
Re: [Samba] `getent passwd` not working with ad backend

On Thu, 24 Jan 2019 08:57:21 +0000
Harpoon via samba <samba@xxxxxxxxxxxxxxx> wrote:

> Hi all,
> I've been reading and it seems like ad backend has many features that
> I'd like to use. However, despite browsing many forums and docs, I am
> still unable to get domain users list using `getent passwd` while
> using `ad backend`. If I change backend to tdb, then I can get
> usernames on the clients. Authentication works fine too when using
> `tdb backend`. I think the only issue is with the mapping part.
> Otherwise the domain is working pretty fine.
> 
> All boxes are running Debian Stretch.
> 
> ===================================================
> Server's smb.conf
> ===================================================
> # Global parameters
> [global]
> netbios name = DC1
> realm = SAMDOM.EXAMPLE.COM
> workgroup = SAMDOM
> dns forwarder = 10.0.5.200
> server role = active directory domain controller
> idmap_ldb:use rfc2307 = yes
> winbind enum users = yes
> winbind enum groups = yes
> template shell = /bin/bash
> 
> [netlogon]
> path = /var/lib/samba/sysvol/samdom.example.com/scripts
> read only = No
> 
> [sysvol]
> path = /var/lib/samba/sysvol
> read only = No
> 
> ===================================================
> Client's smb.conf
> ===================================================
> [global]
> netbios name = client1
> realm = SAMDOM.EXAMPLE.COM
> workgroup = SAMDOM
> security = ADS
> kerberos method = secrets and keytab
> winbind trusted domains only = no
> winbind enum users = yes
> winbind enum groups = yes
> winbind use default domain = yes
> winbind nss info = rfc2307
> #   FOR Samba-share `getent` testing
> #    password server = dc1.samdom.example.com
> #    client signing = auto
> #    server signing = auto
> 
> idmap config * : backend = tdb
> idmap config * : range = 10000-20000
> 
> idmap config SAMDOM : backend = ad
> idmap config SAMDOM : range = 21000-200000
> -------------------------------------------------------------------------
> 
> **With ad backend:**
> 1. wbinfo -u lists all domain users
> 2. `getent passwd` doesn't list domain users
> 
> **With tdb backend:**
> 1. wbinfo -u lists all domain users
> 2. `getent passwd` also lists all domain users
> 
> Just by commenting out the `idmap config SAMDOM` lines in the
> client's smb.conf, all other things start working such as `getent
> passwd`, authentication, etc.
> 
> I tried adding multiple Unix groups and users following instructions
> on Samba Wiki, but the result is always the same. I've been trying to
> sort it out for a couple of weeks and it's now driving me insane. Any
> help would be appreciated!
> 
> Kind regards,
> Harp

'wbinfo' goes direct to AD; it bypasses the underlying OS. It also
totally ignores anything to do with Unix: just because it shows the
users in AD doesn't mean anything to Unix.

With your smb.conf, it looks like something is wrong/missing, probably
the required uidNumber & gidNumber attributes.

Does 'Domain Users' have a gidNumber attribute containing a number
inside the '21000-200000' range?

Do the users you want/need to be Unix users have a uidNumber attribute
containing a unique number inside the '21000-200000' range?

Do not confuse the '3000000' numbers found on a DC with uidNumbers or gidNumbers.

Rowland
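
As an added illustration of the three checks in the reply above (not code from this thread or from Samba), here is a small Python script that reads an LDIF-style dump of users and groups, as `ldbsearch` or `samba-tool user show` would print on the DC, and reports every entry whose uidNumber (users) or gidNumber (groups) is missing, outside the client's `21000-200000` range, or already used by another entry. The LDIF data and account names are constructed for the example.

```python
import re
# Range taken from the client's "idmap config SAMDOM : range" line above.
LOW, HIGH = 21000, 200000
# Constructed LDIF-style dump (what ldbsearch / samba-tool print). Only alice
# is usable: bob lacks uidNumber and carol carries a 3000000-range number, the
# DC-internal values the reply warns against mistaking for uidNumbers.
LDIF = """
dn: CN=alice,CN=Users,DC=samdom,DC=example,DC=com
objectClass: user
sAMAccountName: alice
uidNumber: 21001

dn: CN=bob,CN=Users,DC=samdom,DC=example,DC=com
objectClass: user
sAMAccountName: bob

dn: CN=carol,CN=Users,DC=samdom,DC=example,DC=com
objectClass: user
sAMAccountName: carol
uidNumber: 3000021

dn: CN=Domain Users,CN=Users,DC=samdom,DC=example,DC=com
objectClass: group
sAMAccountName: Domain Users
gidNumber: 21000
"""
def parse_ldif(text):
    """One {attribute: value} dict per blank-line-separated LDIF entry."""
    return [dict((k.strip(), v.strip()) for k, _, v in
                 (line.partition(":") for line in block.splitlines()))
            for block in re.split(r"\n\s*\n", text.strip())]

def check_entries(entries, low=LOW, high=HIGH):
    """sAMAccountName -> '' (ok) or why winbind's ad backend cannot map it."""
    problems, seen = {}, {}
    for e in entries:
        name = e["sAMAccountName"]
        # Groups need gidNumber, users uidNumber; in range and not reused.
        attr = "gidNumber" if e.get("objectClass") == "group" else "uidNumber"
        if attr not in e:
            problems[name] = "missing " + attr
            continue
        value = int(e[attr])
        if not low <= value <= high:
            problems[name] = "%s %d outside %d-%d" % (attr, value, low, high)
        elif (attr, value) in seen:
            problems[name] = "%s %d duplicates %s" % (attr, value, seen[attr, value])
        else:
            problems[name], seen[attr, value] = "", name
    return problems
```

Running `check_entries(parse_ldif(LDIF))` flags bob and carol and passes alice and Domain Users, which is exactly the state that makes `wbinfo -u` succeed while `getent passwd` shows nothing for the unmapped accounts.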

-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba