I've spun up many Ubuntu 20.04 AD clients at this point and have never had this problem.

Quick checklist:

- If you used Louis's repo, then you've obviously done the apt configuration
- /etc/resolv.conf should look like this:
    samba-dc xxx.xxx.xxx.xxx
    search SAMDOM.example.com
- acl, attr and dnsutils should already be installed on Ubuntu, but check
- Samba packages to install:
    # apt install samba samba-dsdb-modules samba-vfs-modules winbind libpam-winbind libnss-winbind libpam-krb5 krb5-config krb5-user
- Set the Kerberos Realm to SAMDOM.EXAMPLE.COM
- Some additional useful stuff which I don't think is necessary, but if you're having issues, can't hurt:
    # apt install ldb-tools smbclient cifs-utils
- /etc/krb5.conf needs to look like this:
    [libdefaults]
    default_realm = SAMDOM.EXAMPLE.COM
    dns_lookup_realm = false
    dns_lookup_kdc = true
- You don't need to synchronize time against the DC, and on Ubuntu 20.04 the NTP service should be on by default, but check:
    # timedatectl
  it should say "NTP service: active" if not:
    # timedatectl set-ntp true
- but I've noticed Ubuntu will get the time zone wrong sometimes. You can check:
    # date +"%Z %z"
  and if it's wrong set it:
    # timedatectl set-timezone America/Chicago
  (using your time zone, of course; I'm in CST)
- Make sure your /etc/hosts file includes this host if you're using static IPs, and get rid of any 127.0.1.1 lines:
    -- 127.0.1.1 my-samba-client
    ++ xxx.xxx.xxx.xxx my-samba-client.samdom.example.com my-samba-client
- Turn off and disable nmbd:
    # systemctl disable --now nmbd
- Configure /etc/samba/smb.conf as per your requirements
- Join the domain:
    # net ads join -U administrator
- After joining the domain, you must restart Samba services:
    # systemctl restart smbd
    # systemctl restart winbind
- Append the winbind entry to /etc/nsswitch.conf:
    passwd: files systemd winbind
    group:  files systemd winbind

That's it: getent should now work.

On 2/25/22 16:31, Gregory Sloop via samba wrote:
> I sure hate to put anyone out a bunch of trouble if I've borked something up, but for the life of me, I can't see anything I've got wrong.
>
> ---
> Can I recap a few things, to make sure I understand things correctly.
>
> -If KBR was setup wrong or otherwise screwed up, we wouldn't be able to join the domain, right?
> -Same thing for NTP, right?
>
> And there's no way to see if/how the nsslib-winbind is talking to winbind itself, right. (I assume the lib talks to winbind and pulls the data. So, if the library is having difficulties, seeing what's going on inside the black box, would be handy.)
>
> Thanks for the help so far.
>
> (BTW, when I started down this road, I was on Louis's 4.15.3, and then when checking and double-checking things (when getent wasn't working), I upgraded to 4.15.5, in case it matters.)
>
> -Greg
>
>> On Fri, 2022-02-25 at 13:34 -0800, Gregory Sloop wrote:
>>>> On Fri, 2022-02-25 at 11:28 -0800, Gregory Sloop via samba wrote:
>>>>>> On Fri, 2022-02-25 at 08:20 -0800, Gregory Sloop wrote:
>>>>>>> Oh, I see Louis also has those in the repo. Since I'm using his Samba, might as well use his libnss too.
>>>>>> You have to use them from the same repo (or to be precise, the same version).
>>>>>>>
>>>>>>> Now to check and see if I did fail to install the library. (But if I were a betting man, that's what I'd bet on.)
>>>>>> If they are not there, or are the wrong version, getent will not work.
>>>>>> Rowland
>>>>>
>>>>> So, here are the packages I installed as part of the Samba install
>>>>> apt install samba winbind libnss-winbind libpam-winbind ntp krb5-user binutils ldb-tools smbclient libpam-krb5
>>>>>
>>>>> Am I missing anything that would impact this issue?
>>>> No.
>>>> You installed the packages.
>>>> Configured ntp to use the DC's as time servers (time is within 5 minutes of the DC)
>>>
>>> I had them going to the same ntp servers (ntp pool) as the DC's. But just to be sure, I've moved them to use the DC's.
>>> (That's probably better, though both should work ok - since they'll all be synced to the same time, or close enough.)
>>>
>>>> Checked /etc/krb5.conf to see that it is using the dns domain as the realm (in uppercase)
>>> Yup.
>>>
>>>> Configured /etc/samba/smb.conf
>>> Yup, I posted it.
>>>> Joined the domain (what does 'sudo net ads testjoin' show ?).
>>> Join OK
>>>
>>>> wbinfo works, but getent doesn't
>>> Yup
>>>
>>>> Is all that correct ?
>>> Pretty much.
>>>
>>>> Rowland
>> Then I am lost here.
>> I will setup Ubuntu 20.04 in a VM (this will have to be tomorrow) and see what happens.
>> Rowland
>
> --
> Gregory Sloop, Principal: Sloop Network & Computer Consulting
> Voice: 503.251.0452 x121
> EMail: gregs at sloop.net
> http://www.sloop.net
> ---

Thanks!

> I've spun up many Ubuntu 20.04 AD clients at this point and have never had this problem.

Yeah, that's totally what I thought too. (I've spun up DC's on 20.04, no problem, but no member servers, and this is only the second one I've used Louis' packages for...not that I think that's the problem, just that it's new to me.)

<...your steps...>

I've done all that, I think, but I will kill all the local samba DB's etc, and try again as close to scratch as I can. (This isn't a VM - it's a bare metal box that's going to become a file-server, plus I'm using the storage on this box for other things too, so it's semi-production, so that also increases hassle/difficulty. If I break the box, it's going to break other things too...)

Probably something stupid, but like I've said, for the life of me, I can't find/see it. :)

I might not get this done till Monday, but we'll see.

Thanks again!

-Greg

--
Gregory Sloop, Principal: Sloop Network & Computer Consulting
Voice: 503.251.0452 x121
EMail: gregs at sloop.net
http://www.sloop.net
---

Sheesh.

I should have run testparm - because the smb.conf was bombing around the idmap.

I don't recall if I actually posted my idmap range - but there was a typo.

"idmap config * : range 3000-7999" is what I had.

It should have been
idmap config * : range = 3000-7999

[Notice the missing equals sign? I sure didn't!]

Once that was fixed, the full smb.conf loaded and now getent works.

Sheesh. All you can do is laugh, I guess.

All that for the want of an equals sign, and failing to run testparm.

Rowland, putting a note to run testparm in the wiki might be helpful to other unfortunate souls like myself, sometime in the future. It might keep list queries down some too. :)

Special thanks to Rowland and Patrick

-Greg
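
The root cause reported in the last message, as an added example that is not part of the thread or of Samba: a small shell check that flags smb.conf parameter lines with no "=", run here against a constructed file. The helper names lint_smb_conf and write_sample are hypothetical, and every sample setting except the faulty range line is an assumption.

```shell
#!/bin/sh
# Added example, not from the thread. Flags smb.conf parameter lines that
# have no "=", the typo reported above. testparm stays the real check.

# lint_smb_conf FILE (hypothetical helper)
# Prints "LINE: text" per offending line; returns non-zero if any found.
lint_smb_conf() {
    awk '
        BEGIN { bad = 0; cont = 0 }
        # A trailing backslash continues a parameter onto the next line.
        cont { cont = ($0 ~ /\\[ \t]*$/); next }
        /^[ \t]*$/ { next }                 # blank line
        /^[ \t]*[#;]/ { next }              # comment
        /^[ \t]*\[.*\][ \t]*$/ { next }     # section header
        {
            cont = ($0 ~ /\\[ \t]*$/)
            if (index($0, "=") == 0) {
                sub(/^[ \t]+/, "")
                printf "%d: %s\n", NR, $0
                bad = 1
            }
        }
        END { exit bad }
    ' "$1"
}

# Constructed sample: only the bad range line is taken from the thread.
write_sample() {
    cat > "$1" <<'EOF'
[global]
    workgroup = SAMDOM
    realm = SAMDOM.EXAMPLE.COM
    security = ADS
    ; constructed idmap settings
    idmap config * : backend = tdb
    idmap config * : range 3000-7999
    idmap config SAMDOM : backend = rid
    idmap config SAMDOM : range = 10000-999999
EOF
}

# Demo run against the sample.
sample=$(mktemp)
write_sample "$sample"
lint_smb_conf "$sample" || echo "fix the lines above, then run: testparm -s"
rm -f "$sample"
```

On a real member server, run testparm before restarting smbd and winbind; this check only covers the missing-equals case.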