
Re: [Samba] getent not showing domain users and groups with winbind but works with sssd

On 10/1/18 10:02 AM, Rowland Penny via samba wrote:
On Sun, 30 Sep 2018 23:25:48 +0200
Peter Milesson via samba <samba@xxxxxxxxxxxxxxx> wrote:

Hi folks,

AD server CentOS 7-1804, Samba 4.9.1 compiled from source, only used
as AD server, with netlogon and sysvol, just like any Windows AD
server

AD member server CentOS 7-1804, Samba 4.7.1 installed from CentOS
repositories, intended for use as a file server, with shares for
roaming profiles, home directories, and data shares.


I know that the getent problem has been discussed ad nauseam here,
but this really beats me. The AD server works, except for dynamic DNS
updates, which seems to be a known problem, so I'm not going to
mention it here further.

Winbind seems to work, displaying groups and users through wbinfo.
Kerberos also works. Had a bit of a problem joining the member server
to the domain, but it eventually worked. The net rpc join command
requires the -S switch, which is omitted almost everywhere in the
documentation. But the id, or getent users or getent groups just do
not give away anything. Empty.

On a hunch, I tried replacing winbind with sssd. Stopping winbind,
and starting sssd, everything works nicely.

I have followed all the Wikis, and gone through most of what's been
written the last 2 years, also on the list, about configuring a Samba
member server. I have checked that the lib files exist, and are in
the right places, tried different versions of nsswitch.conf, etc. I'm
not completely sure if the winbind entries make any difference when
using sssd, as sssd.conf and realmd.conf seem to have entries
that effectively replace the winbind entries in smb.conf.

Below is smb.conf, and nsswitch.conf. I've tried a bunch of different
settings for passwd and group in nsswitch, but it does not seem to
make any difference with winbind (files winbind, files winbind sss,
files sss winbind, files pam winbind, files winbind pam, etc., etc.,
etc.).

What also beats me is that the logs are very quiet.

I am happy that it works with sssd, but I just don't want to leave it
without any explanations. At least not after spending a day trying to
get it working.

You have two important lines missing and one that is wrong, try this
smb.conf:

[global]
     workgroup = SAMDOM
     security = ADS
     realm = SAMDOM.EXAMPLE.COM

     idmap config * : backend = tdb
     idmap config * : range = 3000-9999
     idmap config SAMDOM:backend = rid
     idmap config SAMDOM:range = 10000-99999

     local master = no
     domain master = no
     preferred master = no

     template homedir = /dev/null
     winbind use default domain = yes
     winbind offline logon = yes

     username map = /etc/samba/user.map

     dedicated keytab file = /etc/krb5.keytab
     kerberos method = secrets and keytab
     winbind refresh tickets = Yes
     client signing = mandatory

     printing = bsd
     printcap name = /dev/null
     load printers = no
     disable spoolss = yes

     vfs objects = acl_xattr
     map acl inherit = yes

The join command is 'net ads join -U Administrator' and this should
find the DC without any other options. If it doesn't, you have a
misconfiguration in your network set up.

Your nsswitch.conf should look something like this:

passwd:     files winbind
shadow:     files
group:      files winbind
initgroups: files

hosts:      files dns

# Example - obey only what nisplus tells us...
#services:   nisplus [NOTFOUND=return] files
#networks:   nisplus [NOTFOUND=return] files
#protocols:  nisplus [NOTFOUND=return] files
#rpc:        nisplus [NOTFOUND=return] files
#ethers:     nisplus [NOTFOUND=return] files
#netmasks:   nisplus [NOTFOUND=return] files

bootparams: nisplus [NOTFOUND=return] files

ethers:     files
netmasks:   files
networks:   files
protocols:  files
rpc:        files
services:   files

netgroup:   files

publickey:  nisplus

automount:  files ldap
aliases:    files nisplus

Rowland


Hi Rowland,

Thanks for your input. Now I see that the three crucial lines at the top of the smb.conf file went missing somewhere. I made the suggested changes in both the smb.conf file and in the nsswitch.conf file, and disabled sssd, but now the smbd and winbindd daemons do not start at all. Trying kerberos, I get tickets from the server. Also did a restart. Did not help.

The smb.conf now looks like below. The logged errors from trying to start smbd and winbindd are also displayed below. I am quite out of ideas about this. Maybe it's better to wipe it and make a fresh installation.

Best regards,

Peter

smb.conf
======

[global]
   workgroup = KONSTRUKCE
   security = ADS
   realm = KONSTRUKCE.LOCAL

   idmap config * : backend = tdb
   idmap config * : range 3000-9999
   idmap config KONSTRUKCE:backend = rid
   idmap config KONSTRUKCE:range = 10000-99999

   local master = no
   domain master = no
   preferred master = no

#   template shell = /bin/false
   template homedir = /dev/null
   winbind use default domain = true
   winbind offline logon = true

   username map = /etc/samba/user.map

   dedicated keytab file = /etc/krb5.keytab
   kerberos method = secrets and keytab
   winbind refresh tickets = Yes
   client signing = mandatory
#   client use spnego = yes

   winbind enum users = yes
   winbind enum groups = yes

   printing = bsd
   printcap name = /dev/null
   load printers = no
   disable spoolss = yes

   vfs objects = acl_xattr
   map acl inherit = yes
   store dos attributes = yes


smbd startup entry
============

Oct 01 11:31:02 smbtest.konstrukce.local systemd[1]: Starting Samba SMB Daemon...
Oct 01 11:31:02 smbtest.konstrukce.local smbd[1741]: [2018/10/01 11:31:02.373756,  0] ../source3/auth/auth_util.c:1399(make_new_session_info_guest)
Oct 01 11:31:02 smbtest.konstrukce.local smbd[1741]: create_local_token failed: NT_STATUS_NO_MEMORY
Oct 01 11:31:02 smbtest.konstrukce.local smbd[1741]: [2018/10/01 11:31:02.373993,  0] ../source3/smbd/server.c:2011(main)
Oct 01 11:31:02 smbtest.konstrukce.local smbd[1741]:   ERROR: failed to setup guest info.
Oct 01 11:31:02 smbtest.konstrukce.local systemd[1]: smb.service: main process exited, code=exited, status=255/n/a
Oct 01 11:31:02 smbtest.konstrukce.local systemd[1]: Failed to start Samba SMB Daemon.
Oct 01 11:31:02 smbtest.konstrukce.local systemd[1]: Unit smb.service entered failed state.
Oct 01 11:31:02 smbtest.konstrukce.local systemd[1]: smb.service failed.


winbind startup entry
=============

Oct 01 11:46:03 smbtest.konstrukce.local systemd[1]: Starting Samba Winbind Daemon...
Oct 01 11:46:03 smbtest.konstrukce.local winbindd[1938]: [2018/10/01 11:46:03.373358,  0] ../source3/winbindd/winbindd_util.c:891(init_domain_list)
Oct 01 11:46:03 smbtest.konstrukce.local winbindd[1938]:   Could not fetch our SID - did we join?
Oct 01 11:46:03 smbtest.konstrukce.local winbindd[1938]: [2018/10/01 11:46:03.373640,  0] ../source3/winbindd/winbindd.c:1404(winbindd_register_handlers)
Oct 01 11:46:03 smbtest.konstrukce.local systemd[1]: winbind.service: main process exited, code=exited, status=1/FAILURE
Oct 01 11:46:03 smbtest.konstrukce.local systemd[1]: Failed to start Samba Winbind Daemon.
Oct 01 11:46:03 smbtest.konstrukce.local systemd[1]: Unit winbind.service entered failed state.
Oct 01 11:46:03 smbtest.konstrukce.local systemd[1]: winbind.service failed.
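As an added example (not code from the thread or from the Samba project), a small Python lint for the [global] section that checks the points raised above: the three required lines (workgroup, security, realm), idmap config lines that lack an '=' and so are not accepted as parameters, a missing range for the '*' default backend, and overlapping idmap ranges. The sample config is constructed from the suggested smb.conf, deliberately keeping the "range 3000-9999" line as posted.

```python
import re

# Constructed sample: the suggested [global] section, keeping the
# "idmap config * : range 3000-9999" line without "=" as it was posted.
SAMPLE_SMB_CONF = """\
[global]
     workgroup = SAMDOM
     security = ADS
     realm = SAMDOM.EXAMPLE.COM
     idmap config * : backend = tdb
     idmap config * : range 3000-9999
     idmap config SAMDOM:backend = rid
     idmap config SAMDOM:range = 10000-99999
     winbind use default domain = yes
"""

REQUIRED = ("workgroup", "security", "realm")

def parse_global(text):
    """Return ({key: value}, [malformed lines]) for the [global] section.
    Keys are lower-cased with whitespace around ':' dropped, so
    'idmap config * : range' and 'idmap config *:range' compare equal."""
    params, malformed, in_global = {}, [], False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("["):
            in_global = line.lower() == "[global]"
            continue
        if not in_global:
            continue
        if "=" not in line:
            malformed.append(line)  # no "key = value" split is possible
            continue
        key, value = line.split("=", 1)
        key = re.sub(r"\s*:\s*", ":", re.sub(r"\s+", " ", key.strip().lower()))
        params[key] = value.strip()
    return params, malformed

def idmap_ranges(params):
    """Map each 'idmap config DOM:range' value to an (lo, hi) tuple."""
    out = {}
    for key, value in params.items():
        m = re.fullmatch(r"idmap config (.+):range", key)
        if m:
            lo, hi = (int(x) for x in re.split(r"\s*-\s*", value))
            out[m.group(1)] = (lo, hi)
    return out

def lint(text):
    """Return a list of problem strings; an empty list means the config passes."""
    params, malformed = parse_global(text)
    problems = [f"malformed line (no '='): {l}" for l in malformed]
    problems += [f"missing required parameter: {k}" for k in REQUIRED if k not in params]
    ranges = idmap_ranges(params)
    if "*" not in ranges:
        problems.append("no valid 'idmap config * : range' (the default backend needs one)")
    doms = sorted(ranges)
    for i, a in enumerate(doms):
        for b in doms[i + 1:]:
            if ranges[a][0] <= ranges[b][1] and ranges[b][0] <= ranges[a][1]:
                problems.append(f"idmap ranges overlap: {a} {ranges[a]} vs {b} {ranges[b]}")
    return problems
```

Run `lint(open("/etc/samba/smb.conf").read())` on a member server before restarting winbindd; `testparm` remains the authoritative check, this only flags the specific mistakes from this thread.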
