getent group is not working in an openSUSE 13.1 member server for an Active
Directory Samba 4 domain.
wbinfo -u, wbinfo -g, wbinfo -t and getent passwd | grep SIENIC are working;
these are my configuration files and the output of the commands.
Note: the domain controller has Samba installed from source (4.1.11), the member
server has the distro packages installed (4.1.0).
blue25:/home/SIENIC/administrator # wbinfo -u
SIENIC\administrator
SIENIC\dns-server01
SIENIC\krbtgt
SIENIC\guest
blue25:/home/SIENIC/administrator # wbinfo -g
SIENIC\allowed rodc password replication group
SIENIC\enterprise read-only domain controllers
SIENIC\denied rodc password replication group
SIENIC\read-only domain controllers
SIENIC\group policy creator owners
SIENIC\ras and ias servers
SIENIC\domain controllers
SIENIC\enterprise admins
SIENIC\domain computers
SIENIC\cert publishers
SIENIC\dnsupdateproxy
SIENIC\domain admins
SIENIC\domain guests
SIENIC\schema admins
SIENIC\domain users
SIENIC\dnsadmins
blue25:/home/SIENIC/administrator # wbinfo -t
checking the trust secret for domain SIENIC via RPC calls succeeded
blue25:/home/SIENIC/administrator # getent passwd | grep SIENIC
SIENIC\administrator:*:10000:10004:Administrator:/home/SIENIC/administrator:/bin/bash
SIENIC\dns-server01:*:10001:10004:dns-server01:/home/SIENIC/dns-server01:/bin/bash
SIENIC\krbtgt:*:10002:10004:krbtgt:/home/SIENIC/krbtgt:/bin/bash
SIENIC\guest:*:10003:10011:Guest:/home/SIENIC/guest:/bin/bash
blue25:/home/SIENIC/administrator # getent group | grep SIENIC
blue25:/home/SIENIC/administrator # getent group

/etc/nsswitch.conf

#
# /etc/nsswitch.conf
#
# An example Name Service Switch config file. This file should be
# sorted with the most-used services at the beginning.
#
# The entry '[NOTFOUND=return]' means that the search for an
# entry should stop if the search in the previous entry turned
# up nothing. Note that if the search failed due to some other reason
# (like no NIS server responding) then the search continues with the
# next entry.
#
# Legal entries are:
#
# compat Use compatibility setup
# nisplus Use NIS+ (NIS version 3)
# nis Use NIS (NIS version 2), also called YP
# dns Use DNS (Domain Name Service)
# files Use the local files
# [NOTFOUND=return] Stop searching if not found so far
#
# For more information, please read the nsswitch.conf.5 manual page.
#
# passwd: files nis
# shadow: files nis
# group: files nis
passwd: compat winbind
group: compat winbind
hosts: files mdns_minimal [NOTFOUND=return] dns
networks: files dns
services: files
protocols: files
rpc: files
ethers: files
netmasks: files
netgroup: files nis
publickey: files
bootparams: files
automount: files nis
aliases: files

/etc/krb5

[libdefaults]
default_realm = SIENIC.SITE
clockskew = 300
# default_realm = EXAMPLE.COM
[realms]
SIENIC.SITE = {
kdc = server01.sienic.site
default_domain = sienic.site
admin_server = server01.sienic.site
}
# EXAMPLE.COM = {
# kdc = kerberos.example.com
# admin_server = kerberos.example.com
# }
[logging]
kdc = FILE:/var/log/krb5/krb5kdc.log
admin_server = FILE:/var/log/krb5/kadmind.log
default = SYSLOG:NOTICE:DAEMON
[domain_realm]
.sienic.site = SIENIC.SITE
[appdefaults]
pam = {
ticket_lifetime = 1d
renew_lifetime = 1d
forwardable = true
proxiable = false
minimum_uid = 1
}

/etc/samba/smb.conf

[global]
workgroup = SIENIC
passdb backend = tdbsam
printing = cups
printcap name = cups
printcap cache time = 750
cups options = raw
map to guest = Bad User
include = /etc/samba/dhcp.conf
logon path = \\%L\profiles\.msprofile
logon home = \\%L\%U\.9xprofile
logon drive = P:
usershare allow guests = No
#idmap gid = 10000-20000
#idmap uid = 10000-20000
kerberos method = secrets and keytab
realm = SIENIC.SITE
security = ADS
template homedir = /home/%D/%U
template shell = /bin/bash
usershare max shares = 100
winbind offline logon = yes
winbind refresh tickets = yes
vfs objects = acl_xattr
map acl inherit = yes
store dos attributes = yes
idmap config *:range = 50000-60000
idmap config SIENIC:backend = ad
idmap config SIENIC:schema_mode = rfc2307
idmap config SIENIC:range = 10000-20000
winbind enum users = yes
winbind enum groups = yes

Thanks
On 27/08/14 19:39, Eduardo Sotomayor wrote:
> getent group is not working in an opensuse 13.1 member server for an active directory samba 4 domain

Hi, does 'getent group Domain\ Users' produce a result? I think that you will find it does. Welcome to the wonderful world of Samba ;-)

'getent group' will only display the groups if you give all the groups in AD a gidNumber, but 'getent group <groupname>' will display the info for the group if it has a gidNumber.

Rowland
On Wed, 2014-08-27 at 18:39 +0000, Eduardo Sotomayor wrote:
> getent group is not working

In your configuration, getent group will only work if your groups have gidNumber in the range 10000 - 20000. Many here make do with: getent group <group> instead or just don't use winbind.

HTH,
Steve
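Both Rowland's and Steve's replies come down to the same check: with "idmap config SIENIC:backend = ad" and "schema_mode = rfc2307", winbind only maps a group whose AD object carries a gidNumber inside the configured range, and "getent group" silently skips every other group even with "winbind enum groups = yes". The script below is an added example written for this thread, not code from the poster, the repliers or the Samba project. It assumes the range from the poster's smb.conf (10000-20000) and runs on a constructed sample of group/gid pairs; the 10004 for Domain Users is taken from the primary GID shown in the poster's "getent passwd" output, the other values are made up to show each way a group can fail to enumerate. On a real member server the commented pipeline at the end replaces the sample with live "wbinfo -g" and "getent group <name>" output.

```sh
#!/bin/sh
# Added example, not part of the thread. Classifies AD groups by whether
# winbind's rfc2307 idmap can map them, which is what decides whether they
# show up in "getent group".
#
# Assumed from the poster's smb.conf: idmap config SIENIC:range = 10000-20000
RANGE_LOW=10000
RANGE_HIGH=20000

# classify_group NAME GID
# Prints one of: ok | no-gidnumber | out-of-range | bad-gid
classify_group() {
    gid=$2
    if [ -z "$gid" ]; then
        # no gidNumber attribute in AD: winbind cannot map it with backend = ad
        echo no-gidnumber
        return 0
    fi
    case $gid in
        *[!0-9]*) echo bad-gid; return 0 ;;
    esac
    if [ "$gid" -lt "$RANGE_LOW" ] || [ "$gid" -gt "$RANGE_HIGH" ]; then
        # gidNumber exists but lies outside "idmap config SIENIC:range"
        echo out-of-range
    else
        echo ok
    fi
}

# count_unmapped
# Reads "name:gid" lines on stdin (gid may be empty), prints one report line
# per group on stderr and, on stdout, the number of groups that
# "getent group" will NOT enumerate.
count_unmapped() {
    bad=0
    while IFS=: read -r name gid; do
        [ -n "$name" ] || continue
        status=$(classify_group "$name" "$gid")
        printf '%-45s %-6s %s\n' "$name" "${gid:--}" "$status" >&2
        [ "$status" = ok ] || bad=$((bad + 1))
    done
    echo "$bad"
}

# lookup_group NAME
# Asks NSS (files + winbind) for the group's gid; the gid field is empty when
# winbind has no mapping, which is exactly the "getent group <name>" test
# Rowland suggests.
lookup_group() {
    gid=$(getent group "$1" 2>/dev/null | cut -d: -f3)
    printf '%s:%s\n' "$1" "$gid"
}

# Constructed sample standing in for live wbinfo/getent output.
# 10004 is the primary GID from the poster's getent passwd lines; the rest
# are invented to show each failure mode.
SAMPLE_GROUPS='SIENIC\domain users:10004
SIENIC\domain admins:
SIENIC\cert publishers:50001
SIENIC\dnsadmins:abc'

# On a real member server run this instead of the sample:
#   wbinfo -g | while read -r g; do lookup_group "$g"; done | count_unmapped
printf '%s\n' "$SAMPLE_GROUPS" | count_unmapped
```

Run as is, the sample reports three unmapped groups: one without a gidNumber, one whose gidNumber is outside 10000-20000, and one with a non-numeric value. Any group that comes out as anything but "ok" is a group that "wbinfo -g" lists (that call goes straight to the DC and needs no idmap) but "getent group" never shows, which matches the symptom in the original post; the fix is on the AD side, giving those groups a gidNumber in the configured range, not in nsswitch.conf.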
Hi!

I think I'm facing the very same problem... "getent group" does not show AD groups but, I still can, for example, use "chmod :"domain users" /srv/tmp" as usual. No idea about what's going on...

Nevertheless, it is on my todo list to replace Winbind for something more robust, maybe `nss-ldap-pam` (http://arthurdejong.org/nss-pam-ldapd/)...

Best,
Thiago

On 27 August 2014 15:39, Eduardo Sotomayor <easgs at hotmail.com> wrote:
> getent group is not working in an opensuse 13.1 member server for an
> active directory samba 4 domain
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba