Rowland Penny
2018-Oct-03 13:38 UTC
[Samba] getent not showing domain users and groups with winbind but works with sssd
On Wed, 3 Oct 2018 15:16:50 +0200
Peter Milesson via samba <samba at lists.samba.org> wrote:

> On 10/3/18 1:09 PM, Rowland Penny via samba wrote:
> > On Wed, 3 Oct 2018 12:45:11 +0200
> > Peter Milesson via samba <samba at lists.samba.org> wrote:
> >
> >> Hi folks,
> >>
> >> I have finally nailed down the problem with the non-functional
> >> getent command when using winbind on a samba member server (AD
> >> domain).
> >>
> >> The problem was the entry
> >>
> >> idmap config * : range 3000-9999
> > No, it wasn't
> >
> >> I used the instructions in
> >> https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member
> >> as a template when setting up the server.
> >>
> >> Changing the line idmap config to
> >>
> >> idmap config * : range = 16777216-33554431
> > I have no idea why doing that worked for you, all you have done is
> > moved the range.
> >
> >> A change of the wiki page would be in order ;-)
> > Sorry, but that isn't going to happen ;-)
> >
> >> The smb.conf below works well against my Samba AD DC.
> > and this is mine that works on my Centos 7 VM:
> >
> > [global]
> > workgroup = SAMDOM
> > security = ADS
> > realm = SAMDOM.EXAMPLE.COM
> >
> > dedicated keytab file = /etc/krb5.keytab
> > kerberos method = secrets and keytab
> > server string = Samba 4 Client %h
> >
> > winbind use default domain = yes
> > winbind expand groups = 4
> > winbind refresh tickets = Yes
> > winbind offline logon = yes
> >
> > ## map ids outside of domain to tdb files.
> > idmap config *:backend = tdb
> > idmap config *:range = 3000-9999
> > ## map ids from the domain the ranges may not overlap !
> > idmap config SAMDOM : backend = ad
> > idmap config SAMDOM : schema_mode = rfc2307
> > idmap config SAMDOM : unix_nss_info = yes
> > idmap config SAMDOM : range = 10000-999999
> > template shell = /bin/bash
> > template homedir = /home/%U
> >
> > domain master = no
> > local master = no
> > preferred master = no
> > os level = 20
> > map to guest = bad user
> > host msdfs = no
> >
> > # user Administrator workaround, without it you are unable to set privileges
> > username map = /etc/samba/user.map
> >
> > # For ACL support on domain member
> > vfs objects = acl_xattr full_audit
> > map acl inherit = Yes
> > store dos attributes = Yes
> >
> > # Share Setting Globally
> > unix extensions = no
> > reset on zero vc = yes
> > veto files = /.bash_logout/.bash_profile/.bash_history/.bashrc/
> > hide unreadable = yes
> >
> > # disable printing completely
> > load printers = no
> > printing = bsd
> > printcap name = /dev/null
> > disable spoolss = yes
> >
> > # logging
> > #log level = 10
> > log level = 0
> > map untrusted to domain = yes
> >
> > and this is the result:
> >
> > [root at cen1804 ~]# getent passwd rowland
> > rowland:*:10000:10000:Rowland Penny:/home/rowland:/bin/bash
> > [root at cen1804 ~]# getent group Domain\ Users
> > domain users:x:10000:rowland,...... long list of users.
> >
> > All I can think of is, you still have sssd installed, I don't.
> > Or something else isn't set up correctly.
> >
> > What do the following commands return:
> >
> > hostname
> > hostname -s
> > hostname -d
> > hostname -f
> > hostname -i
> >
> > What is in /etc/resolv.conf
> > What is in /etc/hosts
> > What is in /etc/krb5.conf
> >
> > Rowland
> >
> Hi Rowland,
>
> Seems that I forgot to put the IP address of the host in hosts. SSSD
> is not installed. I wiped the previous installation, and installed
> again. I was very careful not to install SSSD. The packages I
> installed were:
>
> samba samba-common samba-client samba-winbind samba-winbind-clients
> krb5-workstation authconfig
>
> When trying to use a Windows computer for administration (Computer
> management) and connecting to the member server, there is a Windows
> message that it was not possible to connect (problems with DCOM).
> However, it's possible to browse the share on the samba member, and
> create files.
>
> Still works, after several restarts ;-)
>
> Best regards,
>
> Peter
>
> hostname: smbtest.samdom.local
>
> hostname -s: smbtest
>
> hostname -d: samdom.local
>
> hostname -f: smbtest
>
> hostname -i: 192.168.6.79

Oh great, the 'hostname' and 'hostname -f' test results are the wrong
way round. Try opening /etc/hostname in an editor and remove the domain
name i.e. I think you will find it is 'smbtest.samdom.local' make it
just 'smbtest'

> hosts
> ===
>
> 127.0.0.1 localhost localhost.localdomain localhost4
> localhost4.localdomain4
> ::1 localhost localhost.localdomain localhost6
> localhost6.localdomain6
> 192.168.6.79 smbtest.samdom.local smbtest
>

Try making /etc/hosts look like this:

127.0.0.1 localhost
::1 localhost
192.168.6.79 smbtest.samdom.local smbtest

Now run the 'hostname' tests again

Rowland
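The comment in Rowland's smb.conf, "the ranges may not overlap", is the rule the whole idmap discussion turns on: the '*' default range and every domain range must be disjoint. As an added example (not code from the thread or from Samba), this script parses the idmap config lines from a constructed fragment modelled on that [global] section and reports missing, inverted or overlapping ranges:

```python
import re
from itertools import combinations
from typing import Dict, List, Tuple
# Constructed smb.conf fragment modelled on the [global] section quoted in this
# thread: a tdb backend for the '*' default domain and an 'ad' backend for SAMDOM.
SAMPLE_SMB_CONF = """
[global]
   idmap config *:backend = tdb
   idmap config *:range = 3000-9999
   ## map ids from the domain the ranges may not overlap !
   idmap config SAMDOM : backend = ad
   idmap config SAMDOM : schema_mode = rfc2307
   idmap config SAMDOM : range = 10000-999999
"""

# Matches 'idmap config DOMAIN : key = value'; spaces around ':' are optional.
IDMAP_RE = re.compile(
    r"^\s*idmap\s+config\s+(?P<dom>[^:\s]+)\s*:\s*(?P<key>\w+)\s*=\s*(?P<val>.+?)\s*$",
    re.IGNORECASE)

def parse_idmap(conf: str) -> Dict[str, Dict[str, str]]:
    """Collect the idmap settings per domain: {DOMAIN: {key: value}}."""
    out: Dict[str, Dict[str, str]] = {}
    for line in conf.splitlines():
        if line.lstrip().startswith(("#", ";")):  # smb.conf comment line
            continue
        m = IDMAP_RE.match(line)
        if m:
            out.setdefault(m["dom"].upper(), {})[m["key"].lower()] = m["val"]
    return out

def check_idmap(conf: str) -> List[str]:
    """Report domains without a range, inverted ranges, and every overlapping pair."""
    problems: List[str] = []
    ranges: Dict[str, Tuple[int, int]] = {}
    for dom, keys in parse_idmap(conf).items():
        if "range" not in keys:
            problems.append(f"{dom}: no idmap range configured")
            continue
        lo, hi = (int(x) for x in keys["range"].split("-", 1))
        if lo > hi:
            problems.append(f"{dom}: inverted idmap range {keys['range']}")
            continue
        ranges[dom] = (lo, hi)
    for a, b in combinations(sorted(ranges), 2):  # every pair, '*' included
        (alo, ahi), (blo, bhi) = ranges[a], ranges[b]
        if alo <= bhi and blo <= ahi:
            problems.append(f"idmap ranges overlap: {a} {alo}-{ahi} and {b} {blo}-{bhi}")
    return problems
```

Feeding it Peter's original '*' range of 3000-9999 next to SAMDOM's 10000-999999 reports nothing, which is why moving the '*' range changed nothing about the getent problem.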
Peter Milesson
2018-Oct-03 14:57 UTC
[Samba] getent not showing domain users and groups with winbind but works with sssd
On 03.10.2018 15:38, Rowland Penny via samba wrote:
> On Wed, 3 Oct 2018 15:16:50 +0200
> Peter Milesson via samba <samba at lists.samba.org> wrote:
>
>> hostname: smbtest.samdom.local
>>
>> hostname -s: smbtest
>>
>> hostname -d: samdom.local
>>
>> hostname -f: smbtest
>>
>> hostname -i: 192.168.6.79
> Oh great, the 'hostname' and 'hostname -f' test results are the wrong
> way round. Try opening /etc/hostname in an editor and remove the domain
> name i.e. I think you will find it is 'smbtest.samdom.local' make it
> just 'smbtest'
>
>> hosts
>> ===
>>
>> 127.0.0.1 localhost localhost.localdomain localhost4
>> localhost4.localdomain4
>> ::1 localhost localhost.localdomain localhost6
>> localhost6.localdomain6
>> 192.168.6.79 smbtest.samdom.local smbtest
>>
> Try making /etc/hosts look like this:
>
> 127.0.0.1 localhost
> ::1 localhost
> 192.168.6.79 smbtest.samdom.local smbtest
>
> Now run the 'hostname' tests again
>
> Rowland
>
Hi Rowland,

I changed the hosts file, and now the hostname and hostname -f
return the same string (smbtest.samdom.local).

It seems to be on a good way now. What still does not work is the
security tab for the share itself. When I get to the security tab as
Administrator, it behaves like I haven't got permission. When trying
to set/change ownership of the share, Windows shows an error message.

That must wait until Friday, as I'm off tomorrow.

Thanks for your help so far.

Peter
Rowland Penny
2018-Oct-03 15:37 UTC
[Samba] getent not showing domain users and groups with winbind but works with sssd
On Wed, 3 Oct 2018 16:57:07 +0200
Peter Milesson via samba <samba at lists.samba.org> wrote:

> Hi Rowland,
>
> I changed the hosts file, and now the hostname and hostname -f
> return the same string (smbtest.samdom.local).

They shouldn't, did you also check if /etc/hostname contains just the
short hostname 'smbtest' ? If you did, then reboot.

> It seems to be on a good way now. What still does not work is the
> security tab for the share itself. When I get to the security tab as
> Administrator, it behaves like I haven't got permission. When trying
> to set/change ownership of the share, Windows shows an error message.
> That must wait until Friday, as I'm off tomorrow.

In my smb.conf there is this line:

username map = /etc/samba/user.map

Which contains this line:

!root = SAMDOM\Administrator SAMDOM\administrator Administrator administrator

With that, Administrator gets mapped to the Unix 'root' user and 'root'
can do anything on Unix.

Rowland
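Rowland's expected layout (the short name alone in /etc/hostname, and on the host's /etc/hosts line the FQDN first with the short name as an alias) is easy to verify before rebooting. The following is an added example, not from the thread or from Samba; the file contents are constructed to match Peter's host, and the DNS domain samdom.local and the address 192.168.6.79 are the ones he reported:

```python
from typing import List

# Constructed inputs matching Rowland's recommended layout for Peter's host:
# /etc/hostname holds only the short name, and the host's /etc/hosts line
# lists the FQDN first (canonical name) with the short name as an alias.
SAMPLE_HOSTNAME = "smbtest\n"
SAMPLE_HOSTS = """\
127.0.0.1   localhost
::1         localhost
192.168.6.79 smbtest.samdom.local smbtest
"""

def check_host_identity(hostname_file: str, hosts_file: str,
                        dns_domain: str, ip: str) -> List[str]:
    """Return problems with the name setup of a domain member.

    With this layout `hostname` prints the short name, `hostname -f` the
    FQDN and `hostname -d` the DNS domain, which is what Rowland expects.
    """
    problems: List[str] = []
    short = hostname_file.strip()
    if "." in short:
        problems.append(f"/etc/hostname is {short!r}; it should hold only the short name")
        short = short.split(".", 1)[0]
    fqdn = f"{short}.{dns_domain}".lower()
    entry = None
    for raw in hosts_file.splitlines():
        fields = raw.split("#", 1)[0].split()  # drop comments, tokenise
        if len(fields) >= 2 and fields[0] == ip:
            entry = [n.lower() for n in fields[1:]]  # last line for the IP wins
    if entry is None:
        problems.append(f"no /etc/hosts line for {ip}")
        return problems
    if entry[0] != fqdn:
        problems.append(f"canonical name for {ip} is {entry[0]!r}, expected {fqdn!r}")
    if short.lower() not in entry[1:]:
        problems.append(f"short name {short!r} missing as an alias for {ip}")
    return problems
```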