[Samba] Getent doesn't show AD users/groups

Alex Orlov ooo_saturn7 at mail.ru
Tue Dec 15 18:52:00 UTC 2020


I’ve corrected all my mistakes with names (at least I think so), but ANYWAY getent doesn’t list
users and groups from AD. Below is the new result of the script. Please help me to fix it.
 
Collected config --- 2020-12-15-21:37 -----------
 
Hostname: server1
DNS Domain: headoffice.example.com
FQDN: server1.headoffice.example.com
ipaddress: 172.16.0.1 x.x.x.x 10.8.0.1
 
-----------
 
Kerberos SRV _kerberos._tcp.headoffice.example.com record verified ok, sample output:
Server: 172.16.0.1
Address: 172.16.0.1#53
 
_kerberos._tcp.headoffice.example.com service = 0 100 88 server1.headoffice.example.com.
Samba is running as an AD DC
 
-----------
Checking file: /etc/os-release
 
PRETTY_NAME="Debian GNU/Linux 8 (jessie)"
NAME="Debian GNU/Linux"
VERSION_ID="8"
VERSION="8 (jessie)"
ID=debian
HOME_URL="http://www.debian.org/"
SUPPORT_URL="http://www.debian.org/support"
BUG_REPORT_URL="https://bugs.debian.org/"
 
-----------
 
 
This computer is running Debian 8.5 x86_64
 
-----------
running command : ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
inet6 ::1/128 scope host
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
link/ether 0
inet 172.16.0.1/24 brd 172.16.0.255 scope global eth0
inet6
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
link/ether
inet x.x.x.x brd x.x.x.x scope global eth1
inet6
4: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN group default qlen 100
link/none
inet 10.8.0.1 peer 10.8.0.2/32 scope global tun0
 
-----------
Checking file: /etc/hosts
 
127.0.0.1 localhost
127.0.1.1 server0
172.16.0.1 server1.headoffice.example.com server1
 
# The following lines are desirable for IPv6 capable hosts
::1 localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
 
-----------
 
Checking file: /etc/resolv.conf
 
search headoffice.example.com
nameserver 172.16.0.1
 
-----------
 
Checking file: /etc/krb5.conf
 
[libdefaults]
default_realm = HEADOFFICE.EXAMPLE.COM
 
# The following krb5.conf variables are only for MIT Kerberos.
krb4_config = /etc/krb.conf
krb4_realms = /etc/krb.realms
kdc_timesync = 1
ccache_type = 4
forwardable = true
proxiable = true
dns_lookup_realm = false
dns_lookup_kdc = true
 
# The following encryption type specification will be used by MIT Kerberos
# if uncommented. In general, the defaults in the MIT Kerberos code are
# correct and overriding these specifications only serves to disable new
# encryption types as they are added, creating interoperability problems.
#
# Thie only time when you might need to uncomment these lines and change
# the enctypes is if you have local software that will break on ticket
# caches containing ticket encryption types it doesn't know about (such as
# old versions of Sun Java).
 
# default_tgs_enctypes = des3-hmac-sha1
# default_tkt_enctypes = des3-hmac-sha1
# permitted_enctypes = des3-hmac-sha1
 
# The following libdefaults parameters are only for Heimdal Kerberos.
v4_instance_resolve = false
v4_name_convert = {
host = {
rcmd = host
ftp = ftp
}
plain = {
something = something-else
}
}
fcc-mit-ticketflags = true
 
[realms]
HEADOFFICE.EXAMPLE.COM = {
kdc = server1
admin_server = server1
}
ATHENA.MIT.EDU = {
kdc = kerberos.mit.edu:88
kdc = kerberos-1.mit.edu:88
kdc = kerberos-2.mit.edu:88
admin_server = kerberos.mit.edu
default_domain = mit.edu
}
MEDIA-LAB.MIT.EDU = {
kdc = kerberos.media.mit.edu
admin_server = kerberos.media.mit.edu
}
ZONE.MIT.EDU = {
kdc = casio.mit.edu
kdc = seiko.mit.edu
admin_server = casio.mit.edu
}
MOOF.MIT.EDU = {
kdc = three-headed-dogcow.mit.edu:88
kdc = three-headed-dogcow-1.mit.edu:88
admin_server = three-headed-dogcow.mit.edu
}
CSAIL.MIT.EDU = {
kdc = kerberos-1.csail.mit.edu
kdc = kerberos-2.csail.mit.edu
admin_server = kerberos.csail.mit.edu
default_domain = csail.mit.edu
krb524_server = krb524.csail.mit.edu
}
IHTFP.ORG = {
kdc = kerberos.ihtfp.org
admin_server = kerberos.ihtfp.org
}
GNU.ORG = {
kdc = kerberos.gnu.org
kdc = kerberos-2.gnu.org
kdc = kerberos-3.gnu.org
admin_server = kerberos.gnu.org
}
1TS.ORG = {
kdc = kerberos.1ts.org
admin_server = kerberos.1ts.org
}
GRATUITOUS.ORG = {
kdc = kerberos.gratuitous.org
admin_server = kerberos.gratuitous.org
}
DOOMCOM.ORG = {
kdc = kerberos.doomcom.org
admin_server = kerberos.doomcom.org
}
ANDREW.CMU.EDU = {
kdc = kerberos.andrew.cmu.edu
kdc = kerberos2.andrew.cmu.edu
kdc = kerberos3.andrew.cmu.edu
admin_server = kerberos.andrew.cmu.edu
default_domain = andrew.cmu.edu
}
CS.CMU.EDU = {
kdc = kerberos.cs.cmu.edu
kdc = kerberos-2.srv.cs.cmu.edu
admin_server = kerberos.cs.cmu.edu
}
DEMENTIA.ORG = {
kdc = kerberos.dementix.org
kdc = kerberos2.dementix.org
admin_server = kerberos.dementix.org
}
stanford.edu = {
kdc = krb5auth1.stanford.edu
kdc = krb5auth2.stanford.edu
kdc = krb5auth3.stanford.edu
master_kdc = krb5auth1.stanford.edu
admin_server = krb5-admin.stanford.edu
default_domain = stanford.edu
}
UTORONTO.CA = {
kdc = kerberos1.utoronto.ca
kdc = kerberos2.utoronto.ca
kdc = kerberos3.utoronto.ca
admin_server = kerberos1.utoronto.ca
default_domain = utoronto.ca
}
 
