[Samba] getent not showing domain users and groups with winbind but works with sssd
Peter Milesson
miles at atmos.eu
Wed Oct 3 10:45:11 UTC 2018
On 10/2/18 1:07 PM, Rowland Penny via samba wrote:
> On Tue, 2 Oct 2018 12:40:19 +0200
> Peter Milesson via samba <samba at lists.samba.org> wrote:
>
>> On 10/1/18 8:40 PM, Rowland Penny via samba wrote:
>>> On Mon, 1 Oct 2018 19:28:29 +0200
>>> Peter Milesson via samba <samba at lists.samba.org> wrote:
>>>
>>>> Hi Louis and Rowland,
>>>>
>>>> I'm just reporting back on this, in case it may help somebody else.
>>>>
>>>> Getting a working getent (or id) under the current version of
>>>> CentOS with winbind just doesn't seem possible. I haven't got a
>>>> clue where the problem is. I have tried the suggestions, I did a
>>>> clean installation, and built Samba myself from source, but no way.
>>>> Installing sssd, a few lines of configuration, disabling winbind,
>>>> and it just works. I just want to stress, that the problems I have
>>>> had getting the Samba domain member to work, are most probably
>>>> CentOS-related.
>>>>
>>>> Unfortunately, I must leave it at this point, as I have spent way
>>>> too much time already. At least I'm glad that I didn't upgrade the
>>>> production server directly, and instead spent time trying to get
>>>> things to work in the test environment. Otherwise there would have
>>>> been tar and feathers at noon today.
>>>>
>>>> A sincere thank you for your time and suggestions.
>>>>
>>> OK, it is your decision (and I don't blame you for your choice) to
>>> use sssd, but I feel I should point out that using winbind does
>>> work on Centos 7.1.
>>>
>>> I had Centos 7 in a VM, so I started it, updated it and installed
>>> the centos Samba packages (by the way, who thought that it was a
>>> good idea to call 'winbind' 'samba-winbind' ?). Installed a copy of
>>> a known working smb.conf from a Devuan machine. I should mention
>>> that the Centos VM was previously running a compiled version of Samba,
>>> so most of the set up was already done (This set up was based on
>>> what I do for Devuan).
>>>
>>> And........
>>>
>>> [root at cen1804 ~]# getent passwd rowland
>>> rowland:*:10000:10000:Rowland Penny:/home/rowland:/bin/bash
>>>
>>> [root at cen1804 ~]# getent group domain\ users
>>> domain users:x:10000:......long list of users
>>>
>>> There is undoubtedly something different between your setup and
>>> mine.
>>>
>>> Rowland
>> Hi Rowland,
>>
>> Now I'm bothering you with getent and winbind again.
>>
>> I got winbind working. Sort of. It turned out to be that the
>> libwbclient.so library wasn't registered with ld.so.conf.
> Just check you are using the correct libwbclient.so, sssd uses some of
> the Samba code.
>
>> What happens now is, that some users and groups are listed when I run
>> getent. I guess that it may be due to some cache files still
>> containing residue. Any suggestions?
>>
> Try running 'net cache flush'
>
> Rowland
>
>
>
Hi folks,
I have finally nailed down the problem with the non-functional getent
command when using winbind on a samba member server (AD domain).
The problem was the entry
idmap config * : range 3000-9999
in smb.conf
I used the instructions in
https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member as
a template when setting up the server.
Changing the idmap config line to
idmap config * : range = 16777216-33554431
made all the difference.
I got that range by using the authconfig tool, and then commenting out
some lines, most notably "password server".
A change of the wiki page would be in order ;-)
The smb.conf below works well against my Samba AD DC. There are no
shares defined (yet), as those depend on the local needs.
Best regards,
Peter
[global]
    workgroup = SAMDOM
    # password server = samadc.samdom.local
    realm = SAMDOM.LOCAL
    security = ads
    template homedir = /dev/null
    template shell = /sbin/nologin
    # kerberos method = secrets only
    winbind use default domain = true
    winbind offline logon = true
    idmap config * : backend = tdb
    idmap config * : range = 16777216-33554431
    # idmap config * : range 3000-9999
    idmap config SAMDOM:backend = rid
    idmap config SAMDOM:range = 10000-99999
    local master = no
    ; domain master = no
    preferred master = no
    username map = /etc/samba/user.map
    dedicated keytab file = /etc/krb5.keytab
    kerberos method = secrets and keytab
    winbind refresh tickets = Yes
    client signing = mandatory
    winbind enum users = yes
    winbind enum groups = yes
    printing = bsd
    printcap name = /dev/null
    load printers = no
    disable spoolss = yes
    vfs objects = acl_xattr
    map acl inherit = yes
    store dos attributes = yes
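As an added check (not from this thread or from Samba; `testparm` remains the standard syntax check), the script below parses smb.conf text and reports two idmap defects: a parameter line written without `=`, as in the original `idmap config * : range 3000-9999`, and `*`/domain ranges that overlap or are inverted. The sample config is constructed, and the regex assumes `idmap config` is spelled with whitespace between the words as in the thread.

```python
import re

# Constructed sample (not the poster's full smb.conf): the line from the
# thread written without "=", beside the per-domain settings that did work.
SMB_CONF = """
[global]
    workgroup = SAMDOM
    security = ads
    idmap config * : backend = tdb
    idmap config * : range 3000-9999
    idmap config SAMDOM:backend = rid
    idmap config SAMDOM:range = 10000-99999
"""

# Matches "idmap config <DOMAIN> : range = <low>-<high>"; smb.conf parameter
# names are case-insensitive, hence re.I.
IDMAP_RANGE = re.compile(
    r"^idmap\s+config\s*(\S+?)\s*:\s*range\s*=\s*(\d+)\s*-\s*(\d+)$", re.I)

def lint_idmap(conf):
    """Return (ranges, problems): ranges maps domain ('*' = default) to
    (low, high); problems lists lines without '=' and bad/overlapping ranges."""
    ranges, problems = {}, []
    for num, raw in enumerate(conf.splitlines(), 1):
        line = raw.strip()
        if not line or line[0] in "#;[":      # blank, comment or section header
            continue
        if "=" not in line:                   # not a valid "name = value" line
            problems.append(f"line {num}: no '=' in parameter line: {line!r}")
            continue
        m = IDMAP_RANGE.match(line)
        if not m:
            continue
        dom, low, high = m.group(1), int(m.group(2)), int(m.group(3))
        if low >= high:
            problems.append(f"line {num}: range for {dom!r} is inverted or empty")
        ranges[dom] = (low, high)
    # Pairwise overlap check: the '*' default range must not share IDs with
    # any domain range, or one UID/GID could end up mapped to more than one SID.
    doms = sorted(ranges)
    for i, a in enumerate(doms):
        for b in doms[i + 1:]:
            (alo, ahi), (blo, bhi) = ranges[a], ranges[b]
            if alo <= bhi and blo <= ahi:
                problems.append(f"idmap ranges for {a!r} and {b!r} overlap")
    return ranges, problems

if __name__ == "__main__":
    print(lint_idmap(SMB_CONF))
```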