, this 
>>> is always "/var/lib/samba/sysvol". I would obviously have to move the 
>>> tdb files and such to "/var/lib/samba" as well. Would that work, or 
>>> am I going to have to deal with this the way it is?
>>>
>>> If you need anything else, please ask. Remember, this is a DC and 
>>> while rfc2307 attributes exist, they're not being used. Probably due 
>>> to no Linux member servers.
>>>
>>> On 8/22/2014 4:54 PM, Rowland Penny wrote:
>>>> On 22/08/14 21:40, Marc Muehlfeld wrote:
>>>>> Hello,
>>>>>
>>>>> On 22.08.2014 20:48, Ryan Ashley wrote:
>>>>>> I stepped into a setup where Samba was compiled and installed into
>>>>>> "/samba". The configure command on the DC is "configure
>>>>>> --prefix=/samba". The links for libnss_wins.so.2 and libnss_winbind.so.2
>>>>>> are there and nsswitch.conf is told to use winbind. However, "getent
>>>>>> group" returns only local users, "id" finds NO domain users, and "getent
>>>>>> passwd" returns only local users. I did do a rebuild of Samba after
>>>>>> verifying the dependencies were there and configured/installed the same
>>>>>> way so everything is in place. Still no dice. This guy was still running
>>>>>> Debian Squeeze so the install is probably old. Things seem to run, but
>>>>>> no systems can access the sysvol even after a reset, which led to this
>>>>>> discovery.
>>>>>>
>>>>>> Now, my thinking is that maybe the binaries in "/samba/bin" should be
>>>>>> linked to "/bin" and the same goes for the sbin stuff. Is this my issue
>>>>>> or what am I looking at? Yes, I stepped into it this time...
>>>>>
>>>>> It would be much easier to help, if you give some information about your
>>>>> environment.
>>>>>
>>>>> - smb.conf
>>>>> - Samba version
>>>>> - IDs, etc. configured in your backend (depending on your Idmap config)
>>>>> - etc.
>>>>>
>>>>>
>>>>>
>>>>> Regards,
>>>>> Marc
>>>>>
>>>> It would also help if you followed the howto and didn't change bits 
>>>> that you don't like, just why did you install into /samba instead of 
>>>> /usr/local/samba ?
>>>> Everything out there is based on self compiling into 
>>>> /usr/local/samba, the wiki gives you the instructions based on this.
>>>>
>>>> having said this, it is possibly/probably a path problem, could you 
>>>> please post (along with what Marc has asked for) the result of 
>>>> 'samba -b'
>>>>
>>>> Rowland
>>>
>> OK, what does 'echo "$PATH"' return, does it have '/samba/sbin' & 
>> '/samba/bin' in it ?
>>
>> If not, try this:
>>
>> export PATH=/samba/sbin:/samba/bin:$PATH
>>
>> if everything now works correctly, do this:
>>
>> echo "PATH=/samba/sbin:/samba/bin:$PATH" > /etc/profile.d/samba4.sh
>>
>> Rowland
>Rowland, nothing in /samba is in the path. I had already tried your 
>suggestion, but I did it again this morning and here are my results. It 
>does not fix the issue. I also included some configuration files and such.
>
>root at dc01:~# echo "$PATH"
>/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
>root at dc01:~# export PATH=$PATH:/samba/bin:/samba/sbin
>root at dc01:~# id maliag
>id: maliag: No such user
>root at dc01:~# id michaelh
>id: michaelh: No such user
>root at dc01:~# getent passwd
>root:x:0:0:root:/root:/bin/bash
>daemon:x:1:1:daemon:/usr/sbin:/bin/sh
>bin:x:2:2:bin:/bin:/bin/sh
>sys:x:3:3:sys:/dev:/bin/sh
>sync:x:4:65534:sync:/bin:/bin/sync
>games:x:5:60:games:/usr/games:/bin/sh
>man:x:6:12:man:/var/cache/man:/bin/sh
>lp:x:7:7:lp:/var/spool/lpd:/bin/sh
>mail:x:8:8:mail:/var/mail:/bin/sh
>news:x:9:9:news:/var/spool/news:/bin/sh
>uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh
>proxy:x:13:13:proxy:/bin:/bin/sh
>www-data:x:33:33:www-data:/var/www:/bin/sh
>backup:x:34:34:backup:/var/backups:/bin/sh
>list:x:38:38:Mailing List Manager:/var/list:/bin/sh
>irc:x:39:39:ircd:/var/run/ircd:/bin/sh
>gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh
>nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
>libuuid:x:100:101::/var/lib/libuuid:/bin/sh
>ntp:x:101:103::/home/ntp:/bin/false
>sshd:x:102:65534::/var/run/sshd:/usr/sbin/nologin
>bind:x:103:105::/var/cache/bind:/bin/false
>root at dc01:~# cat /samba/etc/smb.conf
># Global parameters
>[global]
>         workgroup = KIGM
>         realm = KIGM.LOCAL
>         netbios name = DC01
>         server role = active directory domain controller
>         server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbind, ntp_signd, kcc, dnsupdate
>         interfaces = 127.0.0.1, 192.168.0.1
>
>[netlogon]
>         path = /samba/var/locks/sysvol/kigm.local/scripts
>         read only = No
>
>[sysvol]
>         path = /samba/var/locks/sysvol
>         read only = No
>root at dc01:~# cat /etc/nsswitch.conf
># /etc/nsswitch.conf
>#
># Example configuration of GNU Name Service Switch functionality.
># If you have the `glibc-doc-reference' and `info' packages installed, try:
># `info libc "Name Service Switch"' for information about this file.
>
>passwd:         compat winbind
>group:          compat winbind
>shadow:         compat
>
>hosts:          files dns wins
>networks:       files
>
>protocols:      db files
>services:       db files
>ethers:         db files
>rpc:            db files
>
>netgroup:       nis
>root at dc01:~# wbinfo -g
>Enterprise Read-Only Domain Controllers
>Domain Admins
>Domain Users
>Domain Guests
>Domain Computers
>Domain Controllers
>Schema Admins
>Enterprise Admins
>Group Policy Creator Owners
>Read-Only Domain Controllers
>DnsUpdateProxy
>Operations
>AV
>Graphics
>WAFA
>Finance
>Logos
>Streaming
>root at dc01:~# cat /etc/krb5.conf
>[libdefaults]
>         default_realm = KIGM.LOCAL
>         dns_lookup_realm = false
>         dns_lookup_kdc = true
>
>Thanks for the help. What about my suggestion to perform a normal 
>install per the book and then move everything in /samba/var/lib to the 
>correct location? Would that not work? I agree with you that this issue 
>is caused by the odd install location.
>
>
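
A static pre-check for the three things this thread examines (winbind in nsswitch.conf, the libnss_winbind.so.2 link, and the `idmap_ldb:use rfc2307` setting in `[global]`), as an added example that is not part of any poster's message. The function names and the sample files are constructed for illustration; on a real host pass the actual paths, such as /etc/nsswitch.conf, /samba/etc/smb.conf and the system library directories.

```shell
#!/bin/sh
# Added example (not from the thread): static checks for the three items discussed.

# nss_has_winbind FILE DB: true if the "DB:" line of an nsswitch.conf lists winbind.
nss_has_winbind() {
    awk -v db="$2:" '{ sub(/#.*/, "") }
        $1 == db { for (i = 2; i <= NF; i++) if ($i == "winbind") found = 1 }
        END { exit !found }' "$1"
}

# nss_module_in DIR...: true if libnss_winbind.so.2 resolves in one of the DIRs.
# [ -e ] follows symlinks, so a dangling link counts as missing.
nss_module_in() {
    for d in "$@"; do
        if [ -e "$d/libnss_winbind.so.2" ]; then return 0; fi
    done
    return 1
}

# smb_rfc2307_on FILE: true if [global] sets "idmap_ldb:use rfc2307" to yes/true/1.
smb_rfc2307_on() {
    awk '/^[ \t]*[#;]/ { next }
        /^[ \t]*\[/ { s = tolower($0); gsub(/[ \t]/, "", s); g = (s == "[global]"); next }
        g && index($0, "=") {
            k = tolower(substr($0, 1, index($0, "=") - 1))
            v = tolower(substr($0, index($0, "=") + 1))
            gsub(/^[ \t]+|[ \t]+$/, "", k); gsub(/[ \t]+/, " ", k)
            gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (k == "idmap_ldb:use rfc2307") ok = (v == "yes" || v == "true" || v == "1")
        }
        END { exit !ok }' "$1"
}

# check_dc NSSWITCH SMBCONF LIBDIR...: print each failed check, return 1 if any failed.
check_dc() {
    nss=$1; smb=$2; shift 2; rc=0
    for db in passwd group; do
        nss_has_winbind "$nss" "$db" || { echo "nsswitch.conf: $db lacks winbind"; rc=1; }
    done
    nss_module_in "$@" || { echo "libnss_winbind.so.2 missing or dangling"; rc=1; }
    smb_rfc2307_on "$smb" || { echo "smb.conf: idmap_ldb:use rfc2307 not enabled"; rc=1; }
    return $rc
}

# Constructed sample mirroring the files quoted in the thread.
t=$(mktemp -d)
printf 'passwd: compat winbind\ngroup: compat winbind\nshadow: compat\n' > "$t/nsswitch.conf"
printf '[global]\n\tworkgroup = DOMAIN\n[sysvol]\n\tread only = No\n' > "$t/smb.conf"
check_dc "$t/nsswitch.conf" "$t/smb.conf" "$t" || true
rm -rf "$t"
```

These checks only read configuration; the runtime test remains `getent passwd` and `id` for a domain user, as used in the thread.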


