Hi all,

I've been reading and it seems like ad backend has many features that I'd like to use. However, despite browsing many forums and docs, I am still unable to get domain users list using `getent passwd` while using `ad backend`. If I change backend to tdb, then I can get usernames on the clients. Authentication works fine too when using `tdb backend`. I think the only issue is with the mapping part. Otherwise the domain is working pretty fine.

All boxes are running Debian Stretch.

==================================================
Server's smb.conf
==================================================
# Global parameters
[global]
    netbios name = DC1
    realm = SAMDOM.EXAMPLE.COM
    workgroup = SAMDOM
    dns forwarder = 10.0.5.200
    server role = active directory domain controller
    idmap_ldb:use rfc2307 = yes
    winbind enum users = yes
    winbind enum groups = yes
    template shell = /bin/bash

[netlogon]
    path = /var/lib/samba/sysvol/samdom.example.com/scripts
    read only = No

[sysvol]
    path = /var/lib/samba/sysvol
    read only = No

==================================================
Client's smb.conf
==================================================
[global]
    netbios name = client1
    realm = SAMDOM.EXAMPLE.COM
    workgroup = SAMDOM
    security = ADS
    kerberos method = secrets and keytab
    winbind trusted domains only = no
    winbind enum users = yes
    winbind enum groups = yes
    winbind use default domain = yes
    winbind nss info = rfc2307
    # FOR Samba-share `getent` testing
    # password server = dc1.samdom.example.com
    # client signing = auto
    # server signing = auto

    idmap config * : backend = tdb
    idmap config * : range = 10000-20000

    idmap config SAMDOM : backend = ad
    idmap config SAMDOM : range = 21000-200000
-------------------------------------------------------------------------

**With ad backend:**
1. wbinfo -u lists all domain users
2. `getent passwd` doesn't list domain users

**With tdb backend:**
1. wbinfo -u lists all domain users
2. `getent passwd` also lists all domain users

Just by commenting out the `idmap config SAMDOM` lines in the client's smb.conf, all other things start working such as `getent passwd`, authentication, etc.

I tried adding multiple Unix groups and users following instructions on Samba Wiki, but the result is always the same. I've been trying to sort it out for a couple of weeks and it's now driving me insane.

Any help would be appreciated!

Kind regards,
Harp
Did you assign uid/gids to the users/groups?
https://wiki.samba.org/index.php/Maintaining_Unix_Attributes_in_AD_using_ADUC

And test with:

getent passwd username

You can change these settings to no; for testing it's ok, but it only slows down your server.

# For member and DC, set to no.
> winbind enum users = yes
> winbind enum groups = yes

# member only
If you use:
> kerberos method = secrets and keytab
Then also set:
dedicated keytab file = /etc/krb5.keytab
# renew the kerberos ticket
winbind refresh tickets = yes

Besides that the configs look ok.

Can you show /etc/nsswitch.conf? I expect it to be good, just to be sure.

Greetz,

Louis

> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of
> Harpoon via samba
> Sent: Thursday 24 January 2019 9:57
> To: samba at lists.samba.org
> Subject: [Samba] `getent passwd` not working with ad backend
>
> Hi all,
> I've been reading and it seems like ad backend has many
> features that I'd like to use. However, despite browsing many
> forums and docs, I am still unable to get domain users list
> using `getent passwd` while using `ad backend`. If I change
> backend to tdb, then I can get usernames on the clients.
> Authentication works fine too when using `tdb backend`. I
> think the only issue is with the mapping part. Otherwise the
> domain is working pretty fine.
>
> All boxes are running Debian Stretch.
On Thu, 24 Jan 2019 08:57:21 +0000
Harpoon via samba <samba at lists.samba.org> wrote:

> Hi all,
> I've been reading and it seems like ad backend has many features that
> I'd like to use. However, despite browsing many forums and docs, I am
> still unable to get domain users list using `getent passwd` while
> using `ad backend`. If I change backend to tdb, then I can get
> usernames on the clients. Authentication works fine too when using
> `tdb backend`. I think the only issue is with the mapping part.
> Otherwise the domain is working pretty fine.
>
> All boxes are running Debian Stretch.

'wbinfo' goes direct to AD, it bypasses the underlying OS. It also totally ignores anything to do with Unix; just because it shows the users in AD doesn't mean anything to Unix.

With your smb.conf, it looks like something is wrong/missing, probably the required uidNumber & gidNumber attributes.

Does 'Domain Users' have a gidNumber attribute containing a number inside the '21000-200000' range?

Do the users you want/need to be Unix users have a uidNumber attribute containing a unique number inside the '21000-200000' range?

Do not confuse the '3000000' numbers found on a DC with uidNumbers or gidNumbers.

Rowland
‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
On Thursday, January 24, 2019 9:33 AM, Rowland Penny via samba <samba at lists.samba.org> wrote:

> On Thu, 24 Jan 2019 08:57:21 +0000
> Harpoon via samba samba at lists.samba.org wrote:
>
> > Hi all,
> > I've been reading and it seems like ad backend has many features that
> > I'd like to use. However, despite browsing many forums and docs, I am
> > still unable to get domain users list using `getent passwd` while
> > using `ad backend`. If I change backend to tdb, then I can get
> > usernames on the clients. Authentication works fine too when using
> > `tdb backend`. I think the only issue is with the mapping part.
> > Otherwise the domain is working pretty fine.
> > All boxes are running Debian Stretch.
>
> 'wbinfo' goes direct to AD, it bypasses the underlying OS. It also
> totally ignores anything to do with Unix, just because it shows the
> users in AD, doesn't mean anything to Unix.

That was indeed my understanding. Thanks for confirmation!

> With your smb.conf, it looks like something is wrong/missing, probably
> the required uidNumber & gidNumber attributes.

I did add uidNumber and gidNumber during creation of new groups and users.

> Does 'Domain Users' have a gidNumber attribute containing a number
> inside the '21000-200000' range ?

That was part of the problem. The 'Domain Users' group has GID 12000 (set by following the https://techblog.devlat.eu/2017/02/04/gid-of-the-domain-users-resetting-to-100-with-a-samba-ad-dc/ guide).

So I modified the client's smb.conf as:

[global]
    netbios name = client1
    realm = SAMDOM.EXAMPLE.COM
    workgroup = SAMDOM
    security = ADS
    kerberos method = secrets and keytab
    winbind trusted domains only = no
    winbind use default domain = yes
    winbind enum users = yes
    winbind enum groups = yes
    winbind use default domain = yes
    winbind nss info = rfc2307

    idmap config * : backend = tdb
    idmap config * : range = 100-200

    idmap config SAMDOM : backend = ad
    idmap config SAMDOM : range = 300-50000

Should it work? There are still no domain users displayed by `getent passwd`, but `getent group` is now showing SOME of the domain groups. With the previous smb.conf, `getent group` too was only listing local groups. With the updated backend changes, some domain groups are now visible but the 'Domain Users' group is still not being listed.

> Do the users you want/need to be Unix users have a uidNumber attribute
> containing a unique number inside the '21000-200000' range ?

The user uids were in the 10000-20000 range mostly. So I updated the client's smb.conf as mentioned above.

> Do not confuse the '3000000' numbers found on a DC with uidNumbers or gidNumbers

It seems I've got some googling to do. I'm sorry for noobish mistakes, but I started working on-and-off with samba a month ago, and most of my knowledge is based on skimming wiki and forum posts. Thanks for the help!

Kind regards,
Harp
> Did you assign uid/gids to the users/groups?
> https://wiki.samba.org/index.php/Maintaining_Unix_Attributes_in_AD_using_ADUC

I added uid/gid to the new users and groups. I don't have access to ADUC so can't check atm.

Here's how I added the new group:

`samba-tool group add lag --gid-number 16000 --nis-domain SAMDOM`

Here's how I added the new user:

`samba-tool user create user23 --unix-home=/home/%U --uid-number=14800 --login-shell=/bin/bash --gid-number=16000 --nis-domain SAMDOM`

On the DC, I checked the new user:

root at DC1 # getent passwd user23
SAMDOM\user23:*:14800:12000::/home/SAMDOM/user23:/bin/bash

But I noticed that although I set the gid of user23 to be 16000, the gid reported by `getent passwd user23` is 12000 (gid of Domain Users). A little digging in the sam.ldb file says that the primaryGroupID is still 513. Could this be causing any problem?

==========================
user23 entry from sam.ldb
=========================
#record 25
dn: CN=user23,CN=Users,DC=samdom,DC=example,DC=com
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: user23
instanceType: 4
whenCreated: 20190124131800.0Z
whenChanged: 20190124131800.0Z
uSNCreated: 3945
name: user23
objectGUID: 0515e770-7844-4442-abc7-4dbe081d66d5
badPwdCount: 0
codePage: 0
countryCode: 0
badPasswordTime: 0
lastLogoff: 0
lastLogon: 0
primaryGroupID: 513
objectSid: S-1-5-21-671610647-2237101781-313523630-1131
accountExpires: 9223372036854775807
logonCount: 0
sAMAccountName: user23
sAMAccountType: 805306368
userPrincipalName: user23 at samdom.example.com
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=samdom,DC=example,DC=com
uidNumber: 14800
gidNumber: 16000
loginShell: /bin/bash
unixHomeDirectory: /home/%U
msSFU30NisDomain: SAMDOM
msSFU30Name: user23
unixUserPassword: ABCD!efgh12345$67890
pwdLastSet: 131928094807802460
userAccountControl: 512
uSNChanged: 3948
distinguishedName: CN=user23,CN=Users,DC=samdom,DC=example,DC=com

> And test with
> getent passwd username

No output with this command either.

> You can change these settings to no; for testing it's ok,
> but it only slows down your server.
> # For member and DC, set to no.

I set it only for testing. I'll disable it once I move it to production.

> winbind enum users = yes
> winbind enum groups = yes
> # member only

Okay.

> If you use:
> kerberos method = secrets and keytab
> Then also set:
> dedicated keytab file = /etc/krb5.keytab
> # renew the kerberos ticket
> winbind refresh tickets = yes

Noted.

> Besides that the configs look ok.
> Can you show /etc/nsswitch.conf

nsswitch.conf
=============
# /etc/nsswitch.conf
# Example configuration of GNU Name Service Switch functionality.
passwd:         compat winbind
group:          compat winbind
shadow:         compat
gshadow:        files
hosts:          files dns wins
networks:       files
protocols:      db files
services:       db files
ethers:         db files
rpc:            db files
netgroup:       nis

Thanks for your help!

Regards,
Harp
On Thu, 24 Jan 2019 10:03:19 +0000
Harpoon via samba <samba at lists.samba.org> wrote:

> > Did you assign uid/gids to the users/groups?
> > https://wiki.samba.org/index.php/Maintaining_Unix_Attributes_in_AD_using_ADUC
>
> I added uid/gid to the new users and groups. I don't have access to
> ADUC so can't check atm.
>
> Here's how I added the new group:
>
> `samba-tool group add lag --gid-number 16000 --nis-domain SAMDOM`

If you want to use a group other than Domain Users as the user's Unix primary group, you will need to use a Samba version >= 4.6.0. See here for the latest Debian packages: http://apt.van-belle.nl/

You MUST give Domain Users a gidNumber attribute containing a number inside '21000-200000' (this is the range you have set in smb.conf).

> Here's how I added the new user:
>
> `samba-tool user create user23 --unix-home=/home/%U
> --uid-number=14800 --login-shell=/bin/bash --gid-number=16000
> --nis-domain SAMDOM`

They will NEVER be shown by getent because they are outside the range you have set in smb.conf.

> On the DC, I checked the new user:
>
> root at DC1 # getent passwd user23
> SAMDOM\user23:*:14800:12000::/home/SAMDOM/user23:/bin/bash
>
> But I noticed that although I set the gid of user23 to be 16000, the
> gid reported by `getent passwd user23` is 12000 (gid of Domain
> Users).

Ah, so you have set a gidNumber on Domain Users; pity it is outside the range you have set for the domain in smb.conf.

> A little digging in the sam.ldb file says that the
> primaryGroupID is still 513. Could this be causing any problem?

No, because every domain user's primary group is '513' (Domain Users). As I said, you need Samba >= 4.6.0 to have a Unix primary group that isn't Domain Users.

> > And test with
> > getent passwd username
>
> No output with this command either.

Well, you wouldn't. It is fairly simple: with your Samba version (probably 4.5.12), Domain Users MUST have a gidNumber attribute and your users MUST have a uidNumber attribute, and ALL these numbers must be inside the domain range you set in smb.conf (21000-200000 in your case).

If the gidNumber for Domain Users isn't inside the range, ALL your users will be ignored by Unix. If any users have a uidNumber outside the range, they will be ignored, even if the gidNumber attribute for Domain Users is correct.

Rowland
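The rule Rowland spells out above (every user's uidNumber and the gidNumber of Domain Users must both fall inside the domain's `idmap config ... : range`, with the Domain Users check gating all users at once) can be applied offline before touching a member server. The script below is an added example, not code from this thread or from the Samba project: it reads the idmap lines from a constructed client smb.conf fragment (the first one Harp posted), parses a constructed LDIF dump modelled on the user23 record above plus a Domain Users entry carrying the gidNumber 12000 Harp mentions, and reports per user why `getent passwd` would skip it. It also flags overlapping idmap ranges, which Samba requires to be disjoint. The helper names (`parse_idmap_ranges`, `parse_ldif`, `overlapping_ranges`, `check_visibility`) and the extra account user42 are this example's own inventions.

```python
import re

# Constructed client smb.conf fragment with the idmap lines from the first client config in the thread
SMB_CONF = """
[global]
   security = ADS
   idmap config * : backend = tdb
   idmap config * : range = 10000-20000
   idmap config SAMDOM : backend = ad
   idmap config SAMDOM : range = 21000-200000
"""

# Constructed LDIF: Domain Users with the gidNumber 12000 from the thread, user23 as posted
# (uidNumber 14800, primaryGroupID 513, one folded attribute line as ldbsearch prints it),
# and a hypothetical user42 whose uidNumber does sit inside the SAMDOM range
LDIF = """
dn: CN=Domain Users,CN=Users,DC=samdom,DC=example,DC=com
objectClass: group
sAMAccountName: Domain Users
objectSid: S-1-5-21-671610647-2237101781-313523630-513
gidNumber: 12000

dn: CN=user23,CN=Users,DC=samdom,DC=example,DC=com
objectClass: user
sAMAccountName: user23
objectSid: S-1-5-21-671610647-2237101781-313523630-1131
primaryGroupID: 513
uidNumber: 14800
gidNumber: 16000
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=samdom,DC=example,
 DC=com

dn: CN=user42,CN=Users,DC=samdom,DC=example,DC=com
objectClass: user
sAMAccountName: user42
primaryGroupID: 513
uidNumber: 25000
"""

IDMAP_RE = re.compile(r"^\s*idmap config\s+(\S+)\s*:\s*(backend|range)\s*=\s*(\S+)", re.I)


def parse_idmap_ranges(conf):
    """Return {domain: {'backend': ..., 'range': (lo, hi)}} from smb.conf text."""
    cfg = {}
    for line in conf.splitlines():
        m = IDMAP_RE.match(line)
        if not m:
            continue
        dom, key, val = m.group(1), m.group(2).lower(), m.group(3)
        entry = cfg.setdefault(dom, {})
        if key == "range":
            lo, hi = (int(x) for x in val.split("-"))
            entry["range"] = (lo, hi)
        else:
            entry["backend"] = val
    return cfg


def parse_ldif(text):
    """Minimal LDIF reader: list of {attr: [values]}; folded lines (leading space) are rejoined."""
    entries, cur, last = [], None, None
    for raw in text.splitlines():
        if raw.startswith(" ") and cur is not None and last is not None:
            cur[last][-1] += raw[1:]          # continuation of the previous attribute value
            continue
        if not raw.strip():                   # blank line ends an entry
            if cur:
                entries.append(cur)
            cur, last = None, None
            continue
        key, _, val = raw.partition(":")
        key, val = key.strip(), val.strip()
        cur = cur if cur is not None else {}
        cur.setdefault(key, []).append(val)
        last = key
    if cur:
        entries.append(cur)
    return entries


def overlapping_ranges(cfg):
    """Pairs of idmap domains whose ranges overlap (Samba requires idmap ranges to be disjoint)."""
    items = [(d, v["range"]) for d, v in cfg.items() if "range" in v]
    return [(a, b) for i, (a, ra) in enumerate(items) for b, rb in items[i + 1:]
            if ra[0] <= rb[1] and rb[0] <= ra[1]]


def check_visibility(entries, cfg, domain="SAMDOM"):
    """Map each user's sAMAccountName to the reasons getent would not show it ([] means visible).

    The Unix primary group is the group whose RID equals primaryGroupID (513 = Domain Users);
    the user's own gidNumber is not consulted, matching what the thread describes for Samba < 4.6.
    """
    lo, hi = cfg[domain]["range"]
    where = f"outside {domain} range {lo}-{hi}"
    groups_by_rid = {e["objectSid"][0].rsplit("-", 1)[1]: e
                     for e in entries if "group" in e.get("objectClass", [])}
    report = {}
    for e in entries:
        if "user" not in e.get("objectClass", []):
            continue
        problems = []
        uid = e.get("uidNumber")
        if uid is None:
            problems.append("no uidNumber attribute")
        elif not lo <= int(uid[0]) <= hi:
            problems.append(f"uidNumber {uid[0]} {where}")
        pg = groups_by_rid.get(e.get("primaryGroupID", ["513"])[0])
        gid = pg.get("gidNumber") if pg else None
        if gid is None:
            problems.append("primary group has no gidNumber attribute")
        elif not lo <= int(gid[0]) <= hi:
            problems.append(f"primary group gidNumber {gid[0]} {where}")
        report[e["sAMAccountName"][0]] = problems
    return report


if __name__ == "__main__":
    cfg = parse_idmap_ranges(SMB_CONF)
    print("overlapping idmap ranges:", overlapping_ranges(cfg))
    for name, problems in check_visibility(parse_ldif(LDIF), cfg).items():
        print(name, "->", "visible" if not problems else "; ".join(problems))
```

Run as-is, the script reports user23 twice over (its own uidNumber 14800 and the Domain Users gidNumber 12000 are both below 21000) and user42 once, purely because of the Domain Users gidNumber; raising that one attribute into the range makes user42 visible while user23 stays hidden until its uidNumber is moved too. On a real DC the LDIF input would be a dump of the user and group objects taken with `ldbsearch` against sam.ldb, and the smb.conf would be the member server's, so the same check can be re-run after every attribute or range change instead of guessing from `getent` output.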