Web lists-archives.com

Re: [Samba] getenv does not return any AD DOMAIN users or groups - ?nsswitch is not setup for Samba?

On Fri, 16 Nov 2018 02:08:45 +0000
"Barry D. Adkins via samba" <samba@xxxxxxxxxxxxxxx> wrote:

> The problem is that getenv does not return any AD domain users or
> groups. From much research this seems to be because nsswitch is not
> setup for Samba.

I take it you mean 'getent'

> I would really appreciate some assistance as I think this is my last
> hurdle for actually being able to use this test file server.
> Ubuntu server 18.04 - Samba installed and configured (almost)
> Kerberos functioning. wbinfo --ping-dc successfully contacts domain
> server Browse server from windows client sees printer share
> The Libnss winbind Links Wiki says to do this:
> # smbd -b | grep LIBDIR  >>> smdb... doesn't work 

On Ubuntu it wouldn't, but this should:

sudo smbd -b | grep LIBDIR
   LIBDIR: /usr/lib/x86_64-linux-gnu

> but samba -b does
> work LIBDIR: /usr/local/samba/lib/
> # ln
> -s /usr/local/samba/lib/libnss_winbind.so.2 /lib/x86_64-linux-gnu/ #
> ln
> -s /lib/x86_64-linux-gnu/libnss_winbind.so.2 /lib/x86_64-linux-gnu/libnss_winbind.so
> # ldconfig
> Although as seen below there doesn't seem to be a LIBDIR entry, it
> seemed as if it might be /usr/lib/x86_64-linux-gnu/samba so I ran the
> above ln commands with this in mind. It didn't work. I also appended
> "files windbind" to the 2 entries in nsswitch.conf.
> ~$ samba -b
> Samba version: 4.7.6-Ubuntu
> Build environment:
> Paths:
> BINDIR: /usr/bin
> SBINDIR: /usr/sbin
> CONFIGFILE: /etc/samba/smb.conf
> NCALRPCDIR: /var/run/samba/ncalrpc
> LOGFILEBASE: /var/log/samba
> LMHOSTSFILE: /etc/samba/lmhosts
> DATADIR: /usr/share
> MODULESDIR: /usr/lib/x86_64-linux-gnu/samba
> LOCKDIR: /var/run/samba
> STATEDIR: /var/lib/samba
> CACHEDIR: /var/cache/samba
> PIDDIR: /var/run/samba
> PRIVATE_DIR: /var/lib/samba/private
> CODEPAGEDIR: /usr/share/samba/codepages
> SETUPDIR: /usr/share/samba/setup
> WINBINDD_SOCKET_DIR: /var/run/samba/winbindd
> NTP_SIGND_SOCKET_DIR: /var/lib/samba/ntp_signd
> It doesn't seem there is a LIBDIR. Not sure what to do about that.
> The folder /usr/local/samba/lib does not exist.

Now this is interesting, in your 'samba -b | grep LIBDIR' above, the
location is /usr/local/samba, yet it then changes to /var/lib/samba.

The Samba wiki is written from the point of view of a self compiled
Samba, where the default location for everything is /usr/local/samba,
the default location for most of Samba using the Ubuntu packages
is /var/lib/samba, so what are you using, a self compiled Samba, or
the Ubuntu packages ?
> ~$ locate libnss_winbind
> /lib/x86_64-linux-gnu/libnss_winbind.so.2

Hmm, looks like Ubuntu packages.

Check if these three packages are installed: libpam-winbind libpam-krb5

> Samba config:
> [global]
> dns forwarder = my.DNS.ip.address

Why have you got a line that should only be in a DC smb.conf ?

> dns proxy = No
> log file = /var/log/samba/log.%m
> logging = syslog@1 /var/log/samba/log.%m
> map to guest = Bad User
> max log size = 1000
> panic action = /usr/share/samba/panic-action %d
> realm = DOMAIN.COM
> security = ADS
> server role = member server
> server string = %h server (Samba, Ubuntu)
> template shell = /bin/bash
> usershare allow guests = Yes
> winbind enum groups = Yes
> winbind enum users = Yes

You should only have the 'winbind enum' lines for testing purposes.

> winbind nss info = rfc2307

Replace the above line with:

idmap config DOMAIN : unix_nss_info = yes

> winbind use default domain = Yes
> workgroup = DOMAIN
> idmap config DOMAIN : range = 50000-1000000

Does the 'Domain Users' group have a gidNumber attribute containing a
number inside the range above ?
Do your users have a uidNumber attribute containing a unique number
inside the same range ?


To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba