Guilherme Boing
2015-Oct-13 14:00 UTC
[Samba] Second DC doesn't recognize users/groups on getent
Hello Rowland,

I should also mention that Samba 4.3.0 was installed from tarball, I compiled it myself.

DC2 does not have the /var/lib/samba/private/sam.ldb file. Also it did not return any result on DC1.
However, using /usr/local/samba/private/sam.ldb, both DCs returned the same thing:

# returned 4 records
# 1 entries
# 3 referrals

I wonder why DC1 has the /var/lib/samba/private/sam.ldb file and DC2 does not.

Regarding the sssd issue, I am not really using sssd. sssd is not even running, I believe when I first installed Samba through yum, it installed itself there. Still, I have removed sss from nsswitch on both DCs.

On Tue, Oct 13, 2015 at 10:45 AM, Rowland Penny <rowlandpenny241155 at gmail.com> wrote:

> On 13/10/15 14:19, Guilherme Boing wrote:
>
>> Hello,
>>
>> I just realized that my second DC does not recognize the users from the AD.
>> wbinfo -u/-g are working just fine.
>>
>> [root at dc1 ~]# id bruno.castro
>> uid=10004(POL\bruno.castro) gid=100(users) grupos=100(users),10001(POL\ti),3000009(BUILTIN\users)
>>
>> [root at dc2 ~]# id bruno.castro
>> id: bruno.castro: no such user
>>
>> [root at dc1 ~]# wbinfo -i bruno.castro
>> POL\bruno.castro:*:10004:100:Bruno de Castro:/home/POL/bruno.castro:/bin/bash
>>
>> [root at dc2 ~]# wbinfo -i bruno.castro
>> POL\bruno.castro:*:10004:100:Bruno de Castro:/home/POL/bruno.castro:/bin/bash
>>
>> nsswitch.conf is fine, both DCs are like this:
>> passwd: files sss winbind
>> shadow: files sss winbind
>> group: files sss winbind
>>
>> smb.conf is the same on both DCs (except for the netbios name, where DC1 is DC1 and DC2 is DC2)
>> # Global parameters
>> [global]
>>         workgroup = POL
>>         realm = POLE.ONLINE
>>         netbios name = DC1
>>         server role = active directory domain controller
>>         dns forwarder = 192.168.22.180
>>         log level = 3
>>         template shell = /bin/bash
>>         idmap_ldb:use rfc2307 = yes
>>         allow dns updates = nonsecure
>>
>> [netlogon]
>>         path = /usr/local/samba/var/locks/sysvol/pole.online/scripts
>>         read only = No
>>
>> [sysvol]
>>         path = /usr/local/samba/var/locks/sysvol
>>         read only = No
>>
>> drs showrepl also does not prompt any error on both sides.
>>
>> What am I missing?
>> Not sure if it matters, but DC1 has 4 winbindd processes running while DC2 has only 3.
>> Also noticed from log.winbindd on DC1 that whenever I do 'id brunocastro', the system is properly asking winbindd for the user, while on DC2 it does not happen.
>>
>> Both DCs are running CentOS 7 and Samba 4.3.0.
>>
>
> Hi, does running this:
>
> ldbsearch -H /var/lib/samba/private/sam.ldb -b "dc=pole,dc=online" -s sub "(&(objectClass=user)(sAMAccountName=bruno.castro))"
>
> on both DCs, produce the same output?
> It should,
>
> Also, unless you are using sssd for sudo or autofs etc you do not need it in /etc/nsswitch.conf if you are also using winbind. As it is setup, sssd will respond before winbind, so this may not be a winbind problem, it could be an sssd problem.
>
> Rowland
>
> --
> To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
On Tue, 13 Oct 2015, Guilherme Boing wrote:

> I should also mention that Samba 4.3.0 was installed from tarball, I compiled it myself.
>
> DC2 does not have the /var/lib/samba/private/sam.ldb file. Also it did not return any result on DC1.
>
> I wonder why DC1 has the /var/lib/samba/private/sam.ldb file and DC2 does not.

If you compiled it yourself and didn't change the path, the default path for the private dir is /usr/local/samba/private. Most distributions/packagers use /var/lib/samba/private instead.

The only other thing beyond what's already been suggested to check that I can think of is to make sure /etc/hosts and /etc/resolv.conf are set up properly. Make sure your hostname points to your DNS IP and not 127.0.0.1 in /etc/hosts, and make sure /etc/resolv.conf points at your domain controllers' DNS. DC2 should point to DC1 as its first DNS server (and vice versa, once DC2 is working properly).
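The three host-file checks suggested in the two replies above (winbind not shadowed by another source in nsswitch.conf, the hostname not on a loopback line in /etc/hosts, the other DC as first nameserver in /etc/resolv.conf), as an added example that is not part of the thread or of Samba itself. It is a POSIX sh script that takes file paths as arguments so it can be pointed at copies or fixtures rather than the live /etc. The fixture files, the DC addresses 192.168.22.11/.12 and the hostname dc2 are constructed for the demo; the only address taken from the thread is the forwarder 192.168.22.180 from the posted smb.conf, used here as the wrong thing for a DC to list as its first nameserver.

```shell
#!/bin/sh
# Added example (not from the thread): pre-flight checks for a Samba DC's
# NSS and name-resolution files. Paths are passed in so the checks can run
# against fixtures; nothing here touches the real /etc.

# nss_order_check FILE DB
# 0 = winbind listed for DB and nothing but local sources precede it
# 1 = winbind missing;  2 = another network source (e.g. sss) answers first
nss_order_check() {
    file=$1; db=$2
    line=$(grep -E "^${db}:" "$file" | head -n1)
    [ -n "$line" ] || { echo "FAIL: no '$db:' line in $file"; return 1; }
    sources=${line#*:}
    seen_other=0
    for src in $sources; do
        case $src in
            winbind)
                if [ "$seen_other" -eq 1 ]; then
                    echo "WARN: $db: another network source answers before winbind:$sources"
                    return 2
                fi
                echo "OK: $db: winbind present and not shadowed"
                return 0 ;;
            files|compat) ;;        # local sources ahead of winbind are fine
            \[*) ;;                 # action tokens such as [notfound=return]
            *) seen_other=1 ;;
        esac
    done
    echo "FAIL: $db: winbind not listed in $file"
    return 1
}

# hosts_check FILE HOSTNAME: fail if HOSTNAME sits on a 127.x line, succeed
# only if it maps to a non-loopback address.
hosts_check() {
    file=$1; host=$2
    if awk -v h="$host" '$1 ~ /^127\./ { for (i=2;i<=NF;i++) if ($i==h) found=1 } END { exit !found }' "$file"; then
        echo "FAIL: $host maps to a loopback address in $file"
        return 1
    fi
    if awk -v h="$host" '$1 !~ /^127\./ && $1 != "::1" { for (i=2;i<=NF;i++) if ($i==h) found=1 } END { exit !found }' "$file"; then
        echo "OK: $host maps to a routable address in $file"
        return 0
    fi
    echo "FAIL: $host not found in $file"
    return 1
}

# resolv_check FILE PEER_IP: the first nameserver must be the other DC.
resolv_check() {
    file=$1; peer=$2
    first=$(awk '$1=="nameserver" { print $2; exit }' "$file")
    if [ "$first" = "$peer" ]; then
        echo "OK: first nameserver in $file is the other DC ($peer)"
        return 0
    fi
    echo "FAIL: first nameserver in $file is '${first:-none}', expected $peer"
    return 1
}

# run_all DIR PEER_IP: run every check on DIR/{nsswitch.conf,hosts,resolv.conf};
# the return value is the number of failing checks.
run_all() {
    dir=$1; peer=$2; fails=0
    for db in passwd group; do
        nss_order_check "$dir/nsswitch.conf" "$db" || fails=$((fails+1))
    done
    hosts_check "$dir/hosts" dc2 || fails=$((fails+1))
    resolv_check "$dir/resolv.conf" "$peer" || fails=$((fails+1))
    return $fails
}

# build_samples DIR: constructed fixtures. "bad" mirrors the thread's original
# nsswitch order plus the two mistakes Sketch warns about; "good" is the fix.
build_samples() {
    dir=$1
    mkdir -p "$dir/bad" "$dir/good"
    printf 'passwd: files sss winbind\nshadow: files sss winbind\ngroup: files sss winbind\n' > "$dir/bad/nsswitch.conf"
    printf '127.0.0.1 localhost dc2.pole.online dc2\n' > "$dir/bad/hosts"
    printf 'search pole.online\nnameserver 192.168.22.180\n' > "$dir/bad/resolv.conf"
    printf 'passwd: files winbind\nshadow: files winbind\ngroup: files winbind\n' > "$dir/good/nsswitch.conf"
    printf '127.0.0.1 localhost\n192.168.22.12 dc2.pole.online dc2\n' > "$dir/good/hosts"
    printf 'search pole.online\nnameserver 192.168.22.11\nnameserver 192.168.22.12\n' > "$dir/good/resolv.conf"
}

tmp=$(mktemp -d); build_samples "$tmp"
run_all "$tmp/bad" 192.168.22.11 || echo "bad fixture: $? failing check(s)"
run_all "$tmp/good" 192.168.22.11 && echo "good fixture: all checks pass"
rm -rf "$tmp"
```

On a real DC you would call the functions against /etc/nsswitch.conf, /etc/hosts and /etc/resolv.conf with the peer DC's address; a non-zero return from any one of them is the line to fix before looking further at winbind.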
mathias dufresne
2015-Oct-13 14:15 UTC
[Samba] Second DC doesn't recognize users/groups on getent
No /var/lib/samba/private/sam.ldb -> you should have forgotten to perform the samba-tool domain join command. No?

2015-10-13 16:00 GMT+02:00 Guilherme Boing <kolt+samba at frag.com.br>:

> Hello Rowland,
>
> I should also mention that Samba 4.3.0 was installed from tarball, I compiled it myself.
>
> DC2 does not have the /var/lib/samba/private/sam.ldb file. Also it did not return any result on DC1.
> However, using /usr/local/samba/private/sam.ldb, both DCs returned the same thing:
>
> # returned 4 records
> # 1 entries
> # 3 referrals
>
> I wonder why DC1 has the /var/lib/samba/private/sam.ldb file and DC2 does not.
>
> Regarding the sssd issue, I am not really using sssd. sssd is not even running, I believe when I first installed Samba through yum, it installed itself there. Still, I have removed sss from nsswitch on both DCs.
>
> On Tue, Oct 13, 2015 at 10:45 AM, Rowland Penny <rowlandpenny241155 at gmail.com> wrote:
>
> > On 13/10/15 14:19, Guilherme Boing wrote:
> >
> >> Hello,
> >>
> >> I just realized that my second DC does not recognize the users from the AD.
> >> wbinfo -u/-g are working just fine.
> >>
> >> [root at dc1 ~]# id bruno.castro
> >> uid=10004(POL\bruno.castro) gid=100(users) grupos=100(users),10001(POL\ti),3000009(BUILTIN\users)
> >>
> >> [root at dc2 ~]# id bruno.castro
> >> id: bruno.castro: no such user
> >>
> >> [root at dc1 ~]# wbinfo -i bruno.castro
> >> POL\bruno.castro:*:10004:100:Bruno de Castro:/home/POL/bruno.castro:/bin/bash
> >>
> >> [root at dc2 ~]# wbinfo -i bruno.castro
> >> POL\bruno.castro:*:10004:100:Bruno de Castro:/home/POL/bruno.castro:/bin/bash
> >>
> >> nsswitch.conf is fine, both DCs are like this:
> >> passwd: files sss winbind
> >> shadow: files sss winbind
> >> group: files sss winbind
> >>
> >> smb.conf is the same on both DCs (except for the netbios name, where DC1 is DC1 and DC2 is DC2)
> >> # Global parameters
> >> [global]
> >>         workgroup = POL
> >>         realm = POLE.ONLINE
> >>         netbios name = DC1
> >>         server role = active directory domain controller
> >>         dns forwarder = 192.168.22.180
> >>         log level = 3
> >>         template shell = /bin/bash
> >>         idmap_ldb:use rfc2307 = yes
> >>         allow dns updates = nonsecure
> >>
> >> [netlogon]
> >>         path = /usr/local/samba/var/locks/sysvol/pole.online/scripts
> >>         read only = No
> >>
> >> [sysvol]
> >>         path = /usr/local/samba/var/locks/sysvol
> >>         read only = No
> >>
> >> drs showrepl also does not prompt any error on both sides.
> >>
> >> What am I missing?
> >> Not sure if it matters, but DC1 has 4 winbindd processes running while DC2 has only 3.
> >> Also noticed from log.winbindd on DC1 that whenever I do 'id brunocastro', the system is properly asking winbindd for the user, while on DC2 it does not happen.
> >>
> >> Both DCs are running CentOS 7 and Samba 4.3.0.
> >>
> >
> > Hi, does running this:
> >
> > ldbsearch -H /var/lib/samba/private/sam.ldb -b "dc=pole,dc=online" -s sub "(&(objectClass=user)(sAMAccountName=bruno.castro))"
> >
> > on both DCs, produce the same output?
> > It should,
> >
> > Also, unless you are using sssd for sudo or autofs etc you do not need it in /etc/nsswitch.conf if you are also using winbind. As it is setup, sssd will respond before winbind, so this may not be a winbind problem, it could be an sssd problem.
> >
> > Rowland
Guilherme Boing
2015-Oct-13 14:27 UTC
[Samba] Second DC doesn't recognize users/groups on getent
Yup, compiled it myself and did not change the path.

The query to the ldb returned the same thing on both DC1 and DC2.

DNS and /etc/hosts are also fine, DC1 dns points to DC2 and DC2 to DC1.

Everything seems to be completely fine... I was looking into this issue because I was doing the sysvol replication and noticed that the sysvol path had a '3000000' as the group owner on DC2, where on DC1 3000000 translates to 'BUILTIN\administrators'.

DC1:
drwxrwx---+ 3 root BUILTIN\administrators 31 Ago 24 08:01 sysvol

DC2:
drwxrwx---+ 3 root 3000000 31 Aug 24 08:02 sysvol

(SELinux is disabled btw)

Not sure if this is going to break anything or not.

@mathias, I didn't forget to join, otherwise the DC wouldn't work. The DC2 *seems* to be working just fine. showrepl doesn't pop up any error and it is listed as a Domain Controller on ADUC.

On Tue, Oct 13, 2015 at 11:10 AM, Sketch <smblist at rednsx.org> wrote:

> On Tue, 13 Oct 2015, Guilherme Boing wrote:
>
>> I should also mention that Samba 4.3.0 was installed from tarball, I compiled it myself.
>>
>> DC2 does not have the /var/lib/samba/private/sam.ldb file. Also it did not return any result on DC1.
>>
>> I wonder why DC1 has the /var/lib/samba/private/sam.ldb file and DC2 does not.
>>
>
> If you compiled it yourself and didn't change the path, the default path for the private dir is /usr/local/samba/private. Most distributions/packagers use /var/lib/samba/private instead.
>
> The only other thing beyond what's already been suggested to check that I can think of is to make sure /etc/hosts and /etc/resolv.conf are set up properly. Make sure your hostname points to your DNS IP and not 127.0.0.1 in /etc/hosts, and make sure /etc/resolv.conf points at your domain controllers' DNS. DC2 should point to DC1 as its first DNS server (and vice versa, once DC2 is working properly).
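An added example that is not part of the thread and not Samba project code, covering the symptom pair posted throughout this thread and the numeric group owner shown in the message above. wbinfo asks winbindd directly over its pipe, whereas id, getent and ls go through glibc's NSS and therefore need libnss_winbind.so.2 on the dynamic loader's search path; a tarball build installs that library under /usr/local/samba/lib, which the loader does not search by default. The thread never confirms this as the cause, so the script below is the check a practitioner would run, not a diagnosis. It searches a list of library directories for libnss_winbind.so.2 and scans an ls -l listing for owner or group fields that are bare numbers (ids NSS could not name). The directory layout under a temp dir and the empty stand-in library file are constructed; the two listing lines are the ones posted above.

```shell
#!/bin/sh
# Added example (not from the thread): is libnss_winbind on the loader path,
# and which entries in a directory listing carry ids NSS could not resolve?
# Directories are passed in so the checks can run against fixtures.

# nss_winbind_lib_check DIR...: succeed if libnss_winbind.so.2 exists in any
# DIR (on a real host: the directories ldconfig searches, e.g. /lib64 /lib).
nss_winbind_lib_check() {
    for d in "$@"; do
        if [ -e "$d/libnss_winbind.so.2" ]; then
            echo "OK: found $d/libnss_winbind.so.2"
            return 0
        fi
    done
    echo "FAIL: libnss_winbind.so.2 not found in: $*"
    echo "      (a tarball build leaves it under /usr/local/samba/lib; link it"
    echo "       into a loader directory and run ldconfig, then re-test with id)"
    return 1
}

# unresolved_ids LISTING: read 'ls -l' style lines and print each entry whose
# owner ($3) or group ($4) is purely numeric. Returns 1 if any were found,
# 0 if every id resolved to a name.
unresolved_ids() {
    awk 'NF >= 9 && ($3 ~ /^[0-9]+$/ || $4 ~ /^[0-9]+$/) {
             print $NF ": owner=" $3 " group=" $4; n++
         }
         END { exit (n > 0) }' "$1"
}

# build_fixtures DIR: constructed layout. The library is an empty stand-in
# placed where a self-compiled Samba would install it; the listing holds the
# two sysvol lines from the thread (DC1 resolved, DC2 numeric).
build_fixtures() {
    dir=$1
    mkdir -p "$dir/lib64" "$dir/usr/local/samba/lib"
    : > "$dir/usr/local/samba/lib/libnss_winbind.so.2"
    cat > "$dir/sysvol.ls" <<'EOF'
drwxrwx---+ 3 root BUILTIN\administrators 31 Ago 24 08:01 sysvol
drwxrwx---+ 3 root 3000000 31 Aug 24 08:02 sysvol
EOF
}

tmp=$(mktemp -d); build_fixtures "$tmp"

# Before: the library exists only under the Samba prefix, so the loader
# directories we hand in do not contain it.
nss_winbind_lib_check "$tmp/lib64" "$tmp/lib" || echo "(expected on a fresh tarball install)"

# After: link it into a loader directory, as the Samba wiki's self-compile
# notes do for the real /lib64, and the check passes.
ln -s "$tmp/usr/local/samba/lib/libnss_winbind.so.2" "$tmp/lib64/libnss_winbind.so.2"
nss_winbind_lib_check "$tmp/lib64" "$tmp/lib"

# The DC2 line is reported; the DC1 line, with BUILTIN\administrators, is not.
if unresolved_ids "$tmp/sysvol.ls"; then
    echo "all ids resolved"
else
    echo "numeric ids present: NSS cannot name them on this host"
fi

rm -rf "$tmp"
```

Run unresolved_ids over ls -l of the sysvol tree on each DC before syncing it: an entry that resolves on one DC and not on the other means the receiving side is mapping the same SID to a bare gid, which is exactly the 3000000 seen above.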