[Samba] getent shows only local entries.

Rowland penny rpenny at samba.org
Sun Jan 26 10:25:36 UTC 2020 

On 26/01/2020 09:37, Daniel Lang via samba wrote:
> Hello,
>
> i installed a fresh Version as AD DC Domain under Debian Bullseye with
> Version 4.11.3, this works perfectly. Windows Machines can be sign into the
> Domain. Now i create a Fileserver as Domainmember for Service e.g. Profil
> and Shares. The Domainjoin succeeded. wbinfo -u shows the AD User, also
> wbinfo -g but, i can't retrieve User and Groups with ad Backend. getent
> shows only local entries. Both Machines run into an unprivileged LXC
> Container. The timing coordinates by Host and are right.
>
> Here are my both configuration files:
>
> krb5.conf
> [libdefaults]
>          default_realm = INTERN.EXAMPLE.DE
>          dns_lookup_realm = false
>          dns_lookup_kdc = true
>
> smb.conf
> # Global parameters
> [global]
>          dedicated keytab file = /etc/krb5.keytab
>          kerberos method = secrets and keytab
>          realm = INTERN.EXAMPLE.DE
>          security = ADS
>          server min protocol = SMB2
>          winbind enum groups = Yes
>          winbind enum users = Yes
>          winbind refresh tickets = Yes
>          workgroup = INTERN
>          idmap config intern:range = 10000-999999
>          idmap config intern:schema_mode = rfc2307
>          idmap config intern:backend = ad
>          idmap config *:range = 3000-7999
>          idmap config * : backend = tdb
>          map acl inherit = Yes
>          vfs objects = acl_xattr
>
>
> The winbindd service started correctly.
>
>   winbindd version 4.11.3-Debian started.
>    Copyright Andrew Tridgell and the Samba Team 1992-2019
> [2020/01/26 08:46:50.212310,  0]
> ../../source3/winbindd/winbindd_cache.c:3164(initialize_winbindd_cache)
>    initialize_winbindd_cache: clearing cache and re-creating with version
> number 2
> [2020/01/26 08:46:50.213156,  0]
> ../../lib/util/become_daemon.c:135(daemon_ready)
>    daemon_ready: daemon 'winbindd' finished starting up and ready to serve
> connections
>
>
> I am grateful for any suggestion.
>
> Best regards
> Daniel

Whilst wbinfo is showing your users and groups, this does not mean that 
Unix knows who they are.

Do you have libnss-winbind, libpam-winbind and libpam-krb5 installed ?

Have you set 'winbind' in the 'passwd' & 'group' lines in 
/etc/nsswitch.conf ?

Have you added uidNumber attributes to your users and a gidNumber to 
'Domain Users' ?

They are not added automatically, you need to add them manually.

Rowland

More information about the samba mailing list