[Samba] getent group is not working

Gregory Cushing ioudas at gmail.com
Wed Aug 27 13:06:01 MDT 2014


Eduardo, to piggyback on Rowland's comment: I have only seen gids/uids
require an id if they are using the below id map. Using a rid idmap I have
never had to set a gid/uid. One thing to note: the rfc2307 requires unix
extensions to be installed. Then groups will need a gid within that.



    idmap config *:range = 50000-60000
    idmap config SIENIC:backend = ad
    idmap config SIENIC:schema_mode = rfc2307
    idmap config SIENIC:range = 10000-20000

Eduardo, per my other email the rest is identical.

Requires Unix Extensions to be installed in an AD environment. I can tell
you this though, assuming you had a working setup otherwise in samba, i.e.
local auth works and nsswitch/kerberos look great etc.: then check the
following.

1) Unix Extensions from what I have seen in samba are not enabled by
default nor in normal AD.

2) Whenever troubleshooting a getent translation issue there are a few
things to check which you have not listed in this email.

There are 3-4 things that need to be setup to have getent working.

1) Confirm your nsswitch conf. Here it appears working.

2) Have you confirmed the pam winbind module is installed and pam is
configured?

3) Have you done a wbinfo sid to id call to check that sid translation and
uid translation is working? wbinfo's help or man page will give you the
flags for this. You want to test sid and uid/gid resolution within winbind.

4) Check your id map to confirm the ID map is properly mapped.
My initial suspicion is that you haven't properly configured your id map.

I am known on irc.freenode.net #samba as ioudas, and I am known for some
winbind knowledge there. If you would like further help, feel free to reply
or let me know.

-Greg


On Wed, Aug 27, 2014 at 2:57 PM, Rowland Penny <rowlandpenny at googlemail.com>
wrote:

> On 27/08/14 19:39, Eduardo Sotomayor wrote:
>
>> getent group is not working in an opensuse 13.1 member server for an
>> active directory samba 4 domain
>> wbinfo -u, wbinfo -g, wbinfo -t and getent passwd | grep SIENIC are
>> working, these are my configuration files and the output of the commands.
>>
>> Note: the domain controller has samba installed from source (4.1.11), the
>> member server has the distro packages installed (4.1.0)
>>
>>
>>
>> blue25:/home/SIENIC/administrator # wbinfo -u
>> SIENIC\administrator
>> SIENIC\dns-server01
>> SIENIC\krbtgt
>> SIENIC\guest
>>
>> blue25:/home/SIENIC/administrator # wbinfo -g
>> SIENIC\allowed rodc password replication group
>> SIENIC\enterprise read-only domain controllers
>> SIENIC\denied rodc password replication group
>> SIENIC\read-only domain controllers
>> SIENIC\group policy creator owners
>> SIENIC\ras and ias servers
>> SIENIC\domain controllers
>> SIENIC\enterprise admins
>> SIENIC\domain computers
>> SIENIC\cert publishers
>> SIENIC\dnsupdateproxy
>> SIENIC\domain admins
>> SIENIC\domain guests
>> SIENIC\schema admins
>> SIENIC\domain users
>> SIENIC\dnsadmins
>>
>> blue25:/home/SIENIC/administrator # wbinfo -t
>> checking the trust secret for domain SIENIC via RPC calls succeeded
>>
>> blue25:/home/SIENIC/administrator # getent passwd | grep SIENIC
>> SIENIC\administrator:*:10000:10004:Administrator:/home/SIENIC/administrator:/bin/bash
>> SIENIC\dns-server01:*:10001:10004:dns-server01:/home/SIENIC/dns-server01:/bin/bash
>> SIENIC\krbtgt:*:10002:10004:krbtgt:/home/SIENIC/krbtgt:/bin/bash
>> SIENIC\guest:*:10003:10011:Guest:/home/SIENIC/guest:/bin/bash
>>
>> blue25:/home/SIENIC/administrator # getent group | grep SIENIC
>>
>> blue25:/home/SIENIC/administrator # getent group
>>
>>
>> /etc/nsswitch.conf
>>
>>
>> #
>> # /etc/nsswitch.conf
>> #
>> # An example Name Service Switch config file. This file should be
>> # sorted with the most-used services at the beginning.
>> #
>> # The entry '[NOTFOUND=return]' means that the search for an
>> # entry should stop if the search in the previous entry turned
>> # up nothing. Note that if the search failed due to some other reason
>> # (like no NIS server responding) then the search continues with the
>> # next entry.
>> #
>> # Legal entries are:
>> #
>> #       compat                  Use compatibility setup
>> #       nisplus                 Use NIS+ (NIS version 3)
>> #       nis                     Use NIS (NIS version 2), also called YP
>> #       dns                     Use DNS (Domain Name Service)
>> #       files                   Use the local files
>> #       [NOTFOUND=return]       Stop searching if not found so far
>> #
>> # For more information, please read the nsswitch.conf.5 manual page.
>> #
>>
>> # passwd: files nis
>> # shadow: files nis
>> # group:  files nis
>>
>> passwd:    compat winbind
>> group:    compat winbind
>>
>> hosts:    files mdns_minimal [NOTFOUND=return] dns
>> networks:    files dns
>>
>> services:    files
>> protocols:    files
>> rpc:    files
>> ethers:    files
>> netmasks:    files
>> netgroup:    files nis
>> publickey:    files
>>
>> bootparams:    files
>> automount:    files nis
>> aliases:    files
>>
>>
>> /etc/krb5
>>
>> [libdefaults]
>>      default_realm = SIENIC.SITE
>>      clockskew = 300
>> #    default_realm = EXAMPLE.COM
>>
>> [realms]
>> SIENIC.SITE = {
>>      kdc = server01.sienic.site
>>      default_domain = sienic.site
>>      admin_server = server01.sienic.site
>> }
>> #    EXAMPLE.COM = {
>> #                kdc = kerberos.example.com
>> #        admin_server = kerberos.example.com
>> #    }
>>
>> [logging]
>>      kdc = FILE:/var/log/krb5/krb5kdc.log
>>      admin_server = FILE:/var/log/krb5/kadmind.log
>>      default = SYSLOG:NOTICE:DAEMON
>> [domain_realm]
>>      .sienic.site = SIENIC.SITE
>> [appdefaults]
>> pam = {
>>      ticket_lifetime = 1d
>>      renew_lifetime = 1d
>>      forwardable = true
>>      proxiable = false
>>      minimum_uid = 1
>> }
>>
>>
>> /etc/samba/smb.conf
>>
>>
>> [global]
>>      workgroup = SIENIC
>>      passdb backend = tdbsam
>>      printing = cups
>>      printcap name = cups
>>      printcap cache time = 750
>>      cups options = raw
>>      map to guest = Bad User
>>      include = /etc/samba/dhcp.conf
>>      logon path = \\%L\profiles\.msprofile
>>      logon home = \\%L\%U\.9xprofile
>>      logon drive = P:
>>      usershare allow guests = No
>>      #idmap gid = 10000-20000
>>      #idmap uid = 10000-20000
>>      kerberos method = secrets and keytab
>>      realm = SIENIC.SITE
>>      security = ADS
>>      template homedir = /home/%D/%U
>>      template shell = /bin/bash
>>      usershare max shares = 100
>>      winbind offline logon = yes
>>      winbind refresh tickets = yes
>>      vfs objects = acl_xattr
>>      map acl inherit = yes
>>      store dos attributes = yes
>>      idmap config *:range = 50000-60000
>>      idmap config SIENIC:backend = ad
>>      idmap config SIENIC:schema_mode = rfc2307
>>      idmap config SIENIC:range = 10000-20000
>>      winbind enum users = yes
>>      winbind enum groups = yes
>>
>>
>> thanks
>>
>>
>>
> Hi, does 'getent group Domain\ Users' produce a result ? I think that you
> will find it does. Welcome to the wonderful world of Samba ;-)
>
> 'getent group' will only display the groups if you give all the groups in
> AD a gidNumber, but 'getent group <groupname>' will display the info for
> the group if it has a gidNumber.
>
> Rowland
>
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba
>


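An added example, not from the thread, that checks the point Greg and Rowland make: with the rfc2307 schema mode, a group only resolves (and so only shows up in getent) when its gidNumber exists and falls inside the domain's idmap range. The smb.conf fragment mirrors the one posted above; the AD group records and their gidNumber values are constructed for the example.

```python
import re

# smb.conf fragment with the idmap settings from the thread (constructed copy).
SMB_CONF = """\
[global]
     workgroup = SIENIC
     idmap config *:range = 50000-60000
     idmap config SIENIC:backend = ad
     idmap config SIENIC:schema_mode = rfc2307
     idmap config SIENIC:range = 10000-20000
"""

# Constructed AD group records (the attribute subset an LDAP search would
# return). The gidNumber values are made up to show each outcome.
AD_GROUPS = [
    {"cn": "domain users", "gidNumber": 10004},
    {"cn": "domain admins", "gidNumber": 10005},
    {"cn": "dnsadmins"},                          # no gidNumber set at all
    {"cn": "schema admins", "gidNumber": 30000},  # outside the SIENIC range
]


def parse_idmap_ranges(conf):
    """Return {domain: (lo, hi)} for every 'idmap config X:range' line."""
    pattern = r"idmap config\s+(\S+?)\s*:\s*range\s*=\s*(\d+)\s*-\s*(\d+)"
    return {m.group(1): (int(m.group(2)), int(m.group(3)))
            for m in re.finditer(pattern, conf)}


def check_groups(groups, domain, ranges):
    """Classify groups the way idmap_ad with schema_mode = rfc2307 treats them:
    only a gidNumber inside the domain's range maps; a missing or out-of-range
    value means winbind cannot resolve the group, so getent will not list it."""
    lo, hi = ranges[domain]
    result = {"visible": [], "missing": [], "out_of_range": []}
    for g in groups:
        gid = g.get("gidNumber")
        if gid is None:
            result["missing"].append(g["cn"])
        elif not lo <= gid <= hi:
            result["out_of_range"].append((g["cn"], gid))
        else:
            result["visible"].append((g["cn"], gid))
    return result


if __name__ == "__main__":
    ranges = parse_idmap_ranges(SMB_CONF)
    for kind, entries in check_groups(AD_GROUPS, "SIENIC", ranges).items():
        print(f"{kind}: {entries}")
```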