Web lists-archives.com

Re: [Samba] getent not showing domain users and groups with winbind but works with sssd





On 10/3/18 1:09 PM, Rowland Penny via samba wrote:
On Wed, 3 Oct 2018 12:45:11 +0200
Peter Milesson via samba <samba@xxxxxxxxxxxxxxx> wrote:

Hi folks,

I have finally nailed down the problem with the non-functional getent
command when using winbind on a samba member server (AD domain).

The problem was the entry

     idmap config * : range 3000-9999
No, it wasn't

I used the instructions in
https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member
as a template when setting up the server.

Changing the line idmap config to

     idmap config * : range = 16777216-33554431
I have no idea why doing that worked for you, all you have done is
moved the range.

A change of the wiki page would be in order ;-)
Sorry, but that isn't going to happen ;-)

The smb.conf below works well against my Samba AD DC.
and this is mine that works on my Centos 7 VM:

[global]
     workgroup = SAMDOM
     security = ADS
     realm = SAMDOM.EXAMPLE.COM

     dedicated keytab file = /etc/krb5.keytab
     kerberos method = secrets and keytab
     server string = Samba 4 Client %h

     winbind use default domain = yes
     winbind expand groups = 4
     winbind refresh tickets = Yes
     winbind offline logon = yes

     ## map ids outside of domain to tdb files.
     idmap config *:backend = tdb
     idmap config *:range = 3000-9999
     ## map ids from the domain  the ranges may not overlap !
     idmap config SAMDOM : backend = ad
     idmap config SAMDOM : schema_mode = rfc2307
     idmap config SAMDOM : unix_nss_info = yes
     idmap config SAMDOM : range = 10000-999999
     template shell = /bin/bash
     template homedir = /home/%U

     domain master = no
     local master = no
     preferred master = no
     os level = 20
     map to guest = bad user
     host msdfs = no

     # user Administrator workaround, without it you are unable to set privileges
     username map = /etc/samba/user.map

     # For ACL support on domain member
     vfs objects = acl_xattr full_audit
     map acl inherit = Yes
     store dos attributes = Yes

     # Share Setting Globally
     unix extensions = no
     reset on zero vc = yes
     veto files = /.bash_logout/.bash_profile/.bash_history/.bashrc/
     hide unreadable = yes

     # disable printing completely
     load printers = no
     printing = bsd
     printcap name = /dev/null
     disable spoolss = yes

     # logging
     #log level = 10
     log level = 0
     map untrusted to domain = yes

and this is the result:

[root@cen1804 ~]# getent passwd rowland
rowland:*:10000:10000:Rowland Penny:/home/rowland:/bin/bash
[root@cen1804 ~]# getent group Domain\ Users
domain users:x:10000:rowland,...... long list of users.

All I can think of is, you still have sssd installed, I don't.
Or something else isn't set up correctly.

What do the following commands return:

hostname
hostname -s
hostname -d
hostname -f
hostname -i

What is in /etc/resolv.conf
What is in /etc/hosts
What is in /etc/krb5.conf

Rowland

Hi Rowland,

Seems that I forgot to put the IP address of the host in hosts. SSSD is not installed. I wiped the previous installation, and installed again. I was very careful not to install SSSD. The packages I installed were:

samba samba-common samba-client samba-winbind samba-winbind-clients krb5-workstation authconfig

When trying to use a Windows computer for administration (Computer management) and connecting to the member server, there is a Windows message that it was not possible to connect (problems with DCOM). However, it's possible to browse the share on the samba member, and create files.

Still works, after several restarts ;-)

Best regards,

Peter



hostname:    smbtest.samdom.local

hostname -s: smbtest

hostname -d:     samdom.local

hostname -f:    smbtest

hostname -i:    192.168.6.79


resolv.conf
=======

search samdom.local
nameserver 192.168.6.80


hosts
====

127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4 ::1         localhost localhost.localdomain localhost6 localhost6.localdomain6
192.168.6.79 smbtest.samdom.local smbtest


krb5.conf
======

[libdefaults]
        default_realm = SAMDOM.LOCAL
        dns_lookup_realm = false
        dns_lookup_kdc = true





--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba