samba - Oct 2018 - getent not showing domain users and groups with winbind but works with sssd

On Wed, 3 Oct 2018 15:16:50 +0200
Peter Milesson via samba <samba at lists.samba.org> wrote:
> 
> On 10/3/18 1:09 PM, Rowland Penny via samba wrote:
> > On Wed, 3 Oct 2018 12:45:11 +0200
> > Peter Milesson via samba <samba at lists.samba.org> wrote:
> >
> >> Hi folks,
> >>
> >> I have finally nailed down the problem with the non-functional
> >> getent command when using winbind on a samba member server (AD
> >> domain).
> >>
> >> The problem was the entry
> >>
> >>      idmap config * : range 3000-9999
> > No, it wasn't
> >
> >> I used the instructions in
> >>
https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member
> >> as a template when setting up the server.
> >>
> >> Changing the line idmap config to
> >>
> >>      idmap config * : range = 16777216-33554431
> > I have no idea why doing that worked for you, all you have done is
> > moved the range.
> >
> >> A change of the wiki page would be in order ;-)
> > Sorry, but that isn't going to happen ;-)
> >
> >> The smb.conf below works well against my Samba AD DC.
> > and this is mine that works on my Centos 7 VM:
> >
> > [global]
> >      workgroup = SAMDOM
> >      security = ADS
> >      realm = SAMDOM.EXAMPLE.COM
> >
> >      dedicated keytab file = /etc/krb5.keytab
> >      kerberos method = secrets and keytab
> >      server string = Samba 4 Client %h
> >
> >      winbind use default domain = yes
> >      winbind expand groups = 4
> >      winbind refresh tickets = Yes
> >      winbind offline logon = yes
> >
> >      ## map ids outside of domain to tdb files.
> >      idmap config *:backend = tdb
> >      idmap config *:range = 3000-9999
> >      ## map ids from the domain  the ranges may not overlap !
> >      idmap config SAMDOM : backend = ad
> >      idmap config SAMDOM : schema_mode = rfc2307
> >      idmap config SAMDOM : unix_nss_info = yes
> >      idmap config SAMDOM : range = 10000-999999
> >      template shell = /bin/bash
> >      template homedir = /home/%U
> >
> >      domain master = no
> >      local master = no
> >      preferred master = no
> >      os level = 20
> >      map to guest = bad user
> >      host msdfs = no
> >
> >      # user Administrator workaround, without it you are unable to
> > set privileges username map = /etc/samba/user.map
> >
> >      # For ACL support on domain member
> >      vfs objects = acl_xattr full_audit
> >      map acl inherit = Yes
> >      store dos attributes = Yes
> >
> >      # Share Setting Globally
> >      unix extensions = no
> >      reset on zero vc = yes
> >      veto files = /.bash_logout/.bash_profile/.bash_history/.bashrc/
> >      hide unreadable = yes
> >
> >      # disable printing completely
> >      load printers = no
> >      printing = bsd
> >      printcap name = /dev/null
> >      disable spoolss = yes
> >
> >      # logging
> >      #log level = 10
> >      log level = 0
> >      map untrusted to domain = yes
> >
> > and this is the result:
> >
> > [root at cen1804 ~]# getent passwd rowland
> > rowland:*:10000:10000:Rowland Penny:/home/rowland:/bin/bash
> > [root at cen1804 ~]# getent group Domain\ Users
> > domain users:x:10000:rowland,...... long list of users.
> >
> > All I can think of is, you still have sssd installed, I don't.
> > Or something else isn't set up correctly.
> >
> > What do the following commands return:
> >
> > hostname
> > hostname -s
> > hostname -d
> > hostname -f
> > hostname -i
> >
> > What is in /etc/resolv.conf
> > What is in /etc/hosts
> > What is in /etc/krb5.conf
> >
> > Rowland
> >
> Hi Rowland,
> 
> Seems that I forgot to put the IP address of the host in hosts. SSSD
> is not installed. I wiped the previous installation, and installed
> again. I was very careful not to install SSSD. The packages I
> installed were:
> 
> samba samba-common samba-client samba-winbind samba-winbind-clients 
> krb5-workstation authconfig
> 
> When trying to use a Windows computer for administration (Computer 
> management) and connecting to the member server, there is a Windows 
> message that it was not possible to connect (problems with DCOM). 
> However, it's possible to browse the share on the samba member, and 
> create files.
> 
> Still works, after several restarts ;-)
> 
> Best regards,
> 
> Peter
> 
> hostname:    smbtest.samdom.local
> 
> hostname -s: smbtest
> 
> hostname -d:     samdom.local
> 
> hostname -f:    smbtest
> 
> hostname -i:    192.168.6.79
Oh great, the 'hostname' and 'hostname -f' test results are the
wrong
way round. Try opening /etc/hostname in an editor and remove the domain
name i.e. I think you will find it is 'smbtest.samdom.local' make it
just 'smbtest'
> hosts
> ===> 
> 127.0.0.1   localhost localhost.localdomain localhost4 
> localhost4.localdomain4
> ::1         localhost localhost.localdomain localhost6 
> localhost6.localdomain6
> 192.168.6.79 smbtest.samdom.local smbtest
> 
Try making /etc/hosts look like this:

127.0.0.1 localhost
::1       localhost
192.168.6.79 smbtest.samdom.local smbtest

Now run the 'hostname' tests again

Rowland

On 03.10.2018 15:38, Rowland Penny via samba wrote:
> On Wed, 3 Oct 2018 15:16:50 +0200
> Peter Milesson via samba <samba at lists.samba.org> wrote:
>
>> On 10/3/18 1:09 PM, Rowland Penny via samba wrote:
>>> On Wed, 3 Oct 2018 12:45:11 +0200
>>> Peter Milesson via samba <samba at lists.samba.org> wrote:
>>>
>>>> Hi folks,
>>>>
>>>> I have finally nailed down the problem with the non-functional
>>>> getent command when using winbind on a samba member server (AD
>>>> domain).
>>>>
>>>> The problem was the entry
>>>>
>>>>       idmap config * : range 3000-9999
>>> No, it wasn't
>>>
>>>> I used the instructions in
>>>>
https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member
>>>> as a template when setting up the server.
>>>>
>>>> Changing the line idmap config to
>>>>
>>>>       idmap config * : range = 16777216-33554431
>>> I have no idea why doing that worked for you, all you have done is
>>> moved the range.
>>>
>>>> A change of the wiki page would be in order ;-)
>>> Sorry, but that isn't going to happen ;-)
>>>
>>>> The smb.conf below works well against my Samba AD DC.
>>> and this is mine that works on my Centos 7 VM:
>>>
>>> [global]
>>>       workgroup = SAMDOM
>>>       security = ADS
>>>       realm = SAMDOM.EXAMPLE.COM
>>>
>>>       dedicated keytab file = /etc/krb5.keytab
>>>       kerberos method = secrets and keytab
>>>       server string = Samba 4 Client %h
>>>
>>>       winbind use default domain = yes
>>>       winbind expand groups = 4
>>>       winbind refresh tickets = Yes
>>>       winbind offline logon = yes
>>>
>>>       ## map ids outside of domain to tdb files.
>>>       idmap config *:backend = tdb
>>>       idmap config *:range = 3000-9999
>>>       ## map ids from the domain  the ranges may not overlap !
>>>       idmap config SAMDOM : backend = ad
>>>       idmap config SAMDOM : schema_mode = rfc2307
>>>       idmap config SAMDOM : unix_nss_info = yes
>>>       idmap config SAMDOM : range = 10000-999999
>>>       template shell = /bin/bash
>>>       template homedir = /home/%U
>>>
>>>       domain master = no
>>>       local master = no
>>>       preferred master = no
>>>       os level = 20
>>>       map to guest = bad user
>>>       host msdfs = no
>>>
>>>       # user Administrator workaround, without it you are unable to
>>> set privileges username map = /etc/samba/user.map
>>>
>>>       # For ACL support on domain member
>>>       vfs objects = acl_xattr full_audit
>>>       map acl inherit = Yes
>>>       store dos attributes = Yes
>>>
>>>       # Share Setting Globally
>>>       unix extensions = no
>>>       reset on zero vc = yes
>>>       veto files =
/.bash_logout/.bash_profile/.bash_history/.bashrc/
>>>       hide unreadable = yes
>>>
>>>       # disable printing completely
>>>       load printers = no
>>>       printing = bsd
>>>       printcap name = /dev/null
>>>       disable spoolss = yes
>>>
>>>       # logging
>>>       #log level = 10
>>>       log level = 0
>>>       map untrusted to domain = yes
>>>
>>> and this is the result:
>>>
>>> [root at cen1804 ~]# getent passwd rowland
>>> rowland:*:10000:10000:Rowland Penny:/home/rowland:/bin/bash
>>> [root at cen1804 ~]# getent group Domain\ Users
>>> domain users:x:10000:rowland,...... long list of users.
>>>
>>> All I can think of is, you still have sssd installed, I don't.
>>> Or something else isn't set up correctly.
>>>
>>> What do the following commands return:
>>>
>>> hostname
>>> hostname -s
>>> hostname -d
>>> hostname -f
>>> hostname -i
>>>
>>> What is in /etc/resolv.conf
>>> What is in /etc/hosts
>>> What is in /etc/krb5.conf
>>>
>>> Rowland
>>>
>> Hi Rowland,
>>
>> Seems that I forgot to put the IP address of the host in hosts. SSSD
>> is not installed. I wiped the previous installation, and installed
>> again. I was very careful not to install SSSD. The packages I
>> installed were:
>>
>> samba samba-common samba-client samba-winbind samba-winbind-clients
>> krb5-workstation authconfig
>>
>> When trying to use a Windows computer for administration (Computer
>> management) and connecting to the member server, there is a Windows
>> message that it was not possible to connect (problems with DCOM).
>> However, it's possible to browse the share on the samba member, and
>> create files.
>>
>> Still works, after several restarts ;-)
>>
>> Best regards,
>>
>> Peter
>>
>> hostname:    smbtest.samdom.local
>>
>> hostname -s: smbtest
>>
>> hostname -d:     samdom.local
>>
>> hostname -f:    smbtest
>>
>> hostname -i:    192.168.6.79
> Oh great, the 'hostname' and 'hostname -f' test results are
the wrong
> way round. Try opening /etc/hostname in an editor and remove the domain
> name i.e. I think you will find it is 'smbtest.samdom.local' make
it
> just 'smbtest'
>
>> hosts
>> ===>>
>> 127.0.0.1   localhost localhost.localdomain localhost4
>> localhost4.localdomain4
>> ::1         localhost localhost.localdomain localhost6
>> localhost6.localdomain6
>> 192.168.6.79 smbtest.samdom.local smbtest
>>
> Try making /etc/hosts look like this:
>
> 127.0.0.1 localhost
> ::1       localhost
> 192.168.6.79 smbtest.samdom.local smbtest
>
> Now run the 'hostname' tests again
>
> Rowland
>    
>
>
Hi Rowland,

