Guilherme Boing
2015-Oct-13 13:19 UTC
[Samba] Second DC doesn't recognize users/groups on getent
Hello,

I just realized that my second DC does not recognize the users from the AD.
wbinfo -u/-g are working just fine.

    [root at dc1 ~]# id bruno.castro
    uid=10004(POL\bruno.castro) gid=100(users) grupos=100(users),10001(POL\ti),3000009(BUILTIN\users)

    [root at dc2 ~]# id bruno.castro
    id: bruno.castro: no such user

    [root at dc1 ~]# wbinfo -i bruno.castro
    POL\bruno.castro:*:10004:100:Bruno de Castro:/home/POL/bruno.castro:/bin/bash

    [root at dc2 ~]# wbinfo -i bruno.castro
    POL\bruno.castro:*:10004:100:Bruno de Castro:/home/POL/bruno.castro:/bin/bash

nsswitch.conf is fine, both DCs are like this:

    passwd: files sss winbind
    shadow: files sss winbind
    group:  files sss winbind

smb.conf is the same on both DCs (except for the netbios name, where DC1 is DC1 and DC2 is DC2):

    # Global parameters
    [global]
        workgroup = POL
        realm = POLE.ONLINE
        netbios name = DC1
        server role = active directory domain controller
        dns forwarder = 192.168.22.180
        log level = 3
        template shell = /bin/bash
        idmap_ldb:use rfc2307 = yes
        allow dns updates = nonsecure

    [netlogon]
        path = /usr/local/samba/var/locks/sysvol/pole.online/scripts
        read only = No

    [sysvol]
        path = /usr/local/samba/var/locks/sysvol
        read only = No

drs showrepl also does not prompt any error on both sides.

What am I missing?

Not sure if it matters, but DC1 has 4 winbindd processes running while DC2 has only 3.
Also noticed from log.winbindd on DC1 that whenever I do 'id bruno.castro', the system is properly asking winbindd for the user, while on DC2 it does not happen.

Both DCs are running CentOS 7 and Samba 4.3.0.
Rowland Penny
2015-Oct-13 13:45 UTC
[Samba] Second DC doesn't recognize users/groups on getent
On 13/10/15 14:19, Guilherme Boing wrote:

Hi, does running this:

    ldbsearch -H /var/lib/samba/private/sam.ldb -b "dc=pole,dc=online" -s sub "(&(objectClass=user)(sAMAccountName=bruno.castro))"

on both DCs, produce the same output? It should.

Also, unless you are using sssd for sudo or autofs etc. you do not need it in /etc/nsswitch.conf if you are also using winbind. As it is set up, sssd will respond before winbind, so this may not be a winbind problem, it could be an sssd problem.

Rowland
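A small check for the nsswitch.conf ordering Rowland points at, added here as an example and not code from the thread or from the Samba project. It parses an nsswitch.conf, reports any source other than files that is consulted before winbind for passwd, shadow and group, prints the corrected line with sss dropped, and, when run on a DC with an account name as its argument, compares what wbinfo -i and getent passwd return for that account. The sample file it writes is constructed from the configuration quoted in the thread; the function names are my own.

```shell
#!/bin/sh
# Added example, not code from the thread. Finds NSS sources that answer
# before winbind in an nsswitch.conf and shows the corrected line; the
# sample file below is constructed from the config quoted in the thread.

# Print the ordered source list for one database (passwd, group, ...),
# ignoring comments and [ACTION=...] entries.
nss_sources() {  # $1 = nsswitch.conf path, $2 = database name
    awk -F: -v db="$2" '
        /^[ \t]*#/ || NF < 2 { next }
        { gsub(/[ \t]/, "", $1); sub(/#.*/, "", $2) }
        $1 == db {
            n = split($2, parts, /[ \t]+/)
            out = ""
            for (i = 1; i <= n; i++) {
                if (parts[i] == "" || parts[i] ~ /^\[/) continue
                out = out (out == "" ? "" : " ") parts[i]
            }
            print out
            exit
        }
    ' "$1"
}

# Print the sources (other than files) consulted before winbind and exit 0;
# exit 1 when winbind is the first non-files source. A database that does
# not list winbind at all reports every non-files source.
nss_shadowed_by() {  # $1 = nsswitch.conf path, $2 = database name
    before=""
    for s in $(nss_sources "$1" "$2"); do
        [ "$s" = winbind ] && break
        [ "$s" = files ] && continue
        before="$before${before:+ }$s"
    done
    [ -n "$before" ] && printf '%s\n' "$before"
}

# Print the database line with one source removed (the suggested fix).
nss_drop_source() {  # $1 = path, $2 = database, $3 = source to drop
    out=""
    for s in $(nss_sources "$1" "$2"); do
        [ "$s" = "$3" ] && continue
        out="$out${out:+ }$s"
    done
    printf '%s: %s\n' "$2" "$out"
}

# Write a constructed nsswitch.conf like the one in the thread; print its path.
make_sample_nsswitch() {
    f=$(mktemp) || return 1
    cat > "$f" <<'EOF'
# constructed sample, modelled on the nsswitch.conf quoted in the thread
passwd:     files sss winbind
shadow:     files sss winbind
group:      files sss winbind
hosts:      files dns
EOF
    printf '%s\n' "$f"
}

# On a DC: does a lookup that goes through NSS reach winbind? If wbinfo
# answers but getent does not, something earlier in nsswitch.conf (or a
# missing libnss_winbind) is swallowing the request before winbind sees it.
dc_nss_compare() {  # $1 = account name, e.g. bruno.castro
    wb=$(wbinfo -i "$1" 2>/dev/null) || { echo "winbind does not know $1"; return 2; }
    ge=$(getent passwd "$1" 2>/dev/null) || { echo "wbinfo knows $1 but getent does not: $wb"; return 1; }
    printf 'wbinfo -i: %s\ngetent:    %s\n' "$wb" "$ge"
}

sample=$(make_sample_nsswitch)
for db in passwd shadow group; do
    if bad=$(nss_shadowed_by "$sample" "$db"); then
        echo "$db: '$bad' is consulted before winbind; suggested line -> $(nss_drop_source "$sample" "$db" sss)"
    fi
done
rm -f "$sample"
if [ $# -gt 0 ]; then dc_nss_compare "$1"; fi
```

Run without arguments it only inspects the constructed sample; run as `sh check.sh bruno.castro` on a DC it additionally shows whether the NSS path and winbind agree, which is exactly the dc1/dc2 difference in the first message.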
Guilherme Boing
2015-Oct-13 14:00 UTC
[Samba] Second DC doesn't recognize users/groups on getent
Hello Rowland,

I should also mention that Samba 4.3.0 was installed from tarball; I compiled it myself.

DC2 does not have the /var/lib/samba/private/sam.ldb file. Also it did not return any result on DC1. However, using /usr/local/samba/private/sam.ldb, both DCs returned the same thing:

    # returned 4 records
    # 1 entries
    # 3 referrals

I wonder why DC1 has the /var/lib/samba/private/sam.ldb file and DC2 does not.

Regarding the sssd issue, I am not really using sssd. sssd is not even running; I believe when I first installed Samba through yum, it installed itself there. Still, I have removed sss from nsswitch on both DCs.

On Tue, Oct 13, 2015 at 10:45 AM, Rowland Penny <rowlandpenny241155 at gmail.com> wrote: