Peter Milesson
2018-Oct-01 09:48 UTC
[Samba] getent not showing domain users and groups with winbind but works with sssd
On 10/1/18 10:02 AM, Rowland Penny via samba wrote:
> On Sun, 30 Sep 2018 23:25:48 +0200
> Peter Milesson via samba <samba at lists.samba.org> wrote:
>
>> Hi folks,
>>
>> AD server CentOS 7-1804, Samba 4.9.1 compiled from source, only used
>> as AD server, with netlogon and sysvol, just like any Windows AD
>> server
>>
>> AD member server CentOS 7-1804, Samba 4.7.1 installed from CentOS
>> repositories, intended for use as a file server, with shares for
>> roaming profiles, home directories, and data shares.
>>
>>
>> I know that the getent problem has been discussed ad nauseam here,
>> but this really beats me. The AD server works, except for dynamic DNS
>> updates, which seems to be a known problem, so I'm not going to
>> mention it here further.
>>
>> Winbind seems to work, displaying groups and users through wbinfo.
>> Kerberos also works. Had a bit of a problem joining the member server
>> to the domain, but it eventually worked. The net rpc join command
>> requires the -S switch, which is omitted almost everywhere in the
>> documentation. But the id, or getent users or getent groups just do
>> not give away anything. Empty.
>>
>> On a hunch, I tried replacing winbind with sssd. Stopping winbind,
>> and starting sssd, everything works nicely.
>>
>> I have followed all the Wikis, and gone through most of what's been
>> written the last 2 years, also on the list, about configuring a Samba
>> member server. I have checked that the lib files exist, and are in
>> the right places, tried different versions of nsswitch.conf, etc. I'm
>> not completely sure if the winbind entries makes any difference when
>> using sssd, as sssd.conf and realmd.conf seem to have got entries
>> that effectively replace the winbind entries in smb.conf.
>>
>> Below is smb.conf, and nsswitch.conf. I've tried a bunch of different
>> settings for passwd and group in nsswitch, but it does not seem to
>> make any difference with winbind (files winbind, files winbind sss,
>> files sss winbind, files pam winbind, files wibind pam, etc., etc.,
>> etc.).
>>
>> What also beats me is, that the logs are very quiet.
>>
>> I am happy that it works with sssd, but I just don't want to leave it
>> without any explanations. At least not after spending a day trying to
>> get it working.
>>
> You have two important lines missing and one that is wrong, try this
> smb.conf:
>
> [global]
>     workgroup = SAMDOM
>     security = ADS
>     realm = SAMDOM.EXAMPLE.COM
>
>     idmap config * : backend = tdb
>     idmap config * : range 3000-9999
>     idmap config SAMDOM:backend = rid
>     idmap config SAMDOM:range = 10000-99999
>
>     local master = no
>     domain master = no
>     preferred master = no
>
>     template homedir = /dev/null
>     winbind use default domain = yes
>     winbind offline logon = yes
>
>     username map = /etc/samba/user.map
>
>     dedicated keytab file = /etc/krb5.keytab
>     kerberos method = secrets and keytab
>     winbind refresh tickets = Yes
>     client signing = mandatory
>
>     printing = bsd
>     printcap name = /dev/null
>     load printers = no
>     disable spoolss = yes
>
>     vfs objects = acl_xattr
>     map acl inherit = yes
>
> The join command is 'net ads join -U Administrator' and this should
> find the DC without any other options. If it doesn't, you have a
> misconfiguration in your network set up.
>
> Your nsswitch.conf should look something like this:
>
> passwd: files winbind
> shadow: files
> group: files winbind
> initgroups: files
>
> hosts: files dns
>
> # Example - obey only what nisplus tells us...
> #services: nisplus [NOTFOUND=return] files
> #networks: nisplus [NOTFOUND=return] files
> #protocols: nisplus [NOTFOUND=return] files
> #rpc: nisplus [NOTFOUND=return] files
> #ethers: nisplus [NOTFOUND=return] files
> #netmasks: nisplus [NOTFOUND=return] files
>
> bootparams: nisplus [NOTFOUND=return] files
>
> ethers: files
> netmasks: files
> networks: files
> protocols: files
> rpc: files
> services: files
>
> netgroup: files
>
> publickey: nisplus
>
> automount: files ldap
> aliases: files nisplus
>
> Rowland
>
>

Hi Rowland,

Thanks for your input. Now I see that the three crucial lines in the
top of the smb.conf file went missing somewhere. I made the suggested
changes in both the smb.conf file, and in the nsswitch.conf file, and
disabled sssd, but now the smbd, and winbindd daemons do not start at
all. Trying kerberos, I get tickets from the server. Also did a
restart. Did not help.

The smb.conf now looks like below. The logged errors from trying to
start smbd and winbindd are also displayed below. I am quite out of
ideas about this. Maybe it's better to wipe it and make a fresh
installation.

Best regards,

Peter

smb.conf
=====

[global]
    workgroup = KONSTRUKCE
    security = ADS
    realm = KONSTRUKCE.LOCAL

    idmap config * : backend = tdb
    idmap config * : range 3000-9999
    idmap config KONSTRUKCE:backend = rid
    idmap config KONSTRUKCE:range = 10000-99999

    local master = no
    domain master = no
    preferred master = no

    # template shell = /bin/false
    template homedir = /dev/null
    winbind use default domain = true
    winbind offline logon = true

    username map = /etc/samba/user.map

    dedicated keytab file = /etc/krb5.keytab
    kerberos method = secrets and keytab
    winbind refresh tickets = Yes
    client signing = mandatory
    # client use spnego = yes

    winbind enum users = yes
    winbind enum groups = yes

    printing = bsd
    printcap name = /dev/null
    load printers = no
    disable spoolss = yes

    vfs objects = acl_xattr
    map acl inherit = yes
    store dos attributes = yes


smbd startup entry
===========

Oct 01 11:31:02 smbtest.konstrukce.local systemd[1]: Starting Samba SMB Daemon...
Oct 01 11:31:02 smbtest.konstrukce.local smbd[1741]: [2018/10/01 11:31:02.373756, 0] ../source3/auth/auth_util.c:1399(make_new_session_info_guest)
Oct 01 11:31:02 smbtest.konstrukce.local smbd[1741]: create_local_token failed: NT_STATUS_NO_MEMORY
Oct 01 11:31:02 smbtest.konstrukce.local smbd[1741]: [2018/10/01 11:31:02.373993, 0] ../source3/smbd/server.c:2011(main)
Oct 01 11:31:02 smbtest.konstrukce.local smbd[1741]: ERROR: failed to setup guest info.
Oct 01 11:31:02 smbtest.konstrukce.local systemd[1]: smb.service: main process exited, code=exited, status=255/n/a
Oct 01 11:31:02 smbtest.konstrukce.local systemd[1]: Failed to start Samba SMB Daemon.
Oct 01 11:31:02 smbtest.konstrukce.local systemd[1]: Unit smb.service entered failed state.
Oct 01 11:31:02 smbtest.konstrukce.local systemd[1]: smb.service failed.


winbind startup entry
============

Oct 01 11:46:03 smbtest.konstrukce.local systemd[1]: Starting Samba Winbind Daemon...
Oct 01 11:46:03 smbtest.konstrukce.local winbindd[1938]: [2018/10/01 11:46:03.373358, 0] ../source3/winbindd/winbindd_util.c:891(init_domain_list)
Oct 01 11:46:03 smbtest.konstrukce.local winbindd[1938]: Could not fetch our SID - did we join?
Oct 01 11:46:03 smbtest.konstrukce.local winbindd[1938]: [2018/10/01 11:46:03.373640, 0] ../source3/winbindd/winbindd.c:1404(winbindd_register_handlers)
Oct 01 11:46:03 smbtest.konstrukce.local systemd[1]: winbind.service: main process exited, code=exited, status=1/FAILURE
Oct 01 11:46:03 smbtest.konstrukce.local systemd[1]: Failed to start Samba Winbind Daemon.
Oct 01 11:46:03 smbtest.konstrukce.local systemd[1]: Unit winbind.service entered failed state.
Oct 01 11:46:03 smbtest.konstrukce.local systemd[1]: winbind.service failed.
Rowland Penny
2018-Oct-01 10:10 UTC
[Samba] getent not showing domain users and groups with winbind but works with sssd
On Mon, 1 Oct 2018 11:48:25 +0200
Peter Milesson via samba <samba at lists.samba.org> wrote:

>
> On 10/1/18 10:02 AM, Rowland Penny via samba wrote:
> > On Sun, 30 Sep 2018 23:25:48 +0200
> > Peter Milesson via samba <samba at lists.samba.org> wrote:
> >
> >> Hi folks,
> >>
> >> AD server CentOS 7-1804, Samba 4.9.1 compiled from source, only
> >> used as AD server, with netlogon and sysvol, just like any Windows
> >> AD server
> >>
> >> AD member server CentOS 7-1804, Samba 4.7.1 installed from CentOS
> >> repositories, intended for use as a file server, with shares for
> >> roaming profiles, home directories, and data shares.
> >>
> >>
> >> I know that the getent problem has been discussed ad nauseam here,
> >> but this really beats me. The AD server works, except for dynamic
> >> DNS updates, which seems to be a known problem, so I'm not going to
> >> mention it here further.
> >>
> >> Winbind seems to work, displaying groups and users through wbinfo.
> >> Kerberos also works. Had a bit of a problem joining the member
> >> server to the domain, but it eventually worked. The net rpc join
> >> command requires the -S switch, which is omitted almost everywhere
> >> in the documentation. But the id, or getent users or getent groups
> >> just do not give away anything. Empty.
> >>
> >> On a hunch, I tried replacing winbind with sssd. Stopping winbind,
> >> and starting sssd, everything works nicely.
> >>
> >> I have followed all the Wikis, and gone through most of what's been
> >> written the last 2 years, also on the list, about configuring a
> >> Samba member server. I have checked that the lib files exist, and
> >> are in the right places, tried different versions of
> >> nsswitch.conf, etc. I'm not completely sure if the winbind entries
> >> makes any difference when using sssd, as sssd.conf and realmd.conf
> >> seem to have got entries that effectively replace the winbind
> >> entries in smb.conf.
> >>
> >> Below is smb.conf, and nsswitch.conf. I've tried a bunch of
> >> different settings for passwd and group in nsswitch, but it does
> >> not seem to make any difference with winbind (files winbind, files
> >> winbind sss, files sss winbind, files pam winbind, files wibind
> >> pam, etc., etc., etc.).
> >>
> >> What also beats me is, that the logs are very quiet.
> >>
> >> I am happy that it works with sssd, but I just don't want to leave
> >> it without any explanations. At least not after spending a day
> >> trying to get it working.
> >>
> > You have two important lines missing and one that is wrong, try this
> > smb.conf:
> >
> > [global]
> >     workgroup = SAMDOM
> >     security = ADS
> >     realm = SAMDOM.EXAMPLE.COM
> >
> >     idmap config * : backend = tdb
> >     idmap config * : range 3000-9999
> >     idmap config SAMDOM:backend = rid
> >     idmap config SAMDOM:range = 10000-99999
> >
> >     local master = no
> >     domain master = no
> >     preferred master = no
> >
> >     template homedir = /dev/null
> >     winbind use default domain = yes
> >     winbind offline logon = yes
> >
> >     username map = /etc/samba/user.map
> >
> >     dedicated keytab file = /etc/krb5.keytab
> >     kerberos method = secrets and keytab
> >     winbind refresh tickets = Yes
> >     client signing = mandatory
> >
> >     printing = bsd
> >     printcap name = /dev/null
> >     load printers = no
> >     disable spoolss = yes
> >
> >     vfs objects = acl_xattr
> >     map acl inherit = yes
> >
> > The join command is 'net ads join -U Administrator' and this should
> > find the DC without any other options. If it doesn't, you have a
> > misconfiguration in your network set up.
> >
> > Your nsswitch.conf should look something like this:
> >
> > passwd: files winbind
> > shadow: files
> > group: files winbind
> > initgroups: files
> >
> > hosts: files dns
> >
> > # Example - obey only what nisplus tells us...
> > #services: nisplus [NOTFOUND=return] files
> > #networks: nisplus [NOTFOUND=return] files
> > #protocols: nisplus [NOTFOUND=return] files
> > #rpc: nisplus [NOTFOUND=return] files
> > #ethers: nisplus [NOTFOUND=return] files
> > #netmasks: nisplus [NOTFOUND=return] files
> >
> > bootparams: nisplus [NOTFOUND=return] files
> >
> > ethers: files
> > netmasks: files
> > networks: files
> > protocols: files
> > rpc: files
> > services: files
> >
> > netgroup: files
> >
> > publickey: nisplus
> >
> > automount: files ldap
> > aliases: files nisplus
> >
> > Rowland
> >
> >
> Hi Rowland,
>
> Thanks for your input. Now I see that the three crucial lines in the
> top of the smb.conf file went missing somewhere. I made the suggested
> changes in both the smb.conf file, and in the nsswitch.conf file, and
> disabled sssd, but now the smbd, and winbindd daemons do not start at
> all. Trying kerberos, I get tickets from the server. Also did a
> restart. Did not help.
>
> The smb.conf now looks like below. The logged errors from trying to
> start smbd and winbindd are also displayed below. I am quite out of
> ideas about this. Maybe it's better to wipe it and make a fresh
> installation.
>
> Best regards,
>
> Peter
>
> smb.conf
> =====
>
> [global]
>     workgroup = KONSTRUKCE
>     security = ADS
>     realm = KONSTRUKCE.LOCAL
>
>     idmap config * : backend = tdb
>     idmap config * : range 3000-9999
>     idmap config KONSTRUKCE:backend = rid
>     idmap config KONSTRUKCE:range = 10000-99999
>
>     local master = no
>     domain master = no
>     preferred master = no
>
>     # template shell = /bin/false
>     template homedir = /dev/null
>     winbind use default domain = true
>     winbind offline logon = true
>
>     username map = /etc/samba/user.map
>
>     dedicated keytab file = /etc/krb5.keytab
>     kerberos method = secrets and keytab
>     winbind refresh tickets = Yes
>     client signing = mandatory
>     # client use spnego = yes
>
>     winbind enum users = yes
>     winbind enum groups = yes
>
>     printing = bsd
>     printcap name = /dev/null
>     load printers = no
>     disable spoolss = yes
>
>     vfs objects = acl_xattr
>     map acl inherit = yes
>     store dos attributes = yes
>
>
> smbd startup entry
> ===========
>
> Oct 01 11:31:02 smbtest.konstrukce.local systemd[1]: Starting Samba
> SMB Daemon...
> Oct 01 11:31:02 smbtest.konstrukce.local smbd[1741]: [2018/10/01
> 11:31:02.373756, 0]
> ../source3/auth/auth_util.c:1399(make_new_session_info_guest)
> Oct 01 11:31:02 smbtest.konstrukce.local smbd[1741]:
> create_local_token failed: NT_STATUS_NO_MEMORY
> Oct 01 11:31:02 smbtest.konstrukce.local smbd[1741]: [2018/10/01
> 11:31:02.373993, 0] ../source3/smbd/server.c:2011(main)
> Oct 01 11:31:02 smbtest.konstrukce.local smbd[1741]: ERROR: failed
> to setup guest info.
> Oct 01 11:31:02 smbtest.konstrukce.local systemd[1]: smb.service:
> main process exited, code=exited, status=255/n/a
> Oct 01 11:31:02 smbtest.konstrukce.local systemd[1]: Failed to start
> Samba SMB Daemon.
> Oct 01 11:31:02 smbtest.konstrukce.local systemd[1]: Unit smb.service
> entered failed state.
> Oct 01 11:31:02 smbtest.konstrukce.local systemd[1]: smb.service
> failed.
>
>
> winbind startup entry
> ============
>
> Oct 01 11:46:03 smbtest.konstrukce.local systemd[1]: Starting Samba
> Winbind Daemon...
> Oct 01 11:46:03 smbtest.konstrukce.local winbindd[1938]: [2018/10/01
> 11:46:03.373358, 0]
> ../source3/winbindd/winbindd_util.c:891(init_domain_list)
> Oct 01 11:46:03 smbtest.konstrukce.local winbindd[1938]: Could not
> fetch our SID - did we join?
> Oct 01 11:46:03 smbtest.konstrukce.local winbindd[1938]: [2018/10/01
> 11:46:03.373640, 0]
> ../source3/winbindd/winbindd.c:1404(winbindd_register_handlers)
> Oct 01 11:46:03 smbtest.konstrukce.local systemd[1]: winbind.service:
> main process exited, code=exited, status=1/FAILURE
> Oct 01 11:46:03 smbtest.konstrukce.local systemd[1]: Failed to start
> Samba Winbind Daemon.
> Oct 01 11:46:03 smbtest.konstrukce.local systemd[1]: Unit
> winbind.service entered failed state.
> Oct 01 11:46:03 smbtest.konstrukce.local systemd[1]: winbind.service
> failed.
>
>

You are now hitting a bug in 4.9.1 that was discovered last week by
Louis Van Belle. It seems to be an interaction between Samba and
systemd, I say this because it doesn't affect me on Devuan.

Rowland
Rowland Penny
2018-Oct-01 11:10 UTC
[Samba] getent not showing domain users and groups with winbind but works with sssd
On Mon, 1 Oct 2018 12:13:58 +0200
Peter Milesson <miles at atmos.eu> wrote:

> > You are now hitting a bug in 4.9.1 that was discovered last week by
> > Louis Van Belle. It seems to be an interaction between Samba and
> > systemd, I say this because it doesn't affect me on Devuan.
> >
> > Rowland
>
> Hi Rowland,
>
> I'm using the standard CentOS Samba packages. The current Samba
> version is 4.7.1. The server is 4.9.1, however.
>

Hmm, I wonder if this has been going on for some time?

As I said, I don't get this error and the Samba daemons are started in
this order:
smbd
nmbd
winbind

From the Debian bug report by Louis, there is this
in /lib/systemd/system/smbd.service:

After=network.target network-online.target nmbd.service winbind.service

Which from my (limited) knowledge of systemd, means 'smbd' will only be
started after 'nmbd' & 'winbind'. This, in my opinion, is totally wrong.

If your version of the file is the same, try removing 'winbind.service'
and see if this helps.

Rowland
Peter Milesson
2018-Oct-01 11:28 UTC
[Samba] getent not showing domain users and groups with winbind but works with sssd
On 10/1/18 1:10 PM, Rowland Penny via samba wrote:
> On Mon, 1 Oct 2018 12:13:58 +0200
> Peter Milesson <miles at atmos.eu> wrote:
>
>>> You are now hitting a bug in 4.9.1 that was discovered last week by
>>> Louis Van Belle. It seems to be an interaction between Samba and
>>> systemd, I say this because it doesn't affect me on Devuan.
>>>
>>> Rowland
>> Hi Rowland,
>>
>> I'm using the standard CentOS Samba packages. The current Samba
>> version is 4.7.1. The server is 4.9.1, however.
>>
> Hmm, I wonder if this has been going on for some time?
>
> As I said, I don't get this error and the Samba daemons are started in
> this order:
> smbd
> nmbd
> winbind
>
> From the Debian bug report by Louis, there is this
> in /lib/systemd/system/smbd.service:
>
> After=network.target network-online.target nmbd.service winbind.service
>
> Which from my (limited) knowledge of systemd, means 'smbd' will only be
> started after 'nmbd' & 'winbind'. This, in my opinion, is totally wrong.
>
> If your version of the file is the same, try removing 'winbind.service'
> and see if this helps.
>
> Rowland
>

Hi Rowland,

Order does not seem to be important. I have tried to start the daemons
manually in different order. Does not help.

As the self compiled AD DC works beautifully, I'll wipe the installation
and compile Samba myself from the 4.9.1 sources. Being lazy and
installing what's thrown at you evidently didn't pay off in this case.

Thanks for your help anyway.

I wish you a nice day,

Peter
L.P.H. van Belle
2018-Oct-01 11:40 UTC
[Samba] getent not showing domain users and groups with winbind but works with sssd
Hai,

If you read the post on the Debian bug list.
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=909465
You will see the workaround also, that's tested and works.

And I also suggest you adjust the startup order and to adjust your
systemd settings is shown here.
Use : systemctl edit name_of_service.service
This creates an override file in
/etc/systemd/system/servicename.d/override.conf

If you want a full copy of the service file and edit that.
Use : systemctl edit --full name_of_service.service
That will be placed in /etc/systemd/system/

Editing this way, you won't get messages/questions when upgrading and
your settings are in /etc/systemd
The system systems are in /lib/systemd

Currently I'm testing the following settings.

# /etc/systemd/system/smbd.service.d/override.conf
[Unit]
Wants=network.target
After=network.target nmbd.service

# /etc/systemd/system/winbind.service.d/override.conf
[Unit]
Wants=network-online.target
After=network.target network-online.target smbd.service

And Nmbd does not need adjustments.

But don't forget to install conform these steps.

A few workarounds to make it work.
install a stand-alone server.
apt-get install samba

Next, to avoid the problem run :
net groupmap add sid=S-1-5-32-546 unixgroup=nobody type=builtin

or define the idmap in smb.conf
idmap config * : backend = tdb
idmap config * : range = 3000-7999

Now you can install winbind also, if you don't need winbind, then the
bug does not show.
As of this point you can configure everything as usual.

Greetz,

Louis

> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of
> Peter Milesson via samba
> Sent: Monday 1 October 2018 13:28
> To: samba at lists.samba.org
> Subject: Re: [Samba] getent not showing domain users and
> groups with winbind but works with sssd
>
>
> On 10/1/18 1:10 PM, Rowland Penny via samba wrote:
> > On Mon, 1 Oct 2018 12:13:58 +0200
> > Peter Milesson <miles at atmos.eu> wrote:
> >
> >>> You are now hitting a bug in 4.9.1 that was discovered last week by
> >>> Louis Van Belle. It seems to be an interaction between Samba and
> >>> systemd, I say this because it doesn't affect me on Devuan.
> >>>
> >>> Rowland
> >> Hi Rowland,
> >>
> >> I'm using the standard CentOS Samba packages. The current Samba
> >> version is 4.7.1. The server is 4.9.1, however.
> >>
> > Hmm, I wonder if this has been going on for some time?
> >
> > As I said, I don't get this error and the Samba daemons are started in
> > this order:
> > smbd
> > nmbd
> > winbind
> >
> > From the Debian bug report by Louis, there is this
> > in /lib/systemd/system/smbd.service:
> >
> > After=network.target network-online.target nmbd.service winbind.service
> >
> > Which from my (limited) knowledge of systemd, means 'smbd' will only be
> > started after 'nmbd' & 'winbind'. This, in my opinion, is totally wrong.
> >
> > If your version of the file is the same, try removing 'winbind.service'
> > and see if this helps.
> >
> > Rowland
> >
> Hi Rowland,
>
> Order does not seem to be important. I have tried to start the daemons
> manually in different order. Does not help.
>
> As the self compiled AD DC works beautifully, I'll wipe the installation
> and compile Samba myself from the 4.9.1 sources. Being lazy and
> installing what's thrown at you evidently didn't pay off in this case.
>
> Thanks for your help anyway.
>
> I wish you a nice day,
>
> Peter
>
>
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba
>
>
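An added example, not part of any post in this thread: a Python check of the `idmap config` lines in a member-server smb.conf, run on the idmap part of the [global] section posted above (embedded as a constructed sample). It reports `idmap config` lines that are not `name = value` assignments, a default (`*`) domain without backend or range, and overlapping ranges; the function names are this example's own, not Samba's.

```python
import re
from itertools import combinations

# Constructed sample: the idmap part of the [global] section posted in the thread.
SAMPLE = """\
[global]
    workgroup = KONSTRUKCE
    security = ADS
    realm = KONSTRUKCE.LOCAL

    idmap config * : backend = tdb
    idmap config * : range 3000-9999
    idmap config KONSTRUKCE:backend = rid
    idmap config KONSTRUKCE:range = 10000-99999
"""

# "idmap config <domain> : <option>" on the left-hand side of the "=".
IDMAP_NAME = re.compile(r"idmap\s+config\s+(\S+?)\s*:\s*(\w[\w ]*)", re.I)


def parse_idmap(text):
    """Return ({domain: {option: value}}, [(lineno, line)] of malformed lines)."""
    domains, malformed = {}, []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line.lower().startswith("idmap config"):
            continue  # comments, section headers and other parameters
        name, sep, value = line.partition("=")
        match = IDMAP_NAME.fullmatch(name.strip())
        if not sep or not match:
            malformed.append((lineno, line))
            continue
        domain, option = match.group(1).upper(), match.group(2).lower()
        domains.setdefault(domain, {})[option] = value.strip()
    return domains, malformed


def parse_range(value):
    """Parse 'low-high' into a tuple, or None if it is not a valid range."""
    match = re.fullmatch(r"(\d+)\s*-\s*(\d+)", value)
    if not match:
        return None
    low, high = int(match.group(1)), int(match.group(2))
    return (low, high) if low <= high else None


def check_idmap(text):
    """Return a list of findings; an empty list means the idmap lines look sane."""
    domains, malformed = parse_idmap(text)
    findings = [f"line {n}: not a 'name = value' assignment: {line}"
                for n, line in malformed]
    for option in ("backend", "range"):
        if option not in domains.get("*", {}):
            findings.append(f"default domain '*' has no {option}")
    ranges = []
    for domain, options in sorted(domains.items()):
        if "range" not in options:
            if domain != "*":
                findings.append(f"domain {domain} has no range")
            continue
        parsed = parse_range(options["range"])
        if parsed is None:
            findings.append(f"domain {domain}: bad range {options['range']!r}")
        else:
            ranges.append((parsed, domain))
    # Sorted by lower bound, two ranges overlap when the later one starts
    # at or below the earlier one's upper bound.
    for (r1, d1), (r2, d2) in combinations(sorted(ranges), 2):
        if r2[0] <= r1[1]:
            findings.append(f"ranges of {d1} and {d2} overlap")
    return findings


if __name__ == "__main__":
    for finding in check_idmap(SAMPLE):
        print(finding)
```
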