samba - Oct 2018 - getent not showing domain users and groups with winbind but works with sssd

Hai, 

If you read the post on the debian bug list. 
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=909465 
You wil seen the workaround also, thats tested and works. 

And I also suggest you adjest the startup order and to adjust your systemd
settings is shown here.

Use : systemct edit name_of_service.service 
This creates and override file in
/etc/systemd/system/servicename.d/override.conf

If you want a full copy of the service file and edit that. 
Use : systemct edit --full name_of_service.service 
That wil be placed in /etc/systemd/system/ 
 
Editing this way, you wont get messages/questions when upgrading and your
settins are in /etc/systemd
The system systems are in /lib/systemd

Currently im testing the following settings. 

# /etc/systemd/system/smbd.service.d/override.conf
Wants=network.target
After=network.target nmbd.service


# /etc/systemd/system/winbind.service.d/override.conf
Wants=network-online.target
After=network.target network-online.target smbd.service

And Nmbd does not need adjustments. 


But dont forget to install conform these steps. A few workarounds to make it
work.
 
install a stand-alone server.
apt-get install samba 
 
Next, to avoid the problem run : 
net groupmap add sid=S-1-5-32-546 unixgroup=nobody type=builtin 
 
or define the idmap in smb.conf

idmap config * : backend = tdb
idmap config * : range = 3000-7999 

Now you can install winbind also, if you dont need winbind, then the bug does
not show.

As of this point you can configure everything as usual. 


Greetz, 

Louis




> -----Oorspronkelijk bericht-----
> Van: samba [mailto:samba-bounces at lists.samba.org] Namens 
> Peter Milesson via samba
> Verzonden: maandag 1 oktober 2018 13:28
> Aan: samba at lists.samba.org
> Onderwerp: Re: [Samba] getent not showing domain users and 
> groups with winbind but works with sssd
> 
> 
> On 10/1/18 1:10 PM, Rowland Penny via samba wrote:
> > On Mon, 1 Oct 2018 12:13:58 +0200
> > Peter Milesson <miles at atmos.eu> wrote:
> >
> >>> You are now hitting a bug in 4.9.1 that was discovered 
> last week by
> >>> Louis Van Belle. It seems to be an interaction between Samba
and
> >>> systemd, I say this because it doesn't affect me on
Devuan.
> >>>
> >>> Rowland
> >> Hi Rowland,
> >>
> >> I'm using the standard CentOS Samba packages. The current
Samba
> >> version is 4.7.1. The server is 4.9.1, however.
> >>
> > Hmm, I wonder if this has been going on for sometime ?
> >
> > As I said, I don't get this error and the Samba daemons are 
> started in
> > this order:
> > smbd
> > nmbd
> > winbind
> >
> >  From the debian bug report by Louis, there is this
> > in /lib/systemd/system/smbd.service:
> >
> > After=network.target network-online.target nmbd.service 
> winbind.service
> >
> > Which from my (limited) knowledge of systemd, means 'smbd' 
> will only be
> > started after 'nmbd' & 'winbind'. This, in my
opinion, is
> totally wrong.
> >
> > If your version of the file is the same, try removing 
> 'winbind.service'
> > and see if this helps.
> >
> > Rowland
> >
> Hi Rowland,
> 
> Order does not seem to be important. I have tried to start 
> the daemons 
> manually in different order. Does not help.
> 
> As the self compiled AD DC works beautifully, I'll wipe the 
> installation 
> and compile Samba myself from the 4.9.1 sources. Being lazy and 
> installing what's thrown at you evidently didn't pay off in this
case.
> 
> Thanks for your help anyway.
> 
> I wish you a nice day,
> 
> Peter
> 
> 
> 
> -- 
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba
> 
>

Hi Louis and Rowland,

I'm just reporting back on this, in case it may help somebody else.

Getting a working getent (or id) under the current version of CentOS 
with winbind just doesn't seems possible. I haven't got a clue where the
problem is. I have tried the suggestions, I did a clean installation, 
and built Samba myself from source, but no way. Installing sssd, a few 
lines of configuration, disabling winbind, and it just works. I just 
want to stress, that the problems I have had getting the Samba domain 
member to work, are most probably CentOS-related.

Unfortunately, I must leave it at this point, as I have spent way too 
much time already. At least I'm glad that I didn't upgrade the 
production server directly, and instead spent time trying to get things 
to work in the test environment. Otherwise there would have been tar and 
feathers at noon today.

A sincere thank you for your time and suggestions.

