[Samba] getent shows only local entries.

Roy Eastwood spindles7 at gmail.com
Sun Jan 26 11:06:18 UTC 2020


In addition to Rowland's comments see inline comment below:

On 26 January 2020 10:26 Rowland Penny wrote:
> On 26/01/2020 09:37, Daniel Lang via samba wrote:
> > Hello,
> >
> > I installed a fresh version as an AD DC domain under Debian Bullseye with
> > version 4.11.3; this works perfectly. Windows machines can sign
> > in to the domain. Now I create a file server as a domain member for services,
> > e.g. profiles and shares. The domain join succeeded. wbinfo -u shows the
> > AD users, also wbinfo -g, but I can't retrieve users and groups with the ad
> > backend. getent shows only local entries. Both machines run in an
> > unprivileged LXC container. The time is coordinated by the host and is correct.

Not specifically relevant to the problem you cite, but you will need to use privileged LXD/LXC containers for both the DC and the member server, as the container needs to set the underlying filing system ACLs for Samba to work correctly.

> >
> > Here are my both configuration files:
> >
> > krb5.conf
> > [libdefaults]
> >          default_realm = INTERN.EXAMPLE.DE
> >          dns_lookup_realm = false
> >          dns_lookup_kdc = true
> >
> > smb.conf
> > # Global parameters
> > [global]
> >          dedicated keytab file = /etc/krb5.keytab
> >          kerberos method = secrets and keytab
> >          realm = INTERN.EXAMPLE.DE
> >          security = ADS
> >          server min protocol = SMB2
> >          winbind enum groups = Yes
> >          winbind enum users = Yes
> >          winbind refresh tickets = Yes
> >          workgroup = INTERN
> >          idmap config intern:range = 10000-999999
> >          idmap config intern:schema_mode = rfc2307
> >          idmap config intern:backend = ad
> >          idmap config *:range = 3000-7999
> >          idmap config * : backend = tdb
> >          map acl inherit = Yes
> >          vfs objects = acl_xattr
> >
> >
> > The winbindd service started correctly.
> >
> >   winbindd version 4.11.3-Debian started.
> >    Copyright Andrew Tridgell and the Samba Team 1992-2019
> > [2020/01/26 08:46:50.212310,  0] ../../source3/winbindd/winbindd_cache.c:3164(initialize_winbindd_cache)
> >    initialize_winbindd_cache: clearing cache and re-creating with version number 2
> > [2020/01/26 08:46:50.213156,  0] ../../lib/util/become_daemon.c:135(daemon_ready)
> >    daemon_ready: daemon 'winbindd' finished starting up and ready to serve connections
> >
> >
> > I am grateful for any suggestion.
> >
> > Best regards
> > Daniel
> 
> Whilst wbinfo is showing your users and groups, this does not mean that Unix knows who they are.
> 
> Do you have libnss-winbind, libpam-winbind and libpam-krb5 installed?
> 
> Have you set 'winbind' in the 'passwd' & 'group' lines in /etc/nsswitch.conf?
> 
> Have you added uidNumber attributes to your users and a gidNumber to 'Domain Users'?
> 
> They are not added automatically, you need to add them manually.
> 
> Rowland

HTH

Roy
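
The nsswitch.conf and uidNumber checks from Rowland's reply, written as offline shell checks; this is an added example, not part of the original thread. The function names, the sample files and the uidNumber values 1000 and 10001 are constructed for illustration; the range test assumes the ad backend only maps IDs that fall inside the configured idmap range.

```shell
#!/bin/sh
# Added example: offline checks for the member-server checklist in this thread.
# Paths are arguments so the checks can be run against copies of the files.

# nss_has_winbind FILE DB: succeeds if DB ("passwd" or "group") lists winbind.
nss_has_winbind() {
    awk -v db="$2" '
        { sub(/#.*/, "") }                                  # strip comments
        $1 == (db ":") { for (i = 2; i <= NF; i++) if ($i == "winbind") ok = 1 }
        END { exit (ok ? 0 : 1) }' "$1"
}

# idmap_range FILE DOMAIN: prints "LOW HIGH" from "idmap config DOMAIN:range".
# Case and whitespace in the parameter name are ignored, as smb.conf does.
idmap_range() {
    awk -v dom="$2" '
        BEGIN { key = "idmapconfig" tolower(dom) ":range=" }
        { line = tolower($0); gsub(/[ \t]/, "", line) }
        index(line, key) == 1 {
            split(substr(line, length(key) + 1), r, "-")
            print r[1], r[2]; ok = 1; exit
        }
        END { exit (ok ? 0 : 1) }' "$1"
}

# id_in_range FILE DOMAIN ID: succeeds if ID lies inside DOMAIN's idmap range.
id_in_range() {
    range=$(idmap_range "$1" "$2") || return 2
    [ "$3" -ge "${range% *}" ] && [ "$3" -le "${range#* }" ]
}

# Constructed sample input: the idmap lines from the post, and an
# nsswitch.conf in which only "passwd" has been given winbind.
demo() {
    d=$(mktemp -d)
    printf '%s\n' '[global]' 'idmap config intern:range = 10000-999999' \
        'idmap config * : backend = tdb' 'idmap config *:range = 3000-7999' > "$d/smb.conf"
    printf '%s\n' 'passwd: files systemd winbind' 'group:  files systemd' > "$d/nsswitch.conf"
    for db in passwd group; do
        nss_has_winbind "$d/nsswitch.conf" "$db" && echo "$db: winbind listed" \
            || echo "$db: winbind MISSING"
    done
    for id in 1000 10001; do   # hypothetical uidNumber values
        id_in_range "$d/smb.conf" INTERN "$id" && echo "$id: inside INTERN range" \
            || echo "$id: outside INTERN range"
    done
    rm -rf "$d"
}
demo
```

On a real member server the same functions can be pointed at /etc/nsswitch.conf and the smb.conf in use, with the uidNumber values taken from the directory.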



