[Samba] getent not showing domain users and groups with winbind but works with sssd

Peter Milesson miles at atmos.eu
Mon Oct 1 09:48:25 UTC 2018


On 10/1/18 10:02 AM, Rowland Penny via samba wrote:
> On Sun, 30 Sep 2018 23:25:48 +0200
> Peter Milesson via samba <samba at lists.samba.org> wrote:
>
>> Hi folks,
>>
>> AD server CentOS 7-1804, Samba 4.9.1 compiled from source, only used
>> as AD server, with netlogon and sysvol, just like any Windows AD
>> server
>>
>> AD member server CentOS 7-1804, Samba 4.7.1 installed from CentOS
>> repositories, intended for use as a file server, with shares for
>> roaming profiles, home directories, and data shares.
>>
>>
>> I know that the getent problem has been discussed ad nauseam here,
>> but this really beats me. The AD server works, except for dynamic DNS
>> updates, which seems to be a known problem, so I'm not going to
>> mention it here further.
>>
>> Winbind seems to work, displaying groups and users through wbinfo.
>> Kerberos also works. Had a bit of a problem joining the member server
>> to the domain, but it eventually worked. The net rpc join command
>> requires the -S switch, which is omitted almost everywhere in the
>> documentation. But the id, or getent users or getent groups just do
>> not give away anything. Empty.
>>
>> On a hunch, I tried replacing winbind with sssd. Stopping winbind,
>> and starting sssd, everything works nicely.
>>
>> I have followed all the Wikis, and gone through most of what's been
>> written the last 2 years, also on the list, about configuring a Samba
>> member server. I have checked that the lib files exist, and are in
>> the right places, tried different versions of nsswitch.conf, etc. I'm
>> not completely sure if the winbind entries make any difference when
>> using sssd, as sssd.conf and realmd.conf seem to have got entries
>> that effectively replace the winbind entries in smb.conf.
>>
>> Below is smb.conf, and nsswitch.conf. I've tried a bunch of different
>> settings for passwd and group in nsswitch, but it does not seem to
>> make any difference with winbind (files winbind, files winbind sss,
>> files sss winbind, files pam winbind, files winbind pam, etc., etc.,
>> etc.).
>>
>> What also beats me is that the logs are very quiet.
>>
>> I am happy that it works with sssd, but I just don't want to leave it
>> without any explanations. At least not after spending a day trying to
>> get it working.
>>
> You have two important lines missing and one that is wrong, try this
> smb.conf:
>
> [global]
>      workgroup = SAMDOM
>      security = ADS
>      realm = SAMDOM.EXAMPLE.COM
>
>      idmap config * : backend = tdb
>      idmap config * : range 3000-9999
>      idmap config SAMDOM:backend = rid
>      idmap config SAMDOM:range = 10000-99999
>
>      local master = no
>      domain master = no
>      preferred master = no
>
>      template homedir = /dev/null
>      winbind use default domain = yes
>      winbind offline logon = yes
>
>      username map = /etc/samba/user.map
>
>      dedicated keytab file = /etc/krb5.keytab
>      kerberos method = secrets and keytab
>      winbind refresh tickets = Yes
>      client signing = mandatory
>
>      printing = bsd
>      printcap name = /dev/null
>      load printers = no
>      disable spoolss = yes
>
>      vfs objects = acl_xattr
>      map acl inherit = yes
>
> The join command is 'net ads join -U Administrator' and this should
> find the DC without any other options. If it doesn't, you have a
> misconfiguration in your network setup.
>
> Your nsswitch.conf should look something like this:
>
> passwd:     files winbind
> shadow:     files
> group:      files winbind
> initgroups: files
>
> hosts:      files dns
>
> # Example - obey only what nisplus tells us...
> #services:   nisplus [NOTFOUND=return] files
> #networks:   nisplus [NOTFOUND=return] files
> #protocols:  nisplus [NOTFOUND=return] files
> #rpc:        nisplus [NOTFOUND=return] files
> #ethers:     nisplus [NOTFOUND=return] files
> #netmasks:   nisplus [NOTFOUND=return] files
>
> bootparams: nisplus [NOTFOUND=return] files
>
> ethers:     files
> netmasks:   files
> networks:   files
> protocols:  files
> rpc:        files
> services:   files
>
> netgroup:   files
>
> publickey:  nisplus
>
> automount:  files ldap
> aliases:    files nisplus
>
> Rowland
>
>
Hi Rowland,

Thanks for your input. Now I see that the three crucial lines at the top
of the smb.conf file went missing somewhere. I made the suggested
changes in both the smb.conf file and the nsswitch.conf file, and
disabled sssd, but now the smbd and winbindd daemons do not start at
all. Trying Kerberos, I get tickets from the server. Also did a restart.
Did not help.

The smb.conf now looks like below. The logged errors from trying to 
start smbd and winbindd are also displayed below. I am quite out of 
ideas about this. Maybe it's better to wipe it and make a fresh 
installation.

Best regards,

Peter

smb.conf
======

[global]
    workgroup = KONSTRUKCE
    security = ADS
    realm = KONSTRUKCE.LOCAL

    idmap config * : backend = tdb
    idmap config * : range 3000-9999
    idmap config KONSTRUKCE:backend = rid
    idmap config KONSTRUKCE:range = 10000-99999

    local master = no
    domain master = no
    preferred master = no

#   template shell = /bin/false
    template homedir = /dev/null
    winbind use default domain = true
    winbind offline logon = true

    username map = /etc/samba/user.map

    dedicated keytab file = /etc/krb5.keytab
    kerberos method = secrets and keytab
    winbind refresh tickets = Yes
    client signing = mandatory
#   client use spnego = yes

    winbind enum users = yes
    winbind enum groups = yes

    printing = bsd
    printcap name = /dev/null
    load printers = no
    disable spoolss = yes

    vfs objects = acl_xattr
    map acl inherit = yes
    store dos attributes = yes


smbd startup entry
============

Oct 01 11:31:02 smbtest.konstrukce.local systemd[1]: Starting Samba SMB Daemon...
Oct 01 11:31:02 smbtest.konstrukce.local smbd[1741]: [2018/10/01 11:31:02.373756,  0] ../source3/auth/auth_util.c:1399(make_new_session_info_guest)
Oct 01 11:31:02 smbtest.konstrukce.local smbd[1741]: create_local_token failed: NT_STATUS_NO_MEMORY
Oct 01 11:31:02 smbtest.konstrukce.local smbd[1741]: [2018/10/01 11:31:02.373993,  0] ../source3/smbd/server.c:2011(main)
Oct 01 11:31:02 smbtest.konstrukce.local smbd[1741]:   ERROR: failed to setup guest info.
Oct 01 11:31:02 smbtest.konstrukce.local systemd[1]: smb.service: main process exited, code=exited, status=255/n/a
Oct 01 11:31:02 smbtest.konstrukce.local systemd[1]: Failed to start Samba SMB Daemon.
Oct 01 11:31:02 smbtest.konstrukce.local systemd[1]: Unit smb.service entered failed state.
Oct 01 11:31:02 smbtest.konstrukce.local systemd[1]: smb.service failed.


winbind startup entry
=============

Oct 01 11:46:03 smbtest.konstrukce.local systemd[1]: Starting Samba Winbind Daemon...
Oct 01 11:46:03 smbtest.konstrukce.local winbindd[1938]: [2018/10/01 11:46:03.373358,  0] ../source3/winbindd/winbindd_util.c:891(init_domain_list)
Oct 01 11:46:03 smbtest.konstrukce.local winbindd[1938]:   Could not fetch our SID - did we join?
Oct 01 11:46:03 smbtest.konstrukce.local winbindd[1938]: [2018/10/01 11:46:03.373640,  0] ../source3/winbindd/winbindd.c:1404(winbindd_register_handlers)
Oct 01 11:46:03 smbtest.konstrukce.local systemd[1]: winbind.service: main process exited, code=exited, status=1/FAILURE
Oct 01 11:46:03 smbtest.konstrukce.local systemd[1]: Failed to start Samba Winbind Daemon.
Oct 01 11:46:03 smbtest.konstrukce.local systemd[1]: Unit winbind.service entered failed state.
Oct 01 11:46:03 smbtest.konstrukce.local systemd[1]: winbind.service failed.
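
Added example, not part of the original messages and not Samba code: a Python check of the idmap lines in a member-server smb.conf, reporting parameter lines that lack the `=` of the `name = value` form and idmap domains left without a usable range or with overlapping ranges. The sample text is constructed from the idmap lines of the [global] section posted above; `lint_smb_conf` and `IDMAP_KEY` are hypothetical names.

```python
import re

# Constructed sample: idmap lines as they appear in the smb.conf posted in
# this thread (other parameters omitted).
SAMPLE_SMB_CONF = """\
[global]
    workgroup = KONSTRUKCE
    idmap config * : backend = tdb
    idmap config * : range 3000-9999
    idmap config KONSTRUKCE:backend = rid
    idmap config KONSTRUKCE:range = 10000-99999
"""

# Matches the key part "idmap config <DOMAIN> : <option>".
IDMAP_KEY = re.compile(r"^idmap config\s+(\S+?)\s*:\s*(\w+)$", re.I)

def lint_smb_conf(text):
    """Return (findings, ranges): findings is a list of messages, ranges maps
    each idmap domain to its (low, high) ID range."""
    findings, idmap = [], {}
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line[0] in "#;" or line.startswith("["):
            continue  # blank line, comment or section header
        if "=" not in line:
            findings.append(f"line {no}: no '=' in parameter line: {line!r}")
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        m = IDMAP_KEY.match(key)
        if m:
            idmap.setdefault(m.group(1).upper(), {})[m.group(2).lower()] = value
    ranges = {}
    for dom, opts in idmap.items():
        m = re.fullmatch(r"(\d+)\s*-\s*(\d+)", opts.get("range", ""))
        if not m or int(m.group(1)) >= int(m.group(2)):
            findings.append(f"idmap config {dom}: no usable range set")
            continue
        ranges[dom] = (int(m.group(1)), int(m.group(2)))
    doms = sorted(ranges)
    for i, a in enumerate(doms):
        for b in doms[i + 1:]:
            # Two inclusive ranges overlap when each starts before the other ends.
            if ranges[a][0] <= ranges[b][1] and ranges[b][0] <= ranges[a][1]:
                findings.append(f"idmap ranges of {a} and {b} overlap")
    return findings, ranges

if __name__ == "__main__":
    for finding in lint_smb_conf(SAMPLE_SMB_CONF)[0]:
        print(finding)
```

On the host itself, `testparm` is Samba's own syntax check for the real smb.conf.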




