[Samba] getent not showing domain users and groups with winbind but works with sssd
Hi folks,

AD server CentOS 7-1804, Samba 4.9.1 compiled from source, only used as AD server, with netlogon and sysvol, just like any Windows AD server

AD member server CentOS 7-1804, Samba 4.7.1 installed from CentOS repositories, intended for use as a file server, with shares for roaming profiles, home directories, and data shares.


I know that the getent problem has been discussed ad nauseam here, but this really beats me. The AD server works, except for dynamic DNS updates, which seems to be a known problem, so I'm not going to mention it here further.

Winbind seems to work, displaying groups and users through wbinfo. Kerberos also works. Had a bit of a problem joining the member server to the domain, but it eventually worked. The net rpc join command requires the -S switch, which is omitted almost everywhere in the documentation. But the id, or getent users or getent groups just do not give away anything. Empty.

On a hunch, I tried replacing winbind with sssd. Stopping winbind, and starting sssd, everything works nicely.

I have followed all the Wikis, and gone through most of what's been written in the last 2 years, also on the list, about configuring a Samba member server. I have checked that the lib files exist, and are in the right places, tried different versions of nsswitch.conf, etc. I'm not completely sure if the winbind entries make any difference when using sssd, as sssd.conf and realmd.conf seem to have got entries that effectively replace the winbind entries in smb.conf.

Below is smb.conf, and nsswitch.conf. I've tried a bunch of different settings for passwd and group in nsswitch, but it does not seem to make any difference with winbind (files winbind, files winbind sss, files sss winbind, files pam winbind, files winbind pam, etc., etc., etc.).

What also beats me is that the logs are very quiet.

I am happy that it works with sssd, but I just don't want to leave it without any explanations. At least not after spending a day trying to get it working.

Best regards,

Peter


smb.conf (no shares yet)
====================

[global]
   # Note: an AD domain member also needs workgroup, realm and
   # security = ads; with security = user winbind does not act as a
   # domain member, so id/getent cannot resolve domain accounts.
   security = user
   idmap config * : backend = tdb
   # A parameter line without "=" is ignored by Samba (testparm warns
   # about a badly formed line), so the default idmap range was unset.
   idmap config * : range = 3000-9999
   idmap config SAMDOM:backend = rid
   idmap config SAMDOM:range = 10000-99999

   local master = no
   domain master = no
   preferred master = no

   template shell = /bin/false
   template homedir = /dev/null
   winbind use default domain = true
   winbind offline logon = true

   username map = /etc/samba/user.map

   dedicated keytab file = /etc/krb5.keytab
   kerberos method = secrets and keytab
   winbind refresh tickets = Yes
   client signing = yes
   client use spnego = yes

   winbind enum users = yes
   winbind enum groups = yes

   printing = bsd
   printcap name = /dev/null
   load printers = no
   disable spoolss = yes

   vfs objects = acl_xattr
   map acl inherit = yes
   store dos attributes = yes


nsswitch.conf
===========
passwd:     files sss
shadow:     files sss
group:      files sss
#passwd:     files winbind
#shadow:     files sss
#group:      files winbind
#initgroups: files sss

#hosts:     db files nisplus nis dns
hosts:      files dns

# Example - obey only what nisplus tells us...
#services:   nisplus [NOTFOUND=return] files
#networks:   nisplus [NOTFOUND=return] files
#protocols:  nisplus [NOTFOUND=return] files
#rpc:        nisplus [NOTFOUND=return] files
#ethers:     nisplus [NOTFOUND=return] files
#netmasks:   nisplus [NOTFOUND=return] files

bootparams: nisplus [NOTFOUND=return] files

ethers:     files
netmasks:   files
networks:   files
protocols:  files
rpc:        files
services:   files sss

netgroup:   files sss

publickey:  nisplus

automount:  files sss
aliases:    files nisplus


--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba
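The configuration above has the classic symptoms of a domain member whose smb.conf does not make winbind a domain member at all (no `security = ads`, `workgroup` or `realm`, and an idmap line without `=` that Samba silently ignores), while nsswitch.conf only lists `sss`, so winbind is never consulted by `getent` or `id`. The following checker is an added example, not code from the post or from the Samba project; it lints the `[global]` section of an smb.conf and the `passwd`/`group` databases of an nsswitch.conf against the requirements documented for Samba AD domain members. The sample inputs are constructed and modelled on the post's files, and the realm value in the corrected sample is a placeholder.

```python
"""Lint smb.conf [global] and nsswitch.conf for an AD domain member running winbind.

Added example (not from the list post). Checks follow the Samba wiki
requirements for domain members: security = ads, workgroup, realm,
well-formed and non-overlapping idmap ranges, and winbind in nsswitch.
"""
import re

# Constructed sample, modelled on the smb.conf in the post.
SAMPLE_SMB_CONF = """\
[global]
   security = user
   idmap config * : backend = tdb
   idmap config * : range 3000-9999
   idmap config SAMDOM:backend = rid
   idmap config SAMDOM:range = 10000-99999
   winbind enum users = yes
"""

# Constructed corrected sample; SAMDOM.EXAMPLE.COM is a placeholder realm.
FIXED_SMB_CONF = """\
[global]
   workgroup = SAMDOM
   realm = SAMDOM.EXAMPLE.COM
   security = ads
   idmap config * : backend = tdb
   idmap config * : range = 3000-9999
   idmap config SAMDOM : backend = rid
   idmap config SAMDOM : range = 10000-99999
"""

# Constructed sample, modelled on the nsswitch.conf in the post.
SAMPLE_NSSWITCH = """\
passwd:     files sss
shadow:     files sss
group:      files sss
#passwd:     files winbind
"""


def normalise(key):
    """Samba parameter names are case-insensitive and ignore internal
    whitespace, so 'idmap config SAMDOM : range' == 'idmap config SAMDOM:range'."""
    return re.sub(r"\s+", "", key).lower()


def parse_global(text):
    """Return (params, malformed) for the [global] section.

    params maps normalised name -> value. malformed collects lines without
    '=', which Samba ignores (testparm reports a badly formed line)."""
    params, malformed, section = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = re.match(r"\[(.+)\]$", line)
        if m:
            section = m.group(1).lower()
            continue
        if section != "global":
            continue
        if "=" not in line:
            malformed.append(line)
            continue
        key, _, value = line.partition("=")
        params[normalise(key)] = value.strip()
    return params, malformed


def check_smb_conf(text):
    """Return a list of findings for a would-be AD domain member."""
    params, malformed = parse_global(text)
    findings = [f"ignored by Samba (no '='): {line!r}" for line in malformed]
    if params.get("security", "").lower() != "ads":
        findings.append("security must be 'ads' for an AD domain member")
    for required in ("workgroup", "realm"):
        if required not in params:
            findings.append(f"missing '{required}'")
    # Collect idmap ranges per domain ('*' is the default domain).
    ranges = {}
    for key, value in params.items():
        m = re.match(r"idmapconfig(.+):range$", key)
        if m:
            lo, hi = (int(x) for x in re.split(r"\s*-\s*", value))
            ranges[m.group(1)] = (lo, hi)
    if "*" not in ranges:
        findings.append("no usable 'idmap config * : range'")
    names = sorted(ranges)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            (alo, ahi), (blo, bhi) = ranges[a], ranges[b]
            if alo <= bhi and blo <= ahi:
                findings.append(f"idmap ranges for {a} and {b} overlap")
    return findings


def check_nsswitch(text):
    """getent/id only reach winbind if passwd and group list it."""
    dbs, findings = {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if ":" in line:
            db, _, sources = line.partition(":")
            dbs[db.strip()] = sources.split()
    for db in ("passwd", "group"):
        if "winbind" not in dbs.get(db, []):
            findings.append(f"nsswitch '{db}' does not list winbind: {dbs.get(db)}")
    return findings


if __name__ == "__main__":
    for name, text in (("smb.conf", SAMPLE_SMB_CONF), ("fixed", FIXED_SMB_CONF)):
        print(name, check_smb_conf(text) or "OK")
    print("nsswitch.conf", check_nsswitch(SAMPLE_NSSWITCH) or "OK")
```

Run against the post's configuration the checker reports five smb.conf findings (the ignored range line, `security` not `ads`, missing `workgroup` and `realm`, and consequently no default idmap range) and two nsswitch.conf findings; the corrected sample passes clean. After fixing smb.conf, `testparm` and `net ads join` (rather than `net rpc join`) are the usual next steps, followed by `wbinfo -u` and `getent passwd` to confirm both winbind and NSS resolve domain accounts.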