[Samba] getenv does not return any AD DOMAIN users or groups - ?nsswitch is not setup for Samba?
Rowland Penny
rpenny at samba.org
Tue Nov 20 09:17:58 UTC 2018
On Tue, 20 Nov 2018 05:29:35 +0000
"Barry D. Adkins via samba" <samba at lists.samba.org> wrote:
> While I have all the uid's and gid's entered on every user and group,
> the server can't find or recognize them. Not in getent, not in
> commands referencing AD users or groups.
>
> I'm going to go ahead and install another Ubuntu server with Samba
> and create a Samba DC. I'll keep this stand alone server and see if
> it starts working after I get the Samba DC properly joined to the
> domain.
>
> The below answers some of your queries and documents how I got the AD
> Schema into the Windows Schema Master.
>
> I don't need help with HOW to do in Windows, just WHAT to do in
> Windows.
To be honest, I don't know what to do on Windows (apart from knowing
that you need IDMU) because I don't use Windows. What I do know is, if
the Samba machine is set up correctly it will work with a Samba DC or a
Windows DC (provided the info is available in AD)
>
> I hope to contribute at least a helping hand with linux, samba, and
> all the other Open systems.
>
> I greatly appreciate your assistance and patience with our endeavour
> with Samba!!
>
> > >Where did you find this and where have you imported this to and
> > >how.
> >> Here: https://wiki.samba.org/index.php/Setting_up_RFC2307_in_AD
> >That is Samba's version of IDMU, didn't know it worked with a
> >Windows DC, good to know though.
>
> >> I used the windows tool LDIFDE to import the schema to the Windows
> >> AD Schema. Otherwise there is no schema for the Unix Attributes.
>
> This is what I did. I had also found an internet article for using
> Samba tools to get the ldif to the Windows Schema master. I didn't
> try it because I wasn't certain of the samba tool and knew the MS
> LDIFDE tool would work.
>
> DC1 = Schema Master
>
> Find FSMO's on a Windows DC (schema master is one of them):
> C:\> NetDOM /query FSMO
>
> # sed -i -e 's/${DOMAINDN}/DC=example,DC=com/g' \
> -e 's/${NETBIOSNAME}/DC1/g' \
> -e 's/${NISDOMAIN}/samdom/g' \
> /tmp/ypServ30.ldif
>
> Move the ypServ30.ldif file you've created here to the Windows DC
> where you will run ldifde
>
> C:\utils\> ldifde -i -f ypServ30.ldif -s SchemaMasterDC
>
So basically you just imported the Samba ldif into AD using the Windows
tools, interesting, I wonder if anybody else has ever done this ?
> >Not sure just what Samba packages you have installed on the Debian
> >computer
>
> From the wiki:
> https://wiki.samba.org/index.php/Distribution-specific_Package_Installation
> I ran the following: apt-get install samba winbind libnss-winbind
> libpam-winbind
> One of your comments mentioned: libpam-krb5
> So I installed it.
> -->> and as well I had previously installed and configured Kerberos:
> apt-get install krb5-user krb5-config
>
You seem to have done everything correctly, but it doesn't work. Do you
want to try something ?
If so, find these lines on your Samba Unix domain member:

    idmap config domain : unix_nss_info = yes
    idmap config domain : range = 50000-1000000
    idmap config domain : backend = ad

NOTE: now I look at them, there is a line missing, try adding:

    idmap config domain : schema_mode = rfc2307

If that doesn't help, change 'backend = ad' to 'backend = rid'
If getent now works, there is a problem with your set up on the Unix
domain member (which I can help you with) or there is something wrong
on your Windows DC and here, I will be lost.
If getent still doesn't work, then it is probably an nsswitch problem.
Rowland
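
An added example, not part of the original message and not Samba's own tooling: a small Python check for the two things the reply above points at, the idmap lines for the domain in smb.conf and winbind in nsswitch.conf. The file contents and the domain name SAMDOM are constructed sample input, and the function names are hypothetical.

```python
import re

# Constructed sample input (not from the thread); SAMDOM is a placeholder domain.
SMB_CONF = """\
[global]
    workgroup = SAMDOM
    idmap config * : backend = tdb
    idmap config * : range = 3000-7999
    idmap config SAMDOM : unix_nss_info = yes
    idmap config SAMDOM : range = 50000-1000000
    idmap config SAMDOM : backend = ad
"""
NSSWITCH = """\
passwd:         compat systemd
group:          compat systemd winbind
"""

def idmap_settings(smb_conf, domain):
    """Return {option: value} for each 'idmap config <domain> : opt = val' line."""
    pat = re.compile(r"^\s*idmap\s+config\s+(\S+)\s*:\s*([^=]+?)\s*=\s*(.*?)\s*$", re.I)
    found = {}
    for line in smb_conf.splitlines():
        m = pat.match(line)  # commented-out lines (# or ;) do not match
        if m and m.group(1).lower() == domain.lower():
            found[m.group(2).lower()] = m.group(3)
    return found

def nss_sources(nsswitch, database):
    """Return the sources listed for one nsswitch.conf database."""
    for line in nsswitch.splitlines():
        line = line.split("#", 1)[0]
        if line.strip().startswith(database + ":"):
            return line.split(":", 1)[1].split()
    return []

def diagnose(smb_conf, nsswitch, domain):
    """Collect the problems the reply suggests looking for."""
    problems = []
    idmap = idmap_settings(smb_conf, domain)
    if idmap.get("backend") == "ad" and idmap.get("schema_mode") != "rfc2307":
        problems.append("idmap ad backend without schema_mode = rfc2307")
    if "range" not in idmap:
        problems.append("no idmap range for " + domain)
    for db in ("passwd", "group"):
        if "winbind" not in nss_sources(nsswitch, db):
            problems.append(db + " in nsswitch.conf does not list winbind")
    return problems

print(diagnose(SMB_CONF, NSSWITCH, "SAMDOM"))
```

To run it against a real member server, pass the contents of its smb.conf and /etc/nsswitch.conf and the domain's NetBIOS name instead of the sample strings.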