[Samba] getent passwd SAMDOM\\demo01 does not work

K. R. Foley kr at cybsft.com
Tue Oct 26 13:12:20 UTC 2021


On 10/26/21 7:38 AM, Rowland Penny via samba wrote:
> On Tue, 2021-10-26 at 07:31 -0500, K. R. Foley wrote:
>> On 10/26/21 7:09 AM, Rowland Penny via samba wrote:
>>> On Tue, 2021-10-26 at 06:54 -0500, K. R. Foley wrote:
>>>> On 10/26/21 2:28 AM, Rowland Penny via samba wrote:
>>>>> On Mon, 2021-10-25 at 20:19 -0500, K. R. Foley wrote:
>>>>>> On 10/25/21 3:18 AM, Rowland Penny via samba wrote:
>>>>>>> On Sun, 2021-10-24 at 18:21 -0500, K. R. Foley wrote:
>>>>>>>> I am just getting back to troubleshooting this.
>>>>>>>>
>>>>>>>> I do not think that sssd is enabled. In fact I do not think it is
>>>>>>>> even installed on this system.
>>>>>>> OK, I have lost track of this, but it looks like you are running
>>>>>>> Samba as an AD DC. Have you checked that sssd isn't installed?
>>>>>> Yes. sssd is not installed.
>>>>>>
>>>>>> "rpm -qa | grep sss" returns nothing.
>>>>>>
>>>>>>> If it is, remove it along with all the 'sss' in /etc/nsswitch.conf
>>>>>> Commented all references in nsswitch.conf
>>>>>>
>>>>>>> Have you created the libnss-winbind links? either manually (see here:
>>>>>>> https://wiki.samba.org/index.php/Configuring_Winbindd_on_a_Samba_AD_DC
>>>>>> I followed those instructions.
>>>>>>
>>>>>> [root@cln-files-prod kr]# ls -lt /lib64/libnss_winbind.so.2
>>>>>> lrwxrwxrwx 1 root root 40 Oct 11 21:21 /lib64/libnss_winbind.so.2 -> /usr/local/samba/lib/libnss_winbind.so.2
>>>>>> [root@cln-files-prod kr]# ls -lt /lib64/libnss_winbind.so
>>>>>> lrwxrwxrwx 1 root root 26 Oct 11 21:21 /lib64/libnss_winbind.so -> /lib64/libnss_winbind.so.2
>>>>> This is on Fedora if I remember correctly, so have you installed
>>>>> these packages:
>>>>>
>>>>> samba samba-winbind samba-winbind-clients oddjob-mkhomedir
>>>>>
>>>>> Rowland
>>>>>
>>>> Actually it is
>>>>
>>>> CentOS 7
>>>>
>>>> Samba 4.11.13 built from source on AD and member server
>>>>
>>>> Does the Samba build on the client include everything needed or do I
>>>> still need to add some package?
>>> Yes, if you built Samba by './configure && make && make install', follow
>>> the wiki, as everything should be in /usr/local/samba.
>> I built it using the commands above following the wiki to build from source.
>>
>> - built from source
>>
>> - AD was migrated from Samba NT4 Domain
>>
>> - DNS is Bind9 external DNS server
>>
>> - everything seems to work on the AD
>>
>> - DNS works from linux Samba member server
>>
>> - linux Samba member setup following wiki here
>> https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member
>>
>> - joined using "# net ads join -U administrator"
>>
>> - wbinfo seems to work fine
>>
>> [root@cln-files-prod kr]# wbinfo --ping-dc
>> checking the NETLOGON for domain[LOCAL] dc connection to "ss-prod.local.SAMDOM.com" succeeded
>>
>> - wbinfo -g lists the domain groups
>>
>> - wbinfo -u lists the domain users
>>
>> - getent passwd tech - tech is a domain user that is not a local user.
>> This returns nothing on the domain member. Returns expected result on the AD
>>
>> - getent passwd local\\tech - also does not return anything on the
>> member server, but works fine on the AD
>>
>> kr
> Please post the output of 'testparm -s' run on the Unix domain member
[root@cln-files-prod kr]# testparm -s
Load smb config files from /usr/local/samba/etc/smb.conf
Loaded services file OK.
idmap range not specified for domain '*'
ERROR: Invalid idmap range for domain *!

Server role: ROLE_DOMAIN_MEMBER

# Global parameters
[global]
     dedicated keytab file = /etc/krb5.keytab
     disable spoolss = Yes
     kerberos method = secrets and keytab
     load printers = No
     printcap name = /dev/null
     realm = LOCAL.SAMDOM.COM
     security = ADS
     username map = /usr/local/samba/user.map
     winbind enum groups = Yes
     winbind enum users = Yes
     winbind refresh tickets = Yes
     winbind use default domain = Yes
     workgroup = LOCAL
     idmap config * : backend = tdb
     map acl inherit = Yes
     printing = bsd
     vfs objects = acl_xattr


Is the line above "ERROR: Invalid idmap range for domain *!" a problem?

Also per request from Louis:

[root@ss-prod kr]# getent passwd local\\tech
LOCAL\tech:*:3000020:100::/home/LOCAL/tech:/bin/false

kr
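
An added example, not part of the original message or of Samba's own tooling: a small Python check that reads smb.conf or `testparm -s` text and reports each `idmap config` domain that has no range, a malformed range, or a range overlapping another, which is the condition testparm complains about in the output above. The `rid` backend for LOCAL and the range numbers in the second sample are assumed values.

```python
import re

# Matches lines such as "idmap config * : backend = tdb" (smb.conf or `testparm -s`).
IDMAP_RE = re.compile(
    r"^\s*idmap config\s+(\S+)\s*:\s*(backend|range)\s*=\s*(.*?)\s*$", re.I)

# The idmap line as it appears in the testparm output in the message above.
FROM_MESSAGE = "[global]\n    workgroup = LOCAL\n    idmap config * : backend = tdb\n"

# Constructed sample: backend 'rid' for LOCAL and both ranges are assumed values.
WITH_RANGES = """[global]
    idmap config * : backend = tdb
    idmap config * : range = 3000-7999
    idmap config LOCAL : backend = rid
    idmap config LOCAL : range = 10000-999999
"""

def parse_idmap(text):
    """Return {domain: {"backend": ..., "range": ...}} for every idmap config line."""
    domains = {}
    for line in text.splitlines():
        m = IDMAP_RE.match(line)
        if m:
            domains.setdefault(m.group(1), {})[m.group(2).lower()] = m.group(3)
    return domains

def check_idmap(text):
    """List idmap domains with a missing or malformed range, and overlapping ranges."""
    findings, ranges = [], []
    for dom, opts in parse_idmap(text).items():
        m = re.fullmatch(r"(\d+)\s*-\s*(\d+)", opts.get("range", ""))
        if "range" not in opts:
            findings.append(f"{dom}: no range set")
        elif not m or int(m.group(1)) > int(m.group(2)):
            findings.append(f"{dom}: malformed range {opts['range']!r}")
        else:
            ranges.append((int(m.group(1)), int(m.group(2)), dom))
    ranges.sort()
    # Compare neighbours in sorted order: the next range must start after the previous ends.
    for (lo1, hi1, d1), (lo2, hi2, d2) in zip(ranges, ranges[1:]):
        if lo2 <= hi1:
            findings.append(f"{d1} and {d2}: ranges overlap")
    return findings

if __name__ == "__main__":
    for name, sample in (("from message", FROM_MESSAGE), ("with ranges", WITH_RANGES)):
        print(name, "->", check_idmap(sample) or "ok")
```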



