[Samba] getenv does not return any AD DOMAIN users or groups - ?nsswitch is not setup for Samba?

Barry D. Adkins Barry at daram.com
Sun Nov 18 01:27:15 UTC 2018


> The problem is that getenv does not return any AD domain users or
> groups. From much research this seems to be because nsswitch is not
> setup for Samba.

>>I take it you mean 'getent'
YES

> The Libnss winbind Links Wiki says to do this:
>
> # smbd -b | grep LIBDIR  >>> smdb... doesn't work

>>On Ubuntu it wouldn't, but this should:

>>sudo smbd -b | grep LIBDIR
>>   LIBDIR: /usr/lib/x86_64-linux-gnu

Glad I'm not a betting man, because I thought I did that and it didn't work. Anyway it does now, probably me; working through all the setup, things don't go exactly like the wikis and other helpful internet articles.

This is what reports LIBDIR: /usr/lib/x86_64-linux-gnu

> # ln -s /usr/local/samba/lib/libnss_winbind.so.2 /lib/x86_64-linux-gnu/
> # ln -s /lib/x86_64-linux-gnu/libnss_winbind.so.2 /lib/x86_64-linux-gnu/libnss_winbind.so
> # ldconfig

I AM THINKING THESE ln COMMANDS ARE NOT NEEDED GIVEN THE LIBDIR IS /usr/lib/x86_64-linux-gnu ???

>
> Although as seen below there doesn't seem to be a LIBDIR entry, it
> seemed as if it might be /usr/lib/x86_64-linux-gnu/samba so I ran the
> above ln commands with this in mind. It didn't work. I also appended
> "files windbind" to the 2 entries in nsswitch.conf.
>
> ~$ samba -b
> Samba version: 4.7.6-Ubuntu
> Build environment:
> Paths:
>
> BINDIR: /usr/bin
> SBINDIR: /usr/sbin
> CONFIGFILE: /etc/samba/smb.conf
> NCALRPCDIR: /var/run/samba/ncalrpc
> LOGFILEBASE: /var/log/samba
> LMHOSTSFILE: /etc/samba/lmhosts
> DATADIR: /usr/share
> MODULESDIR: /usr/lib/x86_64-linux-gnu/samba
> LOCKDIR: /var/run/samba
> STATEDIR: /var/lib/samba
> CACHEDIR: /var/cache/samba
> PIDDIR: /var/run/samba
> PRIVATE_DIR: /var/lib/samba/private
> CODEPAGEDIR: /usr/share/samba/codepages
> SETUPDIR: /usr/share/samba/setup
> WINBINDD_SOCKET_DIR: /var/run/samba/winbindd
> NTP_SIGND_SOCKET_DIR: /var/lib/samba/ntp_signd

>>Now this is interesting, in your 'samba -b | grep LIBDIR' above, the
>>location is /usr/local/samba, yet it then changes to /var/lib/samba.

The "above" you were looking at in my post was just me quoting what the wiki mentioned.

>>The Samba wiki is written from the point of view of a self compiled
>>Samba, where the default location for everything is /usr/local/samba,
>>the default location for most of Samba using the Ubuntu packages
>>is /var/lib/samba, so what are you using, a self compiled Samba, or
>>the Ubuntu packages ?

I installed Ubuntu packages indeed.

>>Check if these three packages are installed: libpam-winbind libpam-krb5
>>libnss-winbind

Yes they are installed

> Samba config:
>
> [global]
> dns forwarder = my.DNS.ip.address

>>Why have you got a line that should only be in a DC smb.conf ?

I was following instructions from some web article.  I removed it based on your comment.

> dns proxy = No
> log file = /var/log/samba/log.%m
> logging = syslog@1 /var/log/samba/log.%m
> map to guest = Bad User
> max log size = 1000
> panic action = /usr/share/samba/panic-action %d
> realm = DOMAIN.COM
> security = ADS
> server role = member server
> server string = %h server (Samba, Ubuntu)
> template shell = /bin/bash
> usershare allow guests = Yes
> winbind enum groups = Yes
> winbind enum users = Yes

>>You should only have the 'winbind enum' lines for testing purposes.

Noted

> winbind nss info = rfc2307

>>Replace the above line with:
>>idmap config DOMAIN : unix_nss_info = yes

Done

> winbind use default domain = Yes
> workgroup = DOMAIN
> idmap config DOMAIN : range = 50000-1000000

>>Does the 'Domain Users' group have a gidNumber attribute containing a
>>number inside the range above ?
>>Do your users have a uidNumber attribute containing a unique number
>>inside the same range ?

Well, I'm not certain.  I used Windows System tools to examine SIDs on the Domain Controller, but I have not found out how, or for sure whether, a SID can be converted to a UID.
To be clear, getent passwd reports many entries, but NONE from Active Directory, same for groups.

This whole "exercise" was begun because of the failure of this command:
chown root:"Domain Admins" /srv/samba/filestore/
chown: invalid group: 'root:Domain Admins'

I created /srv/samba/filestore/ to share, and in fact it is shared, but I have not been able to set permissions per this WIKI:
https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs

It's still not working, but I will continue to research the SID/UID/GID world.

Barry
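
Added example (not part of the message above, the replies it quotes, or the Samba wiki): a shell check for the two prerequisites discussed in this thread, namely that the passwd and group lines of an nsswitch.conf name the source "winbind" exactly, and that libnss_winbind.so.2 is present in a library directory you pass in. The function names and the sample file are constructed for illustration; the sample deliberately contains a misspelled source to show the failing case.

```shell
#!/bin/sh
# Added example, not from the thread: function names are hypothetical.

# Print the sources listed for database $2 in nsswitch-style file $1.
nss_sources() {
    sed -e 's/#.*//' "$1" |
        awk -v db="$2:" '$1 == db { $1 = ""; sub(/^ +/, ""); print; exit }'
}

# Succeed only if database $2 in file $1 lists the exact word "winbind".
has_winbind() {
    sed -e 's/#.*//' "$1" |
        awk -v db="$2:" '
            $1 == db { for (i = 2; i <= NF; i++) if ($i == "winbind") found = 1 }
            END { exit (found ? 0 : 1) }'
}

# Succeed if the NSS module file exists in directory $1.
has_nss_lib() {
    [ -e "$1/libnss_winbind.so.2" ]
}

# Report on nsswitch file $1 and library directory $2; non-zero on any failure.
report() {
    rc=0
    for db in passwd group; do
        if has_winbind "$1" "$db"; then
            echo "ok:   $db: $(nss_sources "$1" "$db")"
        else
            echo "FAIL: $db lacks 'winbind': $(nss_sources "$1" "$db")"
            rc=1
        fi
    done
    if has_nss_lib "$2"; then
        echo "ok:   $2/libnss_winbind.so.2"
    else
        echo "FAIL: $2/libnss_winbind.so.2 not found"
        rc=1
    fi
    return $rc
}

# Constructed sample (not a real host's file); passwd has a misspelled source.
sample=$(mktemp -d)
printf 'passwd: files windbind\ngroup:  files winbind\n' > "$sample/nsswitch.conf"
report "$sample/nsswitch.conf" "$sample" || echo "result: checks failed"
```

On a real host, call report with /etc/nsswitch.conf and the directory where the libnss-winbind package (or the ln commands) placed the module.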