Peter



On 01.10.2018 13:40, L.P.H. van Belle via samba wrote:
> Hai,
>
> If you read the post on the debian bug list.
> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=909465
> You wil seen the workaround also, thats tested and works.
>
> And I also suggest you adjest the startup order and to adjust your systemd
settings is shown here.
>
> Use : systemct edit name_of_service.service
> This creates and override file in
/etc/systemd/system/servicename.d/override.conf
>
> If you want a full copy of the service file and edit that.
> Use : systemct edit --full name_of_service.service
> That wil be placed in /etc/systemd/system/
>   
> Editing this way, you wont get messages/questions when upgrading and your
settins are in /etc/systemd
> The system systems are in /lib/systemd
>
> Currently im testing the following settings.
>
> # /etc/systemd/system/smbd.service.d/override.conf
> Wants=network.target
> After=network.target nmbd.service
>
>
> # /etc/systemd/system/winbind.service.d/override.conf
> Wants=network-online.target
> After=network.target network-online.target smbd.service
>
> And Nmbd does not need adjustments.
>
>
> But dont forget to install conform these steps. A few workarounds to make
it work.
>   
> install a stand-alone server.
> apt-get install samba
>   
> Next, to avoid the problem run :
> net groupmap add sid=S-1-5-32-546 unixgroup=nobody type=builtin
>   
> or define the idmap in smb.conf
>
> idmap config * : backend = tdb
> idmap config * : range = 3000-7999
>
> Now you can install winbind also, if you dont need winbind, then the bug
does not show.
>
> As of this point you can configure everything as usual.
>
>
> Greetz,
>
> Louis
>
>
>
>
>
>> -----Oorspronkelijk bericht-----
>> Van: samba [mailto:samba-bounces at lists.samba.org] Namens
>> Peter Milesson via samba
>> Verzonden: maandag 1 oktober 2018 13:28
>> Aan: samba at lists.samba.org
>> Onderwerp: Re: [Samba] getent not showing domain users and
>> groups with winbind but works with sssd
>>
>>
>> On 10/1/18 1:10 PM, Rowland Penny via samba wrote:
>>> On Mon, 1 Oct 2018 12:13:58 +0200
>>> Peter Milesson <miles at atmos.eu> wrote:
>>>
>>>>> You are now hitting a bug in 4.9.1 that was discovered
>> last week by
>>>>> Louis Van Belle. It seems to be an interaction between
Samba and
>>>>> systemd, I say this because it doesn't affect me on
Devuan.
>>>>>
>>>>> Rowland
>>>> Hi Rowland,
>>>>
>>>> I'm using the standard CentOS Samba packages. The current
Samba
>>>> version is 4.7.1. The server is 4.9.1, however.
>>>>
>>> Hmm, I wonder if this has been going on for sometime ?
>>>
>>> As I said, I don't get this error and the Samba daemons are
>> started in
>>> this order:
>>> smbd
>>> nmbd
>>> winbind
>>>
>>>   From the debian bug report by Louis, there is this
>>> in /lib/systemd/system/smbd.service:
>>>
>>> After=network.target network-online.target nmbd.service
>> winbind.service
>>> Which from my (limited) knowledge of systemd, means 'smbd'
>> will only be
>>> started after 'nmbd' & 'winbind'. This, in my
opinion, is
>> totally wrong.
>>> If your version of the file is the same, try removing
>> 'winbind.service'
>>> and see if this helps.
>>>
>>> Rowland
>>>
>> Hi Rowland,
>>
>> Order does not seem to be important. I have tried to start
>> the daemons
>> manually in different order. Does not help.
>>
>> As the self compiled AD DC works beautifully, I'll wipe the
>> installation
>> and compile Samba myself from the 4.9.1 sources. Being lazy and
>> installing what's thrown at you evidently didn't pay off in
this case.
>>
>> Thanks for your help anyway.
>>
>> I wish you a nice day,
>>
>> Peter
>>
>>
>>
>> -- 
>> To unsubscribe from this list go to the following URL and read the
>> instructions:  https://lists.samba.org/mailman/options/samba
>>
>>
>

On Mon, 1 Oct 2018 19:28:29 +0200
Peter Milesson via samba <samba at lists.samba.org> wrote:
> Hi Louis and Rowland,
> 
> I'm just reporting back on this, in case it may help somebody else.
> 
> Getting a working getent (or id) under the current version of CentOS 
> with winbind just doesn't seems possible. I haven't got a clue
where
> the problem is. I have tried the suggestions, I did a clean
> installation, and built Samba myself from source, but no way.
> Installing sssd, a few lines of configuration, disabling winbind, and
> it just works. I just want to stress, that the problems I have had
> getting the Samba domain member to work, are most probably
> CentOS-related.
> 
> Unfortunately, I must leave it at this point, as I have spent way too 
> much time already. At least I'm glad that I didn't upgrade the 
> production server directly, and instead spent time trying to get
> things to work in the test environment. Otherwise there would have
> been tar and feathers at noon today.
> 
> A sincere thank you for your time and suggestions.
> 
OK, it is your decision (and I don't blame you for your choice) to use
sssd, but I feel I should point out that using wimbind does work on
Centos 7.1.

I had Centos 7 in a VM, so I started it, updated it and installed the
centos Samba packages (by the way, who thought that it was a good idea
to call 'winbind' 'samba-winbind' ?). Installed a copy of a
known
working smb.conf from a Devuan machine. I should mention that the
Centos VM was previously running a compiled version Samba, so
most of the set up was already done (This set up was based on what I do
for Devuan).

And........

[root at cen1804 ~]# getent passwd rowland
rowland:*:10000:10000:Rowland Penny:/home/rowland:/bin/bash

[root at cen1804 ~]# getent group domain\ users
domain users:x:10000:......long list of users

There is undoubtedly something different between your setup and mine.

Rowland