Web lists-archives.com

Re: [Samba] getent not showing domain users and groups with winbind but works with sssd





On 10/2/18 1:07 PM, Rowland Penny via samba wrote:
On Tue, 2 Oct 2018 12:40:19 +0200
Peter Milesson via samba <samba@xxxxxxxxxxxxxxx> wrote:

On 10/1/18 8:40 PM, Rowland Penny via samba wrote:
On Mon, 1 Oct 2018 19:28:29 +0200
Peter Milesson via samba <samba@xxxxxxxxxxxxxxx> wrote:

Hi Louis and Rowland,

I'm just reporting back on this, in case it may help somebody else.

Getting a working getent (or id) under the current version of
CentOS with winbind just doesn't seems possible. I haven't got a
clue where the problem is. I have tried the suggestions, I did a
clean installation, and built Samba myself from source, but no way.
Installing sssd, a few lines of configuration, disabling winbind,
and it just works. I just want to stress, that the problems I have
had getting the Samba domain member to work, are most probably
CentOS-related.

Unfortunately, I must leave it at this point, as I have spent way
too much time already. At least I'm glad that I didn't upgrade the
production server directly, and instead spent time trying to get
things to work in the test environment. Otherwise there would have
been tar and feathers at noon today.

A sincere thank you for your time and suggestions.

OK, it is your decision (and I don't blame you for your choice) to
use sssd, but I feel I should point out that using wimbind does
work on Centos 7.1.

I had Centos 7 in a VM, so I started it, updated it and installed
the centos Samba packages (by the way, who thought that it was a
good idea to call 'winbind' 'samba-winbind' ?). Installed a copy of
a known working smb.conf from a Devuan machine. I should mention
that the Centos VM was previously running a compiled version Samba,
so most of the set up was already done (This set up was based on
what I do for Devuan).

And........

[root@cen1804 ~]# getent passwd rowland
rowland:*:10000:10000:Rowland Penny:/home/rowland:/bin/bash

[root@cen1804 ~]# getent group domain\ users
domain users:x:10000:......long list of users

There is undoubtedly something different between your setup and
mine.

Rowland
Hi Rowland,

Now I'm bothering you with getent and winbind again.

I got winbind working. Sort of. It turned out to be that the
libwbclient.so library wasn't registered with ld.so.conf.
Just check you are using the correct libwbclient.so, sssd uses some of
the Samba code.

What happens now is, that some users and groups are listed when I run
getent. I guess that it may be due to some cache files still
containing residue. Any suggestions?

Try running 'net cache flush'

Rowland

Hi folks,

I have finally nailed down the problem with the non-functional getent command when using winbind on a samba member server (AD domain).

The problem was the entry

   idmap config * : range 3000-9999

in smb.conf

I used the instructions in https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member as a template when setting up the server.

Changing the line idmap config to

   idmap config * : range = 16777216-33554431

made all the difference.

I got that range by using the authconfig tool, and then commenting out some lines, most notably "password server"

A change of the wiki page would be in order ;-)

The smb.conf below works well against my Samba AD DC. There are no shares defined (yet), which depends on the local needs.

Best regards,

Peter


[global]
    workgroup = SAMDOM
#   password server = samadc.samdom.local
   realm = SAMDOM.LOCAL
   security = ads
   template homedir = /dev/null
   template shell = /sbin/nologin
#   kerberos method = secrets only
   winbind use default domain = true
   winbind offline logon = true

   idmap config * : backend = tdb
   idmap config * : range = 16777216-33554431

#   idmap config * : range 3000-9999
   idmap config SAMDOM:backend = rid
   idmap config SAMDOM:range = 10000-99999

   local master = no
;   domain master = no
   preferred master = no

   username map = /etc/samba/user.map

   dedicated keytab file = /etc/krb5.keytab
   kerberos method = secrets and keytab
   winbind refresh tickets = Yes
   client signing = mandatory

   winbind enum users = yes
   winbind enum groups = yes

   printing = bsd
   printcap name = /dev/null
   load printers = no
   disable spoolss = yes

   vfs objects = acl_xattr
   map acl inherit = yes
   store dos attributes = yes



--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba