[Samba] getent not showing domain users and groups with winbind but works with sssd

Peter Milesson miles at atmos.eu
Wed Oct 3 10:45:11 UTC 2018


On 10/2/18 1:07 PM, Rowland Penny via samba wrote:
> On Tue, 2 Oct 2018 12:40:19 +0200
> Peter Milesson via samba <samba at lists.samba.org> wrote:
>
>> On 10/1/18 8:40 PM, Rowland Penny via samba wrote:
>>> On Mon, 1 Oct 2018 19:28:29 +0200
>>> Peter Milesson via samba <samba at lists.samba.org> wrote:
>>>
>>>> Hi Louis and Rowland,
>>>>
>>>> I'm just reporting back on this, in case it may help somebody else.
>>>>
>>>> Getting a working getent (or id) under the current version of
>>>> CentOS with winbind just doesn't seem possible. I haven't got a
>>>> clue where the problem is. I have tried the suggestions, I did a
>>>> clean installation, and built Samba myself from source, but no way.
>>>> Installing sssd, a few lines of configuration, disabling winbind,
>>>> and it just works. I just want to stress, that the problems I have
>>>> had getting the Samba domain member to work, are most probably
>>>> CentOS-related.
>>>>
>>>> Unfortunately, I must leave it at this point, as I have spent way
>>>> too much time already. At least I'm glad that I didn't upgrade the
>>>> production server directly, and instead spent time trying to get
>>>> things to work in the test environment. Otherwise there would have
>>>> been tar and feathers at noon today.
>>>>
>>>> A sincere thank you for your time and suggestions.
>>>>
>>> OK, it is your decision (and I don't blame you for your choice) to
>>> use sssd, but I feel I should point out that using winbind does
>>> work on Centos 7.1.
>>>
>>> I had Centos 7 in a VM, so I started it, updated it and installed
>>> the centos Samba packages (by the way, who thought that it was a
>>> good idea to call 'winbind' 'samba-winbind' ?). Installed a copy of
>>> a known working smb.conf from a Devuan machine. I should mention
>>> that the Centos VM was previously running a compiled version of Samba,
>>> so most of the setup was already done (this setup was based on
>>> what I do for Devuan).
>>>
>>> And........
>>>
>>> [root at cen1804 ~]# getent passwd rowland
>>> rowland:*:10000:10000:Rowland Penny:/home/rowland:/bin/bash
>>>
>>> [root at cen1804 ~]# getent group domain\ users
>>> domain users:x:10000:......long list of users
>>>
>>> There is undoubtedly something different between your setup and
>>> mine.
>>>
>>> Rowland
>> Hi Rowland,
>>
>> Now I'm bothering you with getent and winbind again.
>>
>> I got winbind working. Sort of. It turned out to be that the
>> libwbclient.so library wasn't registered with ld.so.conf.
> Just check you are using the correct libwbclient.so, sssd uses some of
> the Samba code.
>
>> What happens now is, that some users and groups are listed when I run
>> getent. I guess that it may be due to some cache files still
>> containing residue. Any suggestions?
>>
> Try running 'net cache flush'
>
> Rowland
>   
>
>
Hi folks,

I have finally nailed down the problem with the non-functional getent 
command when using winbind on a samba member server (AD domain).

The problem was the entry

    idmap config * : range 3000-9999

in smb.conf

I used the instructions in 
https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member as 
a template when setting up the server.

Changing the idmap config line to

    idmap config * : range = 16777216-33554431

made all the difference.

I got that range by using the authconfig tool, and then commenting out 
some lines, most notably "password server".

A change of the wiki page would be in order ;-)

The smb.conf below works well against my Samba AD DC. There are no 
shares defined (yet), as those depend on the local needs.

Best regards,

Peter


[global]
    workgroup = SAMDOM
#   password server = samadc.samdom.local
    realm = SAMDOM.LOCAL
    security = ads
    template homedir = /dev/null
    template shell = /sbin/nologin
#   kerberos method = secrets only
    winbind use default domain = true
    winbind offline logon = true

    idmap config * : backend = tdb
    idmap config * : range = 16777216-33554431

#   idmap config * : range 3000-9999
    idmap config SAMDOM:backend = rid
    idmap config SAMDOM:range = 10000-99999

    local master = no
;   domain master = no
    preferred master = no

    username map = /etc/samba/user.map

    dedicated keytab file = /etc/krb5.keytab
    kerberos method = secrets and keytab
    winbind refresh tickets = Yes
    client signing = mandatory

    winbind enum users = yes
    winbind enum groups = yes

    printing = bsd
    printcap name = /dev/null
    load printers = no
    disable spoolss = yes

    vfs objects = acl_xattr
    map acl inherit = yes
    store dos attributes = yes
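As an added illustration (not code from the post or from the Samba project): a small Python checker for the idmap settings the thread turns on. It reads the `idmap config <domain> : <key> = <value>` lines out of an smb.conf, flags idmap lines that lack the `=` a Samba parameter needs, and reports ranges that overlap each other or that contain local system UIDs/GIDs, since a collision means a domain account and a local account can map to the same numeric id. The sample configurations are constructed for the example, modelled on the posted [global] section; `parse_idmap`, `check_idmap` and the `local_uids` parameter are names chosen here, not Samba options.

```python
import re
from typing import Dict, Iterable, List, Optional, Tuple

# Constructed sample, modelled on the working [global] section posted above.
CONF_WORKING = """
[global]
    workgroup = SAMDOM
    realm = SAMDOM.LOCAL
    security = ads
    idmap config * : backend = tdb
    idmap config * : range = 16777216-33554431
    idmap config SAMDOM:backend = rid
    idmap config SAMDOM:range = 10000-99999
    winbind enum users = yes
"""

# Constructed counter-example: the default range is written without '='.
CONF_BROKEN = """
[global]
    idmap config * : backend = tdb
    idmap config * : range 3000-9999
    idmap config SAMDOM:backend = rid
    idmap config SAMDOM:range = 10000-99999
"""

# Constructed counter-example: default and domain ranges collide.
CONF_OVERLAP = """
[global]
    idmap config * : backend = tdb
    idmap config * : range = 10000-19999
    idmap config SAMDOM:backend = rid
    idmap config SAMDOM:range = 10000-99999
"""

# "idmap config <dom> : <key> = <value>"; the domain may be '*' and the
# space before the colon is optional, as in the posted config.
IDMAP_LINE = re.compile(
    r"^idmap\s+config\s+(?P<dom>[^:=]+?)\s*:\s*(?P<key>\w+)\s*=\s*(?P<val>.*?)\s*$", re.I)
ANY_IDMAP = re.compile(r"^idmap\s+config\b", re.I)
RANGE = re.compile(r"^(\d+)\s*-\s*(\d+)$")


def parse_idmap(conf: str) -> Tuple[Dict[str, Dict[str, str]], List[Tuple[int, str]]]:
    """Return ({domain: {key: value}}, [(lineno, text) for malformed idmap lines])."""
    entries: Dict[str, Dict[str, str]] = {}
    malformed: List[Tuple[int, str]] = []
    for lineno, raw in enumerate(conf.splitlines(), 1):
        line = raw.strip()
        if not line or line[0] in "#;":          # smb.conf comment markers
            continue
        m = IDMAP_LINE.match(line)
        if m:
            dom = m.group("dom").strip().upper()  # domain names are case-insensitive
            entries.setdefault(dom, {})[m.group("key").lower()] = m.group("val")
        elif ANY_IDMAP.match(line):               # idmap line that is not name = value
            malformed.append((lineno, line))
    return entries, malformed


def parse_range(val: str) -> Optional[Tuple[int, int]]:
    """Parse 'low-high'; None when the text is not a valid ascending range."""
    m = RANGE.match(val.strip())
    if not m:
        return None
    lo, hi = int(m.group(1)), int(m.group(2))
    return (lo, hi) if lo <= hi else None


def check_idmap(conf: str, local_uids: Iterable[int] = ()) -> List[str]:
    """Return a list of human-readable findings; an empty list means no issue found."""
    entries, malformed = parse_idmap(conf)
    findings = [f"line {n}: idmap line has no '=' and sets nothing: {t!r}" for n, t in malformed]
    if "*" not in entries:
        findings.append("no 'idmap config * : ...' default domain configured")
    ranges: Dict[str, Tuple[int, int]] = {}
    for dom, keys in entries.items():
        if "backend" not in keys:
            findings.append(f"{dom}: no backend configured")
        if "range" not in keys:
            findings.append(f"{dom}: no range configured")
            continue
        r = parse_range(keys["range"])
        if r is None:
            findings.append(f"{dom}: unparsable range {keys['range']!r}")
            continue
        ranges[dom] = r
    doms = sorted(ranges)
    for i, a in enumerate(doms):
        lo_a, hi_a = ranges[a]
        for uid in local_uids:                    # domain ids must never shadow local ids
            if lo_a <= uid <= hi_a:
                findings.append(f"{a}: range {lo_a}-{hi_a} contains local uid/gid {uid}")
        for b in doms[i + 1:]:                    # pairwise overlap between domains
            lo_b, hi_b = ranges[b]
            if lo_a <= hi_b and lo_b <= hi_a:
                findings.append(f"{a} range {lo_a}-{hi_a} overlaps {b} range {lo_b}-{hi_b}")
    return findings


if __name__ == "__main__":
    for name, conf in [("working", CONF_WORKING), ("broken", CONF_BROKEN), ("overlap", CONF_OVERLAP)]:
        print(name, check_idmap(conf, local_uids=[0, 1000, 15000]) or ["ok"])
```

Point the script at a real file with `check_idmap(open("/etc/samba/smb.conf").read(), local_uids=...)`, feeding it the UIDs and GIDs from the member server's local passwd and group databases; it complements `testparm`, which checks parameter syntax but not whether your chosen ranges collide with each other or with local accounts.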