On 20/07/16 08:22, Timo Dachs-Wegmann wrote:
> Okay, I tried to install the server without winbind but with libnss-winbind.
>
> Still the same problem. Getent passwd administrator works but the result of getent passwd only shows local users.
> This seems to be the same bug as Achim's.
> We are running a Debian 4.8 with samba 4.2 packages...
>
> A few months ago I installed a test environment for samba with samba version 4.1.17. There the getent command works perfectly. So I guess this is a bug in the latest version...
>
> Can I report this bug somewhere or is there a workaround?

OK, I have installed Samba 4.2.0 using distro packages on Devuan in a VM and set it up as I would normally do.
From my testing, 'getent passwd' and 'getent group' work, so the question seems to be, how have you set up your domain member?

The VM I set up uses a fixed IP and this is the list of packages I installed:

samba samba-common-bin samba-common samba-libs samba-vfs-modules samba-dsdb-modules libwbclient0 libsmbclient winbind acl attr krb5-config libnss-winbind libpam-winbind libpam-krb5 krb5-user

/etc/resolv.conf contains this:

search samdom.example.com
nameserver 192.168.0.5
nameserver 192.168.0.6

The nameservers are my two DCs.

/etc/hosts contains this:

127.0.0.1 localhost
192.168.0.8 devtest.samdom.example.com devtest

# The following lines are desirable for IPv6 capable hosts
::1 localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters

If the computer was using dhcp, the '192.168.0.8' line wouldn't be there.

/etc/krb5.conf contains:

[libdefaults]
default_realm = SAMDOM.EXAMPLE.COM
dns_lookup_realm = false
dns_lookup_kdc = true

It doesn't need to contain anything else.

/etc/samba/smb.conf contains this:

[global]
workgroup = SAMDOM
security = ADS
realm = SAMDOM.EXAMPLE.COM

dedicated keytab file = /etc/krb5.keytab
kerberos method = secrets and keytab
server string = Samba 4 Client %h

winbind enum users = yes
winbind enum groups = yes
winbind use default domain = yes
winbind expand groups = 4
winbind nss info = rfc2307
winbind refresh tickets = Yes
winbind offline logon = yes
winbind normalize names = Yes

## map ids outside of domain to tdb files.
idmap config *:backend = tdb
idmap config *:range = 2000-9999
## map ids from the domain, the ranges may not overlap!
idmap config SAMDOM : backend = ad
idmap config SAMDOM : schema_mode = rfc2307
idmap config SAMDOM : range = 10000-999999

domain master = no
local master = no
preferred master = no
os level = 20
map to guest = bad user
host msdfs = no

# user Administrator workaround, without it you are unable to set privileges
username map = /etc/samba/user.map

# For ACL support on domain member
vfs objects = acl_xattr
map acl inherit = Yes
store dos attributes = Yes

# Share Setting Globally
unix extensions = no
reset on zero vc = yes
veto files = /.bash_logout/.bash_profile/.bash_history/.bashrc/
hide unreadable = yes

log file = /usr/local/samba/var/log.%m

[homes]
path = /home/%U
read only = no

/etc/samba/user.map contains this:

!root = SAMDOM\Administrator SAMDOM\administrator Administrator administrator

The relevant lines in /etc/nsswitch.conf look like this:

passwd: compat winbind
group: compat winbind

Which leads to this:

root@devtest:~# getent passwd
root:x:0:0:root:/root:/bin/bash
.......
.......

It displays no AD users, but if you run it again:

root@devtest:~# getent passwd
root:x:0:0:root:/root:/bin/bash
.......
.......
albert:*:10004:10000:Albert Tatlock:/home/albert:/bin/false
rowland:*:10000:10000:Rowland Penny:/home/rowland:/bin/bash
........
........

It doesn't really matter if 'getent passwd' doesn't display all your users, as long as it will display individual users:

root@devtest:~# getent passwd rowland
rowland:*:10000:10000:Rowland Penny:/home/rowland:/bin/bash

Rowland
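The reply above leans on three things that are easy to get wrong on a domain member and that a reader may want to check before concluding that enumeration is broken: the idmap ranges in smb.conf must not overlap (otherwise two SIDs can land on the same UID/GID and ownership and ACL checks on the member become unreliable), nsswitch.conf must route passwd and group through winbind, and a "getent passwd" dump should be judged by whether it contains UIDs from the domain range rather than by eyeballing it. The POSIX shell script below is an added example written for this page; it is not Samba's own tooling and not something from the thread. The function names, the temporary directory and the sample smb.conf, nsswitch.conf and getent output are constructed to match the values quoted in the message above.

```shell
#!/bin/sh
# Added example for this thread; not Samba's own tooling. Function names,
# the constructed sample files and the temporary directory are assumptions.

# Print "DOMAIN LO HI" for each "idmap config <DOMAIN> : range = LO-HI"
# line in an smb.conf (handles both "*:range" and "SAMDOM : range").
idmap_ranges() {
    awk -F'=' '
        /^[ \t]*idmap config[ \t]*[^:]*:[ \t]*range[ \t]*=/ {
            key = $1
            sub(/^[ \t]*idmap config[ \t]*/, "", key)
            sub(/[ \t]*:.*$/, "", key)        # leaves "*" or "SAMDOM"
            val = $2
            gsub(/[ \t]/, "", val)             # leaves "2000-9999"
            split(val, r, "-")
            print key, r[1], r[2]
        }' "$1"
}

# Exit 0 when every range is sane and no two ranges overlap, 1 otherwise.
idmap_ranges_ok() {
    idmap_ranges "$1" | awk '
        {
            n++; dom[n] = $1; lo[n] = $2 + 0; hi[n] = $3 + 0
            if (lo[n] > hi[n] || hi[n] == 0) {
                printf "bad range for %s: %s-%s\n", $1, $2, $3; bad = 1
            }
        }
        END {
            for (i = 1; i <= n; i++)
                for (j = i + 1; j <= n; j++)
                    if (lo[i] <= hi[j] && lo[j] <= hi[i]) {
                        printf "overlap: %s (%d-%d) and %s (%d-%d)\n", dom[i], lo[i], hi[i], dom[j], lo[j], hi[j]
                        bad = 1
                    }
            exit (bad ? 1 : 0)
        }'
}

# Exit 0 when both the passwd and group lines of nsswitch.conf list
# winbind; without that getent can never return AD accounts.
nss_has_winbind() {
    awk '
        /^[ \t]*(passwd|group):/ {
            for (i = 2; i <= NF; i++) if ($i == "winbind") ok[$1] = 1
        }
        END { exit ((ok["passwd:"] && ok["group:"]) ? 0 : 1) }' "$1"
}

# Count passwd-format lines whose UID falls inside the domain idmap range.
# Zero means a "getent passwd" dump only contains local accounts.
count_uids_in_range() {
    awk -F: -v lo="$2" -v hi="$3" \
        '$3 + 0 >= lo + 0 && $3 + 0 <= hi + 0 { n++ } END { print n + 0 }' "$1"
}

# Constructed sample inputs modelled on the values quoted in the thread.
write_samples() {
    cat > "$1/smb.conf.good" <<'EOF'
[global]
   workgroup = SAMDOM
   security = ADS
   idmap config *:backend = tdb
   idmap config *:range = 2000-9999
   idmap config SAMDOM : backend = ad
   idmap config SAMDOM : schema_mode = rfc2307
   idmap config SAMDOM : range = 10000-999999
EOF
    # Same file, but the "*" range runs into the domain range.
    sed 's/2000-9999/2000-19999/' "$1/smb.conf.good" > "$1/smb.conf.overlap"
    printf 'passwd: compat winbind\ngroup: compat winbind\n' > "$1/nsswitch.good"
    printf 'passwd: compat\ngroup: compat\n' > "$1/nsswitch.bad"
    printf 'root:x:0:0:root:/root:/bin/bash\ndaemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin\n' \
        > "$1/getent.first"
    { cat "$1/getent.first"
      printf 'albert:*:10004:10000:Albert Tatlock:/home/albert:/bin/false\n'
      printf 'rowland:*:10000:10000:Rowland Penny:/home/rowland:/bin/bash\n'
    } > "$1/getent.second"
}

# Stand-alone run against the samples; on a real member server point the
# functions at /etc/samba/smb.conf, /etc/nsswitch.conf and "getent passwd".
tmp=$(mktemp -d)
write_samples "$tmp"
if idmap_ranges_ok "$tmp/smb.conf.good"; then echo "smb.conf.good: ranges ok"; fi
if ! idmap_ranges_ok "$tmp/smb.conf.overlap"; then echo "smb.conf.overlap: rejected"; fi
if nss_has_winbind "$tmp/nsswitch.good"; then echo "nsswitch.good: winbind present"; fi
if ! nss_has_winbind "$tmp/nsswitch.bad"; then echo "nsswitch.bad: winbind missing"; fi
echo "domain UIDs in first dump:  $(count_uids_in_range "$tmp/getent.first" 10000 999999)"
echo "domain UIDs in second dump: $(count_uids_in_range "$tmp/getent.second" 10000 999999)"
rm -rf "$tmp"
```

On a live member the interesting comparison is count_uids_in_range run over "getent passwd" versus a direct "getent passwd <user>" lookup: if the single lookup works but the count is zero, winbind is wired in correctly and only enumeration is affected, which is the situation described above.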
On 20.07.2016 at 11:33, Rowland penny wrote:
> On 20/07/16 08:22, Timo Dachs-Wegmann wrote:
>> [...]
>
> [...]
>
> Rowland

Hi Rowland,

The OP is running in ADDC mode!

achim~
On 20/07/16 11:49, Achim Gottinger wrote:
> On 20.07.2016 at 11:33, Rowland penny wrote:
>> [...]
>
> Hi Rowland,
>
> The OP is running in ADDC mode!
>
> achim~

Ah, missed that, I will go and try again and report back, it should work.

Rowland