[Samba] getent passwd blank response
Bob Wooden
bob at donelsontrophy.com
Mon Aug 17 11:44:55 UTC 2020
On 8/17/20 6:29 AM, L.P.H. van Belle via samba wrote:
> And run this one again for me:
> https://raw.githubusercontent.com/thctlo/samba4/master/samba-collect-debug-info.sh
>
root at mbr04:~# ./samba-collect-debug-info.sh
Please wait, collecting debug info.
Password for Administrator at subdom.example.com:
Load smb config files from /etc/samba/smb.conf
Loaded services file OK.
Server role: ROLE_DOMAIN_MEMBER
The debug info about your system can be found in this file:
/tmp/samba-debug-info.txt
Please check this and if required, sanitise it.
Then copy & paste it into an email to the samba list
Do not attach it to the email, the Samba mailing list strips attachments.
root at mbr04:~# cat /tmp/samba-debug-info.txt
Collected config --- 2020-08-17-06:34 -----------
Hostname: mbr04
DNS Domain: subdom.example.com
FQDN: mbr04.subdom.example.com
ipaddress: 192.168.0.54
-----------
Kerberos SRV _kerberos._tcp.subdom.example.com record verified ok,
sample output:
Server: 192.168.0.41
Address: 192.168.0.41#53
_kerberos._tcp.subdom.example.com service = 0 100 88
dc1.subdom.example.com.
_kerberos._tcp.subdom.example.com service = 0 100 88
dc2.subdom.example.com.
Samba is running as a Unix domain member
-----------
Checking file: /etc/os-release
PRETTY_NAME="Debian GNU/Linux 10 (buster)"
NAME="Debian GNU/Linux"
VERSION_ID="10"
VERSION="10 (buster)"
VERSION_CODENAME=buster
ID=debian
HOME_URL="https://www.debian.org/"
SUPPORT_URL="https://www.debian.org/support"
BUG_REPORT_URL="https://bugs.debian.org/"
-----------
This computer is running Debian 10.5 x86_64
-----------
running command : ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN
group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
inet6 ::1/128 scope host
2: enp1s0f0: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN group
default qlen 1000
link/ether 00:25:90:0d:d2:02 brd ff:ff:ff:ff:ff:ff
3: enp1s0f1: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN group
default qlen 1000
link/ether 00:25:90:0d:d2:03 brd ff:ff:ff:ff:ff:ff
4: enp3s0f0: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN group
default qlen 1000
link/ether 00:25:90:39:1e:e4 brd ff:ff:ff:ff:ff:ff
5: enp3s0f1: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN group
default qlen 1000
link/ether 00:25:90:39:1e:e5 brd ff:ff:ff:ff:ff:ff
6: enp4s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP
group default qlen 1000
link/ether 00:02:c9:54:2a:e2 brd ff:ff:ff:ff:ff:ff
inet 192.168.0.54/24 brd 192.168.0.255 scope global enp4s0
inet6 fe80::202:c9ff:fe54:2ae2/64 scope link
-----------
Checking file: /etc/hosts
127.0.0.1 localhost
192.168.0.54 mbr04.subdom.example.com mbr04
# The following lines are desirable for IPv6 capable hosts
::1 localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
fe80::202:c9ff:fe54:2ae2 mbr04.subdom.example.com mbr04
-----------
Checking file: /etc/resolv.conf
search subdom.example.com
nameserver 192.168.0.41
nameserver 192.168.0.42
-----------
Checking file: /etc/krb5.conf
[libdefaults]
default_realm = SUBDOM.EXAMPLE.COM
dns_lookup_kdc = true
dns_lookup_realm = false
; forwardable = true
; proxiable = true
; ticket_lifetime = 24h
; renew_lifetime = 7d
; ccache_type = 4
;
; Enable this one if you have a tight setup where only the user can
enter the user home dir.
; You might need it with cifs mounts, nfs mounts
; ignore_k5login = true
; A note: This is not used for nfs4 but cifs uses it.
; for Windows 2003
; default_tgs_enctypes = rc4-hmac des-cbc-crc des-cbc-md5
; default_tkt_enctypes = rc4-hmac des-cbc-crc des-cbc-md5
; permitted_enctypes = rc4-hmac des-cbc-crc des-cbc-md5
;
; for Windows 2008 with AES
default_tgs_enctypes = aes256-cts-hmac-sha1-96
aes128-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
default_tkt_enctypes = aes256-cts-hmac-sha1-96
aes128-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
permitted_enctypes = aes256-cts-hmac-sha1-96
aes128-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
-----------
Checking file: /etc/nsswitch.conf
# /etc/nsswitch.conf
#
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.
