
Re: [Samba] getent not showing domain users and groups with winbind but works with sssd
On Mon, 1 Oct 2018 11:48:25 +0200
Peter Milesson via samba <samba@xxxxxxxxxxxxxxx> wrote:

> 
> On 10/1/18 10:02 AM, Rowland Penny via samba wrote:
> > On Sun, 30 Sep 2018 23:25:48 +0200
> > Peter Milesson via samba <samba@xxxxxxxxxxxxxxx> wrote:
> >
> >> Hi folks,
> >>
> >> AD server CentOS 7-1804, Samba 4.9.1 compiled from source, only
> >> used as AD server, with netlogon and sysvol, just like any Windows
> >> AD server
> >>
> >> AD member server CentOS 7-1804, Samba 4.7.1 installed from CentOS
> >> repositories, intended for use as a file server, with shares for
> >> roaming profiles, home directories, and data shares.
> >>
> >>
> >> I know that the getent problem has been discussed ad nauseam here,
> >> but this really beats me. The AD server works, except for dynamic
> >> DNS updates, which seems to be a known problem, so I'm not going to
> >> mention it here further.
> >>
> >> Winbind seems to work, displaying groups and users through wbinfo.
> >> Kerberos also works. Had a bit of a problem joining the member
> >> server to the domain, but it eventually worked. The net rpc join
> >> command requires the -S switch, which is omitted almost everywhere
> >> in the documentation. But the id, or getent users or getent groups
> >> just do not give away anything. Empty.
> >>
> >> On a hunch, I tried replacing winbind with sssd. Stopping winbind,
> >> and starting sssd, everything works nicely.
> >>
> >> I have followed all the Wikis, and gone through most of what's been
> >> written the last 2 years, also on the list, about configuring a
> >> Samba member server. I have checked that the lib files exist, and
> >> are in the right places, tried different versions of
> >> nsswitch.conf, etc. I'm not completely sure if the winbind entries
> >> make any difference when using sssd, as sssd.conf and realmd.conf
> >> seem to have got entries that effectively replace the winbind
> >> entries in smb.conf.
> >>
> >> Below is smb.conf, and nsswitch.conf. I've tried a bunch of
> >> different settings for passwd and group in nsswitch, but it does
> >> not seem to make any difference with winbind (files winbind, files
> >> winbind sss, files sss winbind, files pam winbind, files wibind
> >> pam, etc., etc., etc.).
> >>
> >> What also beats me is that the logs are very quiet.
> >>
> >> I am happy that it works with sssd, but I just don't want to leave
> >> it without any explanations. At least not after spending a day
> >> trying to get it working.
> >>
> > You have two important lines missing and one that is wrong, try this
> > smb.conf:
> >
> > [global]
> >      workgroup = SAMDOM
> >      security = ADS
> >      realm = SAMDOM.EXAMPLE.COM
> >
> >      idmap config * : backend = tdb
> >      idmap config * : range = 3000-9999
> >      idmap config SAMDOM:backend = rid
> >      idmap config SAMDOM:range = 10000-99999
> >
> >      local master = no
> >      domain master = no
> >      preferred master = no
> >
> >      template homedir = /dev/null
> >      winbind use default domain = yes
> >      winbind offline logon = yes
> >
> >      username map = /etc/samba/user.map
> >
> >      dedicated keytab file = /etc/krb5.keytab
> >      kerberos method = secrets and keytab
> >      winbind refresh tickets = Yes
> >      client signing = mandatory
> >
> >      printing = bsd
> >      printcap name = /dev/null
> >      load printers = no
> >      disable spoolss = yes
> >
> >      vfs objects = acl_xattr
> >      map acl inherit = yes
> >
> > The join command is 'net ads join -U Administrator' and this should
> > find the DC without any other options. If it doesn't, you have a
> > misconfiguration in your network set up.
> >
> > Your nsswitch.conf should look something like this:
> >
> > passwd:     files winbind
> > shadow:     files
> > group:      files winbind
> > initgroups: files
> >
> > hosts:      files dns
> >
> > # Example - obey only what nisplus tells us...
> > #services:   nisplus [NOTFOUND=return] files
> > #networks:   nisplus [NOTFOUND=return] files
> > #protocols:  nisplus [NOTFOUND=return] files
> > #rpc:        nisplus [NOTFOUND=return] files
> > #ethers:     nisplus [NOTFOUND=return] files
> > #netmasks:   nisplus [NOTFOUND=return] files
> >
> > bootparams: nisplus [NOTFOUND=return] files
> >
> > ethers:     files
> > netmasks:   files
> > networks:   files
> > protocols:  files
> > rpc:        files
> > services:   files
> >
> > netgroup:   files
> >
> > publickey:  nisplus
> >
> > automount:  files ldap
> > aliases:    files nisplus
> >
> > Rowland
> >
> >
> Hi Rowland,
> 
> Thanks for your input. Now I see that the three crucial lines in the
> top of the smb.conf file went missing somewhere. I made the suggested 
> changes in both the smb.conf file, and in the nsswitch.conf file, and 
> disabled sssd, but now the smbd and winbindd daemons do not start at 
> all. Trying kerberos, I get tickets from the server. Also did a
> restart. Did not help.
> 
> The smb.conf now looks like below. The logged errors from trying to 
> start smbd and winbindd are also displayed below. I am quite out of 
> ideas about this. Maybe it's better to wipe it and make a fresh 
> installation.
> 
> Best regards,
> 
> Peter
> 
> smb.conf
> ======
> 
> [global]
>     workgroup = KONSTRUKCE
>     security = ADS
>     realm = KONSTRUKCE.LOCAL
> 
>     idmap config * : backend = tdb
>     idmap config * : range = 3000-9999
>     idmap config KONSTRUKCE:backend = rid
>     idmap config KONSTRUKCE:range = 10000-99999
> 
>     local master = no
>     domain master = no
>     preferred master = no
> 
> #   template shell = /bin/false
>     template homedir = /dev/null
>     winbind use default domain = true
>     winbind offline logon = true
> 
>     username map = /etc/samba/user.map
> 
>     dedicated keytab file = /etc/krb5.keytab
>     kerberos method = secrets and keytab
>     winbind refresh tickets = Yes
>     client signing = mandatory
> #   client use spnego = yes
> 
>     winbind enum users = yes
>     winbind enum groups = yes
> 
>     printing = bsd
>     printcap name = /dev/null
>     load printers = no
>     disable spoolss = yes
> 
>     vfs objects = acl_xattr
>     map acl inherit = yes
>     store dos attributes = yes
> 
> 
> smbd startup entry
> ============
> 
> Oct 01 11:31:02 smbtest.konstrukce.local systemd[1]: Starting Samba
> SMB Daemon...
> Oct 01 11:31:02 smbtest.konstrukce.local smbd[1741]: [2018/10/01 
> 11:31:02.373756,  0] 
> ../source3/auth/auth_util.c:1399(make_new_session_info_guest)
> Oct 01 11:31:02 smbtest.konstrukce.local smbd[1741]:
> create_local_token failed: NT_STATUS_NO_MEMORY
> Oct 01 11:31:02 smbtest.konstrukce.local smbd[1741]: [2018/10/01 
> 11:31:02.373993,  0] ../source3/smbd/server.c:2011(main)
> Oct 01 11:31:02 smbtest.konstrukce.local smbd[1741]:   ERROR: failed
> to setup guest info.
> Oct 01 11:31:02 smbtest.konstrukce.local systemd[1]: smb.service:
> main process exited, code=exited, status=255/n/a
> Oct 01 11:31:02 smbtest.konstrukce.local systemd[1]: Failed to start 
> Samba SMB Daemon.
> Oct 01 11:31:02 smbtest.konstrukce.local systemd[1]: Unit smb.service 
> entered failed state.
> Oct 01 11:31:02 smbtest.konstrukce.local systemd[1]: smb.service
> failed.
> 
> 
> winbind startup entry
> =============
> 
> Oct 01 11:46:03 smbtest.konstrukce.local systemd[1]: Starting Samba 
> Winbind Daemon...
> Oct 01 11:46:03 smbtest.konstrukce.local winbindd[1938]: [2018/10/01 
> 11:46:03.373358,  0] 
> ../source3/winbindd/winbindd_util.c:891(init_domain_list)
> Oct 01 11:46:03 smbtest.konstrukce.local winbindd[1938]:   Could not 
> fetch our SID - did we join?
> Oct 01 11:46:03 smbtest.konstrukce.local winbindd[1938]: [2018/10/01 
> 11:46:03.373640,  0] 
> ../source3/winbindd/winbindd.c:1404(winbindd_register_handlers)
> Oct 01 11:46:03 smbtest.konstrukce.local systemd[1]: winbind.service: 
> main process exited, code=exited, status=1/FAILURE
> Oct 01 11:46:03 smbtest.konstrukce.local systemd[1]: Failed to start 
> Samba Winbind Daemon.
> Oct 01 11:46:03 smbtest.konstrukce.local systemd[1]: Unit 
> winbind.service entered failed state.
> Oct 01 11:46:03 smbtest.konstrukce.local systemd[1]: winbind.service
> failed.
> 
> 
> 

You are now hitting a bug in 4.9.1 that was discovered last week by
Louis Van Belle. It seems to be an interaction between Samba and
systemd, I say this because it doesn't affect me on Devuan.

Rowland
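The member-server rules Rowland gives in the quoted reply (security = ADS, a realm, and an idmap range for the '*' default domain kept apart from the domain's own range) turned into a small smb.conf checker, added here as an example and not code from the thread or from the Samba project. The sample smb.conf is constructed to mirror the quoted one, with the '=' dropped from the '*' range line so the check has something to flag; the workgroup and realm names are taken from the thread.

```python
import re

# Constructed sample modelled on the thread's smb.conf; the '*' range line
# deliberately lacks its '=' (a form testparm/smbd ignores).
SAMPLE_SMB_CONF = """[global]
    workgroup = KONSTRUKCE
    security = ADS
    realm = KONSTRUKCE.LOCAL
    idmap config * : backend = tdb
    idmap config * : range 3000-9999
    idmap config KONSTRUKCE:backend = rid
    idmap config KONSTRUKCE:range = 10000-99999
"""
IDMAP_RANGE = re.compile(r"^idmap config\s*(\S+)\s*:\s*range\b(.*)$", re.I)

def global_lines(text):
    """Yield stripped, non-comment lines of the [global] section."""
    in_global = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("["):
            in_global = line.lower() == "[global]"
        elif in_global:
            yield line

def check_member_config(text):
    """Findings against the thread's member-server rules: security = ADS, a realm,
    and well-formed idmap ranges with the '*' range separate from the domain's."""
    params, ranges, findings = {}, {}, []
    for line in global_lines(text):
        m = IDMAP_RANGE.match(line)
        if m and not m.group(2).lstrip().startswith("="):
            findings.append(f"missing '=' in: {line}")
            continue
        key, _, value = (s.strip() for s in line.partition("="))
        params[key.lower()] = value
        if m:  # "low-high" -> ints, keyed by idmap domain name
            lo, hi = (int(x) for x in value.split("-"))
            ranges[m.group(1).upper()] = (lo, hi)
    if params.get("security", "").upper() != "ADS":
        findings.append("security must be ADS on a domain member")
    if "realm" not in params:
        findings.append("realm is missing")
    star = ranges.get("*")
    if star is None:
        findings.append("no usable range for the '*' default idmap domain")
    for dom, (lo, hi) in ranges.items():
        if dom != "*" and star and lo <= star[1] and hi >= star[0]:
            findings.append(f"idmap range for {dom} overlaps the '*' range")
    return findings
```

Running `check_member_config` on the sample reports the malformed range line and the resulting absence of a '*' range; once the '=' is restored it returns no findings.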
