Hi all, a PC was correctly joined to a domain but offline logon wasn't working, so then I have tried to get authentication and NSS using SSSD, but I failed to correctly configure the logon. Then I read a message on this list that says SSSD doesn't work on Samba >= 4.8. The Samba installed is 4.12, so I have followed this guide[1] to reconfigure the PC again using winbind instead of SSSD. All seems to work until 8.2 "Using Domain Accounts and Groups in Operating System". In other words winbind can find users and groups but getent doesn't show user or group information. For example getent group "DOMINIOCSA\\Domain Users" shows nothing.

This is the smb.conf:

> [global]
> dedicated keytab file = /etc/krb5.keytab
> disable spoolss = Yes
> kerberos method = secrets and keytab
> load printers = No
> log file = /var/log/samba/%m.log
> printcap name = /dev/null
> realm = AD.CSARICERCHE.COM
> security = ADS
> template shell = /bin/bash
> winbind refresh tickets = Yes
> workgroup = DOMINIOCSA
> idmap config dominiocsa:unix_primary_group = yes
> idmap config dominiocsa:unix_nss_info = no
> idmap config dominiocsa:range = 10000-999999
> idmap config dominiocsa:schema_mode = rfc2307
> idmap config dominiocsa:backend = ad
> idmap config * : range = 3000-7999
> idmap config * : backend = tdb
> map acl inherit = Yes
> printing = bsd
> vfs objects = acl_xattr

This is /etc/nsswitch.conf:

> passwd: files winbind
> group: files winbind
> shadow: files
>
> hosts: files mdns4_minimal [NOTFOUND=return] dns mdns4
> networks: files
>
> protocols: db files
> services: db files
> ethers: db files
> rpc: db files
>
> netgroup: nis

Can someone help me find a way to have getent query AD remote users and groups correctly?

I forgot to say that the PC is a Debian bullseye.

Thank you very much

Piviul

[1] https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member
On 25/11/2020 09:36, Piviul via samba wrote:
> Hi all, a PC was correctly joined to a domain but offline logon wasn't
> working, so then I have tried to get authentication and NSS using SSSD,
> but I failed to correctly configure the logon. Then I read a message on
> this list that says SSSD doesn't work on Samba >= 4.8. The Samba
> installed is 4.12, so I have followed this guide[1] to reconfigure
> the PC again using winbind instead of SSSD. All seems to work until
> 8.2 "Using Domain Accounts and Groups in Operating System". In other
> words winbind can find users and groups but getent doesn't show user
> or group information. For example getent group "DOMINIOCSA\\Domain
> Users" shows nothing.
>
> Can someone help me find a way to have getent query AD remote users
> and groups correctly?
>
> I forgot to say that the PC is a Debian bullseye.

You are using the winbind 'ad' backend, so have you given your users a uidNumber attribute containing a unique number inside the '10000-999999' range AND given them a gidNumber containing a valid group gidNumber? Failing the latter, does Domain Users have a gidNumber attribute?

Rowland
On Wed, 2020-11-25 at 10:15 +0000, Rowland penny via samba wrote:
> On 25/11/2020 09:36, Piviul via samba wrote:
> > Hi all, a PC was correctly joined to a domain but offline logon wasn't
> > working, so then I have tried to get authentication and NSS using SSSD,
> > but I failed to correctly configure the logon. Then I read a message on
> > this list that says SSSD doesn't work on Samba >= 4.8. The Samba
> > installed is 4.12, so I have followed this guide[1] to reconfigure
> > the PC again using winbind instead of SSSD. All seems to work until
> > 8.2 "Using Domain Accounts and Groups in Operating System". In other
> > words winbind can find users and groups but getent doesn't show user
> > or group information. For example getent group "DOMINIOCSA\\Domain
> > Users" shows nothing.
> >
> > Can someone help me find a way to have getent query AD remote users
> > and groups correctly?
> >
> > I forgot to say that the PC is a Debian bullseye.
>
> You are using the winbind 'ad' backend, so have you given your users a
> uidNumber attribute containing a unique number inside the '10000-999999'
> range AND given them a gidNumber containing a valid group gidNumber?
> Failing the latter, does Domain Users have a gidNumber attribute?
>
> Rowland
>

As well as allocating UIDs/GIDs you might investigate the rid backend.

Also, you will probably want these settings:

[global]
winbind enum users = yes
winbind enum groups = yes

... and perhaps these or something similar:

winbind expand groups = 2
winbind use default domain = yes

Cheers

Jon
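The two replies above make one diagnostic point between them: with `idmap config ... : backend = ad`, winbind only hands a user to NSS when the user object carries a uidNumber inside the configured range and its primary group (with `unix_primary_group = yes`) carries a gidNumber, whereas the `rid` backend derives both IDs from the RID and needs no attributes. The script below is an added example, not code from this thread or from Samba: it parses the `idmap config` lines of an smb.conf excerpt and applies a simplified model of idmap_ad and idmap_rid (the real backends also consult `schema_mode`, `unix_nss_info`, and the `*` default domain, none of which is modelled) to constructed AD objects, reporting why `getent` would show nothing. The user and group records, and the `base_rid` handling, are assumptions for illustration.

```python
import re

# Constructed smb.conf excerpts: the first mirrors the thread's 'ad' backend
# setup, the second is the same domain switched to the 'rid' backend.
SMB_CONF_AD = """
[global]
   workgroup = DOMINIOCSA
   idmap config dominiocsa:unix_primary_group = yes
   idmap config dominiocsa:unix_nss_info = no
   idmap config dominiocsa:range = 10000-999999
   idmap config dominiocsa:schema_mode = rfc2307
   idmap config dominiocsa:backend = ad
   idmap config * : range = 3000-7999
   idmap config * : backend = tdb
"""
SMB_CONF_RID = """
[global]
   workgroup = DOMINIOCSA
   idmap config dominiocsa:range = 10000-999999
   idmap config dominiocsa:backend = rid
   idmap config * : range = 3000-7999
   idmap config * : backend = tdb
"""

IDMAP_RE = re.compile(r"^\s*idmap config\s+([^\s:]+)\s*:\s*(\w+)\s*=\s*(.+?)\s*$", re.I)

def parse_idmap(conf):
    """Collect 'idmap config DOMAIN : option = value' lines into
    {domain (lower-case): {option: value}}."""
    cfg = {}
    for line in conf.splitlines():
        m = IDMAP_RE.match(line)
        if m:
            cfg.setdefault(m.group(1).lower(), {})[m.group(2).lower()] = m.group(3)
    return cfg

def resolve_user(conf, user, groups):
    """Return ((uid, gid), reason), or (None, reason) when winbind would give
    NSS nothing, which is what an empty 'getent passwd'/'getent group' shows.
    Simplified model of idmap_ad and idmap_rid (assumption, not Samba code)."""
    cfg = parse_idmap(conf)
    dom = user["domain"].lower()
    if dom not in cfg:
        return None, f"no 'idmap config {dom}' block, only the '*' default"
    backend = cfg[dom]["backend"].lower()
    lo, hi = (int(x) for x in cfg[dom]["range"].split("-"))
    group = groups.get(user["primaryGroupID"], {})

    if backend == "ad":
        uid = user.get("uidNumber")
        if uid is None:
            return None, "user has no uidNumber attribute"
        if not lo <= uid <= hi:
            return None, f"uidNumber {uid} outside range {lo}-{hi}"
        # unix_primary_group = yes takes the gid from the group object named by
        # primaryGroupID; otherwise the user's own gidNumber attribute is used.
        if cfg[dom].get("unix_primary_group", "no").lower() == "yes":
            gid, owner = group.get("gidNumber"), f"primary group '{group.get('name', '?')}'"
        else:
            gid, owner = user.get("gidNumber"), "user"
        if gid is None:
            return None, f"{owner} has no gidNumber attribute"
        if not lo <= gid <= hi:
            return None, f"gidNumber {gid} outside range {lo}-{hi}"
        return (uid, gid), "ok"

    if backend == "rid":
        # idmap_rid: ID = RID + base_rid + low end of the range; no AD attributes needed.
        base = int(cfg[dom].get("base_rid", "0"))
        uid, gid = lo + base + user["rid"], lo + base + user["primaryGroupID"]
        if uid > hi or gid > hi:
            return None, f"computed ID exceeds range high {hi}"
        return (uid, gid), "ok"
    return None, f"backend '{backend}' not modelled here"

# Constructed AD objects: one user whose primary group is Domain Users (RID 513).
GROUPS_OK = {513: {"name": "Domain Users", "gidNumber": 10000}}
GROUPS_NO_GID = {513: {"name": "Domain Users"}}
USER_OK = {"name": "piviul", "domain": "DOMINIOCSA", "rid": 1105,
           "primaryGroupID": 513, "uidNumber": 10001, "gidNumber": 10000}
USER_NO_UID = {k: v for k, v in USER_OK.items() if k != "uidNumber"}

if __name__ == "__main__":
    for label, conf, user, groups in [
        ("ad, all attributes set", SMB_CONF_AD, USER_OK, GROUPS_OK),
        ("ad, user lacks uidNumber", SMB_CONF_AD, USER_NO_UID, GROUPS_OK),
        ("ad, Domain Users lacks gidNumber", SMB_CONF_AD, USER_OK, GROUPS_NO_GID),
        ("rid, no attributes needed", SMB_CONF_RID, USER_NO_UID, GROUPS_NO_GID),
    ]:
        print(f"{label:34} -> {resolve_user(conf, user, groups)}")
```

Running it shows the third case, a user with a valid uidNumber whose Domain Users group has no gidNumber, fails exactly the way the thread describes, while the rid configuration maps the same user without any attributes. On a real member server the equivalent checks are `wbinfo -i 'DOMINIOCSA\user'` and `wbinfo --gid-info`, which report the backend's verdict directly.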