I have a troubling circumstance. I've installed a new domain member running Slackware64 14.2. This computer is practically a clone of another domain member I've had set up and running for over a year. Most everything seems to work. I have joined the domain and it does show up as a domain computer. The domain user can log onto the computer just fine. I can run `wbinfo -u`, `wbinfo -g` and `getent passwd myuser`. All return the correct information. What I cannot run is `getent group Domain\ Users`. I get nothing why I try. I can run this w/o problem on the other domain member. It doesn't seem to be affecting functionality so far, but the fact that it doesn't return my Domain Users info worrys me that something is broken. I do have "group: compat windbind" in nsswitch.conf. Any ideas as to what I should do or where I should look? --Mark
Mark Foley via samba <samba at lists.samba.org> wrote:> I have a troubling circumstance. I've installed a new domain member running Slackware64 14.2. > This computer is practically a clone of another domain member I've had set up and running for > over a year. > > Most everything seems to work. I have joined the domain and it does show up as a domain > computer. The domain user can log onto the computer just fine. I can run `wbinfo -u`, `wbinfo > -g` and `getent passwd myuser`. All return the correct information. > > What I cannot run is `getent group Domain\ Users`. I get nothing why I try. I can run this w/o > problem on the other domain member. It doesn't seem to be affecting functionality so far, but > the fact that it doesn't return my Domain Users info worrys me that something is broken. > > I do have "group: compat windbind" in nsswitch.conf. > > Any ideas as to what I should do or where I should look? > > --Mark >I haven't received any feedback on this yet, but I just ran into a situation where this group-thing may be affecting. In /etc/cups/cups-files.conf I've set SystemGroup as: SystemGroup sys root users "domain users" However, cups does not like this: # cupsd -t "/etc/cups/cups-files.conf" contains errors. I have to remve the "domain users" setting for cups to run. On the other domain member where `getent group Domain\ Users` works, this cups SystemGroup setting is accepted. --Mark
On Sat, 08 Jul 2017 12:47:13 -0400 Mark Foley via samba <samba at lists.samba.org> wrote:> I have a troubling circumstance. I've installed a new domain member > running Slackware64 14.2. This computer is practically a clone of > another domain member I've had set up and running for over a year. > > Most everything seems to work. I have joined the domain and it does > show up as a domain computer. The domain user can log onto the > computer just fine. I can run `wbinfo -u`, `wbinfo -g` and `getent > passwd myuser`. All return the correct information. > > What I cannot run is `getent group Domain\ Users`. I get nothing why > I try. I can run this w/o problem on the other domain member. It > doesn't seem to be affecting functionality so far, but the fact that > it doesn't return my Domain Users info worrys me that something is > broken. > > I do have "group: compat windbind" in nsswitch.conf. > > Any ideas as to what I should do or where I should look? > > --Mark >If one Unix domain member works, but another set up exactly the same doesn't, usually means one of two things. You haven't set up the second one correctly, or something has changed in Samba. Can you post your smb.conf and tell us what versions of Samba you are using on the two machines. Rowland
Guido Lorenzutti
2017-Jul-09 13:53 UTC
[Samba] getent group not working on new domain member
The only thing that works for me was this: root at samba:~# getent passwd|tail systemd-resolve:x:102:104:systemd Resolver,,,:/run/systemd/resolve:/bin/false systemd-bus-proxy:x:103:105:systemd Bus Proxy,,,:/run/systemd:/bin/false _apt:x:104:65534::/nonexistent:/bin/false sshd:x:105:65534::/run/sshd:/usr/sbin/nologin ntp:x:106:110::/home/ntp:/bin/false messagebus:x:107:111::/var/run/dbus:/bin/false SAMDOMadministrator:*:0:100::/home/administrator:/bin/false SAMDOMglorenzutti:*:3000020:100::/home/glorenzutti:/bin/false SAMDOMkrbtgt:*:3000021:100::/home/krbtgt:/bin/false SAMDOMguest:*:3000011:100::/home/guest:/bin/false root at samba:~# grep enum /etc/samba/* /etc/samba/smb.conf:winbind enum users yes /etc/samba/smb.conf:winbind enum groups = yes On Sat, 08 Jul 2017 12:47:13 -0400, Mark Foley via samba wrote:> I have a troublingcircumstance. I've installed a new domain member running Slackware64 14.2.