Thanks Rowland!

My current configs are:

DC:

# Global parameters
[global]
dns forwarder = 8.8.8.8
netbios name = TESTBOX
realm = SAMDOM.TESTING.COM
server role = active directory domain controller
workgroup = SAMDOM
idmap_ldb:use rfc2307 = yes
log file = /var/log/samba/%m.log
log level = 3
tls enabled = yes
vfs objects = acl_xattr
map acl inherit = yes
store dos attributes = yes
winbind enum groups = Yes
winbind enum users = Yes
idmap config * : backend = tdb
idmap config * : range = 3000-7999
idmap config SAMDOM:backend = ad
idmap config SAMDOM:schema_mode = rfc2307
idmap config SAMDOM : range = 10000-999999
idmap config SAMDOM : unix_nss_info = yes
idmap config SAMDOM:unix_primary_group = yes
template shell = /bin/bash
template homedir = /share/%U
username map = /usr/local/samba/etc/user.map

[netlogon]
path = /usr/local/samba/var/locks/sysvol/samdom.testing.com/scripts
read only = No

[sysvol]
path = /usr/local/samba/var/locks/sysvol
read only = No

Domain member/file server:

[global]
security = ADS
workgroup = SAMDOM
realm = SAMDOM.TESTING.COM
log file = /var/log/samba/%m.log
log level = 1
vfs objects = acl_xattr
map acl inherit = yes
store dos attributes = yes
winbind enum groups = Yes
winbind enum users = Yes
idmap_ldb:use rfc2307 = yes
idmap config * : backend = tdb
idmap config * : range = 3000-7999
idmap config SAMDOM:backend = ad
idmap config SAMDOM:schema_mode = rfc2307
idmap config SAMDOM : range = 10000-999999
idmap config SAMDOM : unix_nss_info = yes
idmap config SAMDOM:unix_primary_group = yes
template shell = /bin/bash
template homedir = /share/%U
username map = /usr/local/samba/etc/user.map
map to guest = Bad User

[Anonymous]
path = /anonymous
writable = yes
browsable = yes
guest ok = yes
guest only = yes
create mode = 0777
directory mode = 0777

[Demo]
path = /srv/samba/Demo/
read only = no

I was trying to walk through the creating shares bit and I noticed
that getent passwd and getent group don't work.
Am I missing something else?
On Thu, Nov 9, 2017 at 1:13 PM, Rowland Penny via samba <samba at lists.samba.org> wrote:
> On Thu, 9 Nov 2017 12:56:35 +0100
> Sina Owolabi <notify.sina at gmail.com> wrote:
>
>> Thanks a lot :-)
>> Does this mean my current configuration is correct?
>>
>
> Yes, as far as it goes, as long as you have added uidNumber attributes
> to the users in AD, containing a unique number inside the range
> '10000-999999', they also have a gidNumber that points to a group that
> has a gidNumber attribute containing the same number and this number is
> also inside the '10000-999999' range.
> NOTE: these uidNumber & gidNumber attributes are not added
> automatically.
>
> I would also add:
>
> vfs objects = acl_xattr
> map acl inherit = Yes
> store dos attributes = Yes
>
> Rowland
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba
On Thu, 9 Nov 2017 15:17:22 +0100
Sina Owolabi <notify.sina at gmail.com> wrote:

> Thanks Rowland!
>
> My current configs are:
>
> DC:
>
> # Global parameters
> [global]
> dns forwarder = 8.8.8.8
> netbios name = TESTBOX
> realm = SAMDOM.TESTING.COM
> server role = active directory domain controller
> workgroup = SAMDOM
> idmap_ldb:use rfc2307 = yes
> log file = /var/log/samba/%m.log
> log level = 3
> tls enabled = yes
> template shell = /bin/bash
> template homedir = /share/%U

See notes below:

> vfs objects = acl_xattr
> map acl inherit = yes
> store dos attributes = yes
> winbind enum groups = Yes
> winbind enum users = Yes
> idmap config * : backend = tdb
> idmap config * : range = 3000-7999
> idmap config SAMDOM:backend = ad
> idmap config SAMDOM:schema_mode = rfc2307
> idmap config SAMDOM : range = 10000-999999
> idmap config SAMDOM : unix_nss_info = yes
> idmap config SAMDOM:unix_primary_group = yes
> username map = /usr/local/samba/etc/user.map

I think you may have misunderstood me, the 13 lines above should NEVER
be added to the smb.conf on a DC, they belong in a Unix domain
member smb.conf (except for the 'winbind enum' lines and they should
only be used for testing purposes)

>
> Domain member/file server:

> idmap_ldb:use rfc2307 = yes

This line should only be in a DC smb.conf

> I was trying to walk through the creating shares bit and I noticed
> that getent passwd and getent group don't work
> Am I missing something else?
>

Have you set up libnss_winbind ?

Rowland
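A lint for the placement rules given in the reply above, as an added example that is not part of the original messages: it parses the [global] section of an smb.conf and reports parameters that sit on the wrong role. The rule tables, the function names and both sample configs are constructed for this example.

```python
import re

# Placement rules as stated in the reply above (the lint table is this example's assumption).
MEMBER_ONLY = {"vfs objects", "map acl inherit", "store dos attributes", "username map"}
DC_ONLY = {"idmap_ldb:use rfc2307"}
TESTING_ONLY = {"winbind enum users", "winbind enum groups"}
# Constructed samples, abbreviated from the configs posted in the thread.
DC_SAMPLE = """[global]
server role = active directory domain controller
idmap_ldb:use rfc2307 = yes
vfs objects = acl_xattr
winbind enum users = Yes
idmap config SAMDOM : range = 10000-999999
[sysvol]
read only = No
"""
MEMBER_SAMPLE = """[global]
security = ADS
idmap_ldb:use rfc2307 = yes
idmap config SAMDOM:backend = ad
"""

def parse_global(text):
    """Return {normalised name: value} for the [global] section only."""
    params, section = {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            section = header.group(1).strip().lower()
        elif section == "global" and "=" in line and line[0] not in "#;":
            name, value = line.split("=", 1)
            # Normalise case and spacing so 'X : range' and 'X:range' compare equal.
            name = re.sub(r"\s*:\s*", ":", " ".join(name.lower().split()))
            params[name] = value.strip()
    return params

def audit(text):
    """Return sorted (parameter, finding) pairs for misplaced settings."""
    params = parse_global(text)
    is_dc = params.get("server role", "").lower() == "active directory domain controller"
    findings = []
    for name, value in params.items():
        if is_dc and (name in MEMBER_ONLY or name.startswith("idmap config ")):
            findings.append((name, "member-only parameter on a DC"))
        elif not is_dc and name in DC_ONLY:
            findings.append((name, "DC-only parameter on a domain member"))
        elif name in TESTING_ONLY and value.lower() in ("yes", "true", "1"):
            findings.append((name, "enumeration is for testing only"))
    return sorted(findings)
```

Calling audit() on the text of a real smb.conf returns an empty list when none of these placement rules is violated.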
Yes, I did set up libnss_winbind.
wbinfo -u and -g on the domain member both work:

[root@testfsrv ~]# wbinfo -u
SAMDOM\testakin
SAMDOM\testsina
SAMDOM\testigein
SAMDOM\administrator
SAMDOM\krbtgt
SAMDOM\guest
[root@testfsrv ~]# wbinfo -g
SAMDOM\allowed rodc password replication group
SAMDOM\enterprise read-only domain controllers
SAMDOM\denied rodc password replication group
SAMDOM\read-only domain controllers
SAMDOM\group policy creator owners
SAMDOM\ras and ias servers
SAMDOM\domain controllers
SAMDOM\enterprise admins
SAMDOM\domain computers
SAMDOM\cert publishers
SAMDOM\dnsupdateproxy
SAMDOM\domain admins
SAMDOM\domain guests
SAMDOM\schema admins
SAMDOM\domain users
SAMDOM\dnsadmins

On Thu, Nov 9, 2017 at 3:35 PM, Rowland Penny <rpenny at samba.org> wrote:
> On Thu, 9 Nov 2017 15:17:22 +0100
> Sina Owolabi <notify.sina at gmail.com> wrote:
>
>> Thanks Rowland!
>>
>> My current configs are:
>>
>> DC:
>>
>> # Global parameters
>> [global]
>> dns forwarder = 8.8.8.8
>> netbios name = TESTBOX
>> realm = SAMDOM.TESTING.COM
>> server role = active directory domain controller
>> workgroup = SAMDOM
>> idmap_ldb:use rfc2307 = yes
>> log file = /var/log/samba/%m.log
>> log level = 3
>> tls enabled = yes
>> template shell = /bin/bash
>> template homedir = /share/%U
>
> See notes below:
>
>> vfs objects = acl_xattr
>> map acl inherit = yes
>> store dos attributes = yes
>> winbind enum groups = Yes
>> winbind enum users = Yes
>> idmap config * : backend = tdb
>> idmap config * : range = 3000-7999
>> idmap config SAMDOM:backend = ad
>> idmap config SAMDOM:schema_mode = rfc2307
>> idmap config SAMDOM : range = 10000-999999
>> idmap config SAMDOM : unix_nss_info = yes
>> idmap config SAMDOM:unix_primary_group = yes
>> username map = /usr/local/samba/etc/user.map
>
> I think you may have misunderstood me, the 13 lines above should NEVER
> be added to the smb.conf on a DC, they belong in a Unix domain
> member smb.conf (except for the 'winbind enum' lines and they should
> only be used for testing purposes)
>
>>
>> Domain member/file server:
>
>> idmap_ldb:use rfc2307 = yes
>
> This line should only be in a DC smb.conf
>
>> I was trying to walk through the creating shares bit and I noticed
>> that getent passwd and getent group don't work
>> Am I missing something else?
>>
>
> Have you set up libnss_winbind ?
>
> Rowland