I changed the hosts file, and now the hostname and hostname -f returns 
the same string (smbtest.samdom.local).

It seems to be on a good way now. What still does not work is the 
security tab for the share itself. When I get to the security tab as 
Administrator, it behaves like I haven't got permission. When trying to 
set/change ownership of the share, Windows shows an error message. That 
must wait until Friday, as I'm off tomorrow.

Thanks for you help so far.

Peter

On Wed, 3 Oct 2018 16:57:07 +0200
Peter Milesson via samba <samba at lists.samba.org> wrote:
> 
> 
> On 03.10.2018 15:38, Rowland Penny via samba wrote:
> > On Wed, 3 Oct 2018 15:16:50 +0200
> > Peter Milesson via samba <samba at lists.samba.org> wrote:
> >
> >> On 10/3/18 1:09 PM, Rowland Penny via samba wrote:
> >>> On Wed, 3 Oct 2018 12:45:11 +0200
> >>> Peter Milesson via samba <samba at lists.samba.org>
wrote:
> >>>
> >>>> Hi folks,
> >>>>
> >>>> I have finally nailed down the problem with the
non-functional
> >>>> getent command when using winbind on a samba member server
(AD
> >>>> domain).
> >>>>
> >>>> The problem was the entry
> >>>>
> >>>>       idmap config * : range 3000-9999
> >>> No, it wasn't
> >>>
> >>>> I used the instructions in
> >>>>
https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member
> >>>> as a template when setting up the server.
> >>>>
> >>>> Changing the line idmap config to
> >>>>
> >>>>       idmap config * : range = 16777216-33554431
> >>> I have no idea why doing that worked for you, all you have
done is
> >>> moved the range.
> >>>
> >>>> A change of the wiki page would be in order ;-)
> >>> Sorry, but that isn't going to happen ;-)
> >>>
> >>>> The smb.conf below works well against my Samba AD DC.
> >>> and this is mine that works on my Centos 7 VM:
> >>>
> >>> [global]
> >>>       workgroup = SAMDOM
> >>>       security = ADS
> >>>       realm = SAMDOM.EXAMPLE.COM
> >>>
> >>>       dedicated keytab file = /etc/krb5.keytab
> >>>       kerberos method = secrets and keytab
> >>>       server string = Samba 4 Client %h
> >>>
> >>>       winbind use default domain = yes
> >>>       winbind expand groups = 4
> >>>       winbind refresh tickets = Yes
> >>>       winbind offline logon = yes
> >>>
> >>>       ## map ids outside of domain to tdb files.
> >>>       idmap config *:backend = tdb
> >>>       idmap config *:range = 3000-9999
> >>>       ## map ids from the domain  the ranges may not overlap !
> >>>       idmap config SAMDOM : backend = ad
> >>>       idmap config SAMDOM : schema_mode = rfc2307
> >>>       idmap config SAMDOM : unix_nss_info = yes
> >>>       idmap config SAMDOM : range = 10000-999999
> >>>       template shell = /bin/bash
> >>>       template homedir = /home/%U
> >>>
> >>>       domain master = no
> >>>       local master = no
> >>>       preferred master = no
> >>>       os level = 20
> >>>       map to guest = bad user
> >>>       host msdfs = no
> >>>
> >>>       # user Administrator workaround, without it you are
unable
> >>> to set privileges username map = /etc/samba/user.map
> >>>
> >>>       # For ACL support on domain member
> >>>       vfs objects = acl_xattr full_audit
> >>>       map acl inherit = Yes
> >>>       store dos attributes = Yes
> >>>
> >>>       # Share Setting Globally
> >>>       unix extensions = no
> >>>       reset on zero vc = yes
> >>>       veto files
> >>> = /.bash_logout/.bash_profile/.bash_history/.bashrc/ hide
> >>> unreadable = yes
> >>>
> >>>       # disable printing completely
