Rowland Penny
2018-Oct-02 11:07 UTC
[Samba] getent not showing domain users and groups with winbind but works with sssd
On Tue, 2 Oct 2018 12:40:19 +0200
Peter Milesson via samba <samba at lists.samba.org> wrote:

> On 10/1/18 8:40 PM, Rowland Penny via samba wrote:
> > On Mon, 1 Oct 2018 19:28:29 +0200
> > Peter Milesson via samba <samba at lists.samba.org> wrote:
> >
> >> Hi Louis and Rowland,
> >>
> >> I'm just reporting back on this, in case it may help somebody else.
> >>
> >> Getting a working getent (or id) under the current version of
> >> CentOS with winbind just doesn't seem possible. I haven't got a
> >> clue where the problem is. I have tried the suggestions, I did a
> >> clean installation, and built Samba myself from source, but no way.
> >> Installing sssd, a few lines of configuration, disabling winbind,
> >> and it just works. I just want to stress that the problems I have
> >> had getting the Samba domain member to work are most probably
> >> CentOS-related.
> >>
> >> Unfortunately, I must leave it at this point, as I have spent way
> >> too much time already. At least I'm glad that I didn't upgrade the
> >> production server directly, and instead spent time trying to get
> >> things to work in the test environment. Otherwise there would have
> >> been tar and feathers at noon today.
> >>
> >> A sincere thank you for your time and suggestions.
> >>
> > OK, it is your decision (and I don't blame you for your choice) to
> > use sssd, but I feel I should point out that using winbind does
> > work on Centos 7.1.
> >
> > I had Centos 7 in a VM, so I started it, updated it and installed
> > the centos Samba packages (by the way, who thought that it was a
> > good idea to call 'winbind' 'samba-winbind' ?). Installed a copy of
> > a known working smb.conf from a Devuan machine. I should mention
> > that the Centos VM was previously running a compiled version of Samba,
> > so most of the set up was already done (This set up was based on
> > what I do for Devuan).
> >
> > And........
> >
> > [root at cen1804 ~]# getent passwd rowland
> > rowland:*:10000:10000:Rowland Penny:/home/rowland:/bin/bash
> >
> > [root at cen1804 ~]# getent group domain\ users
> > domain users:x:10000:......long list of users
> >
> > There is undoubtedly something different between your setup and
> > mine.
> >
> > Rowland
>
> Hi Rowland,
>
> Now I'm bothering you with getent and winbind again.
>
> I got winbind working. Sort of. It turned out to be that the
> libwbclient.so library wasn't registered with ld.so.conf.

Just check you are using the correct libwbclient.so, sssd uses some of
the Samba code.

> What happens now is that some users and groups are listed when I run
> getent. I guess that it may be due to some cache files still
> containing residue. Any suggestions?
>

Try running 'net cache flush'

Rowland
Peter Milesson
2018-Oct-03 10:45 UTC
[Samba] getent not showing domain users and groups with winbind but works with sssd
On 10/2/18 1:07 PM, Rowland Penny via samba wrote:
> On Tue, 2 Oct 2018 12:40:19 +0200
> Peter Milesson via samba <samba at lists.samba.org> wrote:
>
>> On 10/1/18 8:40 PM, Rowland Penny via samba wrote:
>>> On Mon, 1 Oct 2018 19:28:29 +0200
>>> Peter Milesson via samba <samba at lists.samba.org> wrote:
>>>
>>>> Hi Louis and Rowland,
>>>>
>>>> I'm just reporting back on this, in case it may help somebody else.
>>>>
>>>> Getting a working getent (or id) under the current version of
>>>> CentOS with winbind just doesn't seem possible. I haven't got a
>>>> clue where the problem is. I have tried the suggestions, I did a
>>>> clean installation, and built Samba myself from source, but no way.
>>>> Installing sssd, a few lines of configuration, disabling winbind,
>>>> and it just works. I just want to stress that the problems I have
>>>> had getting the Samba domain member to work are most probably
>>>> CentOS-related.
>>>>
>>>> Unfortunately, I must leave it at this point, as I have spent way
>>>> too much time already. At least I'm glad that I didn't upgrade the
>>>> production server directly, and instead spent time trying to get
>>>> things to work in the test environment. Otherwise there would have
>>>> been tar and feathers at noon today.
>>>>
>>>> A sincere thank you for your time and suggestions.
>>>>
>>> OK, it is your decision (and I don't blame you for your choice) to
>>> use sssd, but I feel I should point out that using winbind does
>>> work on Centos 7.1.
>>>
>>> I had Centos 7 in a VM, so I started it, updated it and installed
>>> the centos Samba packages (by the way, who thought that it was a
>>> good idea to call 'winbind' 'samba-winbind' ?). Installed a copy of
>>> a known working smb.conf from a Devuan machine. I should mention
>>> that the Centos VM was previously running a compiled version of Samba,
>>> so most of the set up was already done (This set up was based on
>>> what I do for Devuan).
>>>
>>> And........
>>>
>>> [root at cen1804 ~]# getent passwd rowland
>>> rowland:*:10000:10000:Rowland Penny:/home/rowland:/bin/bash
>>>
>>> [root at cen1804 ~]# getent group domain\ users
>>> domain users:x:10000:......long list of users
>>>
>>> There is undoubtedly something different between your setup and
>>> mine.
>>>
>>> Rowland
>> Hi Rowland,
>>
>> Now I'm bothering you with getent and winbind again.
>>
>> I got winbind working. Sort of. It turned out to be that the
>> libwbclient.so library wasn't registered with ld.so.conf.
> Just check you are using the correct libwbclient.so, sssd uses some of
> the Samba code.
>
>> What happens now is that some users and groups are listed when I run
>> getent. I guess that it may be due to some cache files still
>> containing residue. Any suggestions?
>>
> Try running 'net cache flush'
>
> Rowland
>
>
Hi folks,

I have finally nailed down the problem with the non-functional getent
command when using winbind on a samba member server (AD domain).

The problem was the entry

idmap config * : range 3000-9999

in smb.conf

I used the instructions in
https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member
as a template when setting up the server.

Changing the line idmap config to

idmap config * : range = 16777216-33554431

made all the difference. I got that range by using the authconfig tool,
and then commenting out some lines, most notably "password server"

A change of the wiki page would be in order ;-)

The smb.conf below works well against my Samba AD DC. There are no
shares defined (yet), which depends on the local needs.

Best regards,

Peter

[global]
        workgroup = SAMDOM
        # password server = samadc.samdom.local
        realm = SAMDOM.LOCAL
        security = ads
        template homedir = /dev/null
        template shell = /sbin/nologin
        # kerberos method = secrets only
        winbind use default domain = true
        winbind offline logon = true
        idmap config * : backend = tdb
        idmap config * : range = 16777216-33554431
        # idmap config * : range 3000-9999
        idmap config SAMDOM:backend = rid
        idmap config SAMDOM:range = 10000-99999
        local master = no
        ; domain master = no
        preferred master = no
        username map = /etc/samba/user.map
        dedicated keytab file = /etc/krb5.keytab
        kerberos method = secrets and keytab
        winbind refresh tickets = Yes
        client signing = mandatory
        winbind enum users = yes
        winbind enum groups = yes
        printing = bsd
        printcap name = /dev/null
        load printers = no
        disable spoolss = yes
        vfs objects = acl_xattr
        map acl inherit = yes
        store dos attributes = yes
Rowland Penny
2018-Oct-03 11:09 UTC
[Samba] getent not showing domain users and groups with winbind but works with sssd
On Wed, 3 Oct 2018 12:45:11 +0200
Peter Milesson via samba <samba at lists.samba.org> wrote:

> Hi folks,
>
> I have finally nailed down the problem with the non-functional getent
> command when using winbind on a samba member server (AD domain).
>
> The problem was the entry
>
> idmap config * : range 3000-9999

No, it wasn't

> I used the instructions in
> https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member
> as a template when setting up the server.
>
> Changing the line idmap config to
>
> idmap config * : range = 16777216-33554431

I have no idea why doing that worked for you, all you have done is
moved the range.

> A change of the wiki page would be in order ;-)

Sorry, but that isn't going to happen ;-)

>
> The smb.conf below works well against my Samba AD DC.

and this is mine that works on my Centos 7 VM:

[global]
        workgroup = SAMDOM
        security = ADS
        realm = SAMDOM.EXAMPLE.COM
        dedicated keytab file = /etc/krb5.keytab
        kerberos method = secrets and keytab
        server string = Samba 4 Client %h
        winbind use default domain = yes
        winbind expand groups = 4
        winbind refresh tickets = Yes
        winbind offline logon = yes

        ## map ids outside of domain to tdb files.
        idmap config *:backend = tdb
        idmap config *:range = 3000-9999

        ## map ids from the domain  the ranges may not overlap !
        idmap config SAMDOM : backend = ad
        idmap config SAMDOM : schema_mode = rfc2307
        idmap config SAMDOM : unix_nss_info = yes
        idmap config SAMDOM : range = 10000-999999

        template shell = /bin/bash
        template homedir = /home/%U

        domain master = no
        local master = no
        preferred master = no
        os level = 20
        map to guest = bad user
        host msdfs = no

        # user Administrator workaround, without it you are unable to set privileges
        username map = /etc/samba/user.map

        # For ACL support on domain member
        vfs objects = acl_xattr full_audit
        map acl inherit = Yes
        store dos attributes = Yes

        # Share Setting Globally
        unix extensions = no
        reset on zero vc = yes
        veto files = /.bash_logout/.bash_profile/.bash_history/.bashrc/
        hide unreadable = yes

        # disable printing completely
        load printers = no
        printing = bsd
        printcap name = /dev/null
        disable spoolss = yes

        # logging
        #log level = 10
        log level = 0
        map untrusted to domain = yes

and this is the result:

[root at cen1804 ~]# getent passwd rowland
rowland:*:10000:10000:Rowland Penny:/home/rowland:/bin/bash

[root at cen1804 ~]# getent group Domain\ Users
domain users:x:10000:rowland,...... long list of users.

All I can think of is, you still have sssd installed, I don't. Or
something else isn't set up correctly.

What do the following commands return:

hostname
hostname -s
hostname -d
hostname -f
hostname -i

What is in /etc/resolv.conf
What is in /etc/hosts
What is in /etc/krb5.conf

Rowland
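Added example (my own code, not from the thread or from Samba): a small Python lint for the idmap settings in smb.conf, run over constructed fragments modelled on Peter's and Rowland's configs above. It reports an "idmap config ... : range" line that lacks its "=" (smb.conf parameters are "name = value" pairs), a domain left without any range at all, and ranges that overlap, the condition the comment in Rowland's config warns about.

```python
import re
from typing import Dict, List

# Well-formed: "idmap config SAMDOM : range = 10000-99999" or
# "idmap config *:backend = tdb" (Samba accepts either spacing).
IDMAP_RE = re.compile(
    r"^idmap\s+config\s+(?P<dom>\S+?)\s*:\s*(?P<key>\w+)\s*=\s*(?P<val>.+)$", re.I)
# An idmap line whose key is followed by a value but no '='.
BROKEN_RE = re.compile(r"^idmap\s+config\s+\S+?\s*:\s*\w+\s+[^=\s]", re.I)

def lint_idmap(conf: str) -> List[str]:
    """Return the problems found in conf's idmap lines (empty list if none)."""
    problems: List[str] = []
    settings: Dict[str, Dict[str, str]] = {}
    for lineno, raw in enumerate(conf.splitlines(), 1):
        line = raw.strip()
        if not line or line[0] in "#;":
            continue  # blank line or smb.conf comment
        m = IDMAP_RE.match(line)
        if m:
            settings.setdefault(m["dom"].upper(), {})[m["key"].lower()] = m["val"]
        elif BROKEN_RE.match(line):
            problems.append(f"line {lineno}: missing '=' in {line!r}")
    ranges = {}
    for dom, keys in settings.items():
        if "range" not in keys:
            problems.append(f"{dom}: no idmap range configured")
            continue
        lo, hi = (int(x) for x in keys["range"].split("-"))
        ranges[dom] = (lo, hi)
    doms = sorted(ranges)  # check every pair of domains once
    for i, a in enumerate(doms):
        for b in doms[i + 1:]:
            if ranges[a][0] <= ranges[b][1] and ranges[b][0] <= ranges[a][1]:
                problems.append(f"idmap ranges for {a} and {b} overlap")
    return problems

# Constructed fragment modelled on Peter's smb.conf: the '*' range line has no '='.
PETER_CONF = """\
[global]
   idmap config * : backend = tdb
   idmap config * : range 3000-9999
   idmap config SAMDOM:backend = rid
   idmap config SAMDOM:range = 10000-99999
"""
# Constructed: the same fragment with the '=' restored, as in Rowland's config ...
FIXED_CONF = PETER_CONF.replace("range 3000-9999", "range = 3000-9999")
# ... and with the '*' range widened until it runs into the SAMDOM range.
OVERLAP_CONF = PETER_CONF.replace("range 3000-9999", "range = 3000-20000")
```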