passwd: files winbind systemd
group: files winbind systemd
shadow: files
gshadow: files
hosts: files dns
networks: files
protocols: db files
services: db files
ethers: db files
rpc: db files
netgroup: nis
-----------
Checking file: /etc/samba/smb.conf
# https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member
#
log level = 4
log file = /var/log/samba/%m.log
max log size = 1000
# netbios name = By default this is "hostname -s" but in caps.
realm = subdom.example.com
workgroup = DOM
security = ADS
# set master browser for the network.
# preffered + domain master = yes = guarantee master browser ( man
smb.conf )
# ! There can only be ONE master browser.
preferred master = no
domain master = no
dedicated keytab file = /etc/krb5.keytab
kerberos method = secrets and keytab
## map id's outside to domain to tdb files.
idmap config * : backend = tdb
idmap config * : range = 3000-7000
## map ids from the domain the range may not overlap !
idmap config DOM : backend = ad
idmap config DOM : schema_mode = rfc2307
idmap config DOM : range = 10000-999999
idmap config DOM : unix_nss_info = yes
idmap config DOM : unix_primary_group = yes ##added per L email
2020-08-13
# Renew the kerberos tickets
winbind refresh tickets = yes
# Enable offline logins
winbind offline logon = yes
# User uid/Gid from AD. (rfc2307)
winbind nss info = rfc2307
# With default domain, wbinfo -u, yes = username, no is SAMBADOM\username
winbind use default domain = yes
##winbind trusted domains only = no
# Keep no in production, set yes when debugging, this slows down your samba.
winbind enum users = yes
winbind enum groups = yes
# Check depth of nested groups, ! slows down you samba, if to much
groups depth
# Samba default is 0, i suggest a minimal of 2 in this setup, advices is 4.
winbind expand groups = 4
# User Administrator workaround, without it you are unable to set privileges
# !Note: When using the AD ID mapping back end, do not set the uidNumber
attribute for the domain administrator account.
# If the account has the attribute set, the value overrides the local
UID 0 of the root user and thus the mapping fails.
username map = /etc/samba/samba_usermapping
# disable usershares creating, when set empty no error log messages.
usershare path =
# Disable printing completely
load printers = no
printing = bsd
printcap name = /dev/null
disable spoolss = yes
# For Windows ACL support on member file server, enabled globaly, OBLIGATED
# For a mixed setup of rights, put this per share!
vfs objects = acl_xattr
map acl inherit = yes
store dos attributes = yes
# Share Setting Globally
veto files = /.bash_logout/.bash_profile/.bash_history/.bashrc/
hide unreadable = yes
# Included per Louis' member sacript
include = /etc/samba/smb-shares.conf
######## SHARE DEFINITIONS ################
##moved to /etc/samba/smb-shares.conf
-----------
Running as Unix domain member and user.map detected.
Contents of /etc/samba/samba_usermapping
!root = DOM\Administrator DOM\administrator
Server Role is set to : auto
-----------
Installed packages:
ii acl 2.2.53-4 amd64 access control
list - utilities
ii attr 1:2.4.48-4 amd64 utilities for
manipulating filesystem extended attributes
ii krb5-config 2.6 all Configuration files
for Kerberos Version 5
ii krb5-locales 1.17-3 all
internationalization support for MIT Kerberos
ii krb5-user 1.17-3 amd64 basic programs to
authenticate using MIT Kerberos
ii libacl1:amd64 2.2.53-4 amd64 access control
list - shared library
ii libattr1:amd64 1:2.4.48-4 amd64 extended
attribute handling - shared library
ii libgssapi-krb5-2:amd64 1.17-3 amd64 MIT Kerberos
runtime libraries - krb5 GSS-API Mechanism
ii libkrb5-3:amd64 1.17-3 amd64 MIT Kerberos
runtime libraries
ii libkrb5support0:amd64 1.17-3 amd64 MIT Kerberos
runtime libraries - Support library
ii libnss-winbind:amd64 2:4.12.5+dfsg-2.1buster1 amd64
Samba nameservice integration plugins
ii libpam-krb5:amd64 4.8-2+deb10u1 amd64 PAM module
for MIT Kerberos
ii libpam-winbind:amd64 2:4.12.5+dfsg-2.1buster1 amd64
Windows domain authentication integration plugin
ii libsmbclient:amd64 2:4.12.5+dfsg-2.1buster1 amd64
shared library for communication with SMB/CIFS servers
ii libwbclient0:amd64 2:4.12.5+dfsg-2.1buster1 amd64
Samba winbind client library
ii python3-samba 2:4.12.5+dfsg-2.1buster1 amd64
Python 3 bindings for Samba
ii samba 2:4.12.5+dfsg-2.1buster1 amd64
SMB/CIFS file, print, and login server for Unix
ii samba-common 2:4.12.5+dfsg-2.1buster1 all
common files used by both the Samba server and client
ii samba-common-bin 2:4.12.5+dfsg-2.1buster1 amd64
Samba common files used by both the server and the client
ii samba-dsdb-modules:amd64 2:4.12.5+dfsg-2.1buster1 amd64
Samba Directory Services Database
ii samba-libs:amd64 2:4.12.5+dfsg-2.1buster1 amd64
Samba core libraries
ii samba-vfs-modules:amd64 2:4.12.5+dfsg-2.1buster1 amd64
Samba Virtual FileSystem plugins
ii smbclient 2:4.12.5+dfsg-2.1buster1 amd64
command-line SMB/CIFS clients for Unix
ii winbind 2:4.12.5+dfsg-2.1buster1 amd64
service to resolve user and group information from Windows NT servers
-----------
--
(Sent from home location.)
Bob Wooden
More information about the samba
mailing list