Web lists-archives.com

Re: [Samba] getent not showing domain users and groups with winbind but works with sssd




On Sun, 30 Sep 2018 23:25:48 +0200
Peter Milesson via samba <samba@xxxxxxxxxxxxxxx> wrote:

> Hi folks,
> 
> AD server CentOS 7-1804, Samba 4.9.1 compiled from source, only used
> as AD server, with netlogon and sysvol, just like any Windows AD
> server
> 
> AD member server CentOS 7-1804, Samba 4.7.1 installed from CentOS 
> repositories, intended for use as a file server, with shares for
> roaming profiles, home directories, and data shares.
> 
> 
> I know that the getent problem has been discussed ad nauseam here,
> but this really beats me. The AD server works, except for dynamic DNS 
> updates, which seems to be a known problem, so I'm not going to
> mention it here further.
> 
> Winbind seems to work, displaying groups and users through wbinfo. 
> Kerberos also works. Had a bit of a problem joining the member server
> to the domain, but it eventually worked. The net rpc join command
> requires the -S switch, which is omitted almost everywhere in the
> documentation. But the id, or getent users or getent groups just do
> not give away anything. Empty.
> 
> On a hunch, I tried replacing winbind with sssd. Stopping winbind,
> and starting sssd, everything works nicely.
> 
> I have followed all the Wikis, and gone through most of what's been 
> written the last 2 years, also on the list, about configuring a Samba 
> member server. I have checked that the lib files exist, and are in
> the right places, tried different versions of nsswitch.conf, etc. I'm
> not completely sure if the winbind entries makes any difference when
> using sssd, as sssd.conf and realmd.conf seem to have got entries
> that effectively replace the winbind entries in smb.conf.
> 
> Below is smb.conf, and nsswitch.conf. I've tried a bunch of different 
> settings for passwd and group in nsswitch, but it does not seem to
> make any difference with winbind (files winbind, files winbind sss,
> files sss winbind, files pam winbind, files wibind pam, etc., etc.,
> etc.).
> 
> What also beats me is, that the logs are very quiet.
> 
> I am happy that it works with sssd, but I just don't want to leave it 
> without any explanations. At least not after spending a day trying to 
> get it working.
> 

You have two important lines missing and one that is wrong, try this
smb.conf:

[global]
    workgroup = SAMDOM
    security = ADS
    realm = SAMDOM.EXAMPLE.COM

    idmap config * : backend = tdb
    idmap config * : range 3000-9999
    idmap config SAMDOM:backend = rid
    idmap config SAMDOM:range = 10000-99999

    local master = no
    domain master = no
    preferred master = no

    template homedir = /dev/null
    winbind use default domain = yes
    winbind offline logon = yes

    username map = /etc/samba/user.map

    dedicated keytab file = /etc/krb5.keytab
    kerberos method = secrets and keytab
    winbind refresh tickets = Yes
    client signing = mandatory

    printing = bsd
    printcap name = /dev/null
    load printers = no
    disable spoolss = yes

    vfs objects = acl_xattr
    map acl inherit = yes

The join command is 'net ads join -U Administrator' and this should
find the DC without any other options. If it doesn't, you have a
misconfiguration in your network set up.

Your nsswitch.conf should look something like this:

passwd:     files winbind
shadow:     files
group:      files winbind
initgroups: files

hosts:      files dns

# Example - obey only what nisplus tells us...
#services:   nisplus [NOTFOUND=return] files
#networks:   nisplus [NOTFOUND=return] files
#protocols:  nisplus [NOTFOUND=return] files
#rpc:        nisplus [NOTFOUND=return] files
#ethers:     nisplus [NOTFOUND=return] files
#netmasks:   nisplus [NOTFOUND=return] files

bootparams: nisplus [NOTFOUND=return] files

ethers:     files
netmasks:   files
networks:   files
protocols:  files
rpc:        files
services:   files

netgroup:   files

publickey:  nisplus

automount:  files ldap
aliases:    files nisplus

Rowland


-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba