[Samba] Samba 4.5.3 AD DC - issues with sysvol when setting up Group Policies

Richard p1 at originsystems.co.za
Sun Jan 15 20:52:03 UTC 2017 

Hi Rowland,

100% ! I hadn't set up the libnss_winbind links.

I have now done this using:

# ln -s /usr/local/samba/lib/libnss_winbind.so.2 /lib64/
# ln -s /lib64/libnss_winbind.so.2 /lib64/libnss_winbind.so
# ldconfig

When I test as follows all looks good:

root at dc1:~ # wbinfo --ping-dc
checking the NETLOGON for domain[CT] dc connection to "dc1.ct.mydomain.com" succeeded

but for some reason I don’t understand "getent" still doesn't work when executed on the DC

root at dc1:~ # getent passwd richard.h
root at dc1:~ #

If I do the same on one of the domain members  it works fine...

root at office1:~ # getent passwd richard.h
richard.h:*:10010:10001::/home/ richard.h:/bin/bash


I'm pretty sure I'm doing the same pam / nsswitch setup on the DC as I did on the domain members (not sure whether relevant but the domain members are running standard CentOS 7 Samba 4.4.4 packages)

do you possibly have any idea why getent isn't working on the domain controller? 

thanks!


-----Original Message-----
From: samba [mailto:samba-bounces at lists.samba.org] On Behalf Of Rowland Penny via samba
Sent: 15 January 2017 21:05
To: samba at lists.samba.org
Subject: Re: [Samba] Samba 4.5.3 AD DC - issues with sysvol when setting up Group Policies

On Sun, 15 Jan 2017 20:30:25 +0200
Richard via samba <samba at lists.samba.org> wrote:

> I remain baffled as to why richard.h cannot access the sysvol share. 
> 
> Permissions all seem ok from what I can see and I'm not sure why this 
> should be any different from normal AD share behaviour (our other 
> shares are working fine for domain users)
> 
> I would really appreciate it if someone could let me know whether the 
> sysvol has become corrupt in some way and  I am wasting my time even 
> trying to sort this out.
> 
> thanks
> 

I have thought about this and notice that you gave 'Domain Admins' a gidNumber (which you have now removed), but 'getfacl' only showed the number not the group name. This makes me wonder if you have set up the libnss_winbind links etc. If you haven't, or don't know what I mean, see here:

https://wiki.samba.org/index.php/Configuring_Winbindd_on_a_Samba_AD_DC

Rowland

--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba

More information about the samba mailing list