[Samba] wbinfo -u returns no domain users
Gregory Cushing
ioudas at gmail.com
Tue Jun 3 14:19:14 MDT 2014
Carla, no worries, we all have to start somewhere.
Here is my .02 from samba.
So imagine you are a Windows domain controller. You have users represented
in SID fashion, i.e. S-1234.
What winbind does is query the domain controller, then handle the
translation from the SID into the PAM Linux authentication module. The PAM
module handles user logins for ssh/console etc. Winbind hooks into this
system to provide Unix ID translation from the SIDs on the domain
controller.
You will need to configure nsswitch, PAM and smb.conf to do this. Make sure
the modules are installed, defined and working in the nsswitch configs and
PAM module configs. Then you will have to verify the idmap settings.
Here is a link with different id mapping:
https://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/idmapper.html
Below is stuff done on Debian, but the process is the same on AIX, Debian
or CentOS. I also kinit to confirm Kerberos status.
Here is an example from a spare box i have:
conf:
gregc2 at NRFVUTIL1:~$ cat /etc/samba/smb.conf
[global]
workgroup = NRFDIST
security = ads
realm = nrfdist.local
password server = nrfdc1.nrfdist.local
domain logons = no
template homedir = /home/%U
template shell = /bin/bash
winbind enum groups = yes
winbind enum users = yes
winbind use default domain = yes
winbind refresh tickets = yes
domain master = no
local master = no
preferred master = no
os level = 0
idmap config *:backend = tdb
idmap config *:range = 11000-20000
; here you can use a RID backend or any backend you choose
printing = bsd
printcap name = /dev/null
[ADShare]
path = /shares/ADShareTest
create mask = 0775
read only = no
valid users = NRFDIST\gregc3, "@Domain Admins"
writeable = yes
directory mask = 775
[ddreports]
path = /shares/ddreports
create mask = 0775
read only = no
valid users = NRFDIST\nrfst, "@Domain Admins"
writeable = yes
directory mask = 775
[cadec]
path = /shares/cadec
create mask = 0775
read only = no
valid users = NRFDIST\nrfcadecservice, "@Domain Admins"
writeable = yes
directory mask = 775
gregc2 at NRFVUTIL1:~$ getent passwd
    lists all users in the domain you have configured.
getent group    lists group info found
wbinfo -a       tests authentication
wbinfo -g       lists winbind's cache of group info
wbinfo -u       lists user info in cache
gregc2 at NRFVUTIL1:~$ cat /etc/nsswitch.conf
# /etc/nsswitch.conf
#
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.
passwd: compat winbind
group: compat winbind
shadow: compat
hosts: files dns
networks: files
protocols: db files
services: db files
ethers: db files
rpc: db files
netgroup: nis
Example of a PAM config module change (this should be done by your distro,
but I've seen CentOS not do this multiple times):
gregc2 at NRFVUTIL1:~$ cat /etc/pam.d/common-auth
#
# /etc/pam.d/common-auth - authentication settings common to all services
#
# This file is included from other service-specific PAM config files,
# and should contain a list of the authentication modules that define
# the central authentication scheme for use on the system
# (e.g., /etc/shadow, LDAP, Kerberos, etc.). The default is to use the
# traditional Unix authentication mechanisms.
#
# As of pam 1.0.1-6, this file is managed by pam-auth-update by default.
# To take advantage of this, it is recommended that you configure any
# local modules either before or after the default block, and use
# pam-auth-update to manage selection of other modules. See
# pam-auth-update(8) for details.
# here are the per-package modules (the "Primary" block)
auth [success=3 default=ignore] pam_krb5.so minimum_uid=1000
auth [success=2 default=ignore] pam_unix.so nullok_secure try_first_pass
auth [success=1 default=ignore] pam_winbind.so krb5_auth krb5_ccache_type=FILE cached_login try_first_pass
# here's the fallback if no module succeeds
auth requisite pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
auth required pam_permit.so
# and here are more per-package modules (the "Additional" block)
# end of pam-auth-update config
There are several other files that need to be configured correctly. I can
provide those files to you if needed.
If you have specific questions feel free to come chat on irc.freenode.net
#samba on an irc client. I am there as ioudas and can walk you through as
well.
-Greg
On Tue, Jun 3, 2014 at 3:48 PM, Carla Nurse <packethelp at gmail.com> wrote:
> Gregory,
>
> I should have mentioned that I am a novice when it comes to Samba. This is
> literally my first interaction. I'm not sure what winbind idmapping is. I
> will attach a copy of my smb.conf file though.
>
> smb.conf
> [global]
> workgroup = CAVEHILL
> server string = %h
> security = ads
> passdb backend = tdbsam
> realm = CAVEHILL.UWI.EDU
> encrypt passwords = yes
> winbind use default domain = yes
> client NTLMv2 auth = yes
> preferred master = no
> domain master = no
> local master = no
> load printers = no
> log level = 1 winbind:5 auth:3
> winbind max clients = 750
> winbind max domain connections = 15
>
> I really am not sure what any of the other stuff is. Would you mind
> breaking it down for me?
>
>
> Carla
>
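An added example (mine, not code from Greg's or Carla's posts): a POSIX shell script that checks an smb.conf and nsswitch.conf for the settings discussed in the thread (security = ads, winbind enum users/groups, the default-domain idmap backend and range, winbind in the passwd and group NSS lines) and, when wbinfo is installed, runs the live checks a practitioner would do next (wbinfo -p, wbinfo -t, wbinfo -u, getent passwd). The two sample smb.conf files are constructed from the [global] sections posted above; the temp-dir paths, the function names and the assumption that local accounts live below UID/GID 1000 are mine.

```shell
#!/bin/sh
# Added example (not from the list post): static checks on smb.conf and
# nsswitch.conf for a winbind AD member, plus optional live checks with wbinfo.
# File names are constructed in a temp dir; the sample [global] sections are
# taken from the configs posted in this thread.

tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT

# smb_global_param FILE NAME: print NAME's value from [global]. NAME is matched
# with whitespace stripped and lowercased, so 'idmapconfig*:range' finds both
# "idmap config * : range" and "idmap config *:range".
smb_global_param() {
    awk -v want="$2" '
        /^[[:space:]]*\[/ { insec = (tolower($0) ~ /^[[:space:]]*\[global\]/); next }
        insec && $0 !~ /^[[:space:]]*[;#]/ {
            eq = index($0, "="); if (eq == 0) next
            key = substr($0, 1, eq - 1); val = substr($0, eq + 1)
            gsub(/[[:space:]]/, "", key)
            if (tolower(key) == want) {
                sub(/^[[:space:]]+/, "", val); sub(/[[:space:]]+$/, "", val)
                print val; exit
            }
        }' "$1"
}

lower() { printf '%s' "$1" | tr 'A-Z' 'a-z'; }

# check_smbconf FILE: one finding per line on stdout; exit status = number of findings.
check_smbconf() {
    cs_n=0
    case $(lower "$(smb_global_param "$1" security)") in
        ads) ;;
        *) echo "smb.conf: security should be 'ads' for an AD member server"; cs_n=$((cs_n + 1)) ;;
    esac
    # Enumeration feeds getpwent()/getgrent(): without it getent passwd/group
    # stays empty for the domain even when wbinfo can talk to the DC.
    for cs_p in users groups; do
        case $(lower "$(smb_global_param "$1" "winbindenum$cs_p")") in
            yes|true|1) ;;
            *) echo "smb.conf: 'winbind enum $cs_p' is not yes; getent will not list domain $cs_p"; cs_n=$((cs_n + 1)) ;;
        esac
    done
    [ -n "$(smb_global_param "$1" 'idmapconfig*:backend')" ] ||
        { echo "smb.conf: 'idmap config * : backend' not set (tdb, rid, ad, ...)"; cs_n=$((cs_n + 1)); }
    cs_range=$(smb_global_param "$1" 'idmapconfig*:range')
    cs_lo=${cs_range%%-*}; cs_hi=${cs_range#*-}
    case "$cs_lo,$cs_hi" in
        *[!0-9,]*|,*|*,|*,*,*)
            echo "smb.conf: 'idmap config * : range' missing or not LOW-HIGH"; cs_n=$((cs_n + 1)) ;;
        *)
            # Assumed local policy: local accounts live below UID/GID 1000, so the
            # domain range must start at or above it and be non-empty.
            if [ "$cs_lo" -lt 1000 ] || [ "$cs_lo" -ge "$cs_hi" ]; then
                echo "smb.conf: idmap range '$cs_range' overlaps local IDs or is empty"; cs_n=$((cs_n + 1))
            fi ;;
    esac
    return $cs_n
}

# check_nsswitch FILE: passwd and group must consult winbind after the local files.
check_nsswitch() {
    cn_n=0
    for cn_db in passwd group; do
        grep -Eq "^[[:space:]]*$cn_db:.*[[:space:]]winbind([[:space:]]|$)" "$1" ||
            { echo "nsswitch.conf: '$cn_db:' does not list winbind; getent $cn_db skips the domain"; cn_n=$((cn_n + 1)); }
    done
    return $cn_n
}

# Live checks, only meaningful on a joined member server with winbindd running.
live_checks() {
    command -v wbinfo >/dev/null 2>&1 || { echo "wbinfo not installed; skipping live checks"; return 0; }
    wbinfo -p || echo "winbindd not answering: is it running?"
    wbinfo -t || echo "machine account trust check failed: re-join with 'net ads join'"
    echo "first domain users seen by winbind:"; wbinfo -u | head -n 5
    echo "first non-local users seen by NSS (assumed local IDs < 1000):"; getent passwd | awk -F: '$3 >= 1000' | head -n 5
}

# Constructed sample 1: the [global] Carla posted (no enum, no idmap config).
cat >"$tmp/smb.carla.conf" <<'EOF'
[global]
workgroup = CAVEHILL
security = ads
realm = CAVEHILL.UWI.EDU
winbind use default domain = yes
log level = 1 winbind:5 auth:3
EOF
# Constructed sample 2: the relevant lines of Greg's [global].
cat >"$tmp/smb.greg.conf" <<'EOF'
[global]
workgroup = NRFDIST
security = ads
realm = nrfdist.local
winbind enum groups = yes
winbind enum users = yes
idmap config * : backend = tdb
idmap config * : range = 11000-20000
EOF
printf 'passwd: compat winbind\ngroup: compat winbind\nshadow: compat\n' >"$tmp/nsswitch.good"
printf 'passwd: compat\ngroup: compat\n' >"$tmp/nsswitch.bad"

for f in "$tmp/smb.carla.conf" "$tmp/smb.greg.conf"; do
    echo "== $f"; check_smbconf "$f" && echo "   ok"
done
echo "== $tmp/nsswitch.good"; check_nsswitch "$tmp/nsswitch.good" && echo "   ok"
live_checks
```

Run it as root on the member server after replacing the sample paths with /etc/samba/smb.conf and /etc/nsswitch.conf. Two points the static checks encode: the tdb backend hands out Unix IDs first come, first served, so the same domain user gets different UIDs on different hosts unless you pick a deterministic backend such as rid (Greg's note next to the range), which matters as soon as files or ACLs are shared between machines; and the idmap range must not overlap the UIDs/GIDs of local accounts, or a domain SID can map onto a local user's ownership.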
More information about the samba mailing list