
Re: [Samba] getent not showing domain users and groups with winbind but works with sssd

On Wed, 3 Oct 2018 12:45:11 +0200
Peter Milesson via samba <samba@xxxxxxxxxxxxxxx> wrote:

> Hi folks,
> I have finally nailed down the problem with the non-functional getent 
> command when using winbind on a samba member server (AD domain).
> The problem was the entry
>     idmap config * : range 3000-9999

No, it wasn't.

> I used the instructions in 
> https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member
> as a template when setting up the server.
> Changing the line idmap config to
>     idmap config * : range = 16777216-33554431

I have no idea why doing that worked for you; all you have done is
move the range.

> A change of the wiki page would be in order ;-)

Sorry, but that isn't going to happen ;-)

> The smb.conf below works well against my Samba AD DC. 

and this is mine that works on my CentOS 7 VM:

    workgroup = SAMDOM
    security = ADS

    dedicated keytab file = /etc/krb5.keytab
    kerberos method = secrets and keytab
    server string = Samba 4 Client %h

    winbind use default domain = yes
    winbind expand groups = 4
    winbind refresh tickets = Yes
    winbind offline logon = yes

    ## map ids outside of domain to tdb files.
    idmap config *:backend = tdb
    idmap config *:range = 3000-9999
    ## map ids from the domain; the ranges may not overlap!
    idmap config SAMDOM : backend = ad
    idmap config SAMDOM : schema_mode = rfc2307
    idmap config SAMDOM : unix_nss_info = yes
    idmap config SAMDOM : range = 10000-999999
    template shell = /bin/bash
    template homedir = /home/%U

    domain master = no
    local master = no
    preferred master = no
    os level = 20
    map to guest = bad user
    host msdfs = no

    # user Administrator workaround, without it you are unable to set privileges
    username map = /etc/samba/user.map

    # For ACL support on domain member
    vfs objects = acl_xattr full_audit
    map acl inherit = Yes
    store dos attributes = Yes

    # Share Setting Globally
    unix extensions = no
    reset on zero vc = yes
    veto files = /.bash_logout/.bash_profile/.bash_history/.bashrc/
    hide unreadable = yes

    # disable printing completely
    load printers = no
    printing = bsd
    printcap name = /dev/null
    disable spoolss = yes

    # logging
    #log level = 10
    log level = 0
    map untrusted to domain = yes

and this is the result:

[root@cen1804 ~]# getent passwd rowland
rowland:*:10000:10000:Rowland Penny:/home/rowland:/bin/bash
[root@cen1804 ~]# getent group Domain\ Users
domain users:x:10000:rowland,...... long list of users.

All I can think of is that you still have sssd installed; I don't.
Or something else isn't set up correctly.

What do the following commands return:

hostname -s
hostname -d
hostname -f
hostname -i

What is in /etc/resolv.conf
What is in /etc/hosts
What is in /etc/krb5.conf

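An added example, not from Rowland's mail or from the Samba project: a small POSIX shell check for the "ranges may not overlap" rule that the posted smb.conf relies on. It parses `idmap config <domain> : range = LOW-HIGH` lines from a constructed sample (on a real member server, pipe in `testparm -s` output instead) and reports any pair of ranges that overlap, which is the misconfiguration that makes the `*` and domain backends fight over the same ids.

```shell
#!/bin/sh
# Added example: verify that idmap ranges in an smb.conf are disjoint.
# The sample configs below are constructed for this demonstration.

# Print "DOMAIN LOW HIGH" for every "idmap config <dom> : range = LOW-HIGH" line.
idmap_ranges() {
  awk -F'=' '
    /^[[:space:]]*idmap config[[:space:]]*[^:]*:[[:space:]]*range[[:space:]]*=/ {
      split($1, lhs, ":")                       # lhs[1] = "idmap config <dom>"
      dom = lhs[1]
      sub(/^[[:space:]]*idmap config[[:space:]]*/, "", dom)
      gsub(/[[:space:]]/, "", dom)
      rng = $2
      gsub(/[[:space:]]/, "", rng)              # "3000-9999"
      split(rng, r, "-")
      print dom, r[1], r[2]
    }'
}

# Read "DOMAIN LOW HIGH" lines and report overlapping or inverted ranges.
# Exit status 0 when every pair is disjoint, 1 otherwise.
check_overlap() {
  awk '
    { dom[NR] = $1; lo[NR] = $2 + 0; hi[NR] = $3 + 0
      if (lo[NR] > hi[NR]) { printf "bad range for %s: %d-%d\n", $1, lo[NR], hi[NR]; bad = 1 } }
    END {
      for (i = 1; i <= NR; i++)
        for (j = i + 1; j <= NR; j++)
          if (lo[i] <= hi[j] && lo[j] <= hi[i]) {
            printf "overlap: %s (%d-%d) and %s (%d-%d)\n", dom[i], lo[i], hi[i], dom[j], lo[j], hi[j]
            bad = 1
          }
      exit bad ? 1 : 0
    }'
}

# Constructed sample matching the layout of the posted config (disjoint ranges).
SAMPLE_OK='idmap config *:backend = tdb
idmap config *:range = 3000-9999
idmap config SAMDOM : backend = ad
idmap config SAMDOM : range = 10000-999999'

# Constructed sample where the "*" range runs into the domain range.
SAMPLE_BAD='idmap config * : range = 3000-20000
idmap config SAMDOM : range = 10000-999999'

printf '%s\n' "$SAMPLE_OK" | idmap_ranges | check_overlap && echo "ok: ranges are disjoint"
printf '%s\n' "$SAMPLE_BAD" | idmap_ranges | check_overlap || echo "fix smb.conf before relying on idmap"
```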