[Samba] getent not showing domain users and groups with winbind but works with sssd
Rowland Penny
rpenny at samba.org
Mon Oct 1 10:10:12 UTC 2018
On Mon, 1 Oct 2018 11:48:25 +0200
Peter Milesson via samba <samba at lists.samba.org> wrote:
>
> On 10/1/18 10:02 AM, Rowland Penny via samba wrote:
> > On Sun, 30 Sep 2018 23:25:48 +0200
> > Peter Milesson via samba <samba at lists.samba.org> wrote:
> >
> >> Hi folks,
> >>
> >> AD server CentOS 7-1804, Samba 4.9.1 compiled from source, only
> >> used as AD server, with netlogon and sysvol, just like any Windows
> >> AD server
> >>
> >> AD member server CentOS 7-1804, Samba 4.7.1 installed from CentOS
> >> repositories, intended for use as a file server, with shares for
> >> roaming profiles, home directories, and data shares.
> >>
> >>
> >> I know that the getent problem has been discussed ad nauseam here,
> >> but this really beats me. The AD server works, except for dynamic
> >> DNS updates, which seems to be a known problem, so I'm not going to
> >> mention it here further.
> >>
> >> Winbind seems to work, displaying groups and users through wbinfo.
> >> Kerberos also works. Had a bit of a problem joining the member
> >> server to the domain, but it eventually worked. The net rpc join
> >> command requires the -S switch, which is omitted almost everywhere
> >> in the documentation. But the id, or getent users or getent groups
> >> just do not give away anything. Empty.
> >>
> >> On a hunch, I tried replacing winbind with sssd. Stopping winbind,
> >> and starting sssd, everything works nicely.
> >>
> >> I have followed all the Wikis, and gone through most of what's been
> >> written the last 2 years, also on the list, about configuring a
> >> Samba member server. I have checked that the lib files exist, and
> >> are in the right places, tried different versions of
> >> nsswitch.conf, etc. I'm not completely sure if the winbind entries
> >> makes any difference when using sssd, as sssd.conf and realmd.conf
> >> seem to have got entries that effectively replace the winbind
> >> entries in smb.conf.
> >>
> >> Below is smb.conf, and nsswitch.conf. I've tried a bunch of
> >> different settings for passwd and group in nsswitch, but it does
> >> not seem to make any difference with winbind (files winbind, files
> >> winbind sss, files sss winbind, files pam winbind, files wibind
> >> pam, etc., etc., etc.).
> >>
> >> What also beats me is, that the logs are very quiet.
> >>
> >> I am happy that it works with sssd, but I just don't want to leave
> >> it without any explanations. At least not after spending a day
> >> trying to get it working.
> >>
> > You have two important lines missing and one that is wrong, try this
> > smb.conf:
> >
> > [global]
> > workgroup = SAMDOM
> > security = ADS
> > realm = SAMDOM.EXAMPLE.COM
> >
> > idmap config * : backend = tdb
> > idmap config * : range = 3000-9999
> > idmap config SAMDOM:backend = rid
> > idmap config SAMDOM:range = 10000-99999
> >
> > local master = no
> > domain master = no
> > preferred master = no
> >
> > template homedir = /dev/null
> > winbind use default domain = yes
> > winbind offline logon = yes
> >
> > username map = /etc/samba/user.map
> >
> > dedicated keytab file = /etc/krb5.keytab
> > kerberos method = secrets and keytab
> > winbind refresh tickets = Yes
> > client signing = mandatory
> >
> > printing = bsd
> > printcap name = /dev/null
> > load printers = no
> > disable spoolss = yes
> >
> > vfs objects = acl_xattr
> > map acl inherit = yes
> >
> > The join command is 'net ads join -U Administrator' and this should
> > find the DC without any other options. If it doesn't, you have a
> > misconfiguration in your network set up.
> >
> > Your nsswitch.conf should look something like this:
> >
> > passwd: files winbind
> > shadow: files
> > group: files winbind
> > initgroups: files
> >
> > hosts: files dns
> >
> > # Example - obey only what nisplus tells us...
> > #services: nisplus [NOTFOUND=return] files
> > #networks: nisplus [NOTFOUND=return] files
> > #protocols: nisplus [NOTFOUND=return] files
> > #rpc: nisplus [NOTFOUND=return] files
> > #ethers: nisplus [NOTFOUND=return] files
> > #netmasks: nisplus [NOTFOUND=return] files
> >
> > bootparams: nisplus [NOTFOUND=return] files
> >
> > ethers: files
> > netmasks: files
> > networks: files
> > protocols: files
> > rpc: files
> > services: files
> >
> > netgroup: files
> >
> > publickey: nisplus
> >
> > automount: files ldap
> > aliases: files nisplus
> >
> > Rowland
> >
> >
> Hi Rowland,
>
> Thanks for your input. Now I see that the three crucial lines in the
> top of the smb.conf file went missing somewhere. I made the suggested
> changes in both the smb.conf file, and in the nsswitch.conf file, and
> disabled sssd, but now the smbd, and winbindd daemons do not start at
> all. Trying kerberos, I get tickets from the server. Also did a
> restart. Did not help.
>
> The smb.conf now looks like below. The logged errors from trying to
> start smbd and winbindd are also displayed below. I am quite out of
> ideas about this. Maybe it's better to wipe it and make a fresh
> installation.
>
> Best regards,
>
> Peter
>
> smb.conf
> ======
>
> [global]
> workgroup = KONSTRUKCE
> security = ADS
> realm = KONSTRUKCE.LOCAL
>
> idmap config * : backend = tdb
> idmap config * : range = 3000-9999
> idmap config KONSTRUKCE:backend = rid
> idmap config KONSTRUKCE:range = 10000-99999
>
> local master = no
> domain master = no
> preferred master = no
>
> # template shell = /bin/false
> template homedir = /dev/null
> winbind use default domain = true
> winbind offline logon = true
>
> username map = /etc/samba/user.map
>
> dedicated keytab file = /etc/krb5.keytab
> kerberos method = secrets and keytab
> winbind refresh tickets = Yes
> client signing = mandatory
> # client use spnego = yes
>
> winbind enum users = yes
> winbind enum groups = yes
>
> printing = bsd
> printcap name = /dev/null
> load printers = no
> disable spoolss = yes
>
> vfs objects = acl_xattr
> map acl inherit = yes
> store dos attributes = yes
>
>
> smbd startup entry
> ============
>
> Oct 01 11:31:02 smbtest.konstrukce.local systemd[1]: Starting Samba
> SMB Daemon...
> Oct 01 11:31:02 smbtest.konstrukce.local smbd[1741]: [2018/10/01
> 11:31:02.373756, 0]
> ../source3/auth/auth_util.c:1399(make_new_session_info_guest)
> Oct 01 11:31:02 smbtest.konstrukce.local smbd[1741]:
> create_local_token failed: NT_STATUS_NO_MEMORY
> Oct 01 11:31:02 smbtest.konstrukce.local smbd[1741]: [2018/10/01
> 11:31:02.373993, 0] ../source3/smbd/server.c:2011(main)
> Oct 01 11:31:02 smbtest.konstrukce.local smbd[1741]: ERROR: failed
> to setup guest info.
> Oct 01 11:31:02 smbtest.konstrukce.local systemd[1]: smb.service:
> main process exited, code=exited, status=255/n/a
> Oct 01 11:31:02 smbtest.konstrukce.local systemd[1]: Failed to start
> Samba SMB Daemon.
> Oct 01 11:31:02 smbtest.konstrukce.local systemd[1]: Unit smb.service
> entered failed state.
> Oct 01 11:31:02 smbtest.konstrukce.local systemd[1]: smb.service
> failed.
>
>
> winbind startup entry
> =============
>
> Oct 01 11:46:03 smbtest.konstrukce.local systemd[1]: Starting Samba
> Winbind Daemon...
> Oct 01 11:46:03 smbtest.konstrukce.local winbindd[1938]: [2018/10/01
> 11:46:03.373358, 0]
> ../source3/winbindd/winbindd_util.c:891(init_domain_list)
> Oct 01 11:46:03 smbtest.konstrukce.local winbindd[1938]: Could not
> fetch our SID - did we join?
> Oct 01 11:46:03 smbtest.konstrukce.local winbindd[1938]: [2018/10/01
> 11:46:03.373640, 0]
> ../source3/winbindd/winbindd.c:1404(winbindd_register_handlers)
> Oct 01 11:46:03 smbtest.konstrukce.local systemd[1]: winbind.service:
> main process exited, code=exited, status=1/FAILURE
> Oct 01 11:46:03 smbtest.konstrukce.local systemd[1]: Failed to start
> Samba Winbind Daemon.
> Oct 01 11:46:03 smbtest.konstrukce.local systemd[1]: Unit
> winbind.service entered failed state.
> Oct 01 11:46:03 smbtest.konstrukce.local systemd[1]: winbind.service
> failed.
>
>
>
You are now hitting a bug in 4.9.1 that was discovered last week by
Louis Van Belle. It seems to be an interaction between Samba and
systemd, I say this because it doesn't affect me on Devuan.
Rowland
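The two configuration points Rowland's answer turns on (passwd and group routed through winbind in nsswitch.conf, and a complete idmap block for the default "*" domain in smb.conf) can be checked mechanically. The script below is an added example, not code from this thread or from the Samba project; the file paths it defaults to and the NSSWITCH/SMBCONF override variables are assumptions, and it accepts a sample file for testing so it can run without a joined domain.

```shell
#!/bin/sh
# Added diagnostic for a winbind-based Samba member server (not from the
# thread or the Samba project).  Checks the two things that leave getent/id
# empty while wbinfo still works: NSS not routed through winbind, and an
# incomplete or malformed idmap configuration.

# nss_has_winbind FILE DB
# Succeeds if the DB line (passwd or group) in FILE lists the winbind source.
nss_has_winbind() {
    grep -E "^[[:space:]]*$2[[:space:]]*:.*[[:space:]]winbind([[:space:]]|$)" "$1" >/dev/null 2>&1
}

# smb_idmap_ok FILE
# Succeeds if FILE gives the "*" default domain both a backend and a range,
# and every "idmap config ... : range" line carries an "=".  A range line
# without "=" is a malformed parameter and the range is silently not set.
smb_idmap_ok() {
    grep -iE '^[[:space:]]*idmap config \*[[:space:]]*:[[:space:]]*backend[[:space:]]*=' "$1" >/dev/null 2>&1 || return 1
    grep -iE '^[[:space:]]*idmap config \*[[:space:]]*:[[:space:]]*range[[:space:]]*=' "$1" >/dev/null 2>&1 || return 1
    # any remaining range line that lacks "=" is a defect
    if grep -iE '^[[:space:]]*idmap config .*:[[:space:]]*range' "$1" 2>/dev/null | grep -v '=' >/dev/null; then
        return 1
    fi
    return 0
}

# check_host: apply the same checks to the live system (paths are assumed
# defaults; override with NSSWITCH= and SMBCONF=), confirm the NSS module
# glibc needs for the "winbind" source is installed, and compare what
# winbind itself knows with what NSS resolves.
check_host() {
    nss=${NSSWITCH:-/etc/nsswitch.conf}
    smb=${SMBCONF:-/etc/samba/smb.conf}
    for db in passwd group; do
        nss_has_winbind "$nss" "$db" || echo "FAIL: $db in $nss does not list winbind"
    done
    smb_idmap_ok "$smb" || echo "FAIL: incomplete or malformed idmap config in $smb"
    # without libnss_winbind.so.2, getent/id stay empty even when wbinfo works
    ls /lib*/libnss_winbind.so.2 /usr/lib*/libnss_winbind.so.2 >/dev/null 2>&1 \
        || echo "FAIL: libnss_winbind.so.2 not found"
    if command -v wbinfo >/dev/null 2>&1; then
        w=$(wbinfo -u 2>/dev/null | wc -l)
        g=$(getent passwd 2>/dev/null | wc -l)
        echo "wbinfo -u reports $w domain users; getent passwd resolves $g entries"
    fi
}

# run the live checks only when invoked as: sh nss_winbind_check.sh check
case "${1:-}" in check) check_host ;; esac
```

A large count from wbinfo -u alongside only local entries from getent passwd points at the NSS side (nsswitch.conf or the missing libnss_winbind module) rather than at winbindd itself, which is exactly the split the original post describes.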