[Samba] getent not showing domain users and groups with winbind but works with sssd
Rowland Penny
rpenny at samba.org
Wed Oct 3 13:38:08 UTC 2018
On Wed, 3 Oct 2018 15:16:50 +0200
Peter Milesson via samba <samba at lists.samba.org> wrote:
>
> On 10/3/18 1:09 PM, Rowland Penny via samba wrote:
> > On Wed, 3 Oct 2018 12:45:11 +0200
> > Peter Milesson via samba <samba at lists.samba.org> wrote:
> >
> >> Hi folks,
> >>
> >> I have finally nailed down the problem with the non-functional
> >> getent command when using winbind on a samba member server (AD
> >> domain).
> >>
> >> The problem was the entry
> >>
> >> idmap config * : range 3000-9999
> > No, it wasn't
> >
> >> I used the instructions in
> >> https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member
> >> as a template when setting up the server.
> >>
> >> Changing the line idmap config to
> >>
> >> idmap config * : range = 16777216-33554431
> > I have no idea why doing that worked for you, all you have done is
> > moved the range.
> >
> >> A change of the wiki page would be in order ;-)
> > Sorry, but that isn't going to happen ;-)
> >
> >> The smb.conf below works well against my Samba AD DC.
> > and this is mine that works on my Centos 7 VM:
> >
> > [global]
> > workgroup = SAMDOM
> > security = ADS
> > realm = SAMDOM.EXAMPLE.COM
> >
> > dedicated keytab file = /etc/krb5.keytab
> > kerberos method = secrets and keytab
> > server string = Samba 4 Client %h
> >
> > winbind use default domain = yes
> > winbind expand groups = 4
> > winbind refresh tickets = Yes
> > winbind offline logon = yes
> >
> > ## map ids outside of domain to tdb files.
> > idmap config *:backend = tdb
> > idmap config *:range = 3000-9999
> > ## map ids from the domain the ranges may not overlap !
> > idmap config SAMDOM : backend = ad
> > idmap config SAMDOM : schema_mode = rfc2307
> > idmap config SAMDOM : unix_nss_info = yes
> > idmap config SAMDOM : range = 10000-999999
> > template shell = /bin/bash
> > template homedir = /home/%U
> >
> > domain master = no
> > local master = no
> > preferred master = no
> > os level = 20
> > map to guest = bad user
> > host msdfs = no
> >
> > # user Administrator workaround, without it you are unable to
> > set privileges username map = /etc/samba/user.map
> >
> > # For ACL support on domain member
> > vfs objects = acl_xattr full_audit
> > map acl inherit = Yes
> > store dos attributes = Yes
> >
> > # Share Setting Globally
> > unix extensions = no
> > reset on zero vc = yes
> > veto files = /.bash_logout/.bash_profile/.bash_history/.bashrc/
> > hide unreadable = yes
> >
> > # disable printing completely
> > load printers = no
> > printing = bsd
> > printcap name = /dev/null
> > disable spoolss = yes
> >
> > # logging
> > #log level = 10
> > log level = 0
> > map untrusted to domain = yes
> >
> > and this is the result:
> >
> > [root at cen1804 ~]# getent passwd rowland
> > rowland:*:10000:10000:Rowland Penny:/home/rowland:/bin/bash
> > [root at cen1804 ~]# getent group Domain\ Users
> > domain users:x:10000:rowland,...... long list of users.
> >
> > All I can think of is, you still have sssd installed, I don't.
> > Or something else isn't set up correctly.
> >
> > What do the following commands return:
> >
> > hostname
> > hostname -s
> > hostname -d
> > hostname -f
> > hostname -i
> >
> > What is in /etc/resolv.conf
> > What is in /etc/hosts
> > What is in /etc/krb5.conf
> >
> > Rowland
> >
> Hi Rowland,
>
> Seems that I forgot to put the IP address of the host in hosts. SSSD
> is not installed. I wiped the previous installation, and installed
> again. I was very careful not to install SSSD. The packages I
> installed were:
>
> samba samba-common samba-client samba-winbind samba-winbind-clients
> krb5-workstation authconfig
>
> When trying to use a Windows computer for administration (Computer
> management) and connecting to the member server, there is a Windows
> message that it was not possible to connect (problems with DCOM).
> However, it's possible to browse the share on the samba member, and
> create files.
>
> Still works, after several restarts ;-)
>
> Best regards,
>
> Peter
>
> hostname: smbtest.samdom.local
>
> hostname -s: smbtest
>
> hostname -d: samdom.local
>
> hostname -f: smbtest
>
> hostname -i: 192.168.6.79
Oh great, the 'hostname' and 'hostname -f' test results are the wrong
way round. Try opening /etc/hostname in an editor and remove the domain
name i.e. I think you will find it is 'smbtest.samdom.local' make it
just 'smbtest'
> hosts
> ====
>
> 127.0.0.1 localhost localhost.localdomain localhost4
> localhost4.localdomain4
> ::1 localhost localhost.localdomain localhost6
> localhost6.localdomain6
> 192.168.6.79 smbtest.samdom.local smbtest
>
Try making /etc/hosts look like this:
127.0.0.1 localhost
::1 localhost
192.168.6.79 smbtest.samdom.local smbtest
Now run the 'hostname' tests again
Rowland
More information about the samba
mailing list