Rowland Penny
2018-Oct-03 11:09 UTC
[Samba] getent not showing domain users and groups with winbind but works with sssd
On Wed, 3 Oct 2018 12:45:11 +0200
Peter Milesson via samba <samba at lists.samba.org> wrote:

> Hi folks,
>
> I have finally nailed down the problem with the non-functional getent
> command when using winbind on a samba member server (AD domain).
>
> The problem was the entry
>
> idmap config * : range 3000-9999

No, it wasn't

> I used the instructions in
> https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member
> as a template when setting up the server.
>
> Changing the line idmap config to
>
> idmap config * : range = 16777216-33554431

I have no idea why doing that worked for you, all you have done is
moved the range.

> A change of the wiki page would be in order ;-)

Sorry, but that isn't going to happen ;-)

> The smb.conf below works well against my Samba AD DC.

and this is mine that works on my Centos 7 VM:

[global]
workgroup = SAMDOM
security = ADS
realm = SAMDOM.EXAMPLE.COM

dedicated keytab file = /etc/krb5.keytab
kerberos method = secrets and keytab
server string = Samba 4 Client %h

winbind use default domain = yes
winbind expand groups = 4
winbind refresh tickets = Yes
winbind offline logon = yes

## map ids outside of domain to tdb files.
idmap config *:backend = tdb
idmap config *:range = 3000-9999
## map ids from the domain the ranges may not overlap !
idmap config SAMDOM : backend = ad
idmap config SAMDOM : schema_mode = rfc2307
idmap config SAMDOM : unix_nss_info = yes
idmap config SAMDOM : range = 10000-999999
template shell = /bin/bash
template homedir = /home/%U

domain master = no
local master = no
preferred master = no
os level = 20
map to guest = bad user
host msdfs = no

# user Administrator workaround, without it you are unable to set privileges
username map = /etc/samba/user.map

# For ACL support on domain member
vfs objects = acl_xattr full_audit
map acl inherit = Yes
store dos attributes = Yes

# Share Setting Globally
unix extensions = no
reset on zero vc = yes
veto files = /.bash_logout/.bash_profile/.bash_history/.bashrc/
hide unreadable = yes

# disable printing completely
load printers = no
printing = bsd
printcap name = /dev/null
disable spoolss = yes

# logging
#log level = 10
log level = 0
map untrusted to domain = yes

and this is the result:

[root at cen1804 ~]# getent passwd rowland
rowland:*:10000:10000:Rowland Penny:/home/rowland:/bin/bash
[root at cen1804 ~]# getent group Domain\ Users
domain users:x:10000:rowland,...... long list of users.

All I can think of is, you still have sssd installed, I don't.
Or something else isn't set up correctly.

What do the following commands return:

hostname
hostname -s
hostname -d
hostname -f
hostname -i

What is in /etc/resolv.conf
What is in /etc/hosts
What is in /etc/krb5.conf

Rowland
Peter Milesson
2018-Oct-03 13:16 UTC
[Samba] getent not showing domain users and groups with winbind but works with sssd
On 10/3/18 1:09 PM, Rowland Penny via samba wrote:
> On Wed, 3 Oct 2018 12:45:11 +0200
> Peter Milesson via samba <samba at lists.samba.org> wrote:
>
>> Hi folks,
>>
>> I have finally nailed down the problem with the non-functional getent
>> command when using winbind on a samba member server (AD domain).
>>
>> The problem was the entry
>>
>> idmap config * : range 3000-9999
> No, it wasn't
>
>> I used the instructions in
>> https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member
>> as a template when setting up the server.
>>
>> Changing the line idmap config to
>>
>> idmap config * : range = 16777216-33554431
> I have no idea why doing that worked for you, all you have done is
> moved the range.
>
>> A change of the wiki page would be in order ;-)
> Sorry, but that isn't going to happen ;-)
>
>> The smb.conf below works well against my Samba AD DC.
> and this is mine that works on my Centos 7 VM:
>
> [global]
> workgroup = SAMDOM
> security = ADS
> realm = SAMDOM.EXAMPLE.COM
>
> dedicated keytab file = /etc/krb5.keytab
> kerberos method = secrets and keytab
> server string = Samba 4 Client %h
>
> winbind use default domain = yes
> winbind expand groups = 4
> winbind refresh tickets = Yes
> winbind offline logon = yes
>
> ## map ids outside of domain to tdb files.
> idmap config *:backend = tdb
> idmap config *:range = 3000-9999
> ## map ids from the domain the ranges may not overlap !
> idmap config SAMDOM : backend = ad
> idmap config SAMDOM : schema_mode = rfc2307
> idmap config SAMDOM : unix_nss_info = yes
> idmap config SAMDOM : range = 10000-999999
> template shell = /bin/bash
> template homedir = /home/%U
>
> domain master = no
> local master = no
> preferred master = no
> os level = 20
> map to guest = bad user
> host msdfs = no
>
> # user Administrator workaround, without it you are unable to set privileges
> username map = /etc/samba/user.map
>
> # For ACL support on domain member
> vfs objects = acl_xattr full_audit
> map acl inherit = Yes
> store dos attributes = Yes
>
> # Share Setting Globally
> unix extensions = no
> reset on zero vc = yes
> veto files = /.bash_logout/.bash_profile/.bash_history/.bashrc/
> hide unreadable = yes
>
> # disable printing completely
> load printers = no
> printing = bsd
> printcap name = /dev/null
> disable spoolss = yes
>
> # logging
> #log level = 10
> log level = 0
> map untrusted to domain = yes
>
> and this is the result:
>
> [root at cen1804 ~]# getent passwd rowland
> rowland:*:10000:10000:Rowland Penny:/home/rowland:/bin/bash
> [root at cen1804 ~]# getent group Domain\ Users
> domain users:x:10000:rowland,...... long list of users.
>
> All I can think of is, you still have sssd installed, I don't.
> Or something else isn't set up correctly.
>
> What do the following commands return:
>
> hostname
> hostname -s
> hostname -d
> hostname -f
> hostname -i
>
> What is in /etc/resolv.conf
> What is in /etc/hosts
> What is in /etc/krb5.conf
>
> Rowland
>
Hi Rowland,

Seems that I forgot to put the IP address of the host in hosts. SSSD is
not installed. I wiped the previous installation, and installed again. I
was very careful not to install SSSD.

The packages I installed were:

samba samba-common samba-client samba-winbind samba-winbind-clients
krb5-workstation authconfig

When trying to use a Windows computer for administration (Computer
management) and connecting to the member server, there is a Windows
message that it was not possible to connect (problems with DCOM).
However, it's possible to browse the share on the samba member, and
create files.

Still works, after several restarts ;-)

Best regards,

Peter

hostname: smbtest.samdom.local
hostname -s: smbtest
hostname -d: samdom.local
hostname -f: smbtest
hostname -i: 192.168.6.79

resolv.conf
======
search samdom.local
nameserver 192.168.6.80

hosts
===
127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4
::1 localhost localhost.localdomain localhost6 localhost6.localdomain6
192.168.6.79 smbtest.samdom.local smbtest

krb5.conf
=====
[libdefaults]
default_realm = SAMDOM.LOCAL
dns_lookup_realm = false
dns_lookup_kdc = true
Rowland Penny
2018-Oct-03 13:38 UTC
[Samba] getent not showing domain users and groups with winbind but works with sssd
On Wed, 3 Oct 2018 15:16:50 +0200
Peter Milesson via samba <samba at lists.samba.org> wrote:

>
> On 10/3/18 1:09 PM, Rowland Penny via samba wrote:
> > On Wed, 3 Oct 2018 12:45:11 +0200
> > Peter Milesson via samba <samba at lists.samba.org> wrote:
> >
> >> Hi folks,
> >>
> >> I have finally nailed down the problem with the non-functional
> >> getent command when using winbind on a samba member server (AD
> >> domain).
> >>
> >> The problem was the entry
> >>
> >> idmap config * : range 3000-9999
> > No, it wasn't
> >
> >> I used the instructions in
> >> https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member
> >> as a template when setting up the server.
> >>
> >> Changing the line idmap config to
> >>
> >> idmap config * : range = 16777216-33554431
> > I have no idea why doing that worked for you, all you have done is
> > moved the range.
> >
> >> A change of the wiki page would be in order ;-)
> > Sorry, but that isn't going to happen ;-)
> >
> >> The smb.conf below works well against my Samba AD DC.
> > and this is mine that works on my Centos 7 VM:
> >
> > [global]
> > workgroup = SAMDOM
> > security = ADS
> > realm = SAMDOM.EXAMPLE.COM
> >
> > dedicated keytab file = /etc/krb5.keytab
> > kerberos method = secrets and keytab
> > server string = Samba 4 Client %h
> >
> > winbind use default domain = yes
> > winbind expand groups = 4
> > winbind refresh tickets = Yes
> > winbind offline logon = yes
> >
> > ## map ids outside of domain to tdb files.
> > idmap config *:backend = tdb
> > idmap config *:range = 3000-9999
> > ## map ids from the domain the ranges may not overlap !
> > idmap config SAMDOM : backend = ad
> > idmap config SAMDOM : schema_mode = rfc2307
> > idmap config SAMDOM : unix_nss_info = yes
> > idmap config SAMDOM : range = 10000-999999
> > template shell = /bin/bash
> > template homedir = /home/%U
> >
> > domain master = no
> > local master = no
> > preferred master = no
> > os level = 20
> > map to guest = bad user
> > host msdfs = no
> >
> > # user Administrator workaround, without it you are unable to
> > set privileges
> > username map = /etc/samba/user.map
> >
> > # For ACL support on domain member
> > vfs objects = acl_xattr full_audit
> > map acl inherit = Yes
> > store dos attributes = Yes
> >
> > # Share Setting Globally
> > unix extensions = no
> > reset on zero vc = yes
> > veto files = /.bash_logout/.bash_profile/.bash_history/.bashrc/
> > hide unreadable = yes
> >
> > # disable printing completely
> > load printers = no
> > printing = bsd
> > printcap name = /dev/null
> > disable spoolss = yes
> >
> > # logging
> > #log level = 10
> > log level = 0
> > map untrusted to domain = yes
> >
> > and this is the result:
> >
> > [root at cen1804 ~]# getent passwd rowland
> > rowland:*:10000:10000:Rowland Penny:/home/rowland:/bin/bash
> > [root at cen1804 ~]# getent group Domain\ Users
> > domain users:x:10000:rowland,...... long list of users.
> >
> > All I can think of is, you still have sssd installed, I don't.
> > Or something else isn't set up correctly.
> >
> > What do the following commands return:
> >
> > hostname
> > hostname -s
> > hostname -d
> > hostname -f
> > hostname -i
> >
> > What is in /etc/resolv.conf
> > What is in /etc/hosts
> > What is in /etc/krb5.conf
> >
> > Rowland
> >
> Hi Rowland,
>
> Seems that I forgot to put the IP address of the host in hosts. SSSD
> is not installed. I wiped the previous installation, and installed
> again. I was very careful not to install SSSD.
>
> The packages I installed were:
>
> samba samba-common samba-client samba-winbind samba-winbind-clients
> krb5-workstation authconfig
>
> When trying to use a Windows computer for administration (Computer
> management) and connecting to the member server, there is a Windows
> message that it was not possible to connect (problems with DCOM).
> However, it's possible to browse the share on the samba member, and
> create files.
>
> Still works, after several restarts ;-)
>
> Best regards,
>
> Peter
>
> hostname: smbtest.samdom.local
>
> hostname -s: smbtest
>
> hostname -d: samdom.local
>
> hostname -f: smbtest
>
> hostname -i: 192.168.6.79

Oh great, the 'hostname' and 'hostname -f' test results are the wrong
way round. Try opening /etc/hostname in an editor and remove the domain
name i.e. I think you will find it is 'smbtest.samdom.local' make it
just 'smbtest'

> hosts
> ===
>
> 127.0.0.1 localhost localhost.localdomain localhost4
> localhost4.localdomain4
> ::1 localhost localhost.localdomain localhost6
> localhost6.localdomain6
> 192.168.6.79 smbtest.samdom.local smbtest
>

Try making /etc/hosts look like this:

127.0.0.1 localhost
::1 localhost
192.168.6.79 smbtest.samdom.local smbtest

Now run the 'hostname' tests again

Rowland
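The checks Rowland asks for in this thread (the '*' and domain idmap ranges in smb.conf must not overlap, the /etc/hosts line must list the FQDN before the short name, and 'hostname' versus 'hostname -f' must return short name and FQDN respectively) as a small POSIX sh script. This is an added example, not code from either poster or from the Samba project; the function names, the message wording and the sample smb.conf and hosts contents are constructed for the demonstration and are not the posters' real files.

```shell
#!/bin/sh
# Added example (not from the thread): POSIX sh sanity checks for the
# member-server settings discussed above. Sample inputs are constructed.

# Read an smb.conf on stdin, pull out every "idmap config <DOM> : range = LO-HI"
# line and exit 1 if any two ranges overlap (the '*' range and the domain
# range must not overlap).
check_idmap_ranges() {
    awk '
    /^[[:space:]]*idmap config/ && /range/ {
        line = $0
        sub(/^[[:space:]]*idmap config[[:space:]]*/, "", line)
        split(line, parts, ":")               # "<DOM> " and " range = LO-HI"
        dom = parts[1]; gsub(/[[:space:]]+/, "", dom)
        split(parts[2], kv, "=")
        rng = kv[2]; gsub(/[[:space:]]+/, "", rng)
        split(rng, ab, "-")
        if (ab[1] == "" || ab[2] == "" || ab[1] + 0 > ab[2] + 0) {
            printf "BAD: malformed range for %s: %s\n", dom, rng; bad = 1; next
        }
        n++; name[n] = dom; lo[n] = ab[1] + 0; hi[n] = ab[2] + 0
    }
    END {
        if (n < 2) { print "BAD: need a * range and at least one domain range"; bad = 1 }
        for (i = 1; i <= n; i++)
            for (j = i + 1; j <= n; j++)
                if (lo[i] <= hi[j] && lo[j] <= hi[i]) {
                    printf "BAD: %s (%d-%d) overlaps %s (%d-%d)\n",
                           name[i], lo[i], hi[i], name[j], lo[j], hi[j]
                    bad = 1
                }
        if (!bad) print "OK: idmap ranges do not overlap"
        if (bad) exit 1
    }'
}

# Read an /etc/hosts on stdin; the line for IP must list the FQDN first and
# the short host name second, e.g. "192.168.6.79 smbtest.samdom.local smbtest".
check_hosts_entry() {
    awk -v ip="$1" '
    $1 == ip {
        found = 1; fqdn = $2; short = $3
        split(fqdn, labels, ".")
        if (fqdn !~ /\./) { printf "BAD: first name for %s must be the FQDN, got %s\n", ip, fqdn; bad = 1 }
        else if (short != labels[1]) { printf "BAD: second name for %s should be %s, got \"%s\"\n", ip, labels[1], short; bad = 1 }
        else printf "OK: %s -> %s (%s)\n", ip, fqdn, short
    }
    END {
        if (!found) { printf "BAD: no entry for %s\n", ip; bad = 1 }
        if (bad) exit 1
    }'
}

# check_hostname_pair SHORT FQDN: the values 'hostname' and 'hostname -f'
# returned. 'hostname' must be the short name (no dots) and 'hostname -f'
# the FQDN built on it; Peter's output had them the wrong way round.
check_hostname_pair() {
    short=$1; fqdn=$2
    case $short in
        *.*) echo "BAD: 'hostname' returned an FQDN ($short); /etc/hostname should hold only the short name"; return 1 ;;
    esac
    case $fqdn in
        "$short".?*) echo "OK: hostname=$short hostname -f=$fqdn"; return 0 ;;
        *)           echo "BAD: 'hostname -f' returned '$fqdn', expected $short.<domain>"; return 1 ;;
    esac
}

# Constructed samples, modelled on the files quoted in the thread.
SMBCONF_OK='[global]
   idmap config *:backend = tdb
   idmap config *:range = 3000-9999
   idmap config SAMDOM : backend = ad
   idmap config SAMDOM : range = 10000-999999'
SMBCONF_OVERLAP='[global]
   idmap config *:range = 3000-20000
   idmap config SAMDOM : range = 10000-999999'
HOSTS_OK='127.0.0.1 localhost
::1 localhost
192.168.6.79 smbtest.samdom.local smbtest'
HOSTS_SWAPPED='127.0.0.1 localhost
192.168.6.79 smbtest smbtest.samdom.local'

# Demo on the samples. On a real member server run instead:
#   check_idmap_ranges < /etc/samba/smb.conf
#   check_hosts_entry "$(hostname -i)" < /etc/hosts
#   check_hostname_pair "$(hostname)" "$(hostname -f)"
printf '%s\n' "$SMBCONF_OVERLAP" | check_idmap_ranges
printf '%s\n' "$SMBCONF_OK"      | check_idmap_ranges
printf '%s\n' "$HOSTS_SWAPPED"   | check_hosts_entry 192.168.6.79
printf '%s\n' "$HOSTS_OK"        | check_hosts_entry 192.168.6.79
check_hostname_pair smbtest.samdom.local smbtest   # the values Peter reported
check_hostname_pair smbtest smbtest.samdom.local   # what they should look like
```

Each function exits non-zero on a problem, so the script can be dropped into a provisioning or CI step for member servers; the idmap check deliberately refuses a configuration with fewer than two ranges, since the wiki layout this thread follows always has a '*' range beside the domain range.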