samba - Feb 2022 - getent not returning users/groups

I sure hate to put anyone out a bunch of trouble if I've borked something
up, but for the life of me, I can't see anything I've got wrong.
?
---
Can I recap a few things, to make sure I understand things correctly.
?
-If KBR was setup wrong or otherwise screwed up, we wouldn't be able to join
the domain, right?
-Same thing for NTP, right?
?
And there's no way to see if/how the nsslib-winbind is talking to winbind
itself, right. (I assume the lib talks to winbind and pulls the data. So, if the
library is having difficulties, seeing what's going on inside the black box,
would be handy.)
?
Thanks for the help so far.
?
(BTW, when I started down this road, I was on Louis's 4.15.3, and then when
checking and double-checking things (when getent wasn't working), I upgraded
to 4.15.5, in case it matters.)
?
?
-Greg
???
> On Fri, 2022-02-25 at 13:34 -0800, Gregory Sloop wrote:
>>> On Fri, 2022-02-25 at 11:28 -0800, Gregory Sloop via samba wrote:
>>>>> On Fri, 2022-02-25 at 08:20 -0800, Gregory Sloop wrote:
>>>>>> Oh, I see Louis also has those in the repo. Since
I'm using
>>>>>> his
>>>>>> Samba, might as well use his libnss too.
>>>>> You have to use them from the same repo (or to be precise,
the
>>>>> same
>>>>> version).
>>>>>> ?
>>>>>> Now to check and see if I did fail to install the
library.
>>>>>> (But
>>>>>> if I
>>>>>> were a betting man, that's what I'd bet on.) ?
>>>>> If they are not there, or are the wrong version, getent
will
>>>>> not
>>>>> work.
>>>>> Rowland
>>>> ?
>>>> So, here are the packages I installed as part of the Samba
>>>> install
>>>> apt install samba winbind libnss-winbind libpam-winbind ntp
krb5-
>>>> user?
>>>> binutils ldb-tools smbclient libpam-krb5?
>>>> ?
>>>> Am I missing anything that would impact this issue?
>>> No.
>>> You installed the packages.
>>> Configured ntp to use the DC's as time servers (time is within
5
>>> minutes of the DC)
>> ?
>> I had them going to the same ntp servers (ntp pool) as the DC's.
But
>> just to be sure, I've moved them to use the DC's.?
>> (That's probably better, though both should work ok - since
they'll
>> all be synced to the same time, or close enough.)
>> ?
>>> Checked /etc/krb5.conf to see that it is using the dns domain as
>>> the
>>> realm (in uppercase)
>> Yup.
>> ?
>>> Configured /etc/samba/smb.conf
>> Yup, I posted it.
>>> Joined the domain (what does 'sudo net ads testjoin' show
?).
>> Join OK
>> ?
>>> wbinfo works, but getent doesn't
>> Yup
>> ?
>>> Is all that correct ?
>> Pretty much.
>> ?
>>> Rowland
> Then I am lost here.
> I will setup Ubuntu 20.04 in a VM (this will have to be tomorrow) and
> see what happens.
> Rowland



--?
Gregory Sloop, Principal: Sloop Network & Computer Consulting
Voice: 503.251.0452 x121
EMail:?gregs at sloop.net
http://www.sloop.net
---

I've spun up many Ubuntu 20.04 AD clients at this point and have never 
had this problem.

Quick checklist:

  - If you used Louis's repo, then you've obviously done the apt 
configuration

  - /etc/resolv.conf should look like this:

    samba-dc  xxx.xxx.xxx.xxx
    search SAMDOM.example.com

  - acl attr and dnsutils should already be installed on Ubuntu, but check

  - Samba packages to install:
  # apt install samba samba-dsdb-modules samba-vfs-modules winbind 
libpam-winbind libnss-  winbind libpam-krb5 krb5-config krb5-user

  - Set the Kerberos Realm to SAMDOM.EXAMPLE.COM

  - Some additional useful stuff which I don't think is necessary,
    but if you're having issues, can't hurt:
  # apt install ldb-tools smbclient cifs-utils

  - /etc/krb5.conf needs to look like this:

    [libdefaults]
    default_realm = SAMDOM.EXAMPLE.COM
    dns_lookup_realm = false
    dns_lookup_kdc = true

  - You don't need to to synchronize time against the DC,
    and on Ubuntu 20.04 the NTP service should be on by default,
    but check:

  # timedatectl

  it should say "NTP service: active" if not:

