[Samba] `getent passwd` not working with ad backend
L. van Belle
belle at samba.org
Thu Jan 24 09:10:22 UTC 2019
Did you assign uid/gid's to the user/groups?
https://wiki.samba.org/index.php/Maintaining_Unix_Attributes_in_AD_using_ADUC
And test with
getent passwd username
You can change these settings to no; for testing it's OK,
but it only slows down your server.
# For member and DC, set to no.
> winbind enum users = yes
> winbind enum groups = yes
# member only
If you use :
> kerberos method = secrets and keytab
Then also set :
dedicated keytab file = /etc/krb5.keytab
# renew the kerberos ticket
winbind refresh tickets = yes
Besides that the configs look ok.
Can you show /etc/nsswitch.conf
I expect it to be good, just to be sure.
Greetz,
Louis
> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of
> Harpoon via samba
> Sent: Thursday, 24 January 2019 9:57
> To: samba at lists.samba.org
> Subject: [Samba] `getent passwd` not working with ad backend
>
> Hi all,
> I've been reading and it seems like ad backend has many
> features that I'd like to use. However, despite browsing many
> forums and docs, I am still unable to get domain users list
> using `getent passwd` while using `ad backend`. If I change
> backend to tdb, then I can get usernames on the clients.
> Authentication works fine too when using `tdb backend`. I
> think the only issue is with the mapping part. Otherwise the
> domain is working pretty fine.
>
> All boxes are running Debian Stretch.
>
> ===================================================
> Server's smb.conf
> ===================================================
> # Global parameters
> [global]
> netbios name = DC1
> realm = SAMDOM.EXAMPLE.COM
> workgroup = SAMDOM
> dns forwarder = 10.0.5.200
> server role = active directory domain controller
> idmap_ldb:use rfc2307 = yes
> winbind enum users = yes
> winbind enum groups = yes
> template shell = /bin/bash
>
> [netlogon]
> path = /var/lib/samba/sysvol/samdom.example.com/scripts
> read only = No
>
> [sysvol]
> path = /var/lib/samba/sysvol
> read only = No
>
> ===================================================
> Client's smb.conf
> ===================================================
> [global]
> netbios name = client1
> realm = SAMDOM.EXAMPLE.COM
> workgroup = SAMDOM
> security = ADS
> kerberos method = secrets and keytab
> winbind trusted domains only = no
> winbind enum users = yes
> winbind enum groups = yes
> winbind use default domain = yes
> winbind nss info = rfc2307
> # FOR Samba-share `getent` testing
> # password server = dc1.samdom.example.com
> # client signing = auto
> # server signing = auto
>
> idmap config * : backend = tdb
> idmap config * : range = 10000-20000
>
> idmap config SAMDOM : backend = ad
> idmap config SAMDOM : range = 21000-200000
> -------------------------------------------------------------------------
>
> **With ad backend:**
> 1. wbinfo -u lists all domain users
> 2. `getent passwd` doesn't list domain users
>
> **With tdb backend:**
> 1. wbinfo -u lists all domain users
> 2. `getent passwd` also lists all domain users
>
> Just by commenting out the `idmap config SAMDOM` lines in the
> client's smb.conf, all other things start working such as
> `getent passwd`, authentication, etc.
>
> I tried adding multiple Unix groups and users following
> instructions on Samba Wiki, but the result is always the
> same. I've been trying to sort it out for a couple of weeks
> and it's now driving me insane.
> Any help would be appreciated!
>
> Kind regards,
> Harp
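The check behind the reply's first question (were uid/gid attributes assigned?), as an added example that is not part of the original thread or of Samba itself: it parses the idmap lines from the quoted client smb.conf and flags accounts whose uidNumber, or whose primary group's gidNumber, is missing or outside the SAMDOM range, which the ad backend does not map. The account records and function names are hypothetical and constructed for illustration.

```python
import re

# The idmap lines from the client smb.conf quoted in the thread.
SMB_CONF = """
idmap config * : backend = tdb
idmap config * : range = 10000-20000
idmap config SAMDOM : backend = ad
idmap config SAMDOM : range = 21000-200000
"""

# Constructed AD records (hypothetical accounts), shaped like LDAP query results.
USERS = [
    {"sAMAccountName": "alice", "uidNumber": 21001, "primaryGroup": "Domain Users"},
    {"sAMAccountName": "bob", "uidNumber": None, "primaryGroup": "Domain Users"},
    {"sAMAccountName": "carol", "uidNumber": 5000, "primaryGroup": "Domain Users"},
]
GROUPS = {"Domain Users": {"gidNumber": 21000}}

IDMAP_RE = re.compile(r"^\s*idmap config\s+(\S+)\s*:\s*(backend|range)\s*=\s*(.+?)\s*$")

def parse_idmap(conf):
    """Return {domain: {"backend": str, "range": (low, high)}} from smb.conf text."""
    domains = {}
    for line in conf.splitlines():
        m = IDMAP_RE.match(line)  # commented-out lines do not match
        if not m:
            continue
        dom, key, val = m.groups()
        entry = domains.setdefault(dom, {})
        if key == "range":
            low, high = val.split("-")
            entry["range"] = (int(low), int(high))
        else:
            entry["backend"] = val
    return domains

def check_users(conf, domain, users, groups):
    """Return {user: reason} for accounts the ad backend cannot map."""
    low, high = parse_idmap(conf)[domain]["range"]
    problems = {}
    for u in users:
        name, uid = u["sAMAccountName"], u["uidNumber"]
        gid = groups.get(u["primaryGroup"], {}).get("gidNumber")
        if uid is None:
            problems[name] = "no uidNumber"
        elif not low <= uid <= high:
            problems[name] = "uidNumber outside range"
        elif gid is None or not low <= gid <= high:
            problems[name] = "primary group gidNumber missing or outside range"
    return problems
```

Accounts reported here are the ones to fix in AD before expecting `getent passwd username` to return them on the member.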