I had to move an existing member server to new hardware. Using getent on this Debian Jessie system, I cannot get winbind to retrieve the domain users, except for administrator, guest, tsinternetuser, and krbtgt. Although none of my other working systems have it, I added the "dedicated keytab", "kerberos method", and "winbind refresh tickets" parameters to match the wiki.

The only problem I have noticed is that installing libnss-winbind no longer creates the symbolic link between libnss_winbind.so.2 and libnss_winbind.so. I had to do that manually. Unlike the WIKI, the other directory to link does not exist on this system or the working systems.

net ads testjoin is OK. The domain SID matches the other servers. wbinfo works.

I must have missed something, but I'm at a loss as to what it is. Can anyone see anything?

Thanks,
Dale

Samba version: 4.1.17+dfsg-2

Output of testparm -s

[global]
workgroup = DOMAIN
realm = DOMAIN.COM
server string = Samba File Server
#server role = member server
security = ADS
allow trusted domains = No
map to guest = Bad User
passwd program = /usr/bin/passwd %u
passwd chat = *Enter\snew\sUNIX\spassword:* %n\n *Retype\snew\sUNIX\spassword:* %n\n *password\supdated\ssuccessfully* .
username map = /etc/samba/users.map
dedicated keytab file = /etc/krb5.keytab
kerberos method = secrets and keytab
#map untrusted to domain = Yes
syslog = 0
log file = /var/log/samba/log.%m
name resolve order = host, wins, bcast
deadtime = 15
load printers = No
printcap name = /dev/null
disable spoolss = Yes
dns proxy = No
wins server = 192.168.1.xyz
ldap ssl = no
panic action = /usr/share/samba/panic-action %d
template homedir = /data/users/%U
template shell = /bin/bash
winbind enum users = Yes
winbind enum groups = Yes
winbind use default domain = Yes
winbind refresh tickets = Yes
winbind offline logon = Yes
recycle:versions = Yes
recycle:maxsize = 20971520
recycle:exclude = *.bks *.BKF *.tmp *.TMP *.temp *.TEMP *.o *.obj ~$* *.~??
recycle:repository = /var/domain/trash/%U
idmap config DOMAIN : range = 1000 - 2000
idmap config DOMAIN : backend = rid
idmap config * : range = 1000000 - 2000000
idmap config * : backend = tdb
admin users = root, DOMAIN\administrator
hosts allow = 192.168.0.0/16
ea support = Yes
printing = bsd
print command = lpr -r -P'%p' %s
lpq command = lpq -P'%p'
lprm command = lprm -P'%p' %j
veto files = /trash/
veto oplock files = /*.doc/*.xls/*.mdb/*.ldb/*.bkf/*.DOC/*.XLS/*.MDB/*.LDB/*.pst/*.PST/
map archive = No
map readonly = no
store dos attributes = Yes
vfs objects = recycle

#krb5.conf as per wiki
[libdefaults]
default_realm = DOMAIN.COM
dns_lookup_realm = false
dns_lookup_kdc = true

*resolv.conf per wiki

search domain.com
nameserver 192.168.1.abc

*nsswitch.conf

passwd: compat winbind
group: compat winbind
shadow: compat
gshadow: files

hosts: fines dns wins
networks: files dns

protocols: db files
services: db files
ethers: db files
rpc: db files
On 06/11/15 17:51, Dale Schroeder wrote:
> I had to move an existing member server to new hardware. Using getent
> on this Debian Jessie system, I cannot get winbind to retrieve the
> domain users, except for administrator, guest, tsinternetuser, and
> krbtgt.

wbinfo -u should show all your users, 'getent passwd domainuser' should show the info for just 'domainuser', but getent normally doesn't show anything for Administrator, guest or krbtgt on a domain member.

> Although none of my other working systems have it, I added the
> "dedicated keytab", "kerberos method", and "winbind refresh tickets"
> parameters to match the wiki.

These are required to get kerberos tickets and to enable them to be refreshed.

> The only problem I have noticed is that installing libnss-winbind no
> longer creates the symbolic link between libnss_winbind.so.2 and
> libnss_winbind.so. I had to do that manually. Unlike the WIKI, the
> other directory to link does not exist on this system or the working
> systems.

OK, how have you installed samba and on what?

> net ads testjoin is OK. The domain SID matches the other servers.
> wbinfo works.
>
> I must have missed something, but I'm at a loss as to what it is. Can
> anyone see anything?

Any chance of seeing your smb.conf as stored on the samba machine?

Rowland

> Thanks,
> Dale
>
> Samba version: 4.1.17+dfsg-2
>
> Output of testparm -s
>
> [global]
> workgroup = DOMAIN
> realm = DOMAIN.COM
> server string = Samba File Server
> #server role = member server
> security = ADS
> allow trusted domains = No
> map to guest = Bad User
> passwd program = /usr/bin/passwd %u
> passwd chat = *Enter\snew\sUNIX\spassword:* %n\n *Retype\snew\sUNIX\spassword:* %n\n *password\supdated\ssuccessfully* .
> username map = /etc/samba/users.map
> dedicated keytab file = /etc/krb5.keytab
> kerberos method = secrets and keytab
> #map untrusted to domain = Yes
> syslog = 0
> log file = /var/log/samba/log.%m
> name resolve order = host, wins, bcast
> deadtime = 15
> load printers = No
> printcap name = /dev/null
> disable spoolss = Yes
> dns proxy = No
> wins server = 192.168.1.xyz
> ldap ssl = no
> panic action = /usr/share/samba/panic-action %d
> template homedir = /data/users/%U
> template shell = /bin/bash
> winbind enum users = Yes
> winbind enum groups = Yes
> winbind use default domain = Yes
> winbind refresh tickets = Yes
> winbind offline logon = Yes
> recycle:versions = Yes
> recycle:maxsize = 20971520
> recycle:exclude = *.bks *.BKF *.tmp *.TMP *.temp *.TEMP *.o *.obj ~$* *.~??
> recycle:repository = /var/domain/trash/%U
> idmap config DOMAIN : range = 1000 - 2000
> idmap config DOMAIN : backend = rid
> idmap config * : range = 1000000 - 2000000
> idmap config * : backend = tdb
> admin users = root, DOMAIN\administrator
> hosts allow = 192.168.0.0/16
> ea support = Yes
> printing = bsd
> print command = lpr -r -P'%p' %s
> lpq command = lpq -P'%p'
> lprm command = lprm -P'%p' %j
> veto files = /trash/
> veto oplock files = /*.doc/*.xls/*.mdb/*.ldb/*.bkf/*.DOC/*.XLS/*.MDB/*.LDB/*.pst/*.PST/
> map archive = No
> map readonly = no
> store dos attributes = Yes
> vfs objects = recycle
>
> #krb5.conf as per wiki
> [libdefaults]
> default_realm = DOMAIN.COM
> dns_lookup_realm = false
> dns_lookup_kdc = true
>
> *resolv.conf per wiki
>
> search domain.com
> nameserver 192.168.1.abc
>
> *nsswitch.conf
>
> passwd: compat winbind
> group: compat winbind
> shadow: compat
> gshadow: files
>
> hosts: fines dns wins
> networks: files dns
>
> protocols: db files
> services: db files
> ethers: db files
> rpc: db files
Forgot to copy list.

On 11/06/2015 1:44 PM, Rowland Penny wrote:
> On 06/11/15 17:51, Dale Schroeder wrote:
>> I had to move an existing member server to new hardware. Using
>> getent on this Debian Jessie system, I cannot get winbind to retrieve
>> the domain users, except for administrator, guest, tsinternetuser,
>> and krbtgt.
>
> wbinfo -u should show all your users, 'getent passwd domainuser'
> should show the info for just 'domainuser', but getent normally
> doesn't show anything for Administrator, guest or krbtgt on a domain
> member.

wbinfo works, getent in any form or shape does not.

>> Although none of my other working systems have it, I added the
>> "dedicated keytab", "kerberos method", and "winbind refresh tickets"
>> parameters to match the wiki.
>
> These are required to get kerberos tickets and to enable them being
> refreshed.

I don't doubt you at all, but that makes it impossible for me to explain the 4 others that don't have those parameters and are happily humming along. The difference is that they have been upgraded in place from previous versions to 4.1.17. The problem child is a "from scratch" upgrade install on new hardware.

>> The only problem I have noticed is that installing libnss-winbind no
>> longer creates the symbolic link between libnss_winbind.so.2 and
>> libnss_winbind.so. I had to do that manually. Unlike the WIKI, the
>> other directory to link does not exist on this system or the working
>> systems.
>
> OK, how have you installed samba and on what?

I have used the Debian Jessie repositories on a new x64 system.

>> net ads testjoin is OK. The domain SID matches the other servers.
>> wbinfo works.
>>
>> I must have missed something, but I'm at a loss as to what it is. Can
>> anyone see anything?
>
> Any chance of seeing your smb.conf as stored on the samba machine.

I replaced the testparm output with the actual conf file below.

> Rowland
>
>> Thanks,
>> Dale

OK, the following is as it exists on the server.

The contents of the users.map file are one line:

root = @"DOMAIN\Domain Admins"

Dale

>> [global]
>> netbios name = DEBFSRV
>> workgroup = DOMAIN
>> realm = DOMAIN.COM
>> #server role = member server
>> server string = Samba File Server
>> security = ADS
>> #map untrusted to domain = Yes
>> allow trusted domains = No
>> map to guest = Bad User
>> #obey pam restrictions = Yes
>> password server = *
>> passdb backend = tdbsam
>> passwd program = /usr/bin/passwd %u
>> passwd chat =*Enter\snew\sUNIX\spassword:* %n\n *Retype\snew\sUNIX\spassword:* %n\n *password\supdated\ssuccessfully* .
>> username map = /etc/samba/users.map
>> syslog = 0
>> log level = 1 winbind:3 idmap:3
>> log file = /var/log/samba/log.%m
>> #max log size = 1000 # default=5000
>> name resolve order = host wins bcast
>> deadtime = 15
>> load printers = No
>> printing = bsd
>> #printcap cache time = 300
>> printcap name = /dev/null
>> disable spoolss = Yes
>> dns proxy = No
>> wins server = 192.168.1.223
>> ldap ssl = no
>> panic action = /usr/share/samba/panic-action %d
>> #idmap backend = rid:DOMAIN=1000-20000000
>> #idmap uid = 1000-20000000
>> #idmap gid = 1000-20000000
>> idmap config * : backend = tdb
>> idmap config * : range = 1000000 - 2000000
>> #idmap config DOMAIN : default = Yes
>> idmap config DOMAIN : backend = rid
>> idmap config DOMAIN : range = 1000 - 2000
>> template homedir =/data/users/%U
>> template shell = /bin/bash
>> winbind cache time = 300
>> winbind enum users = Yes
>> winbind enum groups = Yes
>> winbind use default domain = Yes
>> winbind offline logon = Yes
>> dedicated keytab file = /etc/krb5.keytab
>> kerberos method = secrets and keytab
>> winbind refresh tickets = Yes
>> #recycle:repository =/var/domain/trash/%U
>> #recycle:exclude = *.bks *.BKF *.tmp *.TMP *.temp *.TEMP *.o *.obj ~$* *.~??
>> #recycle:maxsize = 20971520
>> #recycle:versions = Yes
>> admin users = root, DOMAIN\administrator
>> hosts allow = 192.168.0.0/16
>> veto files =/trash/
>> veto oplock files = /*.doc/*.xls/*.mdb/*.ldb/*.bkf/*.DOC/*.XLS/*.MDB/*.LDB/*.pst/*.PST/
>> kernel oplocks = No
>> map archive = No
>> map readonly = No
>> ea support = Yes
>> store dos attributes = Yes
>> #vfs objects = recycle
>>
>> #krb5.conf as per wiki
>> [libdefaults]
>> default_realm = DOMAIN.COM
>> dns_lookup_realm = false
>> dns_lookup_kdc = true
>>
>> *resolv.conf per wiki
>>
>> search domain.com
>> nameserver 192.168.1.abc
>>
>> *nsswitch.conf
>>
>> passwd: compat winbind
>> group: compat winbind
>> shadow: compat
>> gshadow: files
>>
>> hosts: fines dns wins
>> networks: files dns
>>
>> protocols: db files
>> services: db files
>> ethers: db files
>> rpc: db files
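The following script is an added illustration and is not part of the thread or of Samba itself. It applies the mapping rule documented in idmap_rid(8), ID = RID - BASE_RID + LOW_RANGE_ID, to the "idmap config DOMAIN : range" lines from the smb.conf above and reports which RIDs land inside the configured window. The only lines of the posted configuration it uses are the idmap ones; the RIDs 500, 501 and 502 are the fixed well-known RIDs of Administrator, Guest and krbtgt, and the two "user" RIDs (1000 and 1105) are constructed samples standing in for accounts created in the domain, which AD numbers from 1000 upwards. Under the rule, any RID above 1000 maps outside a 1000-2000 range, and idmap_rid creates no mapping for such an account, so getent never sees it; that is a cheap thing to rule out whenever getent lists only the well-known accounts while wbinfo -u still works.

```python
import re

# idmap lines from the smb.conf posted in this thread, trimmed to the
# keys this check needs; the rest of the file is irrelevant here
SMB_CONF = """\
[global]
idmap config * : backend = tdb
idmap config * : range = 1000000 - 2000000
idmap config DOMAIN : backend = rid
idmap config DOMAIN : range = 1000 - 2000
"""

# Constructed sample set: 500/501/502 are the fixed RIDs of
# Administrator/Guest/krbtgt; 1000 and 1105 are made-up RIDs for ordinary
# accounts, since AD allocates RIDs for created objects from 1000 upwards.
SAMPLE_RIDS = {"Administrator": 500, "Guest": 501, "krbtgt": 502,
               "first-user": 1000, "later-user": 1105}

IDMAP_RE = re.compile(
    r"^\s*idmap\s+config\s+(?P<dom>\S+)\s*:\s*(?P<key>[\w ]+?)\s*=\s*(?P<val>.+?)\s*$",
    re.IGNORECASE,
)


def parse_idmap(conf_text):
    """Collect every 'idmap config <dom> : <key> = <value>' line into
    {domain: {key: value}}; all other smb.conf lines are ignored."""
    cfg = {}
    for line in conf_text.splitlines():
        m = IDMAP_RE.match(line)
        if m:
            cfg.setdefault(m.group("dom"), {})[m.group("key").lower()] = m.group("val")
    return cfg


def parse_range(text):
    """'1000 - 2000' -> (1000, 2000)."""
    low, high = (int(part) for part in text.split("-"))
    if low > high:
        raise ValueError("idmap range low end exceeds high end: %r" % text)
    return low, high


def rid_to_id(rid, low, high, base_rid=0):
    """idmap_rid(8) rule: ID = RID - BASE_RID + LOW_RANGE_ID.
    Returns None when the result falls outside [low, high]; winbind then
    creates no mapping and the account is invisible to getent."""
    unix_id = rid - base_rid + low
    return unix_id if low <= unix_id <= high else None


def max_mappable_rid(low, high, base_rid=0):
    """Largest RID the range can hold (rid_to_id inverted at 'high')."""
    return high - low + base_rid


def check_domain(conf_text, domain, rids):
    """Map each named RID through the domain's rid range.
    Returns {name: unix_id or None}."""
    cfg = parse_idmap(conf_text)[domain]
    if cfg.get("backend", "").lower() != "rid":
        raise ValueError("domain %s does not use the rid backend" % domain)
    low, high = parse_range(cfg["range"])
    base_rid = int(cfg.get("base_rid", 0))  # base_rid defaults to 0
    return {name: rid_to_id(rid, low, high, base_rid) for name, rid in rids.items()}


def domain_rid_ceiling(conf_text, domain):
    """Highest RID that the domain's configured range can map."""
    cfg = parse_idmap(conf_text)[domain]
    low, high = parse_range(cfg["range"])
    return max_mappable_rid(low, high, int(cfg.get("base_rid", 0)))


if __name__ == "__main__":
    for name, unix_id in check_domain(SMB_CONF, "DOMAIN", SAMPLE_RIDS).items():
        shown = unix_id if unix_id is not None else "NOT MAPPED (outside range)"
        print("%-14s RID %4d -> %s" % (name, SAMPLE_RIDS[name], shown))
    print("highest mappable RID:", domain_rid_ceiling(SMB_CONF, "DOMAIN"))
```

Run it against the real file by replacing SMB_CONF with the contents of /etc/samba/smb.conf and the sample RIDs with values taken from `wbinfo -n` output. The check only models the rid backend; the tdb backend used for "*" hands out IDs on first sight and has no such fixed arithmetic.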