[Samba] getent not returning users/groups

Gregory Sloop gregs at sloop.net
Sat Feb 26 00:29:49 UTC 2022

> I've spun up many Ubuntu 20.04 AD clients at this point and have never had this problem.

Yeah, that's totally what I thought too. (I've spun up DC's on 20.04, no problem, but no member servers, and this is only the second one I've used Louis' packages for...not that I think that's the problem, just that it's new to me.)
<...your steps...>
I've done all that, I think, but I will kill all the local sambs DB's etc, and try again as close to scratch as I can.
(This isn't a VM - it's a bare metal box that's giong to become a file-server, plus I'm using the storage on this box for other things too, so it's semi-production, so that also increases hassle/difficulty. If I break the box, it's going to break other things too...)

Probably something stupid, but like I've said, for the life of me, I can't find/see it.
I might not get this done till Monday, but we'll see.
Thanks again!
> I've spun up many Ubuntu 20.04 AD clients at this point and have never had this problem.

> Quick checklist:

>   - If you used Louis's repo, then you've obviously done the apt configuration

>   - /etc/resolv.conf should look like this:

>     samba-dc  xxx.xxx.xxx.xxx
>     search SAMDOM.example.com

>   - acl attr and dnsutils should already be installed on Ubuntu, but check

>   - Samba packages to install:
>   # apt install samba samba-dsdb-modules samba-vfs-modules winbind libpam-winbind libnss-  winbind libpam-krb5 krb5-config krb5-user

>   - Set the Kerberos Realm to SAMDOM.EXAMPLE.COM

>   - Some additional useful stuff which I don't think is necessary,
>     but if you're having issues, can't hurt:
>   # apt install ldb-tools smbclient cifs-utils

>   - /etc/krb5.conf needs to look like this:

>     [libdefaults]
>     default_realm = SAMDOM.EXAMPLE.COM
>     dns_lookup_realm = false
>     dns_lookup_kdc = true

>   - You don't need to to synchronize time against the DC,
>     and on Ubuntu 20.04 the NTP service should be on by default,
>     but check:

>   # timedatectl

>   it should say "NTP service: active" if not:

>   # timedatectl set-ntp true

>   - but I've noticed Ubuntu will get the time zone wrong sometimes.
>     You can check:
>   # date +"%Z %z"

>   and if it's wrong set it:

>   # timedatectl set-timezone America/Chicago

>   (using your time zone, of course; I'm in CST)

>   - Make sure your /etc/hosts file includes this host if you're using
>     static IPs, and get rid of any lines:

>   -- my-samba-client
>   ++ xxx.xxx.xxx.xxx my-samba-client.samdom.example.com my-samba-client

>   - Turn off and disable nmbd:
>   # systemctl disable --now smbd

>   - Configure /etc/samba/smb.conf as per your requirements

>   - Join the domain:
>   # net ads join -U administrator

>   - After joining the domain, you must restart Samba services:
>   # systemctl restart smbd
>   # systemctl restart winbind

>   - Append the  winbind entry to /etc/nsswitch.conf:
>     passwd: files systemd winbind
>     group:  files systemd winbind

> That's it: getent should now work.

> On 2/25/22 16:31, Gregory Sloop via samba wrote:

>> I sure hate to put anyone out a bunch of trouble if I've borked something up, but for the life of me, I can't see anything I've got wrong.
  >>> ---
>> Can I recap a few things, to make sure I understand things correctly.
  >>> -If KBR was setup wrong or otherwise screwed up, we wouldn't be able to join the domain, right?
>> -Same thing for NTP, right?
  >>> And there's no way to see if/how the nsslib-winbind is talking to winbind itself, right. (I assume the lib talks to winbind and pulls the data. So, if the library is having difficulties, seeing what's going on inside the black box, would be handy.)
  >>> Thanks for the help so far.
  >>> (BTW, when I started down this road, I was on Louis's 4.15.3, and then when checking and double-checking things (when getent wasn't working), I upgraded to 4.15.5, in case it matters.)
  >>>   > -Greg
>>     > >> On Fri, 2022-02-25 at 13:34 -0800, Gregory Sloop wrote:

>>>>>> On Fri, 2022-02-25 at 11:28 -0800, Gregory Sloop via samba wrote:

>>>>>>>> On Fri, 2022-02-25 at 08:20 -0800, Gregory Sloop wrote:

>>>>>>>>> Oh, I see Louis also has those in the repo. Since I'm using

>>>>>>>> his
>>>>>>>> Samba, might as well use his libnss too.
>>>>>>>> You have to use them from the same repo (or to be precise, the
>>>>>>> same
>>>>>>> version).

  >>>>>>>>>>>>>>>> Now to check and see if I did fail to install the library.
>>>>>>>> (But
>>>>>>>> if I
>>>>>>>> were a betting man, that's what I'd bet on.)
>>>>>>> If they are not there, or are the wrong version, getent will
>>>>>>> not
>>>>>>> work.
>>>>>>> Rowland

  >>>>>>>>>>> So, here are the packages I installed as part of the Samba
>>>>>> install

>>>>>>> apt install samba winbind libnss-winbind libpam-winbind ntp krb5-
>>>>>> user
>>>>>> binutils ldb-tools smbclient libpam-krb5
  >>>>>>>>>>> Am I missing anything that would impact this issue?

>>>>> No.
>>>>> You installed the packages.
>>>>> Configured ntp to use the DC's as time servers (time is within 5
>>>>> minutes of the DC)

  >>>>>>> I had them going to the same ntp servers (ntp pool) as the DC's. But
>>>> just to be sure, I've moved them to use the DC's.
>>>> (That's probably better, though both should work ok - since they'll
>>>> all be synced to the same time, or close enough.)
  >>>>> >>>> Checked /etc/krb5.conf to see that it is using the dns domain as

>>>>> the
>>>>> realm (in uppercase)
>>>> Yup.
  >>>>> >>>> Configured /etc/samba/smb.conf
>>>> Yup, I posted it.

>>>>>> Joined the domain (what does 'sudo net ads testjoin' show ?).
>>>> Join OK
  >>>>> >>>> wbinfo works, but getent doesn't
>>>> Yup
  >>>>> >>>> Is all that correct ?
>>>> Pretty much.
  >>>>> >>>> Rowland
>>>> Then I am lost here.
>>>> I will setup Ubuntu 20.04 in a VM (this will have to be tomorrow) and
>>> see what happens.

>>>> Rowland

-- >>>>>>> Gregory Sloop, Principal: Sloop Network & Computer Consulting
>> Voice: 503.251.0452 x121
>> EMail: gregs at sloop.net
>> http://www.sloop.net
>> ---

Gregory Sloop, Principal: Sloop Network & Computer Consulting
Voice: 503.251.0452 x121
EMail: gregs at sloop.net

More information about the samba mailing list