[domain_realm]
.mit.edu = ATHENA.MIT.EDU
mit.edu = ATHENA.MIT.EDU
.media.mit.edu = MEDIA-LAB.MIT.EDU
media.mit.edu = MEDIA-LAB.MIT.EDU
.csail.mit.edu = CSAIL.MIT.EDU
csail.mit.edu = CSAIL.MIT.EDU
.whoi.edu = ATHENA.MIT.EDU
whoi.edu = ATHENA.MIT.EDU
.stanford.edu = stanford.edu
.slac.stanford.edu = SLAC.STANFORD.EDU
.toronto.edu = UTORONTO.CA
.utoronto.ca = UTORONTO.CA
 
[login]
krb4_convert = true
krb4_get_tickets = false
 
-----------
 
Checking file: /etc/nsswitch.conf
 
# /etc/nsswitch.conf
#
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.
 
passwd: compat winbind
group: compat winbind
shadow: compat
gshadow: files
 
hosts: files myhostname dns
networks: files
 
protocols: db files
services: db files
ethers: db files
rpc: db files
 
netgroup: nis
 
-----------
 
Checking file: /etc/samba/smb.conf
 
# Global parameters
[global]
workgroup = HEADOFFICE
realm = HEADOFFICE.EXAMPLE.COM
netbios name = SERVER1
server role = active directory domain controller
dns forwarder = 87.249.16.250
idmap_ldb:use rfc2307 = yes
interfaces = eth0
bind interfaces only = yes
hosts allow = 127.0.0.1 172.16.0.0/24 10.8.0.0/24
hosts deny = 0.0.0.0/0
winbind enum users = yes
winbind enum groups = yes
winbind use default domain = yes
log level = 3 passdb:5 auth:5
# log level = 4
 
 
[netlogon]
path = /var/lib/samba/sysvol/headoffice.example.com/scripts
read only = No
 
[sysvol]
path = /var/lib/samba/sysvol
read only = No
 
 
-----------
 
BIND_DLZ not detected in smb.conf
 
-----------
 
Installed packages:
ii acl 2.2.52-2 amd64 Access control list utilities
ii attr 1:2.4.47-2 amd64 Utilities for manipulating filesystem extended attributes
ii krb5-config 2.3 all Configuration files for Kerberos Version 5
ii krb5-locales 1.12.1+dfsg-19+deb8u2 all Internationalization support for MIT Kerberos
ii krb5-user 1.12.1+dfsg-19+deb8u5 amd64 Basic programs to authenticate using MIT Kerberos
ii libacl1:amd64 2.2.52-2 amd64 Access control list shared library
ii libattr1:amd64 1:2.4.47-2 amd64 Extended attribute shared library
ii libgssapi-krb5-2:amd64 1.12.1+dfsg-19+deb8u5 amd64 MIT Kerberos runtime libraries - krb5 GSS-API Mechanism
ii libkrb5-26-heimdal:amd64 1.6~rc2+dfsg-9+deb8u1 amd64 Heimdal Kerberos - libraries
ii libkrb5-3:amd64 1.12.1+dfsg-19+deb8u5 amd64 MIT Kerberos runtime libraries
ii libkrb5support0:amd64 1.12.1+dfsg-19+deb8u5 amd64 MIT Kerberos runtime libraries - Support library
ii libnss-winbind:amd64 2:4.2.14+dfsg-0+deb8u13 amd64 Samba nameservice integration plugins
ii libpam-winbind:amd64 2:4.2.14+dfsg-0+deb8u13 amd64 Windows domain authentication integration plugin
ii libsmbclient:amd64 2:4.2.14+dfsg-0+deb8u13 amd64 shared library for communication with SMB/CIFS servers
ii libwbclient0:amd64 2:4.2.14+dfsg-0+deb8u13 amd64 Samba winbind client library
ii oracle-java8-jdk 8u101 amd64 Java™ Platform, Standard Edition 8 Development Kit
ii python-samba 2:4.2.14+dfsg-0+deb8u13 amd64 Python bindings for Samba
ii samba 2:4.2.14+dfsg-0+deb8u13 amd64 SMB/CIFS file, print, and login server for Unix
ii samba-common 2:4.2.14+dfsg-0+deb8u13 all common files used by both the Samba server and client
ii samba-common-bin 2:4.2.14+dfsg-0+deb8u13 amd64 Samba common files used by both the server and the client
ii samba-dsdb-modules 2:4.2.14+dfsg-0+deb8u13 amd64 Samba Directory Services Database
ii samba-libs:amd64 2:4.2.14+dfsg-0+deb8u13 amd64 Samba core libraries
ii samba-vfs-modules 2:4.2.14+dfsg-0+deb8u13 amd64 Samba Virtual FileSystem plugins
ii spice-client-glib-usb-acl-helper 0.25-1+b1 amd64 Spice client glib usb acl helper
ii winbind 2:4.2.14+dfsg-0+deb8u13 amd64 service to resolve user and group information from Windows NT servers
 
-----------
 
--
Best regards, Alex Orlov

