I have read numerous posts regarding this issue without finding a resolution. I have a fresh Samba AD DC & a Samba Member server. The member server has been set up using idmap config ad.

wbinfo -u & wbinfo -g both work and list the domain users & groups.
getent passwd & getent group both only display the local member server users and groups.

From what I have read I understand getent passwd & getent group should display the domain users & groups. "getent passwd administrator" returns nothing.

Any help would be greatly appreciated...

root at ares:/# cat /etc/samba/smb.conf
# Global parameters
[global]
workgroup = SAMDOM
realm = INT.SAMDOM.COM.AU
netbios name = ARES
server role = active directory domain controller
dns forwarder = 192.168.1.254
idmap_ldb:use rfc2307 = yes

[netlogon]
path = /var/lib/samba/sysvol/int.samdom.com.au/scripts
read only = No

[sysvol]
path = /var/lib/samba/sysvol
read only = No

root at aphrodite:/# cat /etc/samba/smb.conf
[global]
security = ADS
workgroup = SAMDOM
realm = INT.SAMDOM.COM.AU

log file = /var/log/samba/%m.log
log level = 1

# Default idmap config used for BUILTIN and local windows accounts/groups
idmap config *:backend = tdb
idmap config *:range = 2000-9999

# idmap config for domain SAMDOM
idmap config SAMDOM:backend = ad
idmap config SAMDOM:schema_mode = rfc2307
idmap config SAMDOM:range = 10000-99999

# Use settings from AD for login shell and home directory
winbind nss info = rfc2307

root at aphrodite:/# cat /etc/nsswitch.conf
# /etc/nsswitch.conf
#
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.

#passwd: compat
passwd: files winbind
#group: compat
group: files winbind
shadow: compat
gshadow: files

hosts: files dns
networks: files

protocols: db files
services: db files
ethers: db files
rpc: db files

netgroup: nis
On Thu, 24 Nov 2016 14:08:18 +1100 Henry via samba <samba at lists.samba.org> wrote:

> I have read numerous posts regarding this issue without finding a
> resolution. I have a fresh Samba AD DC & a Samba Member server. The
> member server has been set up using idmap config ad.
>
> wbinfo -u & wbinfo -g both work and list the domain users & groups.
> getent passwd & getent group both only display the local member server
> users and groups.
>
> From what I have read I understand getent passwd & getent group should
> display the domain users & groups. "getent passwd administrator"
> returns nothing.
>
> Any help would be greatly appreciated...
>
> root at ares:/# cat /etc/samba/smb.conf
> # Global parameters
> [global]
> workgroup = SAMDOM
> realm = INT.SAMDOM.COM.AU
> netbios name = ARES
> server role = active directory domain controller
> dns forwarder = 192.168.1.254
> idmap_ldb:use rfc2307 = yes
>
> [netlogon]
> path = /var/lib/samba/sysvol/int.samdom.com.au/scripts
> read only = No
>
> [sysvol]
> path = /var/lib/samba/sysvol
> read only = No
>
> root at aphrodite:/# cat /etc/samba/smb.conf
> [global]
> security = ADS
> workgroup = SAMDOM
> realm = INT.SAMDOM.COM.AU
>
> log file = /var/log/samba/%m.log
> log level = 1
>
> # Default idmap config used for BUILTIN and local windows accounts/groups
> idmap config *:backend = tdb
> idmap config *:range = 2000-9999
>
> # idmap config for domain SAMDOM
> idmap config SAMDOM:backend = ad
> idmap config SAMDOM:schema_mode = rfc2307
> idmap config SAMDOM:range = 10000-99999
>
> # Use settings from AD for login shell and home directory
> winbind nss info = rfc2307
>
> root at aphrodite:/# cat /etc/nsswitch.conf
> # /etc/nsswitch.conf
> #
> # Example configuration of GNU Name Service Switch functionality.
> # If you have the `glibc-doc-reference' and `info' packages installed, try:
> # `info libc "Name Service Switch"' for information about this file.
>
> #passwd: compat
> passwd: files winbind
> #group: compat
> group: files winbind
> shadow: compat
> gshadow: files
>
> hosts: files dns
> networks: files
>
> protocols: db files
> services: db files
> ethers: db files
> rpc: db files
>
> netgroup: nis

It sounds likely you have made the same assumption that a lot of people make: you assume that by adding the 'idmap config' lines to smb.conf, you will get users & groups shown by 'getent'. It's not that simple, you need to give your users a 'uidNumber' attribute containing a unique number inside the range '10000-99999'. You will also need to give 'Domain Users' a 'gidNumber' containing a number inside the same range.

Do not give Administrator a 'uidNumber', use a user.map instead. Add this to smb.conf on the domain member:

username map = /etc/samba/user.map

Then create /etc/samba/user.map containing this:

!root = SAMDOM\Administrator SAMDOM\administrator Administrator administrator

Restart Samba and Administrator will now be mapped to the Unix user 'root'.

Rowland
On Fri, 25 Nov 2016 07:45:06 +1100 Henry <dercni at gmail.com> wrote:

> Hi Rowland.
>
> Have included the usermap for administrator and given domain users an
> ID in ADUC
>
> getent passwd & group still only displays the local accounts ?
>
> getent passwd administrator => nothing

Firstly, 'getent passwd administrator' on a domain member shouldn't show anything (it does on a Samba AD DC), remember it is now mapped to root. If you run 'getent passwd <a username>' does this produce any output?

By default, 'getent passwd' without a username will show nothing, you will need to add these lines to smb.conf:

winbind enum users = yes
winbind enum groups = yes

I don't think you mentioned what OS you are using, but you will also need a few extra packages installed, on debian based distros these are:

libnss-winbind and libpam-winbind

I also install libpam-krb5

Rowland
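The user.map Rowland recommends is easier to trust once you have watched a name go through it. The script below is an added example, not code from the thread or from Samba; it implements only the subset of the 'username map' syntax used here (one `unixname = winname ...` line per entry, a leading `!` that stops matching once a line hits, and `#`/`;` comment lines; `*` wildcards and `@group` entries are not handled, and names are compared exactly rather than by Samba's own comparison rules). The map is constructed inline: the Administrator line is the thread's, the `backup` line and `SAMDOM\backupsvc` name are made up to show that other names still reach later lines, and a name that matches nothing is returned unchanged, which is what lets `SAMDOM\henry` fall through to winbind and its uidNumber.

```shell
#!/bin/sh
# Added example, not from the thread or from Samba: resolve a Windows name
# through a 'username map' file the way the thread uses it.
# Handled subset of the syntax:
#   unixname = winname [winname ...]   map any listed winname to unixname
#   !unixname = ...                    same, but stop reading the map after a hit
#   lines starting with '#' or ';'     comments
# Not handled: '*' wildcards and '@group' entries. Names are compared exactly,
# which is why the constructed map lists every spelling, as the thread's does.

# Constructed map: the thread's Administrator line plus a made-up service account.
USER_MAP='
# map the AD Administrator to root and stop there
!root = SAMDOM\Administrator SAMDOM\administrator Administrator administrator
; made-up entry showing that later lines are still consulted for other names
backup = SAMDOM\backupsvc
'

# map_user <winname> [map-contents]  -> prints the Unix name to use.
# A name that matches nothing is printed unchanged, so SAMDOM\henry is left
# for winbind to resolve through its uidNumber.
map_user() {
    printf '%s\n' "${2:-$USER_MAP}" | {
        set -f                       # no globbing while splitting name lists
        result=$1
        while IFS= read -r line; do
            case $line in
                ''|'#'*|';'*) continue ;;   # blank lines and comments
                *=*) ;;
                *) continue ;;              # not a mapping line
            esac
            unix=$(printf '%s' "${line%%=*}" | sed 's/^[[:space:]]*//;s/[[:space:]]*$//')
            stop=0
            case $unix in
                '!'*) stop=1; unix=${unix#!} ;;
            esac
            for win in ${line#*=}; do
                if [ "$win" = "$result" ]; then
                    result=$unix
                    [ "$stop" -eq 1 ] && break 2   # '!' : stop processing the map
                    break
                fi
            done
        done
        printf '%s\n' "$result"
    }
}

# Usage: map_user 'SAMDOM\Administrator'   -> root
#        map_user 'SAMDOM\henry'           -> SAMDOM\henry (unchanged)
```

The `!` matters for the root line: without it, a later line could remap `root` again, so any entry that yields root should terminate the search.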
On Fri, 25 Nov 2016 12:34:57 +1100 Henry <dercni at gmail.com> wrote:

> Thanks Rowland.
>
> getent passwd => lists all local users
>
> getent passwd administrator => returns nothing on DC or member.
>
> I have created an AD user called "henry" and assigned a uid
> getent passwd henry => returns nothing

'getent' will only display domain users provided that:

Each user has a uidNumber attribute containing a unique number inside the DOMAIN range set in smb.conf, in your case '10000-99999'
The group 'Domain Users' has a gidNumber attribute containing a number inside the same range
The necessary PAM glue is installed i.e. PAM can talk to winbind.
'winbind' is added to the 'passwd' & 'group' lines in /etc/nsswitch.conf

> root at aphrodite:~# wbinfo -u
> SAMDOM\henry
> SAMDOM\administrator
> SAMDOM\krbtgt
> SAMDOM\guest
>
> I am using Ubuntu 16.04
>
> Are these three extra packages installed on DC or member?

You can install them on both if you need to, if you only use the DC for authentication, then don't install them on the DC, they are the 'missing' bits that turn a DC into a 'fileserver' as well.

If everything is correct, you should get results like this:

rowland at devstation:~$ getent passwd rowland
rowland:*:10000:10000:Rowland Penny:/home/rowland:/bin/bash

Rowland
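The two attribute conditions Rowland states in both of his replies above (every user's uidNumber inside the domain's idmap range, a gidNumber on 'Domain Users' in the same range) can be checked mechanically before chasing PAM or nsswitch problems. The script below is an added example, not from the thread or from Samba: it reads the idmap ranges out of an smb.conf fragment, flags the common mistake of letting the default `*` range overlap the domain range, and then scores each account in an LDIF dump as OK, MISSING or OUT-OF-RANGE. Both inputs are constructed inline; the smb.conf fragment uses the member's settings from the thread, and the LDIF (shaped like output from `ldbsearch` with `sAMAccountName uidNumber gidNumber` requested) contains henry from the thread plus the made-up accounts bob (uid outside the range) and alice (no uidNumber).

```shell
#!/bin/sh
# Added example, not from the thread or from Samba. Before expecting 'getent' to
# show domain accounts on an 'idmap config DOM:backend = ad' member, check:
#   1. the default '*' idmap range does not overlap the domain range
#   2. every user carries a uidNumber inside the domain range
#   3. 'Domain Users' carries a gidNumber inside that same range
# Inputs are constructed text standing in for smb.conf and for an LDIF dump.

# Constructed smb.conf fragment (same idmap settings as the member in the thread).
SMB_CONF='
[global]
   security = ADS
   workgroup = SAMDOM
   idmap config *:backend = tdb
   idmap config *:range = 2000-9999
   idmap config SAMDOM:backend = ad
   idmap config SAMDOM:schema_mode = rfc2307
   idmap config SAMDOM:range = 10000-99999
'

# Constructed LDIF: henry as in the thread; bob (uid outside the range) and
# alice (no uidNumber at all) are made up to exercise the checks.
LDIF='
dn: CN=henry,CN=Users,DC=int,DC=samdom,DC=com,DC=au
sAMAccountName: henry
uidNumber: 10000

dn: CN=bob,CN=Users,DC=int,DC=samdom,DC=com,DC=au
sAMAccountName: bob
uidNumber: 5000

dn: CN=alice,CN=Users,DC=int,DC=samdom,DC=com,DC=au
sAMAccountName: alice

dn: CN=Domain Users,CN=Users,DC=int,DC=samdom,DC=com,DC=au
sAMAccountName: Domain Users
gidNumber: 10000
'

# idmap_range <domain> [smb.conf text] -> "LOW HIGH" from 'idmap config <domain>:range'
idmap_range() {
    printf '%s\n' "${2:-$SMB_CONF}" | awk -v dom="$1" '
        /^[ \t]*idmap config/ {
            line = $0
            sub(/^[ \t]*idmap config[ \t]*/, "", line)
            split(line, kv, "[ \t]*=[ \t]*")        # "DOM:key" and "value"
            split(kv[1], dk, ":")
            if (dk[1] == dom && dk[2] == "range") {
                split(kv[2], r, "-")
                print r[1], r[2]
            }
        }'
}

# ranges_overlap <domain-a> <domain-b> [smb.conf text] -> exit 0 if the ranges overlap
ranges_overlap() {
    set -- $(idmap_range "$1" "$3") $(idmap_range "$2" "$3")
    [ "$1" -le "$4" ] && [ "$3" -le "$2" ]
}

# check_posix_ids [ldif text] -> one line per account: OK|MISSING|OUT-OF-RANGE name id
check_posix_ids() {
    range=$(idmap_range SAMDOM)
    printf '%s\n' "${1:-$LDIF}" | awk -v low="${range% *}" -v high="${range#* }" '
        BEGIN { RS = ""; FS = "\n" }          # one LDIF record per paragraph
        {
            name = ""; id = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^sAMAccountName: /) name = substr($i, 17)
                if ($i ~ /^(uidNumber|gidNumber): /) id = substr($i, 12)
            }
            if (name == "") next
            if (id == "") status = "MISSING"
            else if (id + 0 < low + 0 || id + 0 > high + 0) status = "OUT-OF-RANGE"
            else status = "OK"
            print status, name, (id == "" ? "-" : id)
        }'
}

# Usage:
#   ranges_overlap '*' SAMDOM && echo "WARNING: '*' range overlaps the SAMDOM range"
#   check_posix_ids
```

Running `check_posix_ids` against the constructed data reports henry and Domain Users as OK, bob as OUT-OF-RANGE and alice as MISSING; an account in the last two states is exactly one that `getent` on the member will silently not show, because the ad backend refuses to invent an ID for it.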
On Sat, 26 Nov 2016 12:25:23 +1100 Henry <dercni at gmail.com> wrote:

> thanks again Rowland however I must have something wrong as I have
> double checked everything...
>
> Group: Domain Users has GID of 10000
> User: henry has UID of 10000
> can the user and group have the same number?

Yes, this is me on my Unix domain member:

rowland at devstation:~$ getent passwd rowland
rowland:*:10000:10000:Rowland Penny:/home/rowland:/bin/bash

> henry is a member of "Domain Users"
> /etc/nsswitch.conf has winbind in the passwd & group lines
> I have installed libnss-winbind and libpam-winbind on the member
> server.
>
> getent passwd henry => returns nothing

Ah, do you have this line in smb.conf:

winbind use default domain = yes

If not, try like this:

getent passwd SAMDOM\\henry

> I note when I click the "UNIX Attributes" tab for the group I
> initially receive a popup message of "Unwilling to Perform" and once I
> click OK it goes away and displays the attributes. I do not get this on
> the user properties.

ADUC does funny things like that.

> Above you made the following comment:
> "Firstly 'getent passwd administrator' on a domain member shouldn't
> show anything (it does on a Samba AD DC), remember it is now mapped to
> root."
>
> I note on my DC getent passwd administrator => returns nothing, could
> this indicate the problem cause?

Unlikely, as I said, you need the PAM glue to get 'getent' to work, without libnss-winbind & PAM, 'getent' will only show local users.

> As I have the user.map on the member server how would the DC know
> administrator is mapped to root?

It is mapped in idmap.ldb on the DC, if you open this in ldbedit, i.e.

ldbedit -e nano -H /usr/local/samba/private/idmap.ldb

You should find something like this:

dn: CN=S-1-5-21-1768301897-3342589593-1064908849-500
cn: S-1-5-21-1768301897-3342589593-1064908849-500
objectClass: sidMap
objectSid: S-1-5-21-1768301897-3342589593-1064908849-500
type: ID_TYPE_UID
xidNumber: 0
distinguishedName: CN=S-1-5-21-1768301897-3342589593-1064908849-500

Administrator has the windows RID '500' and is mapped to the Unix ID '0' and this is always 'root'.

Rowland
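The idmap.ldb record Rowland quotes is worth auditing on a DC for the same reason he gives: the RID is the last component of the SID, and xidNumber 0 is root. The script below is an added example, not from the thread or from Samba. It parses an LDIF dump of sidMap records (the shape `ldbsearch -H /usr/local/samba/private/idmap.ldb '(objectClass=sidMap)'` produces), tabulates RID, type and Unix ID for each, and lists any RID other than 500 that is mapped to Unix ID 0. The dump is constructed inline from the record in the thread plus two made-up entries (RID 513 mapped to 100, and RID 1104 mapped to 0) so the check has something to find; treating every non-500 mapping to 0 as something to review is an assumption of this example.

```shell
#!/bin/sh
# Added example, not from the thread or from Samba: audit an LDIF dump of
# idmap.ldb sidMap records. The RID is the last dash-separated SID component;
# xidNumber 0 is root, and only Administrator (RID 500) is expected there.
# The LDIF below is constructed: the RID-500 record is the one quoted in the
# thread, the RID-513 and RID-1104 records are made up to exercise the check.

IDMAP_LDIF='
dn: CN=S-1-5-21-1768301897-3342589593-1064908849-500
cn: S-1-5-21-1768301897-3342589593-1064908849-500
objectClass: sidMap
objectSid: S-1-5-21-1768301897-3342589593-1064908849-500
type: ID_TYPE_UID
xidNumber: 0
distinguishedName: CN=S-1-5-21-1768301897-3342589593-1064908849-500

dn: CN=S-1-5-21-1768301897-3342589593-1064908849-513
cn: S-1-5-21-1768301897-3342589593-1064908849-513
objectClass: sidMap
objectSid: S-1-5-21-1768301897-3342589593-1064908849-513
type: ID_TYPE_GID
xidNumber: 100
distinguishedName: CN=S-1-5-21-1768301897-3342589593-1064908849-513

dn: CN=S-1-5-21-1768301897-3342589593-1064908849-1104
cn: S-1-5-21-1768301897-3342589593-1064908849-1104
objectClass: sidMap
objectSid: S-1-5-21-1768301897-3342589593-1064908849-1104
type: ID_TYPE_UID
xidNumber: 0
distinguishedName: CN=S-1-5-21-1768301897-3342589593-1064908849-1104
'

# sid_rid <SID> -> prints the relative identifier (last dash-separated component)
sid_rid() {
    printf '%s\n' "${1##*-}"
}

# idmap_table [ldif text] -> one line per sidMap record: "RID TYPE XID"
idmap_table() {
    printf '%s\n' "${1:-$IDMAP_LDIF}" | awk '
        BEGIN { RS = ""; FS = "\n" }          # one LDIF record per paragraph
        {
            sid = ""; type = ""; xid = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^objectSid: /) sid = substr($i, 12)
                if ($i ~ /^type: /) type = substr($i, 7)
                if ($i ~ /^xidNumber: /) xid = substr($i, 12)
            }
            if (sid == "") next
            n = split(sid, parts, "-")
            print parts[n], type, xid
        }'
}

# root_mappings [ldif text] -> RIDs other than 500 that are mapped to Unix ID 0
root_mappings() {
    idmap_table "$1" | awk '$3 == 0 && $1 != 500 { print $1 }'
}

# Usage:
#   idmap_table                       # RID / type / xid for every record
#   root_mappings                     # anything mapped to root that is not RID 500
```

On a real DC the same functions can be fed the live dump, `root_mappings "$(ldbsearch -H /usr/local/samba/private/idmap.ldb '(objectClass=sidMap)')"`, and an empty result is the expected state.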
On Sun, 27 Nov 2016 10:33:04 +1100 Henry <dercni at gmail.com> wrote:

> On Sat, Nov 26, 2016 at 8:30 PM, Rowland Penny via samba
> <samba at lists.samba.org> wrote:
> > On Sat, 26 Nov 2016 12:25:23 +1100
> > Henry <dercni at gmail.com> wrote:
> >
> >> thanks again Rowland however I must have something wrong as I have
> >> double checked everything...
> >>
> >> Group: Domain Users has GID of 10000
> >> User: henry has UID of 10000
> >> can the user and group have the same number?
> >
> > Yes, this is me on my Unix domain member:
> >
> > rowland at devstation:~$ getent passwd rowland
> > rowland:*:10000:10000:Rowland Penny:/home/rowland:/bin/bash
> >
> >> henry is a member of "Domain Users"
> >> /etc/nsswitch.conf has winbind in the passwd & group lines
> >> I have installed libnss-winbind and libpam-winbind on the member
> >> server.
> >>
> >> getent passwd henry => returns nothing
> >
> > Ah, do you have this line in smb.conf:
> >
> > winbind use default domain = yes
> >
> > If not, try like this:
> >
> > getent passwd SAMDOM\\henry
>
> It works !!!!
>
> root at aphrodite:~# getent passwd SAMDOM\\henry
> SAMDOM\henry:*:10000:10000:Henry:/home/henry:/bin/sh
> root at aphrodite:~# vi /etc/samba/smb.conf
> ** REBOOT **
> root at aphrodite:~# getent passwd henry
> henry:*:10000:10000:Henry McLaughlin:/home/henry:/bin/sh
> root at aphrodite:~# getent group Domain\ Users
> domain users:x:10000:
>
> >> I note when I click the "UNIX Attributes" tab for the group I
> >> initially receive a popup message of "Unwilling to Perform" and
> >> once I click OK it goes away and displays the attributes. I do not
> >> get this on the user properties.
> >
> > ADUC does funny things like that.
>
> OK
>
> >> Above you made the following comment:
> >> "Firstly 'getent passwd administrator' on a domain member shouldn't
> >> show anything (it does on a Samba AD DC), remember it is now
> >> mapped to root."
> >>
> >> I note on my DC getent passwd administrator => returns nothing,
> >> could this indicate the problem cause?
> >
> > Unlikely, as I said, you need the PAM glue to get 'getent' to work,
> > without libnss-winbind & PAM, 'getent' will only show local users.
> >
> >> As I have the user.map on the member server how would the DC know
> >> administrator is mapped to root?
> >
> > It is mapped in idmap.ldb on the DC, if you open this in ldbedit,
> > i.e. ldbedit -e nano -H /usr/local/samba/private/idmap.ldb
> >
> > You should find something like this:
> >
> > dn: CN=S-1-5-21-1768301897-3342589593-1064908849-500
> > cn: S-1-5-21-1768301897-3342589593-1064908849-500
> > objectClass: sidMap
> > objectSid: S-1-5-21-1768301897-3342589593-1064908849-500
> > type: ID_TYPE_UID
> > xidNumber: 0
> > distinguishedName: CN=S-1-5-21-1768301897-3342589593-1064908849-500
> >
> > Administrator has the windows RID '500' and is mapped to the Unix ID
> > '0' and this is always 'root'
>
> Does this mean that on the DC "administrator" is auto mapped to "root"
> however not on the member so we need the usermap on the member to tell
> it what the mapping is?

That is a very good way of putting it.

> > Rowland
> >
> > --
> > To unsubscribe from this list go to the following URL and read the
> > instructions: https://lists.samba.org/mailman/options/samba
>
> Once again Rowland thanks for all your help here. Could not have got
> this far without your help :)

No problem, glad to help.

Rowland