
Re: [Samba] `getent passwd` not working with ad backend




‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
On Thursday, January 24, 2019 9:33 AM, Rowland Penny via samba <samba@xxxxxxxxxxxxxxx> wrote:

> On Thu, 24 Jan 2019 08:57:21 +0000
> Harpoon via samba samba@xxxxxxxxxxxxxxx wrote:
>
> > Hi all,
> > I've been reading and it seems like ad backend has many features that
> > I'd like to use. However, despite browsing many forums and docs, I am
> > still unable to get domain users list using `getent passwd` while
> > using `ad backend`. If I change backend to tdb, then I can get
> > usernames on the clients. Authentication works fine too when using
> > `tdb backend`. I think the only issue is with the mapping part.
> > Otherwise the domain is working pretty fine.
> > All boxes are running Debian Stretch.
> >
> > ===================================================
> > Server's smb.conf
> > ===================================================
> >
> > # Global parameters
> > [global]
> > netbios name = DC1
> > realm = SAMDOM.EXAMPLE.COM
> > workgroup = SAMDOM
> > dns forwarder = 10.0.5.200
> > server role = active directory domain controller
> > idmap_ldb:use rfc2307 = yes
> > winbind enum users = yes
> > winbind enum groups = yes
> > template shell = /bin/bash
> > [netlogon]
> > path = /var/lib/samba/sysvol/samdom.example.com/scripts
> > read only = No
> > [sysvol]
> > path = /var/lib/samba/sysvol
> > read only = No
> >
> > ===================================================
> > Client's smb.conf
> > ===================================================
> >
> > [global]
> > netbios name = client1
> > realm = SAMDOM.EXAMPLE.COM
> > workgroup = SAMDOM
> > security = ADS
> > kerberos method = secrets and keytab
> > winbind trusted domains only = no
> > winbind enum users = yes
> > winbind enum groups = yes
> > winbind use default domain = yes
> > winbind nss info = rfc2307
> >
> > # FOR Samba-share `getent` testing
> > # password server = dc1.samdom.example.com
> > # client signing = auto
> > # server signing = auto
> >
> > idmap config * : backend = tdb
> > idmap config * : range = 10000-20000
> >
> > idmap config SAMDOM : backend = ad
> > idmap config SAMDOM : range = 21000-200000
> >
> > ------------------------------------------------------------------------------
> >
> > With ad backend:
> >
> > 1.  wbinfo -u lists all domain users
> > 2.  `getent passwd` doesn't list domain users
> >
> > With tdb backend:
> >
> > 1.  wbinfo -u lists all domain users
> > 2.  `getent passwd` also lists all domain users
> >
> > Just by commenting out the `idmap config SAMDOM` lines in the
> > client's smb.conf, all other things start working such as `getent passwd`, authentication, etc.
> > I tried adding multiple Unix groups and users following instructions
> > on the Samba Wiki, but the result is always the same. I've been trying to
> > sort it out for a couple of weeks and it's now driving me insane. Any
> > help would be appreciated!
> > Kind regards,
> > Harp
>
> 'wbinfo' goes direct to AD, it bypasses the underlying OS. It also
> totally ignores anything to do with Unix, just because it shows the
> users in AD, doesn't mean anything to Unix.
That was indeed my understanding. Thanks for confirmation!

> With your smb.conf, it looks like something is wrong/missing, probably
> the required uidNumber & gidNumber attributes.
I did add uidNumber and gidNumber during creation of new groups and users.

> Does 'Domain Users' have a gidNumber attribute containing a number
> inside the '21000-200000' range ?
That was part of the problem. The 'Domain Users' group has GID 12000 (set by following https://techblog.devlat.eu/2017/02/04/gid-of-the-domain-users-resetting-to-100-with-a-samba-ad-dc/ guide).

So I modified client's smb.conf as:

[global]
	netbios name = client1
	realm = SAMDOM.EXAMPLE.COM
	workgroup = SAMDOM
	security = ADS
	kerberos method = secrets and keytab
	winbind trusted domains only = no
	winbind use default domain = yes
	winbind enum users = yes
	winbind enum groups = yes
	winbind nss info = rfc2307

	idmap config * : backend = tdb
	idmap config * : range = 100-200

	idmap config SAMDOM : backend = ad
	idmap config SAMDOM : range = 300-50000

Should it work?

There are still no domain users displayed by `getent passwd`, but `getent group` is now showing SOME of the domain groups. With the previous smb.conf, `getent group` too was only listing local groups. With the updated backend changes, some domain groups are now visible, but the 'Domain Users' group is still not being listed.

> Do the users you want/need to be Unix users have a uidNumber attribute
> containing a unique number inside the '21000-200000' range ?
The user uids were in 10000-20000 range mostly. So I updated the client's smb.conf as mentioned above.

> Do not confuse the '3000000' numbers found on a DC with uidNumbers or gidNumbers
It seems I've got some googling to do.

I'm sorry for the noobish mistakes, but I started working on and off with Samba a month ago, and most of my knowledge is based on skimming the wiki and forum posts.

Thanks for the help!

Kind regards,
Harp
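The range checks Rowland asks about, as an added example that is not code from the Samba project or from anyone in this thread: the script below pulls the `idmap config ... : range` values out of the two client smb.conf fragments posted above and runs them against a constructed attribute dump (the accounts alice, bob and dave and all their numbers are made up; on a real DC you would get the same attributes from `ldbsearch` or `samba-tool user show`). It reports every object winbind's ad backend could not turn into a Unix id: a uidNumber or gidNumber outside the range, a missing attribute, a user whose primary group is not mappable, and numbers in the 3000000 range that were copied from the DC's own idmap.ldb allocations instead of being set as RFC2307 attributes.

```python
"""Offline check of the idmap_ad prerequisites discussed in this thread.
Added example, not Samba project code: parses the idmap ranges out of a client
smb.conf plus a constructed attribute dump (on a real DC you would use ldbsearch
or 'samba-tool user show') and lists every object the ad backend cannot map."""
import re

# Ranges from the first post's client smb.conf.
SMB_CONF_ORIGINAL = """
idmap config * : backend = tdb
idmap config * : range = 10000-20000
idmap config SAMDOM : backend = ad
idmap config SAMDOM : range = 21000-200000
"""
# Ranges from the revised client smb.conf in the reply.
SMB_CONF_UPDATED = """
idmap config * : backend = tdb
idmap config * : range = 100-200
idmap config SAMDOM : backend = ad
idmap config SAMDOM : range = 300-50000
"""
# Constructed sample (names and numbers made up), one entry per blank-separated block.
SAMPLE_LDIF = """
objectClass: group
sAMAccountName: Domain Users
gidNumber: 12000

objectClass: user
sAMAccountName: alice
uidNumber: 10001
gidNumber: 12000

objectClass: user
sAMAccountName: bob
uidNumber: 3000025
gidNumber: 12000

objectClass: user
sAMAccountName: dave
uidNumber: 25002
gidNumber: 12000
"""

IDMAP_RANGE = re.compile(r'^\s*idmap\s+config\s+(\S+)\s*:\s*range\s*=\s*(\d+)\s*-\s*(\d+)\s*$',
                         re.IGNORECASE | re.MULTILINE)

def parse_idmap_ranges(smb_conf):
    """Map each idmap domain ('*' included) to its (low, high) range."""
    return {dom.upper(): (int(lo), int(hi)) for dom, lo, hi in IDMAP_RANGE.findall(smb_conf)}

def parse_ldif(text):
    """Minimal LDIF reader: one {attribute: [values]} dict per entry."""
    entries = []
    for block in re.split(r'\n\s*\n', text.strip()):
        entry = {}
        for line in block.splitlines():
            key, sep, value = line.partition(':')
            if sep:
                entry.setdefault(key.strip(), []).append(value.strip())
        entries.append(entry)
    return entries

def unmappable(smb_conf, ldif, domain='SAMDOM'):
    """{name: reason} for every object the ad backend cannot give a Unix id."""
    low, high = parse_idmap_ranges(smb_conf)[domain.upper()]
    problems, mapped_gids = {}, set()

    def reason(attr, value):
        if value is None:
            return f'no {attr} attribute'
        if low <= value <= high:
            return None
        # A Samba AD DC hands out its own xidNumbers from 3000000 upward in idmap.ldb;
        # that is what 'id' prints on the DC, and it is not an RFC2307 uidNumber/gidNumber.
        hint = ' (looks like a DC xidNumber, not an RFC2307 id)' if value >= 3000000 else ''
        return f'{attr} {value} outside {low}-{high}{hint}'

    entries = parse_ldif(ldif)
    num = lambda e, attr: int(e[attr][0]) if attr in e else None
    for e in entries:  # groups first: a user also needs a mappable primary group
        if 'group' in e.get('objectClass', []):
            why = reason('gidNumber', num(e, 'gidNumber'))
            if why:
                problems[e['sAMAccountName'][0]] = why
            else:
                mapped_gids.add(num(e, 'gidNumber'))
    for e in entries:
        if 'user' not in e.get('objectClass', []):
            continue
        why = reason('uidNumber', num(e, 'uidNumber'))
        if why is None and num(e, 'gidNumber') not in mapped_gids:
            # winbind returns no passwd entry when the primary group cannot be mapped,
            # which is why the gidNumber of 'Domain Users' matters for 'getent passwd'.
            why = f'primary group gidNumber {num(e, "gidNumber")} is not mappable'
        if why:
            problems[e['sAMAccountName'][0]] = why
    return problems

if __name__ == '__main__':
    for label, conf in (('original', SMB_CONF_ORIGINAL), ('updated', SMB_CONF_UPDATED)):
        for name, why in unmappable(conf, SAMPLE_LDIF).items():
            print(f'{label}: {name}: {why}')
```

With the original ranges the script flags 'Domain Users' (gidNumber 12000 sits below 21000), the user with a uidNumber in the 10000 range, the copied 3000025 value, and every user whose primary group is the unmappable 'Domain Users'; with the revised ranges only the 3000025 case remains. It looks at the AD side only: it will not tell you that a `*` range of 100-200 and a SAMDOM range starting at 300 overlap the UIDs Debian itself uses for system and local accounts, nor whether winbind is still serving cached answers, so run `net cache flush` and restart winbind before re-testing with `getent`.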




-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba