samba - Dec 2020 - Getent doesn't show AD users/groups

> It is your choice to remain with Samba 4.2.14, it is however extremely
> EOL and insecure, I certainly would not use it in production. We also do
> not recommend using a Samba AD DC as a fileserver, you seem to have
> taken this to extremes. In your case, I would create a new DC, transfer
> all the FSMO roles to this and then turn your existing DC into a Unix
> domain member.
?
?Rowland, thank you very much for your help, but I tried all variants and anyway
couldn?t make it work. Maybe there is some problem in debian 8 libnss ? I don?t
know. In debian 9 everything worked fine. So, I will go another way ? chgrp by
gid + some sh script.
?
However, could you say, why you don?t recommend using a Samba AD DC as a
fileserver.
As I know samba 3 was used primarily as fileserver. Samba 4 is AD DC, but it can
work as fileserver. So, what is the problem?
?
?
--
Best regards, Alex Orlov

> That is absolutely impossible, because there are a lot of things running
> on this server
> and I don?t want to spend weeks trying to make them work in new distro.
> Look, here
> I have a problem with one program that none can solve and there I have 
> dozens of programs.
Now, this is always a problem, if you did keep everything up2date, 
you would not been in this situation now. 
And i know this problem i have 1 of these servers also.

It "should" work fine also as of wheezy. I know my DC's are
running and upgraded from wheezy.. from 4.1.x all the way up to 4.13.x (buster
now)

i had an other good look at the post of yesterday with the debug info. 

/etc/hosts 
127.0.1.1 server0
172.16.0.1 server1.headoffice.example.com server1

you can remove the line 127.0.1.1 thats only if you installed with DHCP. 
and, make sure the old name is not used anywhere else in the system before you
remove it.

/etc/krb5.conf
[libdefaults]
        default_realm = HEADOFFICE.EXAMPLE.COM
        dns_lookup_kdc = yes
        dns_lookup_realm = no
        ticket_lifetime = 24h

# The following krb5.conf variables are only for MIT Kerberos.
        krb4_config = /etc/krb.conf
        krb4_realms = /etc/krb.realms
        kdc_timesync = 1
        ccache_type = 4
        forwardable = true
        proxiable = true

# The following encryption type specification will be used by MIT Kerberos
# if uncommented.  In general, the defaults in the MIT Kerberos code are
# correct and overriding these specifications only serves to disable new
# encryption types as they are added, creating interoperability problems.
#
# Thie only time when you might need to uncomment these lines and change
# the enctypes is if you have local software that will break on ticket
# caches containing ticket encryption types it doesn't know about (such as
# old versions of Sun Java).

; for Windows 2008 with AES
        default_tgs_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc
des-cbc-md5
        default_tkt_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc
des-cbc-md5
        permitted_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc
des-cbc-md5

Thats it. ( you can/should remove the 2 des entries there, but test it with and
without.


smb.conf

winbind enum users = yes
winbind enum groups = yes 
Set these to now, just not needed to have yes. 
For testing fine, production set no. 

interfaces = eth0
bind interfaces only = yes

thats wrong. 

interfaces = lo eth0
bind interfaces only = yes

We need lo(calhost) 

rerun : apt-get install libnss-winbind libpam-winbind winbind

now run : pam-auth-update

reboot

test again


The upgrade path. 
Now if want you can upgrade samba upto 4.8.latest of my repo. 
Then, when your there. You can upgrade the full server to Stretch.
>From there stay on 4.8.. 
because now you have a choice..  

If you want to run "vanilla" Debian Buster, just upgrade to Buster
and you end up with samba 4.9.5 

Then you can deside use again my packages, or stay at debian's..

Greetz, 

Louis