[Samba] Samba 4.5.3 AD DC - issues with sysvol when setting up Group Policies

Rowland Penny rpenny at samba.org
Sun Jan 15 22:00:20 UTC 2017


On Sun, 15 Jan 2017 22:52:03 +0200
Richard via samba <samba at lists.samba.org> wrote:

> Hi Rowland,
> 
> 100% ! I hadn't set up the libnss_winbind links.
> 
> I have now done this using:
> 
> # ln -s /usr/local/samba/lib/libnss_winbind.so.2 /lib64/
> # ln -s /lib64/libnss_winbind.so.2 /lib64/libnss_winbind.so
> # ldconfig
> 
> When I test as follows all looks good:
> 
> root@dc1:~ # wbinfo --ping-dc
> checking the NETLOGON for domain[CT] dc connection to
> "dc1.ct.mydomain.com" succeeded
> 
> but for some reason I don’t understand "getent" still doesn't work
> when executed on the DC
> 
> root@dc1:~ # getent passwd richard.h
> root@dc1:~ #
> 
> If I do the same on one of the domain members it works fine...
> 
> root@office1:~ # getent passwd richard.h
> richard.h:*:10010:10001::/home/ richard.h:/bin/bash
> 
> 
> I'm pretty sure I'm doing the same pam / nsswitch setup on the DC as
> I did on the domain members (not sure whether relevant but the domain
> members are running standard CentOS 7 Samba 4.4.4 packages)
> 
> Do you possibly have any idea why getent isn't working on the domain
> controller?
> 
> thanks!
> 
> 
> -----Original Message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On Behalf Of
> Rowland Penny via samba
> Sent: 15 January 2017 21:05
> To: samba at lists.samba.org
> Subject: Re: [Samba] Samba 4.5.3 AD DC - issues with sysvol when
> setting up Group Policies
> 
> On Sun, 15 Jan 2017 20:30:25 +0200
> Richard via samba <samba at lists.samba.org> wrote:
> 
> > I remain baffled as to why richard.h cannot access the sysvol
> > share. 
> > 
> > Permissions all seem ok from what I can see and I'm not sure why
> > this should be any different from normal AD share behaviour (our
> > other shares are working fine for domain users)
> > 
> > I would really appreciate it if someone could let me know whether
> > the sysvol has become corrupt in some way and I am wasting my time
> > even trying to sort this out.
> > 
> > thanks
> > 
> 
> I have thought about this and notice that you gave 'Domain Admins' a
> gidNumber (which you have now removed), but 'getfacl' only showed the
> number not the group name. This makes me wonder if you have set up
> the libnss_winbind links etc. If you haven't, or don't know what I
> mean, see here:
> 
> https://wiki.samba.org/index.php/Configuring_Winbindd_on_a_Samba_AD_DC
> 
> Rowland
> 

Check PAM, see here:

https://wiki.samba.org/index.php/Authenticating_Domain_Users_Using_PAM

Rowland
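
A check for the NSS side of the setup discussed in this thread, where wbinfo works but getent returns nothing on the DC. It is an added example, not part of the original message or of Samba's own tooling. The function names are hypothetical, and it assumes the passwd and group lines of nsswitch.conf should list winbind and that libnss_winbind.so.2 lives in /lib64 as in the quoted commands.

```shell
#!/bin/sh
# Added example: checks the two NSS pieces getent depends on.
# All function names are hypothetical; defaults are assumptions.

# nss_has_winbind FILE DB: succeed if DB's line in FILE lists winbind
nss_has_winbind() {
    awk -v db="$2" '
        { sub(/#.*/, "") }                      # ignore comments
        match($0, "^[ \t]*" db ":") {
            n = split(substr($0, RSTART + RLENGTH), src, /[ \t]+/)
            for (i = 1; i <= n; i++) if (src[i] == "winbind") found = 1
        }
        END { exit !found }
    ' "$1"
}

# nss_lib_ok DIR: succeed if libnss_winbind.so.2 in DIR resolves to a
# readable file (-r follows symlinks, so a dangling link fails)
nss_lib_ok() {
    [ -r "$1/libnss_winbind.so.2" ]
}

# check_dc_nss [CONF] [LIBDIR]: print findings, return number of problems
check_dc_nss() {
    conf=${1:-/etc/nsswitch.conf}
    libdir=${2:-/lib64}
    problems=0
    for db in passwd group; do
        if ! nss_has_winbind "$conf" "$db"; then
            echo "FAIL: $db line in $conf does not list winbind"
            problems=$((problems + 1))
        fi
    done
    if ! nss_lib_ok "$libdir"; then
        echo "FAIL: $libdir/libnss_winbind.so.2 is missing or dangling"
        problems=$((problems + 1))
    fi
    if [ "$problems" -eq 0 ]; then echo "OK: NSS is wired to winbind"; fi
    return "$problems"
}

# Run against the live system only when asked: sh script.sh --run
if [ "${1:-}" = "--run" ]; then check_dc_nss; fi
```

A clean result here followed by an empty `getent passwd <user>` means the fault lies outside these two checks.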