[Samba] getent group is not working
Martinx - ジェームズ
thiagocmartinsc at gmail.com
Wed Aug 27 20:34:41 MDT 2014
Hi!
I think I'm facing the very same problem... "getent group" does not show
AD groups, but I can still, for example, use "chmod :"domain users"
/srv/tmp" as usual. No idea what's going on...
Nevertheless, it is on my to-do list to replace Winbind with something more
robust, maybe `nss-ldap-pam` (http://arthurdejong.org/nss-pam-ldapd/)...
Best,
Thiago
On 27 August 2014 15:39, Eduardo Sotomayor <easgs at hotmail.com> wrote:
> getent group is not working in an openSUSE 13.1 member server for an
> Active Directory Samba 4 domain.
> wbinfo -u, wbinfo -g, wbinfo -t and getent passwd | grep SIENIC are
> working. These are my configuration files and the output of the commands.
>
> Note: the domain controller has Samba installed from source (4.1.11), the
> member server has the distro packages installed (4.1.0)
>
>
>
> blue25:/home/SIENIC/administrator # wbinfo -u
> SIENIC\administrator
> SIENIC\dns-server01
> SIENIC\krbtgt
> SIENIC\guest
>
> blue25:/home/SIENIC/administrator # wbinfo -g
> SIENIC\allowed rodc password replication group
> SIENIC\enterprise read-only domain controllers
> SIENIC\denied rodc password replication group
> SIENIC\read-only domain controllers
> SIENIC\group policy creator owners
> SIENIC\ras and ias servers
> SIENIC\domain controllers
> SIENIC\enterprise admins
> SIENIC\domain computers
> SIENIC\cert publishers
> SIENIC\dnsupdateproxy
> SIENIC\domain admins
> SIENIC\domain guests
> SIENIC\schema admins
> SIENIC\domain users
> SIENIC\dnsadmins
>
> blue25:/home/SIENIC/administrator # wbinfo -t
> checking the trust secret for domain SIENIC via RPC calls succeeded
>
> blue25:/home/SIENIC/administrator # getent passwd | grep SIENIC
> SIENIC\administrator:*:10000:10004:Administrator:/home/SIENIC/administrator:/bin/bash
> SIENIC\dns-server01:*:10001:10004:dns-server01:/home/SIENIC/dns-server01:/bin/bash
> SIENIC\krbtgt:*:10002:10004:krbtgt:/home/SIENIC/krbtgt:/bin/bash
> SIENIC\guest:*:10003:10011:Guest:/home/SIENIC/guest:/bin/bash
>
> blue25:/home/SIENIC/administrator # getent group | grep SIENIC
>
> blue25:/home/SIENIC/administrator # getent group
>
>
> /etc/nsswitch.conf
>
>
> #
> # /etc/nsswitch.conf
> #
> # An example Name Service Switch config file. This file should be
> # sorted with the most-used services at the beginning.
> #
> # The entry '[NOTFOUND=return]' means that the search for an
> # entry should stop if the search in the previous entry turned
> # up nothing. Note that if the search failed due to some other reason
> # (like no NIS server responding) then the search continues with the
> # next entry.
> #
> # Legal entries are:
> #
> # compat Use compatibility setup
> # nisplus Use NIS+ (NIS version 3)
> # nis Use NIS (NIS version 2), also called YP
> # dns Use DNS (Domain Name Service)
> # files Use the local files
> # [NOTFOUND=return] Stop searching if not found so far
> #
> # For more information, please read the nsswitch.conf.5 manual page.
> #
>
> # passwd: files nis
> # shadow: files nis
> # group: files nis
>
> passwd: compat winbind
> group: compat winbind
>
> hosts: files mdns_minimal [NOTFOUND=return] dns
> networks: files dns
>
> services: files
> protocols: files
> rpc: files
> ethers: files
> netmasks: files
> netgroup: files nis
> publickey: files
>
> bootparams: files
> automount: files nis
> aliases: files
>
>
> /etc/krb5
>
> [libdefaults]
> default_realm = SIENIC.SITE
> clockskew = 300
> # default_realm = EXAMPLE.COM
>
> [realms]
> SIENIC.SITE = {
> kdc = server01.sienic.site
> default_domain = sienic.site
> admin_server = server01.sienic.site
> }
> # EXAMPLE.COM = {
> # kdc = kerberos.example.com
> # admin_server = kerberos.example.com
> # }
>
> [logging]
> kdc = FILE:/var/log/krb5/krb5kdc.log
> admin_server = FILE:/var/log/krb5/kadmind.log
> default = SYSLOG:NOTICE:DAEMON
> [domain_realm]
> .sienic.site = SIENIC.SITE
> [appdefaults]
> pam = {
> ticket_lifetime = 1d
> renew_lifetime = 1d
> forwardable = true
> proxiable = false
> minimum_uid = 1
> }
>
>
> /etc/samba/smb.conf
>
>
> [global]
> workgroup = SIENIC
> passdb backend = tdbsam
> printing = cups
> printcap name = cups
> printcap cache time = 750
> cups options = raw
> map to guest = Bad User
> include = /etc/samba/dhcp.conf
> logon path = \\%L\profiles\.msprofile
> logon home = \\%L\%U\.9xprofile
> logon drive = P:
> usershare allow guests = No
> #idmap gid = 10000-20000
> #idmap uid = 10000-20000
> kerberos method = secrets and keytab
> realm = SIENIC.SITE
> security = ADS
> template homedir = /home/%D/%U
> template shell = /bin/bash
> usershare max shares = 100
> winbind offline logon = yes
> winbind refresh tickets = yes
> vfs objects = acl_xattr
> map acl inherit = yes
> store dos attributes = yes
> idmap config *:range = 50000-60000
> idmap config SIENIC:backend = ad
> idmap config SIENIC:schema_mode = rfc2307
> idmap config SIENIC:range = 10000-20000
> winbind enum users = yes
> winbind enum groups = yes
>
>
> thanks
>
>
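
Added example, not part of the thread or of Samba: a shell function that separates the two behaviours reported above, plain `getent group` enumeration versus lookup of a single group by name, for every group that `wbinfo -g` lists. The `WBINFO`/`GETENT` override variables, the `sample_*` functions and the GID in them are assumptions of this example, constructed so it runs without a domain.

```shell
#!/bin/sh
# Added example (not from the thread). WBINFO/GETENT are this example's own
# override hooks; by default the real commands are used.
: "${WBINFO:=wbinfo}"
: "${GETENT:=getent}"

# For each group winbind lists, print "<status><TAB><group>":
#   enumerated   listed by plain `getent group`
#   lookup-only  absent from the enumeration, but `getent group NAME` resolves
#   unresolved   NSS cannot resolve the name at all
classify_groups() {
    _enum=$("$GETENT" group | cut -d: -f1)
    "$WBINFO" -g | while IFS= read -r g; do
        [ -n "$g" ] || continue
        if printf '%s\n' "$_enum" | grep -Fxq -- "$g"; then
            printf 'enumerated\t%s\n' "$g"
        elif "$GETENT" group "$g" >/dev/null 2>&1; then
            printf 'lookup-only\t%s\n' "$g"
        else
            printf 'unresolved\t%s\n' "$g"
        fi
    done
}

# Constructed stand-ins for the two commands (sample data, GID made up).
sample_wbinfo() { printf '%s\n' 'SIENIC\domain users' 'SIENIC\dnsadmins'; }
sample_getent() {
    [ "$1" = group ] || return 2
    case "${2-}" in
        '') printf '%s\n' 'root:x:0:' ;;   # enumeration returns local groups only
        'SIENIC\domain users') printf '%s\n' 'SIENIC\domain users:x:10004:' ;;
        *) return 2 ;;                     # key not found
    esac
}

# Run the classification against the constructed data, in a subshell so the
# overrides do not leak into the caller.
run_sample() (
    WBINFO=sample_wbinfo
    GETENT=sample_getent
    classify_groups
)

# On a real member server call classify_groups instead.
run_sample
```

Groups reported as `lookup-only` point at enumeration rather than ID mapping; `unresolved` ones have no usable mapping through NSS at all.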