> >>>       load printers = no
> >>>       printing = bsd
> >>>       printcap name = /dev/null
> >>>       disable spoolss = yes
> >>>
> >>>       # logging
> >>>       #log level = 10
> >>>       log level = 0
> >>>       map untrusted to domain = yes
> >>>
> >>> and this is the result:
> >>>
> >>> [root at cen1804 ~]# getent passwd rowland
> >>> rowland:*:10000:10000:Rowland Penny:/home/rowland:/bin/bash
> >>> [root at cen1804 ~]# getent group Domain\ Users
> >>> domain users:x:10000:rowland,...... long list of users.
> >>>
> >>> All I can think of is, you still have sssd installed, I
don't.
> >>> Or something else isn't set up correctly.
> >>>
> >>> What do the following commands return:
> >>>
> >>> hostname
> >>> hostname -s
> >>> hostname -d
> >>> hostname -f
> >>> hostname -i
> >>>
> >>> What is in /etc/resolv.conf
> >>> What is in /etc/hosts
> >>> What is in /etc/krb5.conf
> >>>
> >>> Rowland
> >>>
> >> Hi Rowland,
> >>
> >> Seems that I forgot to put the IP address of the host in hosts.
> >> SSSD is not installed. I wiped the previous installation, and
> >> installed again. I was very careful not to install SSSD. The
> >> packages I installed were:
> >>
> >> samba samba-common samba-client samba-winbind
samba-winbind-clients
> >> krb5-workstation authconfig
> >>
> >> When trying to use a Windows computer for administration (Computer
> >> management) and connecting to the member server, there is a
Windows
> >> message that it was not possible to connect (problems with DCOM).
> >> However, it's possible to browse the share on the samba
member, and
> >> create files.
> >>
> >> Still works, after several restarts ;-)
> >>
> >> Best regards,
> >>
> >> Peter
> >>
> >> hostname:    smbtest.samdom.local
> >>
> >> hostname -s: smbtest
> >>
> >> hostname -d:     samdom.local
> >>
> >> hostname -f:    smbtest
> >>
> >> hostname -i:    192.168.6.79
> > Oh great, the 'hostname' and 'hostname -f' test
results are the
> > wrong way round. Try opening /etc/hostname in an editor and remove
> > the domain name i.e. I think you will find it is
> > 'smbtest.samdom.local' make it just 'smbtest'
> >
> >> hosts
> >> ===> >>
> >> 127.0.0.1   localhost localhost.localdomain localhost4
> >> localhost4.localdomain4
> >> ::1         localhost localhost.localdomain localhost6
> >> localhost6.localdomain6
> >> 192.168.6.79 smbtest.samdom.local smbtest
> >>
> > Try making /etc/hosts look like this:
> >
> > 127.0.0.1 localhost
> > ::1       localhost
> > 192.168.6.79 smbtest.samdom.local smbtest
> >
> > Now run the 'hostname' tests again
> >
> > Rowland
> >    
> >
> >
> Hi Rowland,
> 
> I changed the hosts file, and now the hostname and hostname -f
> returns the same string (smbtest.samdom.local).
They shouldn't, did you also check if /etc/hostname contains just the
short hostname 'smbtest' ?
If you did, then reboot.
> 
> It seems to be on a good way now. What still does not work is the 
> security tab for the share itself. When I get to the security tab as 
> Administrator, it behaves like I haven't got permission. When trying
> to set/change ownership of the share, Windows shows an error message.
> That must wait until Friday, as I'm off tomorrow.
> 
In my smb.conf there is this line:

username map = /etc/samba/user.map

Which contains this line:

!root = SAMDOM\Administrator SAMDOM\administrator Administrator
administrator

With that, Administrator gets mapped to the Unix 'root' user and
'root'
can do anything on Unix.

Rowland