[Samba] getenv does not return any AD DOMAIN users or groups - ?nsswitch is not setup for Samba?

Barry D. Adkins Barry at daram.com
Fri Nov 16 02:08:45 UTC 2018 

The problem is that getenv does not return any AD domain users or groups. From much research this seems to be because nsswitch is not setup for Samba.

I would really appreciate some assistance as I think this is my last hurdle for actually being able to use this test file server.

Ubuntu server 18.04 - Samba installed and configured (almost)
Kerberos functioning. wbinfo --ping-dc successfully contacts domain server
Browse server from windows client sees printer share

The Libnss winbind Links Wiki says to do this:

# smbd -b | grep LIBDIR  >>> smdb... doesn't work but samba -b does work
LIBDIR: /usr/local/samba/lib/
# ln -s /usr/local/samba/lib/libnss_winbind.so.2 /lib/x86_64-linux-gnu/
# ln -s /lib/x86_64-linux-gnu/libnss_winbind.so.2 /lib/x86_64-linux-gnu/libnss_winbind.so
# ldconfig

Although as seen below there doesn't seem to be a LIBDIR entry, it seemed as if it might be /usr/lib/x86_64-linux-gnu/samba so I ran the above ln commands with this in mind. It didn't work. I also appended "files windbind" to the 2 entries in nsswitch.conf.

~$ samba -b
Samba version: 4.7.6-Ubuntu
Build environment:
Paths:

BINDIR: /usr/bin
SBINDIR: /usr/sbin
CONFIGFILE: /etc/samba/smb.conf
NCALRPCDIR: /var/run/samba/ncalrpc
LOGFILEBASE: /var/log/samba
LMHOSTSFILE: /etc/samba/lmhosts
DATADIR: /usr/share
MODULESDIR: /usr/lib/x86_64-linux-gnu/samba
LOCKDIR: /var/run/samba
STATEDIR: /var/lib/samba
CACHEDIR: /var/cache/samba
PIDDIR: /var/run/samba
PRIVATE_DIR: /var/lib/samba/private
CODEPAGEDIR: /usr/share/samba/codepages
SETUPDIR: /usr/share/samba/setup
WINBINDD_SOCKET_DIR: /var/run/samba/winbindd
NTP_SIGND_SOCKET_DIR: /var/lib/samba/ntp_signd
It doesn't seem there is a LIBDIR. Not sure what to do about that. The folder /usr/local/samba/lib does not exist.

~$ locate libnss_winbind
/lib/x86_64-linux-gnu/libnss_winbind.so.2
Samba config:

[global]
dns forwarder = my.DNS.ip.address
dns proxy = No
log file = /var/log/samba/log.%m
logging = syslog at 1 /var/log/samba/log.%m
map to guest = Bad User
max log size = 1000
panic action = /usr/share/samba/panic-action %d
realm = DOMAIN.COM
security = ADS
server role = member server
server string = %h server (Samba, Ubuntu)
template shell = /bin/bash
usershare allow guests = Yes
winbind enum groups = Yes
winbind enum users = Yes
winbind nss info = rfc2307
winbind use default domain = Yes
workgroup = DOMAIN
idmap config DOMAIN : range = 50000-1000000
idmap config DOMAIN : backend = ad
idmap config * : range = 3000-7999
idmap config * : backend = tbd
map acl inherit = Yes
store dos attributes = Yes
vfs objects = acl_xattr

[printers]
browseable = No
comment = All Printers
create mask = 0700
path = /var/spool/samba
printable = Yes
[print$] comment = Printer Drivers path = /var/lib/samba/printers

-Barry

More information about the samba mailing list