On 10/13/21 08:48, Rowland Penny via samba wrote:
> On Wed, 2021-10-13 at 08:23 -0500, K.R. Foley wrote:
>> On 2021-10-13 08:19, Rowland Penny via samba wrote:
>>> On Wed, 2021-10-13 at 08:08 -0500, K. R. Foley via samba wrote:
>>>> On 10/13/21 1:38 AM, Jürgen Echter wrote:
>>>>> Hi,
>>>>>
>>>>> On Wednesday, October 13, 2021 05:10 CEST, "K. R. Foley via samba" <samba at lists.samba.org> wrote:
>>>>>> Hi,
>>>>>>
>>>>>> Should "getent passwd SAMDOM\\demo01" work from a Linux AD member?
>>>>>>
>>>>>> AD server running on CentOS Linux 7
>>>>>>
>>>>>> Samba 4.11.13 built from source
>>>>>>
>>>>>> Member server running on CentOS Linux 7
>>>>>>
>>>>>> Samba 4.11.13 built from source
>>>>>>
>>>>>> Configured following
>>>>>> https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member.
>>>>>>
>>>>>> Joined using "# net ads join -U administrator" without issue.
>>>>>>
>>>>>> "# wbinfo --ping-dc" works and reports the domain info correctly.
>>>>>>
>>>>>> "getent passwd <local user>" works fine
>>>>>>
>>>>>> "getent passwd SAMDOM\\<domain user>" returns nothing.
>>>>>>
>>>>>> "getent group SAMDOM\\Domain Users" returns nothing.
>>>>>>
>>>>>> Should this work? Any help troubleshooting this would be appreciated.
>>>>>>
>>>>>> Thanks,
>>>>>>
>>>>>> kr
>>>>>>
>>>>>> --
>>>>>> To unsubscribe from this list go to the following URL and read the
>>>>>> instructions: https://lists.samba.org/mailman/options/samba
>>>>> maybe you missed something here:
>>>>>
>>>>> https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member#Configuring_the_Name_Service_Switch
>>>>
>>>> Thanks for your reply. I have configured nsswitch.conf. See below:
>>>>
>>>> #passwd: files sss winbind
>>>> passwd: files winbind
>>>> shadow: files sss
>>>> #group: files sss winbind
>>>> group: files winbind
>>>>
>>>> Thanks,
>>>
>>> Are you using sssd on the computer as well?
>>>
>>> Rowland
>>>
>>
>> I think it does by default on CentOS. As you can see above I tried it
>> with/without sss in nsswitch.conf. Could this be causing a problem?
>>
>
> Sorry, but as this always leads to a massive discussion (I know very
> little about sssd and believe it shouldn't be used with Samba), I
> cannot continue to help you whilst you use sssd.
>

What id mapping are you using in smb.conf? Usually when I have this problem it's because the host has dropped out of the domain due to an expired Kerberos ticket.

> Rowland

On 13-10-2021 15:56, Patrick Goetz via samba wrote:
> On 10/13/21 08:48, Rowland Penny via samba wrote:
>> On Wed, 2021-10-13 at 08:23 -0500, K.R. Foley wrote:
>>> On 2021-10-13 08:19, Rowland Penny via samba wrote:
>>>> On Wed, 2021-10-13 at 08:08 -0500, K. R. Foley via samba wrote:
>>>>> On 10/13/21 1:38 AM, Jürgen Echter wrote:
>>>>>> Hi,
>>>>>>
>>>>>> On Wednesday, October 13, 2021 05:10 CEST, "K. R. Foley via samba" <samba at lists.samba.org> wrote:
>>>>>>> Hi,
>>>>>>>
>>>>>>> Should "getent passwd SAMDOM\\demo01" work from a Linux AD member?
>>>>>>>
>>>>>>> AD server running on CentOS Linux 7
>>>>>>>
>>>>>>> Samba 4.11.13 built from source
>>>>>>>
>>>>>>> Member server running on CentOS Linux 7
>>>>>>>
>>>>>>> Samba 4.11.13 built from source
>>>>>>>
>>>>>>> Configured following
>>>>>>> https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member.
>>>>>>>
>>>>>>> Joined using "# net ads join -U administrator" without issue.
>>>>>>>
>>>>>>> "# wbinfo --ping-dc" works and reports the domain info correctly.
>>>>>>>
>>>>>>> "getent passwd <local user>" works fine
>>>>>>>
>>>>>>> "getent passwd SAMDOM\\<domain user>" returns nothing.
>>>>>>>
>>>>>>> "getent group SAMDOM\\Domain Users" returns nothing.
>>>>>>>
>>>>>>> Should this work? Any help troubleshooting this would be appreciated.
>>>>>>>
>>>>>>> Thanks,
>>>>>>>
>>>>>>> kr
>>>>>>>
>>>>>> maybe you missed something here:
>>>>>>
>>>>>> https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member#Configuring_the_Name_Service_Switch
>>>>>
>>>>> Thanks for your reply. I have configured nsswitch.conf. See below:
>>>>>
>>>>> #passwd: files sss winbind
>>>>> passwd: files winbind
>>>>> shadow: files sss
>>>>> #group: files sss winbind
>>>>> group: files winbind
>>>>>
>>>>> Thanks,
>>>>
>>>> Are you using sssd on the computer as well?
>>>>
>>>> Rowland
>>>>
>>>
>>> I think it does by default on CentOS. As you can see above I tried it
>>> with/without sss in nsswitch.conf. Could this be causing a problem?
>>>
>>
>> Sorry, but as this always leads to a massive discussion (I know very
>> little about sssd and believe it shouldn't be used with Samba), I
>> cannot continue to help you whilst you use sssd.
>>
>
> What id mapping are you using in smb.conf? Usually when I have this
> problem it's because the host has dropped out of the domain due to an
> expired Kerberos ticket.
>
>> Rowland

I have not come across a use case where you use both sssd and winbind in /etc/nsswitch.conf; either of the two should do the job (use the same in pam for login if you have that configured). Since you are already using winbind (wbinfo), I would drop the sssd entries for now.

Just for the test I would enable enumerations in /etc/samba/smb.conf and then just run getent passwd and getent group to see if you get domain users/groups at all and in what form (with or without domain name prefixed).

- Kees

On 10/13/21 8:56 AM, Patrick Goetz via samba wrote:
> On 10/13/21 08:48, Rowland Penny via samba wrote:
>> On Wed, 2021-10-13 at 08:23 -0500, K.R. Foley wrote:
>>> On 2021-10-13 08:19, Rowland Penny via samba wrote:
>>>> On Wed, 2021-10-13 at 08:08 -0500, K. R. Foley via samba wrote:
>>>>> On 10/13/21 1:38 AM, Jürgen Echter wrote:
>>>>>> Hi,
>>>>>>
>>>>>> On Wednesday, October 13, 2021 05:10 CEST, "K. R. Foley via samba" <samba at lists.samba.org> wrote:
>>>>>>> Hi,
>>>>>>>
>>>>>>> Should "getent passwd SAMDOM\\demo01" work from a Linux AD member?
>>>>>>>
>>>>>>> AD server running on CentOS Linux 7
>>>>>>>
>>>>>>> Samba 4.11.13 built from source
>>>>>>>
>>>>>>> Member server running on CentOS Linux 7
>>>>>>>
>>>>>>> Samba 4.11.13 built from source
>>>>>>>
>>>>>>> Configured following
>>>>>>> https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member.
>>>>>>>
>>>>>>> Joined using "# net ads join -U administrator" without issue.
>>>>>>>
>>>>>>> "# wbinfo --ping-dc" works and reports the domain info correctly.
>>>>>>>
>>>>>>> "getent passwd <local user>" works fine
>>>>>>>
>>>>>>> "getent passwd SAMDOM\\<domain user>" returns nothing.
>>>>>>>
>>>>>>> "getent group SAMDOM\\Domain Users" returns nothing.
>>>>>>>
>>>>>>> Should this work? Any help troubleshooting this would be appreciated.
>>>>>>>
>>>>>>> Thanks,
>>>>>>>
>>>>>>> kr
>>>>>>>
>>>>>> maybe you missed something here:
>>>>>>
>>>>>> https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member#Configuring_the_Name_Service_Switch
>>>>>
>>>>> Thanks for your reply. I have configured nsswitch.conf. See below:
>>>>>
>>>>> #passwd: files sss winbind
>>>>> passwd: files winbind
>>>>> shadow: files sss
>>>>> #group: files sss winbind
>>>>> group: files winbind
>>>>>
>>>>> Thanks,
>>>>
>>>> Are you using sssd on the computer as well?
>>>>
>>>> Rowland
>>>>
>>>
>>> I think it does by default on CentOS. As you can see above I tried it
>>> with/without sss in nsswitch.conf. Could this be causing a problem?
>>>
>>
>> Sorry, but as this always leads to a massive discussion (I know very
>> little about sssd and believe it shouldn't be used with Samba), I
>> cannot continue to help you whilst you use sssd.
>>
>
> What id mapping are you using in smb.conf? Usually when I have this
> problem it's because the host has dropped out of the domain due to an
> expired Kerberos ticket.
>

        idmap_ldb:use rfc2307 = yes
        smb encrypt = enabled
        #log level = 10
        winbind enum groups = yes
        winbind enum users = yes
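
Added example, not written by any poster in this thread and not Samba project code: a small Python check over constructed copies of the nsswitch.conf and smb.conf settings quoted above. It covers the two questions raised in the replies: whether sss and winbind are both listed for passwd/group, and whether smb.conf names an id-mapping backend for the domain. The `workgroup = SAMDOM` line, and the expectation that a domain member carries an `idmap config <DOMAIN> : backend` parameter as in the Samba wiki's domain member guide, are assumptions.

```python
import re

# Constructed samples based on settings quoted in the thread; workgroup is assumed.
NSSWITCH = """\
#passwd: files sss winbind
passwd: files winbind
shadow: files sss
group: files winbind
"""
SMB_CONF = """\
[global]
    workgroup = SAMDOM
    idmap_ldb:use rfc2307 = yes
    #log level = 10
"""

def nss_sources(text):
    """Map each NSS database to its active sources (comments and [actions] dropped)."""
    dbs = {}
    for line in text.splitlines():
        db, sep, rest = line.split("#", 1)[0].partition(":")
        if sep:
            dbs[db.strip()] = [s for s in rest.split() if not s.startswith("[")]
    return dbs

def smb_globals(text):
    """[global] parameters; names are case- and whitespace-insensitive in smb.conf."""
    params, section = {}, None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("["):
            section = line.strip("[] ").lower()
        elif section == "global" and "=" in line and line[0] not in "#;":
            key, value = line.split("=", 1)
            params[" ".join(key.lower().split())] = value.strip()
    return params

def audit(nss_text, smb_text):
    dbs, params, findings = nss_sources(nss_text), smb_globals(smb_text), []
    for db in ("passwd", "group"):
        src = dbs.get(db, [])
        if "winbind" not in src:
            findings.append(f"{db}: winbind not listed in nsswitch.conf")
        elif "sss" in src:
            findings.append(f"{db}: both sss and winbind listed")
    domain = params.get("workgroup", "")
    wanted = re.compile(rf"idmap config {re.escape(domain.lower())}\s*:\s*backend")
    if not any(wanted.fullmatch(key) for key in params):
        findings.append(f"no 'idmap config {domain} : backend' line in [global]")
    return findings
```

To check a real member server, pass the contents of /etc/nsswitch.conf and the smb.conf in use to `audit()` instead of the constructed strings.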