Timo Dachs-Wegmann
2016-Jul-19 12:28 UTC
[Samba] Getent passwd doesn't show Domain Members
Dear Support-Team,

I have a problem regarding the function of winbind on a samba4 Active Directory Domain Controller.

I installed samba4 from the standard debian sources.
Made the domain provisioning and installed Kerberos.
After that I installed winbind and linked the libnss_winbind.so.2 -> libnss_winbind.so.
Wbinfo -u and wbinfo -g do work properly.

The strange thing is, that
"getent passwd administrator" gives back this line:
"administrator:*:0:100::/srv/samba/USERS/administrator:/bin/false"
So it seems that winbind is working properly, but getent passwd alone doesn't show the local users (same for getent group).

Can you help me with this?

I tried several tutorials and I read a lot of mails regarding this topic but I didn’t find a good answer to my problem.
I installed it in a lot of different orders (first winbind then samba, first Kerberos then samba and then winbind... etc) after a lot of different instructions.

Samba config:
[global]
    workgroup = PROCITEC
    realm = PROCITEC.DE
    netbios name = SAMBAPRO
    server role = active directory domain controller
    dns forwarder = 192.168.0.1
    idmap_ldb:use rfc2307 = yes
    registry shares = yes
    template homedir = /srv/samba/%D/%U

I edited the nsswitch.conf:
passwd: compat winbind
group: compat winbind

If you need further information please don’t hesitate to contact me

Kind regards

Timo Dachs-Wegmann

On 19/07/16 13:28, Timo Dachs-Wegmann wrote:
> Dear Support-Team,
>
> I have a problem regarding the function of winbind on a samba4 Active Directory Domain Controller.
>
> I installed samba4 from the standard debian sources.
> Made the domain provisioning and installed Kerberos.
> After that I installed winbind and linked the libnss_winbind.so.2 -> libnss_winbind.so.
> Wbinfo -u and wbinfo -g do work properly.
>
> The strange thing is, that
> "getent passwd administrator" gives back this line:
> "administrator:*:0:100::/srv/samba/USERS/administrator:/bin/false"
> So it seems that winbind is working properly, but getent passwd alone doesn't show the local users (same for getent group).
>
> Can you help me with this?
>
> I tried several tutorials and I read a lot of mails regarding this topic but I didn’t find a good answer to my problem.
> I installed it in a lot of different orders (first winbind then samba, first Kerberos then samba and then winbind... etc) after a lot of different instructions.
>
> Samba config:
> [global]
> workgroup = PROCITEC
> realm = PROCITEC.DE
> netbios name = SAMBAPRO
> server role = active directory domain controller
> dns forwarder = 192.168.0.1
> idmap_ldb:use rfc2307 = yes
> registry shares = yes
> template homedir = /srv/samba/%D/%U
>
> I edited the nsswitch.conf:
> passwd: compat winbind
> group: compat winbind
>
> If you need further information please don’t hesitate to contact me
>
> Kind regards
>
> Timo Dachs-Wegmann

Try adding:

    winbind enum users = yes
    winbind enum groups = yes

to smb.conf and restart samba.

Rowland

Timo Dachs-Wegmann
2016-Jul-19 14:55 UTC
[Samba] Getent passwd doesn't show Domain Members
We already tried this without success...

Kind regards

Timo Dachs-Wegmann
-EDV-

On 19/07/16 15:55, Timo Dachs-Wegmann wrote:
> We already tried this without success...
>
> Kind regards
>
> Timo Dachs-Wegmann
> -EDV-
>
> -----Original Message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On Behalf Of Rowland penny
> Sent: Tuesday, 19 July 2016 16:30
> To: samba at lists.samba.org
> Subject: Re: [Samba] Getent passwd doesn't show Domain Members
>
> Try adding:
>
> winbind enum users = yes
> winbind enum groups = yes
>
> to smb.conf and restart samba.
>
> Rowland

It should.

You posted this:

I installed samba4 from the standard debian sources.
Made the domain provisioning and installed Kerberos.
After that I installed winbind and linked the libnss_winbind.so.2 -> libnss_winbind.so.

When you installed from debian sources, do you mean you installed the debian packages or that you used them to compile your own ?

If you just installed packages, then you don't need to create the links, just install libnss-winbind and libpam-winbind

You also say that you installed kerberos, do you mean the client packages or server packages ?

Rowland

On 19.07.2016 at 16:55, Timo Dachs-Wegmann wrote:
> We already tried this without success...
>
> Kind regards
>
> Timo Dachs-Wegmann
> -EDV-
>
> -----Original Message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On Behalf Of Rowland penny
> Sent: Tuesday, 19 July 2016 16:30
> To: samba at lists.samba.org
> Subject: Re: [Samba] Getent passwd doesn't show Domain Members
>
> Try adding:
>
> winbind enum users = yes
> winbind enum groups = yes
>
> to smb.conf and restart samba.
>
> Rowland

In my debian jessie test environment this does not work with jessie's 4.2 packages. With backported 4.4.5 packages from sid it works.
Also on my production servers the enumeration of groups and users stopped working after the 4.1-4.2 upgrade (sernet packages). It did not cause issues there in the last few months.

achim~

Timo Dachs-Wegmann
2016-Jul-20 07:22 UTC
[Samba] Getent passwd doesn't show Domain Members
Okay, I tried to install the server without winbind but with libnss-winbind.

Still the same problem. Getent passwd administrator works but the result of getent passwd only shows local users.
This seems to be the same bug as Achim's.
We are running a Debian 4.8 with samba 4.2 packages...

A few months ago I installed a test environment for samba with samba version 4.1.17. There the getent command works perfectly. So I guess this is a bug in the latest version...

Can I report this bug somewhere or is there a workaround?

Kind regards

Timo Dachs-Wegmann
-EDV-

On 20/07/16 08:22, Timo Dachs-Wegmann wrote:
> Okay, I tried to install the server without winbind but with libnss-winbind.
>
> Still the same problem. Getent passwd administrator works but the result of getent passwd only shows local users.
> This seems to be the same bug as Achim's.
> We are running a Debian 4.8 with samba 4.2 packages...
>
> A few months ago I installed a test environment for samba with samba version 4.1.17. There the getent command works perfectly. So I guess this is a bug in the latest version...
>
> Can I report this bug somewhere or is there a workaround?

OK, I have installed Samba 4.2.0 using distro packages on Devuan in a VM and set it up as I would normally do.
From my testing, 'getent passwd' and 'getent group' work, so the question seems to be, how have you set up your domain member ?

The VM I set up uses a fixed IP and this is the list of packages I installed:

samba samba-common-bin samba-common samba-libs samba-vfs-modules samba-dsdb-modules libwbclient0 libsmbclient winbind acl attr krb5-config libnss-winbind libpam-winbind libpam-krb5 krb5-user

/etc/resolv.conf contains this:

search samdom.example.com
nameserver 192.168.0.5
nameserver 192.168.0.6

The nameservers are my two DCs

/etc/hosts contains this:

127.0.0.1 localhost
192.168.0.8 devtest.samdom.example.com devtest

# The following lines are desirable for IPv6 capable hosts
::1 localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters

If the computer was using dhcp, the '192.168.0.8' line wouldn't be there.

/etc/krb5.conf contains:

[libdefaults]
    default_realm = SAMDOM.EXAMPLE.COM
    dns_lookup_realm = false
    dns_lookup_kdc = true

It doesn't need to contain anything else.

/etc/samba/smb.conf contains this:

[global]
    workgroup = SAMDOM
    security = ADS
    realm = SAMDOM.EXAMPLE.COM

    dedicated keytab file = /etc/krb5.keytab
    kerberos method = secrets and keytab
    server string = Samba 4 Client %h

    winbind enum users = yes
    winbind enum groups = yes
    winbind use default domain = yes
    winbind expand groups = 4
    winbind nss info = rfc2307
    winbind refresh tickets = Yes
    winbind offline logon = yes
    winbind normalize names = Yes

    ## map ids outside of domain to tdb files.
    idmap config *:backend = tdb
    idmap config *:range = 2000-9999
    ## map ids from the domain the ranges may not overlap !
    idmap config SAMDOM : backend = ad
    idmap config SAMDOM : schema_mode = rfc2307
    idmap config SAMDOM : range = 10000-999999

    domain master = no
    local master = no
    preferred master = no
    os level = 20
    map to guest = bad user
    host msdfs = no

    # user Administrator workaround, without it you are unable to set privileges
    username map = /etc/samba/user.map

    # For ACL support on domain member
    vfs objects = acl_xattr
    map acl inherit = Yes
    store dos attributes = Yes

    # Share Setting Globally
    unix extensions = no
    reset on zero vc = yes
    veto files = /.bash_logout/.bash_profile/.bash_history/.bashrc/
    hide unreadable = yes

    log file = /usr/local/samba/var/log.%m

[homes]
    path = /home/%U
    read only = no

/etc/samba/user.map contains this:

!root = SAMDOM\Administrator SAMDOM\administrator Administrator administrator

The relevant lines in /etc/nsswitch.conf look like this:

passwd: compat winbind
group: compat winbind

Which leads to this:

root@devtest:~# getent passwd
root:x:0:0:root:/root:/bin/bash
.......
.......

It displays no AD users, but if you run it again

root@devtest:~# getent passwd
root:x:0:0:root:/root:/bin/bash
.......
.......
albert:*:10004:10000:Albert Tatlock:/home/albert:/bin/false
rowland:*:10000:10000:Rowland Penny:/home/rowland:/bin/bash
........
........

It doesn't really matter if 'getent passwd' doesn't display all your users, as long as it will display individual users:

root@devtest:~# getent passwd rowland
rowland:*:10000:10000:Rowland Penny:/home/rowland:/bin/bash

Rowland

Timo Dachs-Wegmann
2016-Jul-21 06:08 UTC
[Samba] Getent passwd doesn't show Domain Members
Well, thank you for your support.
I guess you can't tell when debian will release new packages?

I think we'll work with the 4.2.10 (4.2.11) packages until debian releases the new version :)

Kind regards

Timo Dachs-Wegmann
-EDV-

-----Original Message-----
From: samba [mailto:samba-bounces at lists.samba.org] On Behalf Of Rowland penny
Sent: Wednesday, 20 July 2016 17:59
To: samba at lists.samba.org
Subject: Re: [Samba] Getent passwd doesn't show Domain Members

On 20/07/16 11:56, Rowland penny wrote:
> On 20/07/16 11:49, Achim Gottinger wrote:
>> On 20.07.2016 at 11:33, Rowland penny wrote:
>>> OK, I have installed Samba 4.2.0 using distro packages on Devuan in
>>> a VM and set it up as I would normally do.
>>> From my testing, 'getent passwd' and 'getent group' works, so the
>>> question seems to be, how have you set up your domain member ?
>>
>> Hi Rowland,
>>
>> The OP is running in ADDC mode!
>>
>> achim~
>
> Ah, missed that, I will go and try again and report back, it should work.
>
> Rowland

OK, I know what is wrong now, the debian Samba package (version 4.2.10 that is really 4.2.11) is the one that came out after the badlock patches were released. A few regressions were introduced by the badlock patches and these have been fixed in later releases.

To put it bluntly, debian needs to release a later version, even more so, when you take into account that 4.5.0 is nearing release, at which point, the 4.2.x series will go EOL.

Your choices if you need 'getent passwd' to work (if 'getent passwd username' isn't enough) are a bit limited, you could use the Sernet packages (free or paid for), wait until debian releases a later package or compile Samba yourself.

Rowland

On 21/07/16 07:08, Timo Dachs-Wegmann wrote:
> Well, thank you for your support.
> I guess you can't tell when debian will release new packages?

No, but perhaps Andrew Bartlett can ?

Rowland

> I think we'll work with the 4.2.10 (4.2.11) packages until debian releases the new version :)
>
> Kind regards
>
> Timo Dachs-Wegmann
> -EDV-
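
Added example, not part of the thread and not Samba project code: a small Python checker for the situation discussed above, where `getent passwd <user>` resolves a domain account but plain `getent passwd` does not enumerate it. It parses smb.conf and nsswitch.conf text to separate a configuration gap from a suspected package regression; the sample inputs are constructed and the function names are hypothetical.

```python
import re

# Constructed sample inputs modelled on the files quoted in this thread.
SMB_CONF = """\
[global]
    workgroup = PROCITEC
    server role = active directory domain controller
    Winbind Enum Users = Yes
    ; winbind enum groups = yes
"""
NSSWITCH = """\
passwd: compat winbind
group:  compat          # winbind not listed
"""
GETENT_ALL = "root:x:0:0:root:/root:/bin/bash\n"   # plain `getent passwd`
GETENT_ONE = "administrator:*:0:100::/srv/samba/USERS/administrator:/bin/false\n"

TRUE_WORDS = {"yes", "true", "1"}  # boolean spellings smb.conf accepts


def smb_globals(text):
    """Return [global] parameters; names lower-cased, inner spaces collapsed."""
    params, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":          # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "global" and "=" in line:
            key, value = line.split("=", 1)
            params[" ".join(key.lower().split())] = value.strip()
    return params


def nss_sources(text, database):
    """Return the sources nsswitch.conf lists for one database."""
    for raw in text.splitlines():
        name, sep, rest = raw.split("#", 1)[0].partition(":")
        if sep and name.strip() == database:
            # Drop action items such as [NOTFOUND=return].
            return re.sub(r"\[[^\]]*\]", " ", rest).split()
    return []


def diagnose(smb_conf, nsswitch, getent_all, getent_one):
    """Return (config_findings, verdict) for an enumeration/lookup mismatch."""
    params, findings = smb_globals(smb_conf), []
    for db, param in (("passwd", "winbind enum users"),
                      ("group", "winbind enum groups")):
        if "winbind" not in nss_sources(nsswitch, db):
            findings.append(f"nsswitch.conf: {db} does not list winbind")
        if params.get(param, "no").lower() not in TRUE_WORDS:  # default is no
            findings.append(f"smb.conf: {param} is not enabled")
    listed = {l.split(":", 1)[0] for l in getent_all.splitlines() if l}
    fields = getent_one.strip().split(":")
    lookup_only = len(fields) == 7 and fields[0] not in listed
    if not lookup_only:
        verdict = "no mismatch: user is enumerated, or the keyed lookup failed"
    elif findings:
        verdict = "lookup works, enumeration does not: fix the configuration first"
    else:
        verdict = "configuration is complete: check the installed Samba version"
    return findings, verdict


if __name__ == "__main__":
    issues, result = diagnose(SMB_CONF, NSSWITCH, GETENT_ALL, GETENT_ONE)
    print("\n".join(issues + [result]))
```

On a real host the two getent strings would come from the output of `getent passwd` and `getent passwd <user>`, and the two file texts from /etc/samba/smb.conf and /etc/nsswitch.conf.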