[Samba] getent not showing domain users and groups with winbind but works with sssd
Peter Milesson
miles at atmos.eu
Sun Sep 30 21:25:48 UTC 2018
Hi folks,
AD server CentOS 7-1804, Samba 4.9.1 compiled from source, only used as
AD server, with netlogon and sysvol, just like any Windows AD server
AD member server CentOS 7-1804, Samba 4.7.1 installed from CentOS
repositories, intended for use as a file server, with shares for roaming
profiles, home directories, and data shares.
I know that the getent problem has been discussed ad nauseam here, but
this really beats me. The AD server works, except for dynamic DNS
updates, which seem to be a known problem, so I'm not going to mention
them further here.
Winbind seems to work, displaying groups and users through wbinfo.
Kerberos also works. Had a bit of a problem joining the member server to
the domain, but it eventually worked. The net rpc join command requires
the -S switch, which is omitted almost everywhere in the documentation.
But id, getent users, and getent groups just do not give anything
away. Empty.
On a hunch, I tried replacing winbind with sssd. Stopping winbind, and
starting sssd, everything works nicely.
I have followed all the Wikis, and gone through most of what's been
written the last 2 years, also on the list, about configuring a Samba
member server. I have checked that the lib files exist, and are in the
right places, tried different versions of nsswitch.conf, etc. I'm not
completely sure if the winbind entries make any difference when using
sssd, as sssd.conf and realmd.conf seem to have entries that
effectively replace the winbind entries in smb.conf.
Below is smb.conf, and nsswitch.conf. I've tried a bunch of different
settings for passwd and group in nsswitch, but it does not seem to make
any difference with winbind (files winbind, files winbind sss, files sss
winbind, files pam winbind, files winbind pam, etc., etc., etc.).
What also beats me is, that the logs are very quiet.
I am happy that it works with sssd, but I just don't want to leave it
without any explanations. At least not after spending a day trying to
get it working.
Best regards,
Peter
smb.conf (no shares yet)
====================
[global]
# A domain member must run with security = ADS; the file as posted had
# security = user, which makes smbd a standalone server. workgroup and
# realm must also be set for the member (values not shown in the post).
security = ADS
idmap config * : backend = tdb
# As posted this line had no "=" (idmap config * : range 3000-9999);
# smb.conf lines without "=" are ignored, so the default range was never set.
idmap config * : range = 3000-9999
idmap config SAMDOM : backend = rid
idmap config SAMDOM : range = 10000-99999
local master = no
domain master = no
preferred master = no
template shell = /bin/false
template homedir = /dev/null
winbind use default domain = true
winbind offline logon = true
username map = /etc/samba/user.map
dedicated keytab file = /etc/krb5.keytab
kerberos method = secrets and keytab
winbind refresh tickets = Yes
client signing = yes
client use spnego = yes
winbind enum users = yes
winbind enum groups = yes
printing = bsd
printcap name = /dev/null
load printers = no
disable spoolss = yes
vfs objects = acl_xattr
map acl inherit = yes
store dos attributes = yes
nsswitch.conf
===========
passwd: files sss
shadow: files sss
group: files sss
#passwd: files winbind
#shadow: files sss
#group: files winbind
#initgroups: files sss
#hosts: db files nisplus nis dns
hosts: files dns
# Example - obey only what nisplus tells us...
#services: nisplus [NOTFOUND=return] files
#networks: nisplus [NOTFOUND=return] files
#protocols: nisplus [NOTFOUND=return] files
#rpc: nisplus [NOTFOUND=return] files
#ethers: nisplus [NOTFOUND=return] files
#netmasks: nisplus [NOTFOUND=return] files
bootparams: nisplus [NOTFOUND=return] files
ethers: files
netmasks: files
networks: files
protocols: files
rpc: files
services: files sss
netgroup: files sss
publickey: nisplus
automount: files sss
aliases: files nisplus
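The idmap and nsswitch.conf rules for a Samba domain member can be checked mechanically. The following is an added example written for this thread, not Samba's own code and not from the poster: it parses the [global] section of an smb.conf, flags lines Samba ignores because they lack "=", requires security = ads, a default "idmap config *" domain, a backend plus a well-formed and non-overlapping range for every idmap domain, and winbind in the passwd and group lines of nsswitch.conf. The sample inputs are constructed inline (the posted idmap lines, and a hypothetical corrected pair); the function names are my own.

```python
"""Lint a Samba AD-member smb.conf and nsswitch.conf for the idmap/NSS
mistakes that leave wbinfo working while getent and id return nothing.
Added example for this thread; not Samba's own code."""
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample: the posted [global] idmap lines, including the range
# line with no "=" (Samba ignores it, so the default range stays unset).
SAMPLE_SMB_CONF = """\
[global]
security = user
idmap config * : backend = tdb
idmap config * : range 3000-9999
idmap config SAMDOM:backend = rid
idmap config SAMDOM:range = 10000-99999
"""
SAMPLE_NSSWITCH = "passwd: files sss\nshadow: files sss\ngroup: files sss\n"

# Constructed corrected pair (hypothetical, not from the post).
FIXED_SMB_CONF = """\
[global]
security = ads
idmap config * : backend = tdb
idmap config * : range = 3000-7999
idmap config SAMDOM : backend = rid
idmap config SAMDOM : range = 10000-99999
"""
FIXED_NSSWITCH = "passwd: files winbind\nshadow: files\ngroup: files winbind\n"

# Matches a normalised key such as "idmap config * : backend".
IDMAP_KEY = re.compile(r"idmap config (?P<dom>\S+)\s*:\s*(?P<opt>\w+)")


def parse_smb_conf(text: str) -> Tuple[Dict[str, str], List[str]]:
    """Return ([global] key -> value, lines without '=' that Samba ignores)."""
    params: Dict[str, str] = {}
    malformed: List[str] = []
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if "=" not in line:
            malformed.append(line)
            continue
        key, _, value = line.partition("=")
        key = re.sub(r"\s+", " ", key.strip().lower())  # collapse spacing, lowercase
        if section == "global":
            params[key] = value.strip()
    return params, malformed


def idmap_domains(params: Dict[str, str]) -> Dict[str, Dict[str, str]]:
    """Group 'idmap config DOM : option' keys into {DOM: {option: value}}."""
    doms: Dict[str, Dict[str, str]] = {}
    for key, value in params.items():
        m = IDMAP_KEY.fullmatch(key)
        if m:
            doms.setdefault(m.group("dom").upper(), {})[m.group("opt")] = value
    return doms


def parse_range(value: str) -> Optional[Tuple[int, int]]:
    """'LOW-HIGH' -> (LOW, HIGH); None when absent, malformed or inverted."""
    m = re.fullmatch(r"(\d+)\s*-\s*(\d+)", value.strip())
    if not m:
        return None
    lo, hi = int(m.group(1)), int(m.group(2))
    return (lo, hi) if lo <= hi else None


def nss_sources(text: str) -> Dict[str, List[str]]:
    """nsswitch.conf -> {database: [sources]}, skipping [STATUS=action] tokens."""
    out: Dict[str, List[str]] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if ":" in line:
            db, _, rest = line.partition(":")
            out[db.strip()] = [t for t in rest.split() if not t.startswith("[")]
    return out


def check_member_config(smb_conf: str, nsswitch: str) -> List[str]:
    """Return findings as text; an empty list means every check passed."""
    findings: List[str] = []
    params, malformed = parse_smb_conf(smb_conf)
    findings += [f"ignored line (no '='): {ln!r}" for ln in malformed]
    if params.get("security", "").lower() != "ads":
        findings.append("security must be 'ads' on an AD domain member")
    doms = idmap_domains(params)
    if "*" not in doms:
        findings.append("no 'idmap config *' default domain for BUILTIN/unknown SIDs")
    ranges: Dict[str, Tuple[int, int]] = {}
    for dom, opts in doms.items():
        if "backend" not in opts:
            findings.append(f"idmap config {dom}: backend missing")
        rng = parse_range(opts.get("range", ""))
        if rng is None:
            findings.append(f"idmap config {dom}: range missing or malformed")
        else:
            ranges[dom] = rng
    ordered = sorted(ranges.items(), key=lambda kv: kv[1])
    for (d1, r1), (d2, r2) in zip(ordered, ordered[1:]):
        if r1[1] >= r2[0]:  # ranges must not overlap, or SID->ID mapping is ambiguous
            findings.append(f"idmap ranges overlap: {d1} {r1} and {d2} {r2}")
    srcs = nss_sources(nsswitch)
    for db in ("passwd", "group"):
        if "winbind" not in srcs.get(db, []):
            findings.append(f"nsswitch {db}: {srcs.get(db, [])} lacks winbind")
    return findings
```

Run against the posted fragments, check_member_config reports the ignored range line, the non-ads security setting, the missing default range and the absence of winbind from the passwd and group lines; the corrected pair produces no findings. In practice the same facts come from `testparm -s` (which warns about badly formed lines) and `wbinfo -i USER` or `wbinfo --sid-to-uid`, which fail for an unmapped SID while `wbinfo -u` still lists names.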