[Samba] getent not showing domain users and groups with winbind but works with sssd

Peter Milesson miles at atmos.eu
Sun Sep 30 21:25:48 UTC 2018

Hi folks,

AD server CentOS 7-1804, Samba 4.9.1 compiled from source, only used as 
AD server, with netlogon and sysvol, just like any Windows AD server

AD member server CentOS 7-1804, Samba 4.7.1 installed from CentOS 
repositories, intended for use as a file server, with shares for roaming 
profiles, home directories, and data shares.

I know that the getent problem has been discussed ad nauseam here, but 
this really beats me. The AD server works, except for dynamic DNS 
updates, which seems to be a known problem, so I'm not going to mention 
it here further.

Winbind seems to work, displaying groups and users through wbinfo. 
Kerberos also works. Had a bit of a problem joining the member server to 
the domain, but it eventually worked. The net rpc join command requires 
the -S switch, which is omitted almost everywhere in the documentation. 
But the id, or getent users or getent groups just do not give away 
anything. Empty.

On a hunch, I tried replacing winbind with sssd. Stopping winbind, and 
starting sssd, everything works nicely.

I have followed all the Wikis, and gone through most of what's been 
written the last 2 years, also on the list, about configuring a Samba 
member server. I have checked that the lib files exist, and are in the 
right places, tried different versions of nsswitch.conf, etc. I'm not 
completely sure if the winbind entries make any difference when using 
sssd, as sssd.conf and realmd.conf seem to have got entries that 
effectively replace the winbind entries in smb.conf.

Below is smb.conf, and nsswitch.conf. I've tried a bunch of different 
settings for passwd and group in nsswitch, but it does not seem to make 
any difference with winbind (files winbind, files winbind sss, files sss 
winbind, files pam winbind, files winbind pam, etc., etc., etc.).

What also beats me is that the logs are very quiet.

I am happy that it works with sssd, but I just don't want to leave it 
without any explanations. At least not after spending a day trying to 
get it working.

Best regards,


smb.conf (no shares yet)

    security = user
    idmap config * : backend = tdb
    idmap config * : range = 3000-9999
    idmap config SAMDOM:backend = rid
    idmap config SAMDOM:range = 10000-99999

    local master = no
    domain master = no
    preferred master = no

    template shell = /bin/false
    template homedir = /dev/null
    winbind use default domain = true
    winbind offline logon = true

    username map = /etc/samba/user.map

    dedicated keytab file = /etc/krb5.keytab
    kerberos method = secrets and keytab
    winbind refresh tickets = Yes
    client signing = yes
    client use spnego = yes

    winbind enum users = yes
    winbind enum groups = yes

    printing = bsd
    printcap name = /dev/null
    load printers = no
    disable spoolss = yes

    vfs objects = acl_xattr
    map acl inherit = yes
    store dos attributes = yes

passwd:     files sss
shadow:     files sss
group:      files sss
#passwd:     files winbind
#shadow:     files sss
#group:      files winbind
#initgroups: files sss

#hosts:     db files nisplus nis dns
hosts:      files dns

# Example - obey only what nisplus tells us...
#services:   nisplus [NOTFOUND=return] files
#networks:   nisplus [NOTFOUND=return] files
#protocols:  nisplus [NOTFOUND=return] files
#rpc:        nisplus [NOTFOUND=return] files
#ethers:     nisplus [NOTFOUND=return] files
#netmasks:   nisplus [NOTFOUND=return] files

bootparams: nisplus [NOTFOUND=return] files

ethers:     files
netmasks:   files
networks:   files
protocols:  files
rpc:        files
services:   files sss

netgroup:   files sss

publickey:  nisplus

automount:  files sss
aliases:    files nisplus
