[Samba] Domain users not resolving...

Ryan Ashley ryana at reachtechfp.com
Mon Aug 25 07:34:25 MDT 2014


On 8/25/2014 9:20 AM, Rowland Penny wrote:
> On 25/08/14 13:59, Ryan Ashley wrote:
>> On 08/23/2014 04:26 AM, Rowland Penny wrote:
>>> On 23/08/14 01:19, Ryan Ashley wrote:
>>>> Rowland, I did not do this. This is a new client who dropped their 
>>>> old IT support due to issues on the network. I found out it was not 
>>>> having access to the sysvol. That is where I figured out what I 
>>>> have. I do use FHS in my builds, but I would never put it into a 
>>>> root directory like this. I guess the other team was testing Samba 
>>>> and using a client to test on! I do agree 100% that the issue is 
>>>> the path. However, I can feel good that I didn't do such a 
>>>> bone-headed move!
>>>>
>>>> Sorry for the lack of files, I had to figure out how it was set up. 
>>>> Everything, including the configuration file is in "/samba", which 
>>>> appears to be a separate partition. Here is what you requested.
>>>>
>>>> Samba 4.1.11 64bit
>>>> Debian Squeeze 64bit
>>>>
>>>> =========
>>>> smb.conf:
>>>> =========
>>>> # Global parameters
>>>> [global]
>>>>         workgroup = DOMAIN
>>>>         realm = DOMAIN.LOCAL
>>>>         netbios name = DC01
>>>>         server role = active directory domain controller
>>>>         server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbind, ntp_signd, kcc, dnsupdate
>>>>         interfaces = 127.0.0.1, 192.168.0.1
>>>>
>>>> [netlogon]
>>>>         path = /samba/var/locks/sysvol/kigm.local/scripts
>>>>         read only = No
>>>>
>>>> [sysvol]
>>>>         path = /samba/var/locks/sysvol
>>>>         read only = No
>>>>
>>>> =========
>>>> krb5.conf:
>>>> =========
>>>> [libdefaults]
>>>>         default_realm = DOMAIN.LOCAL
>>>>         dns_lookup_realm = false
>>>>         dns_lookup_kdc = true
>>>>
>>>> =================
>>>> Rowland's Request:
>>>> =================
>>>> root@dc01:~# /samba/sbin/samba -b
>>>> Samba version: 4.1.11
>>>> Build environment:
>>>>    Build host:  Linux dc01 2.6.32-5-amd64 #1 SMP Tue May 13 16:34:35 UTC 2014 x86_64 GNU/Linux
>>>> Paths:
>>>>    BINDIR: /samba/bin
>>>>    SBINDIR: /samba/sbin
>>>>    CONFIGFILE: /samba/etc/smb.conf
>>>>    NCALRPCDIR: /samba/var/run/ncalrpc
>>>>    LOGFILEBASE: /samba/var
>>>>    LMHOSTSFILE: /samba/etc/lmhosts
>>>>    DATADIR: /samba/share
>>>>    MODULESDIR: /samba/lib
>>>>    LOCKDIR: /samba/var/lock
>>>>    STATEDIR: /samba/var/locks
>>>>    CACHEDIR: /samba/var/cache
>>>>    PIDDIR: /samba/var/run
>>>>    PRIVATE_DIR: /samba/private
>>>>    CODEPAGEDIR: /samba/share/codepages
>>>>    SETUPDIR: /samba/share/setup
>>>>    WINBINDD_SOCKET_DIR: /samba/var/run/winbindd
>>>>    WINBINDD_PRIVILEGED_SOCKET_DIR: /samba/var/lib/winbindd_privileged
>>>>    NTP_SIGND_SOCKET_DIR: /samba/var/lib/ntp_signd
>>>>
>>>> No ID's have been setup. The rfc2307 stuff is there, but they're 
>>>> not using it. They have two Samba DC's and everything else is 
>>>> Windows 7. They were using rsync to sync the sysvol, which had 
>>>> caused issues with GID/UID on the second DC, but I fixed that 
>>>> already. Well, tried to anyway. It is setup the EXACT same way. It 
>>>> also has issues with this stuff.
>>>>
>>>> I have a theory as to how to fix this but want advice first. If I 
>>>> am wrong, so be it. I would like to build Samba the STANDARD way 
>>>> (FHS, bin files go to /bin, etc) but have one concern. If I do 
>>>> this, do I simply need to adjust the paths in the configuration 
>>>> file and move the sysvol to the proper location? On all of the 
>>>> systems I do, this is always "/var/lib/samba/sysvol". I would 
>>>> obviously have to move the tdb files and such to "/var/lib/samba" 
>>>> as well. Would that work, or am I going to have to deal with this 
>>>> the way it is?
>>>>
>>>> If you need anything else, please ask. Remember, this is a DC and 
>>>> while rfc2307 attributes exist, they're not being used. Probably 
>>>> due to no Linux member servers.
>>>>
>>>> On 8/22/2014 4:54 PM, Rowland Penny wrote:
>>>>> On 22/08/14 21:40, Marc Muehlfeld wrote:
>>>>>> Hello,
>>>>>>
>>>>>> Am 22.08.2014 20:48, schrieb Ryan Ashley:
>>>>>>> I stepped into a setup where Samba was compiled and installed into
>>>>>>> "/samba". The configure command on the DC is "configure
>>>>>>> --prefix=/samba". The links for libnss_wins.so.2 and libnss_winbind.so.2
>>>>>>> are there and nsswitch.conf is told to use winbind. However, "getent
>>>>>>> group" returns only local users, "id" finds NO domain users, and "getent
>>>>>>> passwd" returns only local users. I did do a rebuild of Samba after
>>>>>>> verifying the dependencies were there and configured/installed the same
>>>>>>> way so everything is in place. Still no dice. This guy was still running
>>>>>>> Debian Squeeze so the install is probably old. Things seem to run, but
>>>>>>> no systems can access the sysvol even after a reset, which led to this
>>>>>>> discovery.
>>>>>>>
>>>>>>> Now, my thinking is that maybe the binaries in "/samba/bin" should be
>>>>>>> linked to "/bin" and the same goes for the sbin stuff. Is this my issue
>>>>>>> or what am I looking at? Yes, I stepped into it this time...
>>>>>>
>>>>>> It would be much easier to help, if you give some information about your
>>>>>> environment.
>>>>>>
>>>>>> - smb.conf
>>>>>> - Samba version
>>>>>> - IDs, etc. configured in your backend (depending on your Idmap config)
>>>>>> - etc.
>>>>>>
>>>>>>
>>>>>>
>>>>>> Regards,
>>>>>> Marc
>>>>>>
>>>>> It would also help if you followed the howto and didn't change 
>>>>> bits that you don't like, just why did you install into /samba 
>>>>> instead of /usr/local/samba ?
>>>>> Everything out there is based on self compiling into 
>>>>> /usr/local/samba, the wiki gives you the instructions based on this.
>>>>>
>>>>> having said this, it is possibly/probably a path problem, could 
>>>>> you please post (along with what Marc has asked for) the result of 
>>>>> 'samba -b'
>>>>>
>>>>> Rowland
>>>>
>>> OK, what does 'echo "$PATH"' return, does it have '/samba/sbin' & 
>>> '/samba/bin' in it ?
>>>
>>> If not, try this:
>>>
>>> export PATH=/samba/sbin:/samba/bin:$PATH
>>>
>>> if everything now works correctly, do this:
>>>
>>> echo "PATH=/samba/sbin:/samba/bin:$PATH" > /etc/profile.d/samba4.sh
>>>
>>> Rowland
>> Rowland, nothing in /samba is in the path. I had already tried your 
>> suggestion, but I did it again this morning and here are my results. 
>> It does not fix the issue. I also included some configuration files 
>> and such.
>>
>> root@dc01:~# echo "$PATH"
>> /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
>> root@dc01:~# export PATH=$PATH:/samba/bin:/samba/sbin
>
> Ryan, why do you never read anything correctly <sigh>
>
> It should have been:
>
> export PATH=/samba/sbin:/samba/bin:$PATH
>
>
> The way you have it, if there are ANY other samba binaries in your 
> PATH, they will be found before the ones you have installed in /samba.
>
> Also, and this came up on another recent post, you may have to create 
> the winbind symlinks to get getent to work with AD. See the wiki, on 
> the member servers page.
>
> Rowland
>
>> root@dc01:~# id maliag
>> id: maliag: No such user
>> root@dc01:~# id michaelh
>> id: michaelh: No such user
>> root@dc01:~# getent passwd
>> root:x:0:0:root:/root:/bin/bash
>> daemon:x:1:1:daemon:/usr/sbin:/bin/sh
>> bin:x:2:2:bin:/bin:/bin/sh
>> sys:x:3:3:sys:/dev:/bin/sh
>> sync:x:4:65534:sync:/bin:/bin/sync
>> games:x:5:60:games:/usr/games:/bin/sh
>> man:x:6:12:man:/var/cache/man:/bin/sh
>> lp:x:7:7:lp:/var/spool/lpd:/bin/sh
>> mail:x:8:8:mail:/var/mail:/bin/sh
>> news:x:9:9:news:/var/spool/news:/bin/sh
>> uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh
>> proxy:x:13:13:proxy:/bin:/bin/sh
>> www-data:x:33:33:www-data:/var/www:/bin/sh
>> backup:x:34:34:backup:/var/backups:/bin/sh
>> list:x:38:38:Mailing List Manager:/var/list:/bin/sh
>> irc:x:39:39:ircd:/var/run/ircd:/bin/sh
>> gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh
>> nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
>> libuuid:x:100:101::/var/lib/libuuid:/bin/sh
>> ntp:x:101:103::/home/ntp:/bin/false
>> sshd:x:102:65534::/var/run/sshd:/usr/sbin/nologin
>> bind:x:103:105::/var/cache/bind:/bin/false
>> root@dc01:~# cat /samba/etc/smb.conf
>> # Global parameters
>> [global]
>>         workgroup = KIGM
>>         realm = KIGM.LOCAL
>>         netbios name = DC01
>>         server role = active directory domain controller
>>         server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbind, ntp_signd, kcc, dnsupdate
>>         interfaces = 127.0.0.1, 192.168.0.1
>>
>> [netlogon]
>>         path = /samba/var/locks/sysvol/kigm.local/scripts
>>         read only = No
>>
>> [sysvol]
>>         path = /samba/var/locks/sysvol
>>         read only = No
>> root@dc01:~# cat /etc/nsswitch.conf
>> # /etc/nsswitch.conf
>> #
>> # Example configuration of GNU Name Service Switch functionality.
>> # If you have the `glibc-doc-reference' and `info' packages installed, try:
>> # `info libc "Name Service Switch"' for information about this file.
>>
>> passwd:         compat winbind
>> group:          compat winbind
>> shadow:         compat
>>
>> hosts:          files dns wins
>> networks:       files
>>
>> protocols:      db files
>> services:       db files
>> ethers:         db files
>> rpc:            db files
>>
>> netgroup:       nis
>> root@dc01:~# wbinfo -g
>> Enterprise Read-Only Domain Controllers
>> Domain Admins
>> Domain Users
>> Domain Guests
>> Domain Computers
>> Domain Controllers
>> Schema Admins
>> Enterprise Admins
>> Group Policy Creator Owners
>> Read-Only Domain Controllers
>> DnsUpdateProxy
>> Operations
>> AV
>> Graphics
>> WAFA
>> Finance
>> Logos
>> Streaming
>> root@dc01:~# cat /etc/krb5.conf
>> [libdefaults]
>>         default_realm = KIGM.LOCAL
>>         dns_lookup_realm = false
>>         dns_lookup_kdc = true
>>
>> Thanks for the help. What about my suggestion to perform a normal 
>> install per the book and then move everything in /samba/var/lib to 
>> the correct location? Would that not work? I agree with you that this 
>> issue is caused by the odd install location.
>
Rowland, you did not ask for the symlink info, but they are there. I 
will post the directory listing now. Also, there are no other Samba 
binaries on the system, but I did reverse it the way you did it and no 
difference. That is simply a habit stemming from the days of DOS in that 
you always appended your stuff after the main path. Since I already knew 
there were no other Samba binaries on the system, I just did it that 
way. Again, I have tried it your way and had the same results. Here is 
the directory listing.

root@dc01:~# l /lib | grep win
lrwxrwxrwx  1 root root      30 Aug 22 14:03 libnss_winbind.so -> /samba/lib/libnss_winbind.so.2
lrwxrwxrwx  1 root root      30 Aug 22 14:03 libnss_winbind.so.2 -> /lib/libnss_winbind.so
lrwxrwxrwx  1 root root      27 Aug 22 14:41 libnss_wins.so -> /samba/lib/libnss_wins.so.2
lrwxrwxrwx  1 root root      27 Aug 22 14:41 libnss_wins.so.2 -> /lib/libnss_wins.so

I created those last week before ever coming to the list. On Debian 
Squeeze, "lib64" is a symlink to "lib". That is why I listed "/lib". I 
also double-checked and there are NO Samba binaries on the system 
outside of "/samba".
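
Added example, not part of the original message and not Samba project code: a shell check for the two points discussed in this thread, namely whether each NSS service named in nsswitch.conf has a libnss_<service>.so.2 whose symlink chain ends at a real file, and which directory in a PATH string supplies a binary first. The function names and their arguments are hypothetical.

```shell
#!/bin/sh
# Added example; function names and arguments are assumptions, not from the thread.

# nss_services CONF DB: print the services configured for database DB
# (e.g. "passwd") in an nsswitch.conf file, one per line, skipping
# action items such as [NOTFOUND=return].
nss_services() {
    sed -n "s/^$2:[[:space:]]*//p" "$1" | tr -s ' \t' '\n' | grep -v '^\['
}

# nss_check LIBDIR CONF DB: for each configured service, report whether
# LIBDIR/libnss_<service>.so.2 exists and where its symlink chain ends.
# Returns non-zero if any module is missing or dangling.
nss_check() {
    libdir=$1; conf=$2; db=$3; rc=0
    for svc in $(nss_services "$conf" "$db"); do
        lib="$libdir/libnss_$svc.so.2"
        if [ -e "$lib" ]; then          # -e follows symlinks to the final target
            echo "$svc: ok -> $(readlink -f "$lib")"
        elif [ -L "$lib" ]; then        # link exists but its target does not
            echo "$svc: dangling symlink"; rc=1
        else
            echo "$svc: missing"; rc=1
        fi
    done
    return $rc
}

# first_in_path NAME PATHSTRING: print the first directory in PATHSTRING
# that holds an executable file NAME, which is the copy a shell would run.
first_in_path() {
    name=$1; old_ifs=$IFS; IFS=:
    for d in $2; do
        if [ -f "$d/$name" ] && [ -x "$d/$name" ]; then
            IFS=$old_ifs; echo "$d"; return 0
        fi
    done
    IFS=$old_ifs; return 1
}

# Usage on a host laid out like the one in this thread:
#   nss_check /lib /etc/nsswitch.conf passwd
#   first_in_path wbinfo "$PATH"
```
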

