samba - Jul 2017 - getent group not working on new domain member

I have a troubling circumstance. I've installed a new domain member running
Slackware64 14.2.
This computer is practically a clone of another domain member I've had set
up and running for
over a year.

Most everything seems to work. I have joined the domain and it does show up as a
domain
computer. The domain user can log onto the computer just fine. I can run `wbinfo
-u`, `wbinfo
-g` and `getent passwd myuser`. All return the correct information.

What I cannot run is `getent group Domain\ Users`. I get nothing why I try. I
can run this w/o
problem on the other domain member. It doesn't seem to be affecting
functionality so far, but
the fact that it doesn't return my Domain Users info worrys me that
something is broken.

I do have "group: compat windbind" in nsswitch.conf.

Any ideas as to what I should do or where I should look?

--Mark

Mark Foley via samba <samba at lists.samba.org> wrote:
> I have a troubling circumstance. I've installed a new domain member
running Slackware64 14.2.
> This computer is practically a clone of another domain member I've had
set up and running for
> over a year.
>
> Most everything seems to work. I have joined the domain and it does show up
as a domain
> computer. The domain user can log onto the computer just fine. I can run
`wbinfo -u`, `wbinfo
> -g` and `getent passwd myuser`. All return the correct information.
>
> What I cannot run is `getent group Domain\ Users`. I get nothing why I try.
I can run this w/o
> problem on the other domain member. It doesn't seem to be affecting
functionality so far, but
> the fact that it doesn't return my Domain Users info worrys me that
something is broken.
>
> I do have "group: compat windbind" in nsswitch.conf.
>
> Any ideas as to what I should do or where I should look?
>
> --Mark
>
I haven't received any feedback on this yet, but I just ran into a situation
where this
group-thing may be affecting. In /etc/cups/cups-files.conf I've set
SystemGroup as:

SystemGroup sys root users "domain users"

However, cups does not like this:

# cupsd -t
"/etc/cups/cups-files.conf" contains errors.

I have to remve the "domain users" setting for cups to run. On the
other domain member where
`getent group Domain\ Users` works, this cups SystemGroup setting is accepted.

--Mark

On Sat, 08 Jul 2017 12:47:13 -0400
Mark Foley via samba <samba at lists.samba.org> wrote:
> I have a troubling circumstance. I've installed a new domain member
> running Slackware64 14.2. This computer is practically a clone of
> another domain member I've had set up and running for over a year.
> 
> Most everything seems to work. I have joined the domain and it does
> show up as a domain computer. The domain user can log onto the
> computer just fine. I can run `wbinfo -u`, `wbinfo -g` and `getent
> passwd myuser`. All return the correct information.
> 
> What I cannot run is `getent group Domain\ Users`. I get nothing why
> I try. I can run this w/o problem on the other domain member. It
> doesn't seem to be affecting functionality so far, but the fact that
> it doesn't return my Domain Users info worrys me that something is
> broken.
> 
> I do have "group: compat windbind" in nsswitch.conf.
> 
> Any ideas as to what I should do or where I should look?
> 
> --Mark
> 
If one Unix domain member works, but another set up exactly the same
doesn't, usually means one of two things. You haven't set up the second
one correctly, or something has changed in Samba.

Can you post your smb.conf and tell us what versions of Samba you are
using on the two machines.

Rowland

The only thing that works for me was this: 

root at samba:~# getent
passwd|tail
systemd-resolve:x:102:104:systemd
Resolver,,,:/run/systemd/resolve:/bin/false
systemd-bus-proxy:x:103:105:systemd
Bus
Proxy,,,:/run/systemd:/bin/false
_apt:x:104:65534::/nonexistent:/bin/false
sshd:x:105:65534::/run/sshd:/usr/sbin/nologin
ntp:x:106:110::/home/ntp:/bin/false
messagebus:x:107:111::/var/run/dbus:/bin/false

SAMDOMadministrator:*:0:100::/home/administrator:/bin/false
SAMDOMglorenzutti:*:3000020:100::/home/glorenzutti:/bin/false
SAMDOMkrbtgt:*:3000021:100::/home/krbtgt:/bin/false
SAMDOMguest:*:3000011:100::/home/guest:/bin/false

root at samba:~#
grep enum /etc/samba/*
/etc/samba/smb.conf:winbind enum users yes
/etc/samba/smb.conf:winbind enum groups = yes

On Sat, 08 Jul 2017
12:47:13 -0400, Mark Foley via samba wrote: 
> I have a troubling
circumstance. I've installed a new domain member running Slackware64
14.2.
> This computer is practically a clone of another domain member
I've had set up and running for
> over a year.
> 
> Most everything
seems to work. I have joined the domain and it does show up as a
domain
> computer. The domain user can log onto the computer just fine.
I can run `wbinfo -u`, `wbinfo
> -g` and `getent passwd myuser`. All
return the correct information.
> 
> What I cannot run is `getent group
Domain Users`. I get nothing why I try. I can run this
w/o
> problem on
the other domain member. It doesn't seem to be affecting functionality
so far, but
> the fact that it doesn't return my Domain Users info
worrys me that something is broken.
> 
> I do have "group: compat
windbind" in nsswitch.conf.
> 
> Any ideas as to what I should do or
where I should look?
> 
> --Mark

On Sun, 09 Jul 2017 10:53:58 -0300
Guido Lorenzutti via samba <samba at lists.samba.org> wrote:
>   
> 
> The only thing that works for me was this: 
> 
> root at samba:~# getent
> passwd|tail
> systemd-resolve:x:102:104:systemd
> Resolver,,,:/run/systemd/resolve:/bin/false
> systemd-bus-proxy:x:103:105:systemd
> Bus
> Proxy,,,:/run/systemd:/bin/false
> _apt:x:104:65534::/nonexistent:/bin/false
> sshd:x:105:65534::/run/sshd:/usr/sbin/nologin
> ntp:x:106:110::/home/ntp:/bin/false
> messagebus:x:107:111::/var/run/dbus:/bin/false
> 
> SAMDOMadministrator:*:0:100::/home/administrator:/bin/false
> SAMDOMglorenzutti:*:3000020:100::/home/glorenzutti:/bin/false
> SAMDOMkrbtgt:*:3000021:100::/home/krbtgt:/bin/false
> SAMDOMguest:*:3000011:100::/home/guest:/bin/false
> 
> root at samba:~#
> grep enum /etc/samba/*
> /etc/samba/smb.conf:winbind enum users > yes
> /etc/samba/smb.conf:winbind enum groups = yes
> 
The 'winbind enum' lines are only required if you want getent to
show all the users and groups, you do not NEED to do this

There is no need for the lines and they will slow things down if you
have a lot of users (imagine if you have a 10,000 users, how long will
that take to print to screen ?). If 'getent passwd username' works, this
is sufficient to prove getent works.

Rowland

Rowland Penny via samba <samba at lists.samba.org> wrote:
> On Sat, 08 Jul 2017 12:47:13 -0400
> Mark Foley via samba <samba at lists.samba.org> wrote:
>
> > I have a troubling circumstance. I've installed a new domain
member
> > running Slackware64 14.2. This computer is practically a clone of
> > another domain member I've had set up and running for over a year.
> > 
> > Most everything seems to work. I have joined the domain and it does
> > show up as a domain computer. The domain user can log onto the
> > computer just fine. I can run `wbinfo -u`, `wbinfo -g` and `getent
> > passwd myuser`. All return the correct information.
> > 
> > What I cannot run is `getent group Domain\ Users`. I get nothing why
> > I try. I can run this w/o problem on the other domain member. It
> > doesn't seem to be affecting functionality so far, but the fact
that
> > it doesn't return my Domain Users info worrys me that something is
> > broken.
> > 
> > I do have "group: compat windbind" in nsswitch.conf.
> > 
> > Any ideas as to what I should do or where I should look?
> > 
> > --Mark
> > 
> If one Unix domain member works, but another set up exactly the same
> doesn't, usually means one of two things. You haven't set up the
second
> one correctly, or something has changed in Samba.
>
> Can you post your smb.conf and tell us what versions of Samba you are
> using on the two machines.
>
> Rowland
Both systems: Slackware64 14.2, Samba 4.4.13

Working system kernel 4.4.19
Non-working system kernel 4.4.75

smb.conf, same on both systems:

[global]
        realm = HPRS.LOCAL
        workgroup = HPRS
        usershare allow guests = Yes
        usershare max shares = 10
        security = ADS
        template shell = /bin/bash

  idmap config *:backend = tdb
  idmap config *:range = 2000-9999
  idmap config HPRS:backend = ad
  idmap config HPRS:schema_mode = rfc2307
  idmap config HPRS:range = 10000-10099

       winbind enum groups = Yes
        winbind enum users = Yes
        winbind nss info = rfc2307
        winbind offline logon = Yes
        winbind refresh tickets = Yes
        winbind use default domain = Yes

To ACR ACR's comment about the libnss_winbind.so* links, yes I have those.

THX --Mark