[Samba] Unable to get primary group information when using AD authentication with samba-4.10.4

Rowland Penny rpenny at samba.org
Fri Feb 28 10:46:10 UTC 2020


On 28/02/2020 10:15, Goto, Ryoichi wrote:
> Hi, Rowland.
> Thank you for your answer.
>
>> I removed these:
>>
>> sssd sssd * realmd
> Did this:
> [root@ms2 ~]# rpm -qa | grep realmd
> [root@ms2 ~]# rpm -qa | grep sss
> libsss_certmap-2.2.0-19.el8.x86_64
> sssd-common-2.2.0-19.el8.x86_64
> libsss_sudo-2.2.0-19.el8.x86_64
> sssd-client-2.2.0-19.el8.x86_64
> sssd-nfs-idmap-2.2.0-19.el8.x86_64
> sssd-kcm-2.2.0-19.el8.x86_64
> libsss_idmap-2.2.0-19.el8.x86_64
> libsss_nss_idmap-2.2.0-19.el8.x86_64
> libsss_autofs-2.2.0-19.el8.x86_64
> [root@ms2 ~]# dnf remove sssd-common-2.2.0-19.el8.x86_64 sssd-client-2.2.0-19.el8.x86_64 sssd-nfs-idmap-2.2.0-19.el8.x86_64
> sssd-kcm-2.2.0-19.el8.x86_64
>
>> Your /etc/hostname is wrong, it should contain only your computer's short
>> hostname: ms2
> It has changed.
>   
>> /etc/hosts should look like this (if using dhcp):
>>
>> 127.0.0.1 localhost
>> ::1 localhost
> Added the following:
> 172.16.0.72 ms2.testdom.local ms2
>
>> Run this: rm -f /etc/krb5.conf.d/crypto-policies
> I ran it.
>
>> Change /etc/nsswitch.conf to this:
> I ran it.
>
>> Try this /etc/samba/smb.conf
> I did that.
>
> Deleted the contents of /var/log/samba/log* and restarted nmbd, winbind and smbd.
>
>
>
> As a result, you cannot get the user information correctly.
> [root@ms2 ~]# wbinfo -i oec0814e
> failed to call wbcGetpwnam: WBC_ERR_DOMAIN_NOT_FOUND
> Could not get info for user oec0814e
> [root@ms2 ~]# wbinfo -i oec_faculty01
> failed to call wbcGetpwnam: WBC_ERR_DOMAIN_NOT_FOUND
> Could not get info for user oec_faculty01
> [root@ms2 ~]# id oec_faculty01
> id: 'oec_faculty01': no such user
> [root@ms2 ~]#
>
>
> For me, "idmap backend ad not found" in /var/log/samba/log.winbindd-idmap
> [2020/02/28 04:40:06.613958, 4] ../../source3/winbindd/winbindd_dual.c:1597(child_handler)
>    child daemon request 56
> [2020/02/28 04:40:06.614260, 3] ../../source3/winbindd/idmap.c:397(idmap_init_domain)
>    idmap backend ad not found
> [2020/02/28 04:40:06.620853, 3] ../../lib/util/modules.c:167(load_module_absolute_path)
>    load_module_absolute_path: Module '/usr/lib64/samba/idmap/ad.so' loaded

Yes, but it then goes on to load the module.

Try running this:

authconfig --enablewinbind --enablewinbindauth --enablemkhomedir --update

Run: net ads info

It should produce something like this:

LDAP server: 192.168.0.8
LDAP server name: dc8.samdom.example.com
Realm: SAMDOM.EXAMPLE.COM
Bind Path: dc=SAMDOM,dc=EXAMPLE,dc=COM
LDAP port: 389
Server time: Fri, 07 Feb 2020 14:24:49 GMT
KDC server: 192.168.0.8
Server time offset: 1
Last machine account password change: Fri, 07 Feb 2020 14:20:09 GMT

Does 'wbinfo -u' display your AD users?

Do your users have a uidNumber attribute inside '10000-999999' and
Domain Users a gidNumber inside the same range?

If not, change this:

         idmap config TESTDOM : backend = ad
         idmap config TESTDOM : range = 10000-999999
         idmap config TESTDOM : schema_mode = rfc2307
         idmap config TESTDOM : unix_nss_info = yes

To this:

         idmap config TESTDOM : backend = rid
         idmap config TESTDOM : range = 10000-999999

Rowland
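
The range question asked in the message above, written out as a check. This is an added example, not part of the original post or of Samba: the "*" default-domain lines, the uidNumber/gidNumber values and the function names are constructed for illustration, and in practice the attribute values would be read from AD.

```python
import re

# Constructed smb.conf excerpt: the TESTDOM lines are the ones quoted in the
# message; the "*" default-domain lines are an assumed, typical companion.
SMB_CONF = """\
[global]
    idmap config * : backend = tdb
    idmap config * : range = 3000-7999
    idmap config TESTDOM : backend = ad
    idmap config TESTDOM : range = 10000-999999
    idmap config TESTDOM : schema_mode = rfc2307
    idmap config TESTDOM : unix_nss_info = yes
"""
# Constructed attribute values (None = attribute not set in AD).
SAMPLE_UIDS = {"oec0814e": 10814, "oec_faculty01": None}

IDMAP_RE = re.compile(r"^\s*idmap config\s+(\S+)\s*:\s*([^=]+?)\s*=\s*(.+?)\s*$", re.I)

def parse_idmap(conf_text):
    """Return {DOMAIN: {option: value}} from 'idmap config' lines."""
    domains = {}
    for line in conf_text.splitlines():
        m = IDMAP_RE.match(line)  # lines commented out with # or ; do not match
        if m:
            dom, opt, val = m.groups()
            domains.setdefault(dom.upper(), {})[opt.lower()] = val
    return domains

def check_ad_backend(conf_text, domain, uid_numbers, domain_users_gid):
    """List the accounts the 'ad' backend cannot map with the configured range."""
    opts = parse_idmap(conf_text)[domain.upper()]
    if opts["backend"].lower() != "ad":
        return []  # e.g. rid derives IDs from the RID, no AD attributes needed
    low, high = (int(n) for n in opts["range"].split("-"))
    problems = []
    if domain_users_gid is None or not low <= domain_users_gid <= high:
        problems.append(f"Domain Users: gidNumber {domain_users_gid} outside {low}-{high}")
    for name, uid in uid_numbers.items():
        if uid is None or not low <= uid <= high:
            problems.append(f"{name}: uidNumber {uid} outside {low}-{high}")
    return problems

if __name__ == "__main__":
    found = check_ad_backend(SMB_CONF, "TESTDOM", SAMPLE_UIDS, None)
    for line in found or ["all IDs in range"]:
        print(line)
```

An empty result means the 'ad' settings can stay; any entry listed is a case for either setting the attribute in AD or switching to the 'rid' settings shown in the message.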



