[Samba] wbinfo -u returns no domain users

Carla Nurse packethelp at gmail.com
Tue Jun 3 16:33:07 MDT 2014


Hi Gregory,

I had checked the krb5.conf earlier. I figure it must be right because when
I made the changes, nothing worked at all. The kinit command wouldn't work.

I will check through the other files you told me to check tonight and give
you an update on what happened.

Thank you for breaking it down.

Carla


On Tue, Jun 3, 2014 at 4:30 PM, Gregory Cushing <ioudas at gmail.com> wrote:

> Carla, as another point: you may not end up wanting an idmap and just a
> local cache (which for me makes no sense). One thing to check that I left out is
> your Kerberos configuration in /etc/krb5.conf.
>
> This will have to be right for a lookup to occur.
>
> gregc2 at NRFVUTIL1:~$ cat /etc/krb5.conf
> [libdefaults]
>  default_realm = NRFDIST.LOCAL
>  dns_lookup_realm = false
>  dns_lookup_kdc = false
>  ticket_lifetime = 48h
>  renew_lifetime = 7d
>  forwardable = true
> [realms]
>  NRFDIST.LOCAL = {
>   kdc = nrfdc1.nrfdist.local
>   admin_server = nrfdc1.nrfdist.local
>  }
> [domain_realm]
>  .nrfdist.local = NRFDIST.LOCAL
>  nrfdist.local = NRFDIST.LOCAL
>
>
>
> On Tue, Jun 3, 2014 at 4:19 PM, Gregory Cushing <ioudas at gmail.com> wrote:
>
>> Carla, no worries, we all have to start somewhere.
>>
>> Here is my .02 from samba.
>>
>> So imagine you are a Windows domain controller. You have users
>> represented in SID fashion, i.e. S-1234.
>>
>> What winbind does is query the domain controller, then handle the
>> translation from the SID into the PAM Linux authentication module. The PAM
>> module handles user logins for ssh/console etc. Winbind hooks into this
>> system to provide Unix ID translation from the SIDs on the domain
>> controller.
>>
>> You will need to conf nsswitch, PAM and smb.conf to do this. Make sure
>> the modules are defined, working and installed in the nsswitch confs and PAM
>> module confs. Then you will have to verify the idmap settings.
>>
>> Here is a link with different id mapping:
>> https://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/idmapper.html
>>
>> Below is stuff done on Debian, but the process is the same on AIX or
>> Debian or CentOS.  I also kinit to confirm Kerberos status.
>>
>>
>> Here is an example from a spare box i have:
>>
>> conf:
>>
>> gregc2 at NRFVUTIL1:~$ cat /etc/samba/smb.conf
>> [global]
>> workgroup = NRFDIST
>> security = ads
>> realm = nrfdist.local
>> password server = nrfdc1.nrfdist.local
>> domain logons = no
>> template homedir = /home/%U
>> template shell = /bin/bash
>> winbind enum groups = yes
>> winbind enum users = yes
>> winbind use default domain = yes
>>  winbind refresh tickets = yes
>> domain master = no
>> local master = no
>> prefered master = no
>> os level = 0
>> idmap config *:backend = tdb
>> idmap config *:range = 11000-20000 (here you can use a RID backend or any you choose)
>> printing = bsd
>> printcap name = /dev/null
>> [ADShare]
>>     path = /shares/ADShareTest
>>     create mask = 0775
>>     read only = no
>>     valid users = NRFDIST\gregc3, "@Domain Admins"
>>     writeable = yes
>>     directory mask = 775
>> [ddreports]
>>     path = /shares/ddreports
>>     create mask = 0775
>>     read only = no
>>     valid users = NRFDIST\nrfst, "@Domain Admins"
>>     writeable = yes
>>     directory mask = 775
>> [cadec]
>>     path = /shares/cadec
>>     create mask = 0775
>>     read only = no
>>     valid users = NRFDIST\nrfcadecservice, "@Domain Admins"
>>     writeable = yes
>>     directory mask = 775
>>
>>
>>
>> gregc2 at NRFVUTIL1:~$ getent passwd
>>
>> lists all users in the domain you have configured.
>>
>> getent group lists the group info found.
>>
>> wbinfo -a tests authentication
>> wbinfo -g lists winbind's cache of group info
>> wbinfo -u lists user info in cache
>>
>>
>> gregc2 at NRFVUTIL1:~$ cat /etc/nsswitch.conf
>> # /etc/nsswitch.conf
>> #
>> # Example configuration of GNU Name Service Switch functionality.
>> # If you have the `glibc-doc-reference' and `info' packages installed, try:
>> # `info libc "Name Service Switch"' for information about this file.
>>
>> passwd:         compat winbind
>> group:          compat winbind
>> shadow:         compat
>>
>> hosts:          files dns
>> networks:       files
>>
>> protocols:      db files
>> services:       db files
>> ethers:         db files
>> rpc:            db files
>>
>> netgroup:       nis
>>
>>
>> Example of a PAM conf module change (this should be done by your distro,
>> but I've seen CentOS not do this multiple times).
>>
>>  gregc2 at NRFVUTIL1:~$ cat /etc/pam.d/common-auth
>> #
>> # /etc/pam.d/common-auth - authentication settings common to all services
>> #
>> # This file is included from other service-specific PAM config files,
>> # and should contain a list of the authentication modules that define
>> # the central authentication scheme for use on the system
>> # (e.g., /etc/shadow, LDAP, Kerberos, etc.).  The default is to use the
>> # traditional Unix authentication mechanisms.
>> #
>> # As of pam 1.0.1-6, this file is managed by pam-auth-update by default.
>> # To take advantage of this, it is recommended that you configure any
>> # local modules either before or after the default block, and use
>> # pam-auth-update to manage selection of other modules.  See
>> # pam-auth-update(8) for details.
>>
>> # here are the per-package modules (the "Primary" block)
>> auth    [success=3 default=ignore]      pam_krb5.so minimum_uid=1000
>> auth    [success=2 default=ignore]      pam_unix.so nullok_secure try_first_pass
>> auth    [success=1 default=ignore]      pam_winbind.so krb5_auth krb5_ccache_type=FILE cached_login try_first_pass
>> # here's the fallback if no module succeeds
>> auth    requisite                       pam_deny.so
>> # prime the stack with a positive return value if there isn't one already;
>> # this avoids us returning an error just because nothing sets a success code
>> # since the modules above will each just jump around
>> auth    required                        pam_permit.so
>> # and here are more per-package modules (the "Additional" block)
>> # end of pam-auth-update config
>>
>>
>>
>> there are several other files.... that need to be confed correctly. I can
>> provide those files to you if needed.
>>
>>
>> If you have specific questions feel free to come chat on irc.freenode.net
>> #samba on an irc client. I am there as ioudas and can walk you through as
>> well.
>>
>> -Greg
>>
>
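As an added example (not code from this thread or from Samba), here is a small Python linter that cross-checks the three files Greg walks through above, smb.conf, krb5.conf and nsswitch.conf, for the mismatches that typically leave "wbinfo -u" and "getent passwd" empty: enumeration switched off, an idmap domain without a backend or range (or with overlapping ranges), a realm that krb5.conf does not know, and passwd/group lines in nsswitch that never consult winbind. The sample files are constructed placeholders modelled on the ones posted; parse_ini and check_winbind_setup are this example's own helpers, not Samba tools.

```python
import re
# Constructed sample files, abbreviated from the style of the ones in the thread (placeholders).
SMB_CONF = """\
[global]
workgroup = NRFDIST
security = ads
realm = nrfdist.local
winbind enum users = yes
winbind enum groups = yes
idmap config *:backend = tdb
idmap config *:range = 11000-20000
idmap config NRFDIST:backend = rid
idmap config NRFDIST:range = 20001-30000
"""

KRB5_CONF = """\
[libdefaults]
 default_realm = NRFDIST.LOCAL
[realms]
 NRFDIST.LOCAL = {
  kdc = nrfdc1.nrfdist.local
 }
"""

NSSWITCH_CONF = """\
passwd:         compat winbind
group:          compat winbind
"""

def parse_ini(text):
    """Minimal '[section] key = value' parser; krb5.conf's '{ }' blocks fold into their section."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if not line or line in ("{", "}"):
            continue
        m = re.match(r"^\[(.+)\]$", line)
        if m:
            current = m.group(1).strip().lower()
            sections[current] = {}
        elif "=" in line and current is not None:
            key, val = line.split("=", 1)
            sections[current][key.strip().lower()] = val.strip().rstrip("{").strip()
    return sections

def check_winbind_setup(smb_text, krb5_text, nss_text):
    """Return a list of findings; an empty list means nothing obvious is wrong."""
    findings = []
    g = parse_ini(smb_text).get("global", {})
    krb5 = parse_ini(krb5_text)
    # nsswitch: database name -> list of sources, comments stripped
    nss = {l.split(":", 1)[0].strip(): l.split(":", 1)[1].split()
           for l in (r.split("#", 1)[0] for r in nss_text.splitlines()) if ":" in l}

    # 'wbinfo -u' and 'getent passwd' only enumerate when enumeration is enabled.
    if g.get("winbind enum users", "no").lower() != "yes":
        findings.append("smb.conf: 'winbind enum users' is not 'yes', so 'wbinfo -u' lists nothing")

    # Each idmap domain needs a backend and a range, the '*' default must exist
    # (otherwise SIDs from unlisted domains get no Unix ID), and ranges must not overlap.
    idmap = {}
    for key, val in g.items():
        m = re.match(r"^idmap config ([^:]+):(backend|range)$", key)
        if m:
            idmap.setdefault(m.group(1), {})[m.group(2)] = val
    if "*" not in idmap:
        findings.append("smb.conf: no 'idmap config *' default mapping")
    ranges = []
    for dom, cfg in sorted(idmap.items()):
        for sub in ("backend", "range"):
            if sub not in cfg:
                findings.append(f"smb.conf: 'idmap config {dom}:{sub}' is missing")
        if "range" in cfg:
            low, high = (int(x) for x in re.split(r"\s*-\s*", cfg["range"]))
            ranges.append((low, high, dom))
    ranges.sort()
    for (_, h1, d1), (l2, _, d2) in zip(ranges, ranges[1:]):
        if l2 <= h1:
            findings.append(f"smb.conf: idmap ranges for '{d1}' and '{d2}' overlap")

    # With security = ads, the realm must match what Kerberos knows or lookups fail.
    realm = g.get("realm", "").upper()
    default_realm = krb5.get("libdefaults", {}).get("default_realm", "").upper()
    if g.get("security", "").lower() == "ads":
        if not realm:
            findings.append("smb.conf: security = ads but no 'realm' is set")
        elif realm != default_realm:
            findings.append(f"krb5.conf: default_realm '{default_realm}' != smb.conf realm '{realm}'")
        if realm and realm not in {k.upper() for k in krb5.get("realms", {})}:
            findings.append(f"krb5.conf: no [realms] entry for {realm}")

    # nsswitch must consult winbind, or getent never shows domain users and groups.
    for db in ("passwd", "group"):
        if "winbind" not in nss.get(db, []):
            findings.append(f"nsswitch.conf: '{db}' does not list winbind")
    return findings

if __name__ == "__main__":
    print("\n".join(check_winbind_setup(SMB_CONF, KRB5_CONF, NSSWITCH_CONF)) or "no findings")
```

To use it on a real box, read /etc/samba/smb.conf, /etc/krb5.conf and /etc/nsswitch.conf into the three arguments instead of the constructed strings. An empty finding list only means the files agree with each other; the live checks Greg lists (kinit, wbinfo -a, getent passwd) still decide whether the join and the lookups actually work.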