> This computer is practically a clone of another domain memberI've had set up and running for> over a year. > > Most everythingseems to work. I have joined the domain and it does show up as a domain> computer. The domain user can log onto the computer just fine.I can run `wbinfo -u`, `wbinfo> -g` and `getent passwd myuser`. Allreturn the correct information.> > What I cannot run is `getent groupDomain Users`. I get nothing why I try. I can run this w/o> problem onthe other domain member. It doesn't seem to be affecting functionality so far, but> the fact that it doesn't return my Domain Users infoworrys me that something is broken.> > I do have "group: compatwindbind" in nsswitch.conf.> > Any ideas as to what I should do orwhere I should look?> > --Mark
On Sun, 09 Jul 2017 10:53:58 -0300 Guido Lorenzutti via samba <samba at lists.samba.org> wrote:> > > The only thing that works for me was this: > > root at samba:~# getent > passwd|tail > systemd-resolve:x:102:104:systemd > Resolver,,,:/run/systemd/resolve:/bin/false > systemd-bus-proxy:x:103:105:systemd > Bus > Proxy,,,:/run/systemd:/bin/false > _apt:x:104:65534::/nonexistent:/bin/false > sshd:x:105:65534::/run/sshd:/usr/sbin/nologin > ntp:x:106:110::/home/ntp:/bin/false > messagebus:x:107:111::/var/run/dbus:/bin/false > > SAMDOMadministrator:*:0:100::/home/administrator:/bin/false > SAMDOMglorenzutti:*:3000020:100::/home/glorenzutti:/bin/false > SAMDOMkrbtgt:*:3000021:100::/home/krbtgt:/bin/false > SAMDOMguest:*:3000011:100::/home/guest:/bin/false > > root at samba:~# > grep enum /etc/samba/* > /etc/samba/smb.conf:winbind enum users > yes > /etc/samba/smb.conf:winbind enum groups = yes >The 'winbind enum' lines are only required if you want getent to show all the users and groups, you do not NEED to do this There is no need for the lines and they will slow things down if you have a lot of users (imagine if you have a 10,000 users, how long will that take to print to screen ?). If 'getent passwd username' works, this is sufficient to prove getent works. Rowland
Rowland Penny via samba <samba at lists.samba.org> wrote:> On Sat, 08 Jul 2017 12:47:13 -0400 > Mark Foley via samba <samba at lists.samba.org> wrote: > > > I have a troubling circumstance. I've installed a new domain member > > running Slackware64 14.2. This computer is practically a clone of > > another domain member I've had set up and running for over a year. > > > > Most everything seems to work. I have joined the domain and it does > > show up as a domain computer. The domain user can log onto the > > computer just fine. I can run `wbinfo -u`, `wbinfo -g` and `getent > > passwd myuser`. All return the correct information. > > > > What I cannot run is `getent group Domain\ Users`. I get nothing why > > I try. I can run this w/o problem on the other domain member. It > > doesn't seem to be affecting functionality so far, but the fact that > > it doesn't return my Domain Users info worrys me that something is > > broken. > > > > I do have "group: compat windbind" in nsswitch.conf. > > > > Any ideas as to what I should do or where I should look? > > > > --Mark > >> If one Unix domain member works, but another set up exactly the same > doesn't, usually means one of two things. You haven't set up the second > one correctly, or something has changed in Samba. > > Can you post your smb.conf and tell us what versions of Samba you are > using on the two machines. > > RowlandBoth systems: Slackware64 14.2, Samba 4.4.13 Working system kernel 4.4.19 Non-working system kernel 4.4.75 smb.conf, same on both systems: [global] realm = HPRS.LOCAL workgroup = HPRS usershare allow guests = Yes usershare max shares = 10 security = ADS template shell = /bin/bash idmap config *:backend = tdb idmap config *:range = 2000-9999 idmap config HPRS:backend = ad idmap config HPRS:schema_mode = rfc2307 idmap config HPRS:range = 10000-10099 winbind enum groups = Yes winbind enum users = Yes winbind nss info = rfc2307 winbind offline logon = Yes winbind refresh tickets = Yes winbind use default domain = Yes To ACR ACR's comment about the libnss_winbind.so* links, yes I have those. THX --Mark