[Samba] getent passwd SAMDOM\\demo01 does not work
K. R. Foley
kr at cybsft.com
Sun Oct 24 23:26:45 UTC 2021
On 10/13/21 9:14 AM, Kees van Vloten via samba wrote:
> On 13-10-2021 15:56, Patrick Goetz via samba wrote:
>>
>>
>> On 10/13/21 08:48, Rowland Penny via samba wrote:
>>> On Wed, 2021-10-13 at 08:23 -0500, K.R. Foley wrote:
>>>> On 2021-10-13 08:19, Rowland Penny via samba wrote:
>>>>> On Wed, 2021-10-13 at 08:08 -0500, K. R. Foley via samba wrote:
>>>>>> On 10/13/21 1:38 AM, Jürgen Echter wrote:
>>>>>>> Hi,
>>>>>>>
>>>>>>> On Wednesday, October 13, 2021 05:10 CEST, "K. R. Foley via
>>>>>>> samba" <samba at lists.samba.org> wrote:
>>>>>>>> Hi,
>>>>>>>>
>>>>>>>> Should "getent passwd SAMDOM\\demo01" work from a Linux AD
>>>>>>>> member?
>>>>>>>>
>>>>>>>>
>>>>>>>> AD server running on CentOS Linux 7
>>>>>>>>
>>>>>>>> Samba 4.11.13 built from source
>>>>>>>>
>>>>>>>>
>>>>>>>> Member server running on CentOS Linux 7
>>>>>>>>
>>>>>>>> Samba 4.11.13 built from source
>>>>>>>>
>>>>>>>> Configured following
>>>>>>>> https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member.
>>>>>>>>
>>>>>>>>
>>>>>>>> Joined using "# net ads join -U administrator" without
>>>>>>>> issue.
>>>>>>>>
>>>>>>>> "# wbinfo --ping-dc" works and reports the domain info
>>>>>>>> correctly.
>>>>>>>>
>>>>>>>> "getent passwd <local user>" works fine
>>>>>>>>
>>>>>>>> "getent passwd SAMDOM\\<domain user>" returns nothing.
>>>>>>>>
>>>>>>>> "getent group SAMDOM\\Domain Users" returns nothing.
>>>>>>>>
>>>>>>>>
>>>>>>>> Should this work? Any help troubleshooting this would be
>>>>>>>> appreciated.
>>>>>>>>
>>>>>>>> Thanks,
>>>>>>>>
>>>>>>>> kr
>>>>>>>>
>>>>>>>>
>>>>>>> maybe you missed something here:
>>>>>>>
>>>>>>> https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member#Configuring_the_Name_Service_Switch
>>>>>>>
>>>>>>
>>>>>> Thanks for your reply. I have configured nsswitch.conf. See
>>>>>> below:
>>>>>>
>>>>>> #passwd: files sss winbind
>>>>>> passwd: files winbind
>>>>>> shadow: files sss
>>>>>> #group: files sss winbind
>>>>>> group: files winbind
>>>>>>
>>>>>> Thanks,
>>>>>
>>>>> Are you using sssd on the computer as well ?
>>>>>
>>>>> Rowland
>>>>>
>>>>
>>>> I think it does by default on CentOS. As you can see above I tried
>>>> it
>>>> with/without sss in nsswitch.conf. Could this be causing a problem?
>>>>
>>>>
>>>
>>> Sorry, but as this always leads to a massive discussion (I know very
>>> little about sssd and believe it shouldn't be used with Samba), I
>>> cannot continue to help you whilst you use sssd.
>>>
>>
>> What id mapping are you using in smb.conf? Usually when I have this
>> problem it's because the host has dropped out of the domain due to an
>> expired Kerberos ticket.
>>
>>
>>
>>> Rowland
>>>
>>>
>>>
>>
> I have not come across a use case where you use both sssd and winbind
> in /etc/nsswitch.conf, either of the two should do the job (use the
> same in pam for login if you have that configured). Since you are
> already using winbind (wbinfo), I would drop the sssd entries for now.
>
> Just for the test I would enable enumerations in /etc/samba/smb.conf
> and then just run getent passwd and getent group to see if you get
> domain users/groups at all and in what form (with or without domain
> name prefixed).
>
>
> - Kees
>
idmap_ldb:use rfc2307 = yes
smb encrypt = enabled
#log level = 10
winbind enum groups = yes
winbind enum users = yes

getent passwd - returns only local users
getent group - returns only local groups
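
Added example (not part of the original message, and not Samba project code): a POSIX shell check for the nsswitch.conf point raised in the replies, reporting whether winbind is listed for passwd and group and whether sss is listed next to it, the combination Kees suggests dropping. The function names and the sample files are made up for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): audit passwd/group in an nsswitch.conf-style file.

# Print the active sources for one database, skipping comments and [action] items.
nss_sources() {  # $1 = file, $2 = database name
    awk -v db="$2" '
        { sub(/#.*/, ""); sub(/:/, ": ") }
        $1 == (db ":") { for (i = 2; i <= NF; i++) if ($i !~ /^\[/) s = s (s == "" ? "" : " ") $i }
        END { print s }
    ' "$1"
}

# True if word $2 appears in the space-separated list $1.
has() { case " $1 " in *" $2 "*) return 0 ;; esac; return 1; }

# One verdict per database; returns 1 if winbind is missing or listed alongside sss.
nss_audit() {  # $1 = file
    rc=0
    for db in passwd group; do
        src=$(nss_sources "$1" "$db")
        if ! has "$src" winbind; then
            echo "$db: FAIL winbind not listed ($src)"; rc=1
        elif has "$src" sss; then
            echo "$db: WARN sss and winbind both listed ($src)"; rc=1
        else
            echo "$db: OK ($src)"
        fi
    done
    return $rc
}

# Constructed samples: the lines quoted in the thread, and two variants.
tmp=$(mktemp -d) && trap 'rm -rf "$tmp"' EXIT
cat > "$tmp/thread.conf" <<'EOF'
#passwd: files sss winbind
passwd: files winbind
shadow: files sss
#group: files sss winbind
group: files winbind
EOF
printf 'passwd: files sss winbind\ngroup: files sss winbind\n' > "$tmp/both.conf"
printf 'passwd: files sss\ngroup: files sss\n' > "$tmp/sssonly.conf"

for f in thread both sssonly; do
    echo "== $f.conf"; nss_audit "$tmp/$f.conf" || true
done
```

The lines quoted in the thread pass this check for both passwd and group; the two variants show the WARN and FAIL verdicts.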