[Samba] getent not showing domain users and groups with winbind but works with sssd
Peter Milesson
miles at atmos.eu
Mon Oct 1 09:48:25 UTC 2018
On 10/1/18 10:02 AM, Rowland Penny via samba wrote:
> On Sun, 30 Sep 2018 23:25:48 +0200
> Peter Milesson via samba <samba at lists.samba.org> wrote:
>
>> Hi folks,
>>
>> AD server CentOS 7-1804, Samba 4.9.1 compiled from source, only used
>> as AD server, with netlogon and sysvol, just like any Windows AD
>> server
>>
>> AD member server CentOS 7-1804, Samba 4.7.1 installed from CentOS
>> repositories, intended for use as a file server, with shares for
>> roaming profiles, home directories, and data shares.
>>
>>
>> I know that the getent problem has been discussed ad nauseam here,
>> but this really beats me. The AD server works, except for dynamic DNS
>> updates, which seems to be a known problem, so I'm not going to
>> mention it here further.
>>
>> Winbind seems to work, displaying groups and users through wbinfo.
>> Kerberos also works. Had a bit of a problem joining the member server
>> to the domain, but it eventually worked. The net rpc join command
>> requires the -S switch, which is omitted almost everywhere in the
>> documentation. But the id, or getent users or getent groups just do
>> not give away anything. Empty.
>>
>> On a hunch, I tried replacing winbind with sssd. Stopping winbind,
>> and starting sssd, everything works nicely.
>>
>> I have followed all the Wikis, and gone through most of what's been
>> written the last 2 years, also on the list, about configuring a Samba
>> member server. I have checked that the lib files exist, and are in
>> the right places, tried different versions of nsswitch.conf, etc. I'm
>> not completely sure if the winbind entries makes any difference when
>> using sssd, as sssd.conf and realmd.conf seem to have got entries
>> that effectively replace the winbind entries in smb.conf.
>>
>> Below is smb.conf, and nsswitch.conf. I've tried a bunch of different
>> settings for passwd and group in nsswitch, but it does not seem to
>> make any difference with winbind (files winbind, files winbind sss,
>> files sss winbind, files pam winbind, files wibind pam, etc., etc.,
>> etc.).
>>
>> What also beats me is, that the logs are very quiet.
>>
>> I am happy that it works with sssd, but I just don't want to leave it
>> without any explanations. At least not after spending a day trying to
>> get it working.
>>
> You have two important lines missing and one that is wrong, try this
> smb.conf:
>
> [global]
> workgroup = SAMDOM
> security = ADS
> realm = SAMDOM.EXAMPLE.COM
>
> idmap config * : backend = tdb
> idmap config * : range 3000-9999
> idmap config SAMDOM:backend = rid
> idmap config SAMDOM:range = 10000-99999
>
> local master = no
> domain master = no
> preferred master = no
>
> template homedir = /dev/null
> winbind use default domain = yes
> winbind offline logon = yes
>
> username map = /etc/samba/user.map
>
> dedicated keytab file = /etc/krb5.keytab
> kerberos method = secrets and keytab
> winbind refresh tickets = Yes
> client signing = mandatory
>
> printing = bsd
> printcap name = /dev/null
> load printers = no
> disable spoolss = yes
>
> vfs objects = acl_xattr
> map acl inherit = yes
>
> The join command is 'net ads join -U Administrator' and this should
> find the DC without any other options. If it doesn't, you have a
> misconfiguration in your network set up.
>
> Your nsswitch.conf should look something like this:
>
> passwd: files winbind
> shadow: files
> group: files winbind
> initgroups: files
>
> hosts: files dns
>
> # Example - obey only what nisplus tells us...
