Gary Dale
2023-Apr-26 17:27 UTC
[Samba] DNS problems (still) with Linux domain members - using Samba's internal DNS backend
On 2023-04-26 11:34, Rowland Penny via samba wrote:
> On 26/04/2023 16:24, Gary Dale via samba wrote:
>>
>> Further to above, I tried the testing it suggested and got this:
>> root@transponder:~# wbinfo -g
>> domain controllers
>> domain computers
>> group policy creator owners
>> dnsadmins
>> denied rodc password replication group
>> protected users
>> schema admins
>> read-only domain controllers
>> enterprise admins
>> allowed rodc password replication group
>> domain admins
>> ras and ias servers
>> enterprise read-only domain controllers
>> dnsupdateproxy
>> cert publishers
>> domain guests
>> domain users
>> root@transponder:~# wbinfo -u
>> krbtgt
>> gary
>> guest
>> administrator
>>
>> which clearly are from the domain - I don't have a local user named
>> "gary", for example. However the getent tests only show the local
>> users, which is also what I get when I use it to find domain users -
>> it fails to find them.
>>
>
> Have you been running commands such as 'getent passwd' and 'getent
> group' and not getting any domain users or groups ?
> If so, this is by design, try something like 'getent passwd gary'
>
> Rowland
>

No. I am running the tests suggested by the various Samba wiki pages. I can do a getent passwd <local account> on my workstation and on my file & print server but I can't do a getent passwd <domain account> except on my DC. I explicitly showed that in the message before the one you replied to. I also showed how I can't do a login to a domain account except on the DC.

This failure to get domain account information seems likely to be at the heart of the problems I'm having.
Rowland Penny
2023-Apr-26 17:54 UTC
[Samba] DNS problems (still) with Linux domain members - using Samba's internal DNS backend
On 26/04/2023 18:27, Gary Dale via samba wrote:
> No. I am running the tests suggested by the various Samba wiki pages. I
> can do a getent passwd <local account> on my workstation and on my file
> & print server but I can't do a getent passwd <domain account> except on
> my DC. I explicitly showed that in the message before the one you
> replied to. I also showed how I can't do a login to a domain account
> except on the DC.
>
> This failure to get domain account information seems likely to be at the
> heart of the problems I'm having.
>

So you are running 'getent passwd gary' and getting no output. This is usually caused by libpam-winbind and libnss-winbind not being installed, or /etc/nsswitch.conf not being configured correctly; the relevant lines from mine look like this:

passwd: files winbind
group: files winbind

Or pam-auth-update is configured correctly, again these are the lines from mine:

[*] Unix authentication
[*] Winbind NT/Active Directory authentication
[*] Register user sessions in the systemd control group ...
[*] Create home directory on login

Or you are using the 'ad' idmap backend on a Unix domain member and haven't added a uidNumber attribute to the users and added a gidNumber attribute to the Domain Users group. The numbers you use in these attributes have to be unique, though you can use the same range for users and groups, that is 'gary' could have the ID 10000 and Domain Users could also have the same ID 10000. Whatever numbers you use, the Domain idmap config line in smb.conf must enclose those numbers, e.g.

idmap config DOMAIN : range = 10000-999999

You may have done all of these, if so I will have another think.

Rowland
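The checks Rowland lists (winbind on the passwd and group lines of nsswitch.conf, and the user's uidNumber and Domain Users' gidNumber falling inside the 'idmap config DOMAIN : range' line of smb.conf) can be scripted so a domain member can be audited before chasing DNS. The script below is an added example, not part of the thread or of Samba; the nsswitch.conf and smb.conf contents it writes are constructed samples, and the domain name SAMDOM and the IDs 10000 are assumptions, as is the 2000 used for the failing case.

```shell
#!/bin/sh
# Added example (not from the list thread or from Samba). Audits a Unix
# domain member for the configuration problems described above.

# nsswitch_has_winbind FILE DB  -> exit 0 if the DB line (passwd/group)
# lists winbind as a source, ignoring comments. Splits on ':' and blanks so
# "passwd: files winbind" and "passwd:files winbind" both work.
nsswitch_has_winbind() {
    awk -v db="$2" '
        /^[ \t]*#/ { next }
        {
            line = $0; sub(/#.*/, "", line)
            n = split(line, f, /[ \t:]+/)
            if (f[1] != db) next
            for (i = 2; i <= n; i++) if (f[i] == "winbind") found = 1
        }
        END { exit found ? 0 : 1 }
    ' "$1"
}

# idmap_range FILE DOMAIN -> prints "LOW HIGH" taken from the line
# "idmap config DOMAIN : range = LOW-HIGH" (case-insensitive), or nothing.
idmap_range() {
    awk -v dom="$2" -F'=' '
        BEGIN { pat = "^[ \t]*idmap config[ \t]+" tolower(dom) "[ \t]*:[ \t]*range[ \t]*$" }
        tolower($1) ~ pat {
            split($2, r, "-")
            gsub(/[ \t]/, "", r[1]); gsub(/[ \t]/, "", r[2])
            print r[1], r[2]; exit
        }
    ' "$1"
}

# id_in_range ID LOW HIGH -> exit 0 if LOW <= ID <= HIGH
id_in_range() { [ "$1" -ge "$2" ] && [ "$1" -le "$3" ]; }

# check_member NSSWITCH SMBCONF DOMAIN UIDNUMBER GIDNUMBER
# -> exit 0 only when every check passes; prints the first problem found.
check_member() {
    nsswitch_has_winbind "$1" passwd || { echo "nsswitch.conf: passwd line lacks winbind"; return 1; }
    nsswitch_has_winbind "$1" group  || { echo "nsswitch.conf: group line lacks winbind"; return 1; }
    range=$(idmap_range "$2" "$3")
    [ -n "$range" ] || { echo "smb.conf: no 'idmap config $3 : range' line"; return 1; }
    low=${range%% *}; high=${range##* }
    id_in_range "$4" "$low" "$high" || { echo "uidNumber $4 is outside range $low-$high"; return 1; }
    id_in_range "$5" "$low" "$high" || { echo "gidNumber $5 is outside range $low-$high"; return 1; }
    echo "ok: winbind in nsswitch.conf, uidNumber $4 and gidNumber $5 inside $low-$high"
}

# Constructed sample files (not taken from the poster's machines).
TMP=${TMPDIR:-/tmp}/samba-member-check.$$
mkdir -p "$TMP"
trap 'rm -rf "$TMP"' EXIT
cat > "$TMP/nsswitch.conf" <<'EOF'
# constructed sample: correct
passwd:         files winbind
group:          files winbind
shadow:         files
EOF
cat > "$TMP/nsswitch-broken.conf" <<'EOF'
# constructed sample: winbind missing, getent will only see local accounts
passwd:         files
group:          files
EOF
cat > "$TMP/smb.conf" <<'EOF'
[global]
   workgroup = SAMDOM
   security = ADS
   idmap config * : backend = tdb
   idmap config * : range = 3000-7999
   idmap config SAMDOM : backend = ad
   idmap config SAMDOM : range = 10000-999999
EOF

# Usage: a correct member, then the two failure modes from the thread.
check_member "$TMP/nsswitch.conf" "$TMP/smb.conf" SAMDOM 10000 10000
check_member "$TMP/nsswitch-broken.conf" "$TMP/smb.conf" SAMDOM 10000 10000 || true
check_member "$TMP/nsswitch.conf" "$TMP/smb.conf" SAMDOM 2000 10000 || true
```

On a real member you would point check_member at /etc/nsswitch.conf and /etc/samba/smb.conf and pass the uidNumber and gidNumber read from AD for the user and for Domain Users; a failing uidNumber check with the 'ad' backend explains exactly the symptom in the thread, wbinfo listing the user while getent cannot map it.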