  # timedatectl set-ntp true

  - but I've noticed Ubuntu will get the time zone wrong sometimes.
    You can check:
  # date +"%Z %z"

  and if it's wrong set it:

  # timedatectl set-timezone America/Chicago

  (using your time zone, of course; I'm in CST)

  - Make sure your /etc/hosts file includes this host if you're using
    static IPs, and get rid of any  127.0.1.1 lines:

  -- 127.0.1.1 my-samba-client
  ++ xxx.xxx.xxx.xxx my-samba-client.samdom.example.com my-samba-client

  - Turn off and disable nmbd:
  # systemctl disable --now smbd

  - Configure /etc/samba/smb.conf as per your requirements

  - Join the domain:
  # net ads join -U administrator

  - After joining the domain, you must restart Samba services:
  # systemctl restart smbd
  # systemctl restart winbind

  - Append the  winbind entry to /etc/nsswitch.conf:
    passwd: files systemd winbind
    group:  files systemd winbind


That's it: getent should now work.


On 2/25/22 16:31, Gregory Sloop via samba wrote:
> I sure hate to put anyone out a bunch of trouble if I've borked
something up, but for the life of me, I can't see anything I've got
wrong.
>   
> ---
> Can I recap a few things, to make sure I understand things correctly.
>   
> -If KBR was setup wrong or otherwise screwed up, we wouldn't be able to
join the domain, right?
> -Same thing for NTP, right?
>   
> And there's no way to see if/how the nsslib-winbind is talking to
winbind itself, right. (I assume the lib talks to winbind and pulls the data.
So, if the library is having difficulties, seeing what's going on inside the
black box, would be handy.)
>   
> Thanks for the help so far.
>   
> (BTW, when I started down this road, I was on Louis's 4.15.3, and then
when checking and double-checking things (when getent wasn't working), I
upgraded to 4.15.5, in case it matters.)
>   
>   
> -Greg
>     
> 
>> On Fri, 2022-02-25 at 13:34 -0800, Gregory Sloop wrote:
> 
>>>> On Fri, 2022-02-25 at 11:28 -0800, Gregory Sloop via samba
wrote:
> 
>>>>>> On Fri, 2022-02-25 at 08:20 -0800, Gregory Sloop wrote:
> 
>>>>>>> Oh, I see Louis also has those in the repo. Since
I'm using
>>>>>>> his
>>>>>>> Samba, might as well use his libnss too.
> 
>>>>>> You have to use them from the same repo (or to be
precise, the
>>>>>> same
>>>>>> version).
> 
>>>>>>>   
>>>>>>> Now to check and see if I did fail to install the
library.
>>>>>>> (But
>>>>>>> if I
>>>>>>> were a betting man, that's what I'd bet
on.)
>>>>>> If they are not there, or are the wrong version, getent
will
>>>>>> not
>>>>>> work.
>>>>>> Rowland
>>>>>   
>>>>> So, here are the packages I installed as part of the Samba
>>>>> install
> 
>>>>> apt install samba winbind libnss-winbind libpam-winbind ntp
krb5-
>>>>> user
>>>>> binutils ldb-tools smbclient libpam-krb5
>>>>>   
>>>>> Am I missing anything that would impact this issue?
>>>> No.
>>>> You installed the packages.
>>>> Configured ntp to use the DC's as time servers (time is
within 5
>>>> minutes of the DC)
>>>   
>>> I had them going to the same ntp servers (ntp pool) as the
DC's. But
>>> just to be sure, I've moved them to use the DC's.
>>> (That's probably better, though both should work ok - since
they'll
>>> all be synced to the same time, or close enough.)
>>>   
> 
>>>> Checked /etc/krb5.conf to see that it is using the dns domain
as
>>>> the
>>>> realm (in uppercase)
>>> Yup.
>>>   
> 
>>>> Configured /etc/samba/smb.conf
>>> Yup, I posted it.
> 
>>>> Joined the domain (what does 'sudo net ads testjoin'
show ?).
>>> Join OK
>>>   
> 
>>>> wbinfo works, but getent doesn't
>>> Yup
>>>   
> 
>>>> Is all that correct ?
>>> Pretty much.
>>>   
> 
>>>> Rowland
> 
>> Then I am lost here.
> 
>> I will setup Ubuntu 20.04 in a VM (this will have to be tomorrow) and
>> see what happens.
> 
>> Rowland
> 
> 
> 
> 
> -- 
> Gregory Sloop, Principal: Sloop Network & Computer Consulting
> Voice: 503.251.0452 x121
> EMail:?gregs at sloop.net
> http://www.sloop.net
> ---