> #services: nisplus [NOTFOUND=return] files
> #networks: nisplus [NOTFOUND=return] files
> #protocols: nisplus [NOTFOUND=return] files
> #rpc: nisplus [NOTFOUND=return] files
> #ethers: nisplus [NOTFOUND=return] files
> #netmasks: nisplus [NOTFOUND=return] files
>
> bootparams: nisplus [NOTFOUND=return] files
>
> ethers: files
> netmasks: files
> networks: files
> protocols: files
> rpc: files
> services: files
>
> netgroup: files
>
> publickey: nisplus
>
> automount: files ldap
> aliases: files nisplus
>
> Rowland
>
>
Hi Rowland,
Thanks for your input. Now I see that the three crucial lines in the top
of the smb.conf file went missing somewhere. I made the suggested
changes in both the smb.conf file, and in the nsswitch.conf file, and
disabled sssd, but now the smbd, and winbindd daemons do not start at
all. Trying kerberos, I get tickets from the server. Also did a restart.
Did not help.
The smb.conf now looks like below. The logged errors from trying to
start smbd and winbindd are also displayed below. I am quite out of
ideas about this. Maybe it's better to wipe it and make a fresh
installation.
Best regards,
Peter
smb.conf
======
[global]
workgroup = KONSTRUKCE
security = ADS
realm = KONSTRUKCE.LOCAL
idmap config * : backend = tdb
idmap config * : range 3000-9999
idmap config KONSTRUKCE:backend = rid
idmap config KONSTRUKCE:range = 10000-99999
local master = no
domain master = no
preferred master = no
# template shell = /bin/false
template homedir = /dev/null
winbind use default domain = true
winbind offline logon = true
username map = /etc/samba/user.map
dedicated keytab file = /etc/krb5.keytab
kerberos method = secrets and keytab
winbind refresh tickets = Yes
client signing = mandatory
# client use spnego = yes
winbind enum users = yes
winbind enum groups = yes
printing = bsd
printcap name = /dev/null
load printers = no
disable spoolss = yes
vfs objects = acl_xattr
map acl inherit = yes
store dos attributes = yes
smbd startup entry
============
Oct 01 11:31:02 smbtest.konstrukce.local systemd[1]: Starting Samba SMB
Daemon...
Oct 01 11:31:02 smbtest.konstrukce.local smbd[1741]: [2018/10/01
11:31:02.373756, 0]
../source3/auth/auth_util.c:1399(make_new_session_info_guest)
Oct 01 11:31:02 smbtest.konstrukce.local smbd[1741]: create_local_token
failed: NT_STATUS_NO_MEMORY
Oct 01 11:31:02 smbtest.konstrukce.local smbd[1741]: [2018/10/01
11:31:02.373993, 0] ../source3/smbd/server.c:2011(main)
Oct 01 11:31:02 smbtest.konstrukce.local smbd[1741]: ERROR: failed to
setup guest info.
Oct 01 11:31:02 smbtest.konstrukce.local systemd[1]: smb.service: main
process exited, code=exited, status=255/n/a
Oct 01 11:31:02 smbtest.konstrukce.local systemd[1]: Failed to start
Samba SMB Daemon.
Oct 01 11:31:02 smbtest.konstrukce.local systemd[1]: Unit smb.service
entered failed state.
Oct 01 11:31:02 smbtest.konstrukce.local systemd[1]: smb.service failed.
winbind startup entry
=============
Oct 01 11:46:03 smbtest.konstrukce.local systemd[1]: Starting Samba
Winbind Daemon...
Oct 01 11:46:03 smbtest.konstrukce.local winbindd[1938]: [2018/10/01
11:46:03.373358, 0]
../source3/winbindd/winbindd_util.c:891(init_domain_list)
Oct 01 11:46:03 smbtest.konstrukce.local winbindd[1938]: Could not
fetch our SID - did we join?
Oct 01 11:46:03 smbtest.konstrukce.local winbindd[1938]: [2018/10/01
11:46:03.373640, 0]
../source3/winbindd/winbindd.c:1404(winbindd_register_handlers)
Oct 01 11:46:03 smbtest.konstrukce.local systemd[1]: winbind.service:
main process exited, code=exited, status=1/FAILURE
Oct 01 11:46:03 smbtest.konstrukce.local systemd[1]: Failed to start
Samba Winbind Daemon.
Oct 01 11:46:03 smbtest.konstrukce.local systemd[1]: Unit
winbind.service entered failed state.
Oct 01 11:46:03 smbtest.konstrukce.local systemd[1]: winbind.service failed.
More information about the samba
mailing list