Forgot to copy list.

On 11/06/2015 1:44 PM, Rowland Penny wrote:
> On 06/11/15 17:51, Dale Schroeder wrote:
>> I had to move an existing member server to new hardware. Using
>> getent on this Debian Jessie system, I cannot get winbind to retrieve
>> the domain users, except for administrator, guest, tsinternetuser,
>> and krbtgt.
>
> wbinfo -u should show all your users, 'getent passwd domainuser'
> should show the info for just 'domainuser', but getent normally
> doesn't show anything for Administrator, guest or krbtgt on a domain
> member.

wbinfo works, getent in any form or shape does not.

>> Although none of my other working systems have it, I added the
>> "dedicated keytab", "kerberos method", and "winbind refresh tickets"
>> parameters to match the wiki.
>
> These are required to get kerberos tickets and to enable them being
> refreshed.

I don't doubt you at all, but that makes it impossible for me to explain the 4 others that don't have those parameters and are happily humming along. The difference is that they have been upgraded in place from previous versions to 4.1.17. The problem child is a "from scratch" upgrade install on new hardware.

>> The only problem I have noticed is that installing libnss-winbind no
>> longer creates the symbolic link between libnss_winbind.so.2 and
>> libnss_winbind.so. I had to do that manually. Unlike the WIKI, the
>> other directory to link does not exist on this system or the working
>> systems.
>
> OK, how have you installed samba and on what?

I have used the Debian Jessie repositories on a new x64 system.

>> net ads testjoin is OK. The domain SID matches the other servers.
>> wbinfo works.
>>
>> I must have missed something, but I'm at a loss as to what it is. Can
>> anyone see anything?
>
> Any chance of seeing your smb.conf as stored on the samba machine.

I replaced the testparm output with the actual conf file below.

> Rowland
>
>> Thanks,
>> Dale

OK, the following is as it exists on the server.
The contents of the users.map file is one line:
root = @"DOMAIN\Domain Admins"

Dale

>> [global]
>> netbios name = DEBFSRV
>> workgroup = DOMAIN
>> realm = DOMAIN.COM
>> #server role = member server
>> server string = Samba File Server
>> security = ADS
>> #map untrusted to domain = Yes
>> allow trusted domains = No
>> map to guest = Bad User
>> #obey pam restrictions = Yes
>> password server = *
>> passdb backend = tdbsam
>> passwd program = /usr/bin/passwd %u
>> passwd chat = *Enter\snew\sUNIX\spassword:* %n\n *Retype\snew\sUNIX\spassword:* %n\n *password\supdated\ssuccessfully* .
>> username map = /etc/samba/users.map
>> syslog = 0
>> log level = 1 winbind:3 idmap:3
>> log file = /var/log/samba/log.%m
>> #max log size = 1000 # default=5000
>> name resolve order = host wins bcast
>> deadtime = 15
>> load printers = No
>> printing = bsd
>> #printcap cache time = 300
>> printcap name = /dev/null
>> disable spoolss = Yes
>> dns proxy = No
>> wins server = 192.168.1.223
>> ldap ssl = no
>> panic action = /usr/share/samba/panic-action %d
>> #idmap backend = rid:DOMAIN=1000-20000000
>> #idmap uid = 1000-20000000
>> #idmap gid = 1000-20000000
>> idmap config * : backend = tdb
>> idmap config * : range = 1000000 - 2000000
>> #idmap config DOMAIN : default = Yes
>> idmap config DOMAIN : backend = rid
>> idmap config DOMAIN : range = 1000 - 2000
>> template homedir = /data/users/%U
>> template shell = /bin/bash
>> winbind cache time = 300
>> winbind enum users = Yes
>> winbind enum groups = Yes
>> winbind use default domain = Yes
>> winbind offline logon = Yes
>> dedicated keytab file = /etc/krb5.keytab
>> kerberos method = secrets and keytab
>> winbind refresh tickets = Yes
>> #recycle:repository = /var/domain/trash/%U
>> #recycle:exclude = *.bks *.BKF *.tmp *.TMP *.temp *.TEMP *.o *.obj ~$* *.~??
>> #recycle:maxsize = 20971520
>> #recycle:versions = Yes
>> admin users = root, DOMAIN\administrator
>> hosts allow = 192.168.0.0/16
>> veto files = /trash/
>> veto oplock files = /*.doc/*.xls/*.mdb/*.ldb/*.bkf/*.DOC/*.XLS/*.MDB/*.LDB/*.pst/*.PST/
>> kernel oplocks = No
>> map archive = No
>> map readonly = No
>> ea support = Yes
>> store dos attributes = Yes
>> #vfs objects = recycle
>>
>> #krb5.conf as per wiki
>> [libdefaults]
>> default_realm = DOMAIN.COM
>> dns_lookup_realm = false
>> dns_lookup_kdc = true
>>
>> *resolv.conf per wiki
>>
>> search domain.com
>> nameserver 192.168.1.abc
>>
>> *nsswitch.conf
>>
>> passwd: compat winbind
>> group: compat winbind
>> shadow: compat
>> gshadow: files
>>
>> hosts: fines dns wins
>> networks: files dns
>>
>> protocols: db files
>> services: db files
>> ethers: db files
>> rpc: db files
On 06/11/15 20:33, Dale Schroeder wrote:
> Forgot to copy list.
> [...]

OK, try this smb.conf, don't add anything else until you have getent working:

[global]
workgroup = DOMAIN
security = ADS
realm = DOMAIN.COM
dedicated keytab file = /etc/krb5.keytab
kerberos method = secrets and keytab
idmap config * : range = 1000000-2000000
idmap config * : backend = tdb
idmap config DOMAIN : range = 1000-2000
idmap config DOMAIN : backend = rid
winbind nss info = template
winbind trusted domains only = no
winbind use default domain = yes
winbind enum users = Yes
winbind enum groups = Yes
winbind refresh tickets = Yes
winbind offline logon = Yes
username map = /etc/samba/users.map
template homedir = /data/users/%U
template shell = /bin/bash
vfs objects = acl_xattr
map acl inherit = yes
store dos attributes = yes

The above should work against an AD DC

Your users.map should be:

!root = DOMAIN\Administrator DOMAIN\administrator

Rowland
> OK, try this smb.conf, don't add anything else until you have getent working:
>
> [global]
> workgroup = DOMAIN
> security = ADS
> realm = DOMAIN.COM
> dedicated keytab file = /etc/krb5.keytab
> kerberos method = secrets and keytab
> idmap config * : range = 1000000-2000000
> idmap config * : backend = tdb
> idmap config DOMAIN : range = 1000-2000
> idmap config DOMAIN : backend = rid
> winbind nss info = template
> winbind trusted domains only = no
> winbind use default domain = yes
> winbind enum users = Yes
> winbind enum groups = Yes
> winbind refresh tickets = Yes
> winbind offline logon = Yes
> username map = /etc/samba/users.map
> template homedir = /data/users/%U
> template shell = /bin/bash
> vfs objects = acl_xattr
> map acl inherit = yes
> store dos attributes = yes
>
> The above should work against an AD DC
>
> Your users.map should be:
>
> !root = DOMAIN\Administrator DOMAIN\administrator
>
> Rowland

Thanks, Rowland. I've gotten it working for the most part. There are some permissions issues with vfs recycle, but I'll have to work those out later.

Just to satisfy my curiosity more than anything, I'd like to clarify a few things.

1. What is the benefit of using 'secrets and keytab'? All of my other member servers seem to function OK with the default 'secrets only'.

2. What does the syntax of the users.map file that you have presented mean, or maybe it would be better stated as what does it do? That is nothing at all like the mapping files I have used for the past 12 years. I have seen this before, but have never seen an explanation of it.

3. Some time back, you mentioned the name of the file in Debian that listed the default mount options. Would you please state it again? I can't seem to locate that particular email in the archives.

Thanks again,
Dale
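As an added example (not code from this thread, Samba, or the Debian packages), a small POSIX sh helper that checks two things a member server needs before getent can return domain users: the idmap ranges for "*" and the domain in smb.conf must both exist and not overlap, and nsswitch.conf must list winbind on the passwd and group lines. The sample files it writes are constructed here, modelled on the configs in the thread.

```shell
#!/bin/sh
# Offline sanity checks for the winbind/NSS setup discussed in this thread
# (hypothetical helper, not part of Samba or the posters' systems).
# Assumes a POSIX sh with sed, grep and mktemp.

# Print "lo hi" for the idmap range of one idmap domain ("*" or e.g. DOMAIN)
# in the given smb.conf; prints nothing if the parameter is absent.
idmap_range() {
    pat=$(printf '%s' "$2" | sed 's|[][*.^$\\]|\\&|g')   # escape for BRE
    sed -n "s/^[[:space:]]*idmap config[[:space:]]*${pat}[[:space:]]*:[[:space:]]*range[[:space:]]*=[[:space:]]*\([0-9][0-9]*\)[[:space:]]*-[[:space:]]*\([0-9][0-9]*\).*/\1 \2/p" "$1" | head -n 1
}

# Return 0 only if both the "*" range and the named domain's range exist,
# are well formed and do not overlap (overlap breaks SID-to-uid mapping).
idmap_ranges_ok() {
    star=$(idmap_range "$1" '*'); dom=$(idmap_range "$1" "$2")
    [ -n "$star" ] && [ -n "$dom" ] || return 1
    set -- $star $dom          # $1=star_lo $2=star_hi $3=dom_lo $4=dom_hi
    [ "$1" -le "$2" ] && [ "$3" -le "$4" ] || return 1
    [ "$2" -lt "$3" ] || [ "$4" -lt "$1" ]
}

# Return 0 if nsswitch.conf lists winbind on both the passwd and group lines,
# which getent needs even when wbinfo already works.
nsswitch_has_winbind() {
    grep -Eq '^[[:space:]]*passwd:.*[[:space:]]winbind([[:space:]]|$)' "$1" &&
    grep -Eq '^[[:space:]]*group:.*[[:space:]]winbind([[:space:]]|$)' "$1"
}

# Constructed sample files (not the poster's real configs) so the checks
# can be exercised without a domain.
SMB_GOOD=$(mktemp); SMB_BAD=$(mktemp); NSS=$(mktemp)
cat > "$SMB_GOOD" <<'EOF'
[global]
   workgroup = DOMAIN
   security = ADS
   idmap config * : backend = tdb
   idmap config * : range = 1000000-2000000
   idmap config DOMAIN : backend = rid
   idmap config DOMAIN : range = 1000 - 2000
EOF
# Same file, but the domain range now collides with the "*" range.
sed 's/1000 - 2000/1500000-1600000/' "$SMB_GOOD" > "$SMB_BAD"
printf 'passwd: compat winbind\ngroup: compat winbind\nshadow: compat\n' > "$NSS"

idmap_ranges_ok "$SMB_GOOD" DOMAIN && echo "good smb.conf: idmap ranges disjoint"
idmap_ranges_ok "$SMB_BAD" DOMAIN || echo "bad smb.conf: idmap ranges overlap"
nsswitch_has_winbind "$NSS" && echo "nsswitch.conf: winbind enabled for passwd/group"
```

Point the three functions at /etc/samba/smb.conf and /etc/nsswitch.conf on a real member server to run the same checks there.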