[Samba] Second DC doesn't recognize users/groups on getent

Rowland Penny rowlandpenny241155 at gmail.com
Tue Oct 13 13:45:52 UTC 2015


On 13/10/15 14:19, Guilherme Boing wrote:
> Hello,
>
> I just realized that my second DC does not recognize the users from the AD.
> wbinfo -u/-g are working just fine.
>
> [root at dc1 ~]# id bruno.castro
> uid=10004(POL\bruno.castro) gid=100(users)
> grupos=100(users),10001(POL\ti),3000009(BUILTIN\users)
>
> [root at dc2 ~]# id bruno.castro
> id: bruno.castro: no such user
>
> [root at dc1 ~]# wbinfo -i bruno.castro
> POL\bruno.castro:*:10004:100:Bruno de
> Castro:/home/POL/bruno.castro:/bin/bash
>
> [root at dc2 ~]# wbinfo -i bruno.castro
> POL\bruno.castro:*:10004:100:Bruno de
> Castro:/home/POL/bruno.castro:/bin/bash
>
> nsswitch.conf is fine, both dcs are like this:
> passwd:     files sss winbind
> shadow:     files sss winbind
> group:      files sss winbind
>
>
> smb.conf is the same on both DCs (except for the netbios name, where DC1 is
> DC1 and DC2 is DC2)
> # Global parameters
> [global]
>          workgroup = POL
>          realm = POLE.ONLINE
>          netbios name = DC1
>          server role = active directory domain controller
>          dns forwarder = 192.168.22.180
>          log level = 3
>          template shell = /bin/bash
>          idmap_ldb:use rfc2307 = yes
>          allow dns updates = nonsecure
>
> [netlogon]
>          path = /usr/local/samba/var/locks/sysvol/pole.online/scripts
>          read only = No
>
> [sysvol]
>          path = /usr/local/samba/var/locks/sysvol
>          read only = No
>
> drs showrepl also does not prompt any error on both sides.
>
> What am I missing ?
> Not sure if it matters, but DC1 has 4 winbindd processes running while DC2
> has only 3.
> Also noticed from log.winbindd on DC1 that whenever I do 'id brunocastro',
> the system is properly asking winbindd for the user, while on DC2 it does
> not happen.
>
> Both DCs are running CentOS 7 and Samba 4.3.0.

Hi, does running this:

ldbsearch -H /var/lib/samba/private/sam.ldb -b "dc=pole,dc=online" -s sub "(&(objectClass=user)(sAMAccountName=bruno.castro))"

on both DCs, produce the same output?
It should.

Also, unless you are using sssd for sudo or autofs etc. you do not need 
it in /etc/nsswitch.conf if you are also using winbind. As it is set up, 
sssd will respond before winbind, so this may not be a winbind problem, 
it could be an sssd problem.

Rowland
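The two checks Rowland's reply points at, written out as an added example that is not part of the thread and not Samba's own tooling: first, which NSS source answers a passwd/group/shadow lookup first (the poster's nsswitch.conf puts sss ahead of winbind, so a missing user on DC2 can be an sssd answer, not a winbind one); second, whether the sam.ldb record for the user is the same on both DCs once the per-DC uSNCreated/uSNChanged counters are ignored, since those are not replicated and will legitimately differ even when replication is healthy. The nsswitch.conf text and the ldbsearch-style records below are constructed samples in the shape of what the poster showed, not captured output.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread. All sample data below is
# constructed to match the shape of the poster's configuration and output.

# --- 1. NSS lookup order --------------------------------------------------
# Constructed copy of the poster's nsswitch.conf lines (plus an unrelated db).
SAMPLE_NSSWITCH='passwd:     files sss winbind
shadow:     files sss winbind
group:      files sss winbind
hosts:      files dns'

# Constructed variant with sssd removed, so winbind answers AD lookups.
FIXED_NSSWITCH='passwd:     files winbind
shadow:     files winbind
group:      files winbind
hosts:      files dns'

# nss_order DB CONTENT -> the services listed for DB, in lookup order.
nss_order() {
    printf '%s\n' "$2" | awk -v db="$1" '
        BEGIN { key = db ":" }
        $0 !~ /^[ \t]*#/ && $1 == key { $1 = ""; sub(/^[ \t]+/, ""); print; exit }'
}

# sss_before_winbind DB CONTENT -> "yes" when sss is consulted before winbind.
sss_before_winbind() {
    printf '%s\n' "$(nss_order "$1" "$2")" | awk '{
        s = 0; w = 0
        for (i = 1; i <= NF; i++) {
            if ($i == "sss" && s == 0) s = i
            if ($i == "winbind" && w == 0) w = i
        }
        if (s > 0 && w > 0 && s < w) print "yes"; else print "no"
    }'
}

# count_sss_first CONTENT -> number of passwd/shadow/group entries where sss
# is ahead of winbind; 0 means winbind is the first AD-aware source.
count_sss_first() {
    n=0
    for db in passwd shadow group; do
        if [ "$(sss_before_winbind "$db" "$1")" = "yes" ]; then
            n=$((n + 1))
        fi
    done
    echo "$n"
}

# --- 2. Comparing the sam.ldb record across DCs --------------------------
# Constructed ldbsearch-style output for the same user on two DCs. uSNCreated
# and uSNChanged are per-DC update sequence numbers and are expected to differ.
DC1_RECORD='dn: CN=Bruno de Castro,CN=Users,DC=pole,DC=online
objectClass: user
sAMAccountName: bruno.castro
uidNumber: 10004
gidNumber: 100
uSNCreated: 3725
uSNChanged: 3901'

DC2_RECORD='dn: CN=Bruno de Castro,CN=Users,DC=pole,DC=online
objectClass: user
sAMAccountName: bruno.castro
uidNumber: 10004
gidNumber: 100
uSNCreated: 4106
uSNChanged: 4110'

# Constructed record where the RFC2307 attributes are missing on the other DC.
DC3_RECORD='dn: CN=Bruno de Castro,CN=Users,DC=pole,DC=online
objectClass: user
sAMAccountName: bruno.castro
uSNCreated: 4106
uSNChanged: 4110'

# strip_local_attrs CONTENT -> the record without the per-DC uSN counters.
strip_local_attrs() {
    printf '%s\n' "$1" | grep -Ev '^uSN(Created|Changed):'
}

# same_on_both_dcs A B -> "yes" when the replicated attributes match.
same_on_both_dcs() {
    if [ "$(strip_local_attrs "$1")" = "$(strip_local_attrs "$2")" ]; then
        echo yes
    else
        echo no
    fi
}

# Stand-alone run: report both checks against the constructed samples.
for db in passwd shadow group; do
    printf '%-7s %-22s sss before winbind: %s\n' "$db:" \
        "$(nss_order "$db" "$SAMPLE_NSSWITCH")" "$(sss_before_winbind "$db" "$SAMPLE_NSSWITCH")"
done
echo "dbs where sss answers first: $(count_sss_first "$SAMPLE_NSSWITCH")"
echo "dc1 vs dc2 record identical (ignoring uSN): $(same_on_both_dcs "$DC1_RECORD" "$DC2_RECORD")"
echo "dc1 vs dc3 record identical (ignoring uSN): $(same_on_both_dcs "$DC1_RECORD" "$DC3_RECORD")"
```

On a real pair of DCs you would feed `nss_order` the contents of each host's /etc/nsswitch.conf and `same_on_both_dcs` the output of Rowland's ldbsearch command captured on each DC; a "no" from the second check with an otherwise clean `drs showrepl` is worth a closer look at the uidNumber/gidNumber attributes on the DC that fails the `id` lookup.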