[Samba] getent/Winbind issues

Hi all,
having a bit of a nuisance here. Hope you can help. Let's see.

A) I have a Dell PowerEdge running a (mostly) vanilla Debian Jessie and
Samba 4.5.0 as an AD-DC using internal DNS. All works as expected including
winbind, wbinfo and getent. Against samba team recommendations the DC is
also a fileserver.

B) On a similar machine (that's where the problem lies), I installed Debian
Stretch and Samba 4.5.0. Copied the database from the first machine and
upgraded to samba 4.6.5. Followed (as much as I can tell) the samba wiki on
all steps (samba install, database backup and recovery and samba upgrade
and also sysvol replication). The process went rather seamlessly. The basic
idea is to get an upgraded version of the original machine.

1) As far as I can tell the domain works correctly; I can add users and
machines, login and logout, and access shares
2) wbinfo works correctly
3) getent does not. getent passwd correctly returns local users plus a
message stating "error writing passwd entry: Invalid argument" instead of
each domain user's name. getent group gives similar results
4) Can't find anything relevant in the logs (up to level 4) but I probably
overlooked something
5) testparm complains about idmap range not being specified which I believe
is a benign error message
6) Passed all tests on samba wiki's basic troubleshooting. samba and
winbind are running
7) Thinking it might be a permissions error on the database restore, I did
a samba-tool dbcheck --cross-ncs --reset-well-known-acls --fix which didn't
fix anything
8) removing the winbind links or the entries from nsswitch returns getent
to its normal behaviour of only returning local users
9) smb.conf is mostly vanilla (omitted the shares part):
        netbios name = EHSERVER
        realm = EUROHIDRA.LOCAL
        workgroup = EUROHIDRA
        interfaces = lo br0
        bind interfaces only = Yes
        dns forwarder =
        server role = active directory domain controller
        idmap_ldb:use rfc2307 = yes
        log level = 4
        log file = /var/log/samba/samba.log

        passwd program = /usr/bin/passwd %u
        time server =yes
        unix password sync = yes
        name resolve order =  bcast host lmhosts wins
        winbind refresh tickets = Yes
        winbind separator = :
        winbind enum users = yes
        winbind enum groups = yes

It seems a winbind permissions problem. I checked database file permissions
against the original machine and they look the same.
Any clues? I'm kinda stuck here. I could reinstall everything again but
that's silly... Even hints of what to troubleshoot are highly appreciated.
Best regards
