[Samba] Domain users not resolving...

Rowland Penny rowlandpenny at googlemail.com
Mon Aug 25 07:39:46 MDT 2014


On 25/08/14 14:34, Ryan Ashley wrote:
> On 8/25/2014 9:20 AM, Rowland Penny wrote:
>> On 25/08/14 13:59, Ryan Ashley wrote:
>>> On 08/23/2014 04:26 AM, Rowland Penny wrote:
>>>> On 23/08/14 01:19, Ryan Ashley wrote:
>>>>> Rowland, I did not do this. This is a new client who dropped their 
>>>>> old IT support due to issues on the network. I found out it was 
>>>>> not having access to the sysvol. That is where I figured out what 
>>>>> I have. I do use FHS in my builds, but I would never put it into a 
>>>>> root directory like this. I guess the other team was testing Samba 
>>>>> and using a client to test on! I do agree 100% that the issue is 
>>>>> the path. However, I can feel good that I didn't do such a 
>>>>> bone-headed move!
>>>>>
>>>>> Sorry for the lack of files, I had to figure out how it was set 
>>>>> up. Everything, including the configuration file is in "/samba", 
>>>>> which appears to be a separate partition. Here is what you requested.
>>>>>
>>>>> Samba 4.1.11 64bit
>>>>> Debian Squeeze 64bit
>>>>>
>>>>> =========
>>>>> smb.conf:
>>>>> =========
>>>>> # Global parameters
>>>>> [global]
>>>>>         workgroup = DOMAIN
>>>>>         realm = DOMAIN.LOCAL
>>>>>         netbios name = DC01
>>>>>         server role = active directory domain controller
>>>>>         server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, 
>>>>> drepl, winbind, ntp_signd, kcc, dnsupdate
>>>>>         interfaces = 127.0.0.1, 192.168.0.1
>>>>>
>>>>> [netlogon]
>>>>>         path = /samba/var/locks/sysvol/kigm.local/scripts
>>>>>         read only = No
>>>>>
>>>>> [sysvol]
>>>>>         path = /samba/var/locks/sysvol
>>>>>         read only = No
>>>>>
>>>>> =========
>>>>> krb5.conf:
>>>>> =========
>>>>> [libdefaults]
>>>>>         default_realm = DOMAIN.LOCAL
>>>>>         dns_lookup_realm = false
>>>>>         dns_lookup_kdc = true
>>>>>
>>>>> =================
>>>>> Rowland's Request:
>>>>> =================
>>>>> root at dc01:~# /samba/sbin/samba -b
>>>>> Samba version: 4.1.11
>>>>> Build environment:
>>>>>    Build host:  Linux dc01 2.6.32-5-amd64 #1 SMP Tue May 13 
>>>>> 16:34:35 UTC 2014 x86_64 GNU/Linux
>>>>> Paths:
>>>>>    BINDIR: /samba/bin
>>>>>    SBINDIR: /samba/sbin
>>>>>    CONFIGFILE: /samba/etc/smb.conf
>>>>>    NCALRPCDIR: /samba/var/run/ncalrpc
>>>>>    LOGFILEBASE: /samba/var
>>>>>    LMHOSTSFILE: /samba/etc/lmhosts
>>>>>    DATADIR: /samba/share
>>>>>    MODULESDIR: /samba/lib
>>>>>    LOCKDIR: /samba/var/lock
>>>>>    STATEDIR: /samba/var/locks
>>>>>    CACHEDIR: /samba/var/cache
>>>>>    PIDDIR: /samba/var/run
>>>>>    PRIVATE_DIR: /samba/private
>>>>>    CODEPAGEDIR: /samba/share/codepages
>>>>>    SETUPDIR: /samba/share/setup
>>>>>    WINBINDD_SOCKET_DIR: /samba/var/run/winbindd
>>>>>    WINBINDD_PRIVILEGED_SOCKET_DIR: /samba/var/lib/winbindd_privileged
>>>>>    NTP_SIGND_SOCKET_DIR: /samba/var/lib/ntp_signd
>>>>>
>>>>> No ID's have been setup. The rfc2307 stuff is there, but they're 
>>>>> not using it. They have two Samba DC's and everything else is 
>>>>> Windows 7. They were using rsync to sync the sysvol, which had 
>>>>> caused issues with GID/UID on the second DC, but I fixed that 
>>>>> already. Well, tried to anyway. It is setup the EXACT same way. It 
>>>>> also has issues with this stuff.
>>>>>
>>>>> I have a theory as to how to fix this but want advice first. If I 
>>>>> am wrong, so be it. I would like to build Samba the STANDARD way 
>>>>> (FHS, bin files go to /bin, etc) but have one concern. If I do 
>>>>> this, do I simply need to adjust the paths in the configuration 
>>>>> file and move the sysvol to the proper location? On all of the 
>>>>> systems I do, this is always "/var/lib/samba/sysvol". I would 
>>>>> obviously have to move the tdb files and such to "/var/lib/samba" 
>>>>> as well. Would that work, or am I going to have to deal with this 
>>>>> the way it is?
>>>>>
>>>>> If you need anything else, please ask. Remember, this is a DC and 
>>>>> while rfc2307 attributes exist, they're not being used. Probably 
>>>>> due to no Linux member servers.
>>>>>
>>>>> On 8/22/2014 4:54 PM, Rowland Penny wrote:
>>>>>> On 22/08/14 21:40, Marc Muehlfeld wrote:
>>>>>>> Hello,
>>>>>>>
>>>>>>> Am 22.08.2014 20:48, schrieb Ryan Ashley:
>>>>>>>> I stepped into a setup where Samba was compiled and installed into
>>>>>>>> "/samba". The configure command on the DC is "configure
>>>>>>>> --prefix=/samba". The links for libnss_wins.so.2 and 
>>>>>>>> libnss_winbind.so.2
>>>>>>>> are there and nsswitch.conf is told to use winbind. However, 
>>>>>>>> "getent
>>>>>>>> group" returns only local users, "id" finds NO domain users, 
>>>>>>>> and "getent
>>>>>>>> passwd" returns only local users. I did do a rebuild of Samba 
>>>>>>>> after
>>>>>>>> verifying the dependencies were there and configured/installed 
>>>>>>>> the same
>>>>>>>> way so everything is in place. Still no dice. This guy was 
>>>>>>>> still running
>>>>>>>> Debian Squeeze so the install is probably old. Things seem to 
>>>>>>>> run, but
>>>>>>>> no systems can access the sysvol even after a reset, which led 
>>>>>>>> to this
>>>>>>>> discovery.
>>>>>>>>
>>>>>>>> Now, my thinking is that maybe the binaries in "/samba/bin" 
>>>>>>>> should be
>>>>>>>> linked to "/bin" and the same goes for the sbin stuff. Is this 
>>>>>>>> my issue
>>>>>>>> or what am I looking at? Yes, I stepped into it this time...
>>>>>>>
>>>>>>> It would be much easier to help, if you give some information 
>>>>>>> about your
>>>>>>> environment.
>>>>>>>
>>>>>>> - smb.conf
>>>>>>> - Samba version
>>>>>>> - IDs, etc. configured in your backend (depending on your Idmap 
>>>>>>> config)
>>>>>>> - etc.
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> Regards,
>>>>>>> Marc
>>>>>>>
>>>>>> It would also help if you followed the howto and didn't change 
>>>>>> bits that you don't like, just why did you install into /samba 
>>>>>> instead of /usr/local/samba ?
>>>>>> Everything out there is based on self compiling into 
>>>>>> /usr/local/samba, the wiki gives you the instructions based on this.
>>>>>>
>>>>>> having said this, it is possibly/probably a path problem, could 
>>>>>> you please post (along with what Marc has asked for) the result 
>>>>>> of 'samba -b'
>>>>>>
>>>>>> Rowland
>>>>>
>>>> OK, what does 'echo "$PATH"' return, does it have '/samba/sbin' & 
>>>> '/samba/bin' in it ?
>>>>
>>>> If not, try this:
>>>>
>>>> export PATH=/samba/sbin:/samba/bin:$PATH
>>>>
>>>> if everything now works correctly, do this:
>>>>
>>>> echo "PATH=/samba/sbin:/samba/bin:$PATH" > /etc/profile.d/samba4.sh
>>>>
>>>> Rowland
>>> Rowland, nothing in /samba is in the path. I had already tried your 
>>> suggestion, but I did it again this morning and here are my results. 
>>> It does not fix the issue. I also included some configuration files 
>>> and such.
>>>
>>> root at dc01:~# echo "$PATH"
>>> /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
>>> root at dc01:~# export PATH=$PATH:/samba/bin:/samba/sbin
>>
>> Ryan, why do you never read anything correctly <sigh>
>>
>> It should have been:
>>
>> export PATH=/samba/sbin:/samba/bin:$PATH
>>
>>
>> The way you have it, if there are ANY other samba binaries in your 
>> PATH, they will be found before the ones you have installed in /samba.
>>
>> Also, and this came up on another recent post, you may have to create 
>> the winbind symlinks to get getent to work with AD. See the wiki, on 
>> the member servers page.
>>
>> Rowland
>>
>>> root at dc01:~# id maliag
>>> id: maliag: No such user
>>> root at dc01:~# id michaelh
>>> id: michaelh: No such user
>>> root at dc01:~# getent passwd
>>> root:x:0:0:root:/root:/bin/bash
>>> daemon:x:1:1:daemon:/usr/sbin:/bin/sh
>>> bin:x:2:2:bin:/bin:/bin/sh
>>> sys:x:3:3:sys:/dev:/bin/sh
>>> sync:x:4:65534:sync:/bin:/bin/sync
>>> games:x:5:60:games:/usr/games:/bin/sh
>>> man:x:6:12:man:/var/cache/man:/bin/sh
>>> lp:x:7:7:lp:/var/spool/lpd:/bin/sh
>>> mail:x:8:8:mail:/var/mail:/bin/sh
>>> news:x:9:9:news:/var/spool/news:/bin/sh
>>> uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh
>>> proxy:x:13:13:proxy:/bin:/bin/sh
>>> www-data:x:33:33:www-data:/var/www:/bin/sh
>>> backup:x:34:34:backup:/var/backups:/bin/sh
>>> list:x:38:38:Mailing List Manager:/var/list:/bin/sh
>>> irc:x:39:39:ircd:/var/run/ircd:/bin/sh
>>> gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh
>>> nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
>>> libuuid:x:100:101::/var/lib/libuuid:/bin/sh
>>> ntp:x:101:103::/home/ntp:/bin/false
>>> sshd:x:102:65534::/var/run/sshd:/usr/sbin/nologin
>>> bind:x:103:105::/var/cache/bind:/bin/false
>>> root at dc01:~# cat /samba/etc/smb.conf
>>> # Global parameters
>>> [global]
>>>         workgroup = KIGM
>>>         realm = KIGM.LOCAL
>>>         netbios name = DC01
>>>         server role = active directory domain controller
>>>         server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, 
>>> drepl, winbind, ntp_signd, kcc, dnsupdate
>>>         interfaces = 127.0.0.1, 192.168.0.1
>>>
>>> [netlogon]
>>>         path = /samba/var/locks/sysvol/kigm.local/scripts
>>>         read only = No
>>>
>>> [sysvol]
>>>         path = /samba/var/locks/sysvol
>>>         read only = No
>>> root at dc01:~# cat /etc/nsswitch.conf
>>> # /etc/nsswitch.conf
>>> #
>>> # Example configuration of GNU Name Service Switch functionality.
>>> # If you have the `glibc-doc-reference' and `info' packages 
>>> installed, try:
>>> # `info libc "Name Service Switch"' for information about this file.
>>>
>>> passwd:         compat winbind
>>> group:          compat winbind
>>> shadow:         compat
>>>
>>> hosts:          files dns wins
>>> networks:       files
>>>
>>> protocols:      db files
>>> services:       db files
>>> ethers:         db files
>>> rpc:            db files
>>>
>>> netgroup:       nis
>>> root at dc01:~# wbinfo -g
>>> Enterprise Read-Only Domain Controllers
>>> Domain Admins
>>> Domain Users
>>> Domain Guests
>>> Domain Computers
>>> Domain Controllers
>>> Schema Admins
>>> Enterprise Admins
>>> Group Policy Creator Owners
>>> Read-Only Domain Controllers
>>> DnsUpdateProxy
>>> Operations
>>> AV
>>> Graphics
>>> WAFA
>>> Finance
>>> Logos
>>> Streaming
>>> root at dc01:~# cat /etc/krb5.conf
>>> [libdefaults]
>>>         default_realm = KIGM.LOCAL
>>>         dns_lookup_realm = false
>>>         dns_lookup_kdc = true
>>>
>>> Thanks for the help. What about my suggestion to perform a normal 
>>> install per the book and then move everything in /samba/var/lib to 
>>> the correct location? Would that not work? I agree with you that 
>>> this issue is caused by the odd install location.
>>
> Rowland, you did not ask for the symlink info, but they are there. I 
> will post the directory listing now. Also, there are no other Samba 
> binaries on the system, but I did reverse it the way you did it and no 
> difference. That is simply a habit stemming from the days of DOS in 
> that you always appended your stuff after the main path. Since I 
> already knew there were no other Samba binaries on the system, I just 
> did it that way. Again, I have tried it your way and had the same 
> results. Here is the directory listing.
>
> root at dc01:~# l /lib | grep win
> lrwxrwxrwx  1 root root      30 Aug 22 14:03 libnss_winbind.so -> 
> /samba/lib/libnss_winbind.so.2
> lrwxrwxrwx  1 root root      30 Aug 22 14:03 libnss_winbind.so.2 -> 
> /lib/libnss_winbind.so
> lrwxrwxrwx  1 root root      27 Aug 22 14:41 libnss_wins.so -> 
> /samba/lib/libnss_wins.so.2
> lrwxrwxrwx  1 root root      27 Aug 22 14:41 libnss_wins.so.2 -> 
> /lib/libnss_wins.so
>
> I created those last week before ever coming to the list. On Debian 
> Squeeze, "lib64" is a symlink to "lib". That is why I listed "/lib". I 
> also double-checked and there are NO Samba binaries on the system 
> outside of "/samba".

Ryan, can I suggest that you follow Louis's suggestion and upgrade to 
Wheezy with Samba from backports? This will get you the latest Samba and 
a fully supported Debian release.

Rowland
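
Added example, not part of the original thread: a small shell script bundling the three checks made by hand above (which copy of a Samba tool the PATH order selects, whether nsswitch.conf lists winbind for a database, and whether the libnss_winbind.so.2 symlink chain ends at a real file). The function names and the temporary fixture tree are assumptions made for illustration, and it relies on `readlink -f` as provided by GNU coreutils.

```sh
#!/bin/sh
# Added example. Every path is an argument, so the checks can be pointed
# at a constructed tree here or at / on a real host.

# first_in_path NAME PATHSTRING: print the first directory in PATHSTRING
# that holds an executable NAME, i.e. the copy the shell would run.
first_in_path() {
    name=$1; old_ifs=$IFS; IFS=:
    for dir in $2; do
        if [ -x "$dir/$name" ]; then IFS=$old_ifs; echo "$dir"; return 0; fi
    done
    IFS=$old_ifs; return 1
}

# nss_uses_winbind DB FILE: succeed if the DB line (passwd, group) of an
# nsswitch.conf-style FILE lists winbind as a source.
nss_uses_winbind() {
    grep -Eq "^$1:.*[[:space:]]winbind([[:space:]]|\$)" "$2"
}

# nss_module_target LIBDIR: follow libnss_winbind.so.2 through every
# symlink hop and print the real file; fail on a loop or dangling link.
nss_module_target() {
    target=$(readlink -f "$1/libnss_winbind.so.2") || return 1
    [ -f "$target" ] || return 1
    echo "$target"
}

# build_fixture ROOT: constructed tree with the two-hop symlinks and the
# nsswitch.conf lines from the thread, plus a constructed stray wbinfo in
# usr/bin (the poster reports no such copy on the real DC).
build_fixture() {
    root=$1
    mkdir -p "$root/samba/lib" "$root/samba/bin" "$root/usr/bin" "$root/lib" "$root/etc"
    : > "$root/samba/lib/libnss_winbind.so.2"
    ln -s "$root/samba/lib/libnss_winbind.so.2" "$root/lib/libnss_winbind.so"
    ln -s "$root/lib/libnss_winbind.so" "$root/lib/libnss_winbind.so.2"
    printf 'passwd: compat winbind\ngroup: compat winbind\nshadow: compat\n' \
        > "$root/etc/nsswitch.conf"
    for d in samba/bin usr/bin; do
        printf '#!/bin/sh\n' > "$root/$d/wbinfo"; chmod +x "$root/$d/wbinfo"
    done
}

demo=$(mktemp -d) && build_fixture "$demo"
echo "appended:  $(first_in_path wbinfo "$demo/usr/bin:$demo/samba/bin")"
echo "prepended: $(first_in_path wbinfo "$demo/samba/bin:$demo/usr/bin")"
echo "module:    $(nss_module_target "$demo/lib")"
rm -rf "$demo"
```

On a real host the same functions take the live values, for example `first_in_path wbinfo "$PATH"`, `nss_uses_winbind passwd /etc/nsswitch.conf` and `nss_module_target /lib`.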


