[Samba] getent not showing domain users and groups with winbind but works with sssd
Rowland Penny
rpenny at samba.org
Mon Oct 1 08:02:06 UTC 2018
On Sun, 30 Sep 2018 23:25:48 +0200
Peter Milesson via samba <samba at lists.samba.org> wrote:
> Hi folks,
>
> AD server CentOS 7-1804, Samba 4.9.1 compiled from source, only used
> as AD server, with netlogon and sysvol, just like any Windows AD
> server
>
> AD member server CentOS 7-1804, Samba 4.7.1 installed from CentOS
> repositories, intended for use as a file server, with shares for
> roaming profiles, home directories, and data shares.
>
>
> I know that the getent problem has been discussed ad nauseam here,
> but this really beats me. The AD server works, except for dynamic DNS
> updates, which seems to be a known problem, so I'm not going to
> mention it here further.
>
> Winbind seems to work, displaying groups and users through wbinfo.
> Kerberos also works. Had a bit of a problem joining the member server
> to the domain, but it eventually worked. The net rpc join command
> requires the -S switch, which is omitted almost everywhere in the
> documentation. But the id, or getent users or getent groups just do
> not give away anything. Empty.
>
> On a hunch, I tried replacing winbind with sssd. Stopping winbind,
> and starting sssd, everything works nicely.
>
> I have followed all the Wikis, and gone through most of what's been
> written the last 2 years, also on the list, about configuring a Samba
> member server. I have checked that the lib files exist, and are in
> the right places, tried different versions of nsswitch.conf, etc. I'm
> not completely sure if the winbind entries make any difference when
> using sssd, as sssd.conf and realmd.conf seem to have got entries
> that effectively replace the winbind entries in smb.conf.
>
> Below is smb.conf, and nsswitch.conf. I've tried a bunch of different
> settings for passwd and group in nsswitch, but it does not seem to
> make any difference with winbind (files winbind, files winbind sss,
> files sss winbind, files pam winbind, files winbind pam, etc., etc.,
> etc.).
>
> What also beats me is that the logs are very quiet.
>
> I am happy that it works with sssd, but I just don't want to leave it
> without any explanations. At least not after spending a day trying to
> get it working.
>
You have two important lines missing and one that is wrong; try this
smb.conf:
[global]
workgroup = SAMDOM
security = ADS
realm = SAMDOM.EXAMPLE.COM
idmap config * : backend = tdb
idmap config * : range = 3000-9999
idmap config SAMDOM:backend = rid
idmap config SAMDOM:range = 10000-99999
local master = no
domain master = no
preferred master = no
template homedir = /dev/null
winbind use default domain = yes
winbind offline logon = yes
username map = /etc/samba/user.map
dedicated keytab file = /etc/krb5.keytab
kerberos method = secrets and keytab
winbind refresh tickets = Yes
client signing = mandatory
printing = bsd
printcap name = /dev/null
load printers = no
disable spoolss = yes
vfs objects = acl_xattr
map acl inherit = yes
The join command is 'net ads join -U Administrator' and this should
find the DC without any other options. If it doesn't, you have a
misconfiguration in your network setup.
Your nsswitch.conf should look something like this:
passwd: files winbind
shadow: files
group: files winbind
initgroups: files
hosts: files dns
# Example - obey only what nisplus tells us...
#services: nisplus [NOTFOUND=return] files
#networks: nisplus [NOTFOUND=return] files
#protocols: nisplus [NOTFOUND=return] files
#rpc: nisplus [NOTFOUND=return] files
#ethers: nisplus [NOTFOUND=return] files
#netmasks: nisplus [NOTFOUND=return] files
bootparams: nisplus [NOTFOUND=return] files
ethers: files
netmasks: files
networks: files
protocols: files
rpc: files
services: files
netgroup: files
publickey: nisplus
automount: files ldap
aliases: files nisplus
Rowland
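As an added example (not Rowland's or the Samba project's code), a small POSIX shell check for the two things the reply points at: an smb.conf whose `idmap config * : range` line lacks its `=` (or whose `*` and domain ranges overlap), and an nsswitch.conf that does not consult winbind for passwd and group. The sample configs are constructed here; SAMDOM is the domain name from the reply.

```shell
#!/bin/sh
# Added example, not from the thread: check the two points the reply makes.
# 1) nsswitch.conf must list winbind on the passwd: and group: lines.
# 2) smb.conf must carry an idmap range for '*' and for the domain, each
#    written "key = LOW-HIGH", and the two ranges must not overlap.

# Exit 0 when "winbind" appears on both the passwd: and group: lines.
nss_has_winbind() {
    awk '/^[ \t]*#/ { next }
         $1 == "passwd:" { for (i = 2; i <= NF; i++) if ($i == "winbind") p = 1 }
         $1 == "group:"  { for (i = 2; i <= NF; i++) if ($i == "winbind") g = 1 }
         END { exit !(p && g) }' "$1"
}

# Exit 0 when both ranges are present and disjoint, 1 when one is missing or
# lacks its "=" (awk then sees a single field), 2 when the ranges overlap
# (rid-mapped IDs would then collide with IDs the default tdb allocator hands out).
idmap_ranges_ok() {
    awk -F'=' '/^[ \t]*[#;]/ { next }
        { key = tolower($1); gsub(/[ \t]+/, "", key) }
        NF == 2 && key == "idmapconfig*:range" { split($2, r, "-"); slo = r[1]+0; shi = r[2]+0; s = 1 }
        NF == 2 && key ~ /^idmapconfig[^*:]+:range$/ { split($2, r, "-"); dlo = r[1]+0; dhi = r[2]+0; d = 1 }
        END { if (!(s && d)) exit 1; if (slo <= dhi && dlo <= shi) exit 2; exit 0 }' "$1"
}

# Constructed sample configs: the range line as posted (no "=") and as corrected.
TMP=$(mktemp -d)
cat > "$TMP/smb.conf.posted" <<'EOF'
[global]
idmap config * : backend = tdb
idmap config * : range 3000-9999
idmap config SAMDOM:backend = rid
idmap config SAMDOM:range = 10000-99999
EOF
cat > "$TMP/smb.conf.fixed" <<'EOF'
[global]
idmap config * : backend = tdb
idmap config * : range = 3000-9999
idmap config SAMDOM:backend = rid
idmap config SAMDOM:range = 10000-99999
EOF
printf 'passwd: files winbind\nshadow: files\ngroup: files winbind\n' > "$TMP/nsswitch.conf"

for f in posted fixed; do
    if idmap_ranges_ok "$TMP/smb.conf.$f"; then echo "smb.conf.$f: idmap ranges ok"
    else echo "smb.conf.$f: idmap range missing, lacks '=', or overlaps"; fi
done
nss_has_winbind "$TMP/nsswitch.conf" && echo "nsswitch.conf: winbind consulted for passwd and group"
```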