[Samba] Getent doesn't show AD users/groups

L.P.H. van Belle belle at bazuin.nl
Wed Dec 16 15:46:57 UTC 2020

> That is absolutely impossible, because there are a lot of things running
> on this server
> and I don’t want to spend weeks trying to make them work in new distro.
> Look, here
> I have a problem with one program that none can solve and there I have 
> dozens of programs.

Now, this is always a problem; if you had kept everything up to date,
you would not have been in this situation now.
And I know this problem, I have 1 of these servers also.

It "should" work fine also as of wheezy. I know my DCs are running and were upgraded from wheezy.. from 4.1.x all the way up to 4.13.x (buster now).

I had another good look at the post of yesterday with the debug info.

/etc/hosts server0 server1.headoffice.example.com server1

You can remove the line; that's only if you installed with DHCP.
And make sure the old name is not used anywhere else in the system before you remove it.

        default_realm = HEADOFFICE.EXAMPLE.COM
        dns_lookup_kdc = yes
        dns_lookup_realm = no
        ticket_lifetime = 24h

# The following krb5.conf variables are only for MIT Kerberos.
        krb4_config = /etc/krb.conf
        krb4_realms = /etc/krb.realms
        kdc_timesync = 1
        ccache_type = 4
        forwardable = true
        proxiable = true

# The following encryption type specification will be used by MIT Kerberos
# if uncommented.  In general, the defaults in the MIT Kerberos code are
# correct and overriding these specifications only serves to disable new
# encryption types as they are added, creating interoperability problems.
# The only time when you might need to uncomment these lines and change
# the enctypes is if you have local software that will break on ticket
# caches containing ticket encryption types it doesn't know about (such as
# old versions of Sun Java).

; for Windows 2008 with AES
        default_tgs_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
        default_tkt_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
        permitted_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5

That's it. (You can/should remove the 2 des entries there, but test it with and without.)


winbind enum users = yes
winbind enum groups = yes 
Set these to no, it's just not needed to have yes.
For testing it's fine, for production set no.

interfaces = eth0
bind interfaces only = yes

That's wrong.

interfaces = lo eth0
bind interfaces only = yes

We need lo(calhost) 

rerun : apt-get install libnss-winbind libpam-winbind winbind

now run : pam-auth-update


test again

The upgrade path. 
Now if you want, you can upgrade samba up to 4.8.latest of my repo.
Then, when you're there, you can upgrade the full server to Stretch.
From there stay on 4.8..

because now you have a choice..  

If you want to run "vanilla" Debian Buster, just upgrade to Buster
and you end up with samba 4.9.5 

Then you can decide to use my packages again, or stay at Debian's..
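
The configuration points raised in the message above (loopback missing from "interfaces" while "bind interfaces only = yes", winbind enumeration left on, single-DES enctypes in krb5.conf) can be checked mechanically. The following is an added example, not part of the original post or of Samba; the function names and finding strings are hypothetical, and the sample input is constructed from the snippets quoted in the message.

```python
# Added example: audit smb.conf / krb5.conf text for the points raised in the message.
# Function names and finding strings are hypothetical; sample input is constructed.

TRUE_VALUES = ("yes", "true", "1")

def parse_kv(text):
    """Return {key: value} for 'key = value' lines, skipping comments and section headers."""
    out = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#;[" or "=" not in line:
            continue
        key, value = line.split("=", 1)
        out[" ".join(key.lower().split())] = value.strip()
    return out

def audit_smb(text):
    cfg, findings = parse_kv(text), []
    bind_only = cfg.get("bind interfaces only", "no").lower() in TRUE_VALUES
    ifaces = cfg.get("interfaces", "").split()
    # With "bind interfaces only", the loopback interface must be listed explicitly.
    if bind_only and not any(i == "lo" or i.startswith("127.") for i in ifaces):
        findings.append("bind interfaces only = yes but 'interfaces' lacks lo")
    for key in ("winbind enum users", "winbind enum groups"):
        if cfg.get(key, "no").lower() in TRUE_VALUES:
            findings.append(f"{key} = yes (fine for testing, set no in production)")
    return findings

def audit_krb5(text):
    cfg, findings = parse_kv(text), []
    for key in ("default_tgs_enctypes", "default_tkt_enctypes", "permitted_enctypes"):
        weak = [e for e in cfg.get(key, "").split() if e.startswith("des-")]
        if weak:
            findings.append(f"{key}: remove {' '.join(weak)}")
    return findings

# Constructed sample input, based on the settings quoted in the message.
SAMPLE_SMB = """[global]
interfaces = eth0
bind interfaces only = yes
winbind enum users = yes
winbind enum groups = yes
"""
SAMPLE_KRB5 = """[libdefaults]
        default_realm = HEADOFFICE.EXAMPLE.COM
; for Windows 2008 with AES
        default_tgs_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
        permitted_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac
"""

if __name__ == "__main__":
    for finding in audit_smb(SAMPLE_SMB) + audit_krb5(SAMPLE_KRB5):
        print("FINDING:", finding)
```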


