Discussion:
[Samba] Getent passwd doesn't show Domain Members
Timo Dachs-Wegmann
2016-07-19 12:28:50 UTC
Dear Support-Team,

I have a problem regarding the function of winbind on a samba4 Active Directory Domain Controller.

I installed samba4 from the standard debian sources.
Made the domain provisioning and installed Kerberos.
After that I installed winbind and linked the libnss_winbind.so.2 -> libnss_winbind.so.
Wbinfo -u and wbinfo -g do work properly.

The strange thing is, that
"getent passwd administrator" gives back this line:
"administrator:*:0:100::/srv/samba/USERS/administrator:/bin/false"
So it seems that winbind is working properly, but getent passwd alone doesn't show the local users (same for getent group).

Can you help me with this?

I tried several tutorials and I read a lot of mails regarding this topic but I didn’t find a good answer to my problem.
I installed it in a lot of different orders (first winbind then samba, first Kerberos then samba and then winbind... etc) after a lot of different instructions.

Samba config:
[global]
workgroup = PROCITEC
realm = PROCITEC.DE
netbios name = SAMBAPRO
server role = active directory domain controller
dns forwarder = 192.168.0.1
idmap_ldb:use rfc2307 = yes
registry shares = yes
template homedir = /srv/samba/%D/%U

I edited the nsswitch.conf:
passwd: compat winbind
group: compat winbind

If you need further information please don’t hesitate to contact me

Kind regards

Timo Dachs-Wegmann
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba
Timo Dachs-Wegmann
2016-07-19 14:55:25 UTC
We already tried this without success...


Kind regards

Timo Dachs-Wegmann
-EDV-

-----Original Message-----
From: samba [mailto:samba-***@lists.samba.org] On Behalf Of Rowland penny
Sent: Tuesday, 19 July 2016 16:30
To: ***@lists.samba.org
Subject: Re: [Samba] Getent passwd doesn't show Domain Members
Try adding:

winbind enum users = yes
winbind enum groups = yes

to smb.conf and restart samba.

Rowland
Achim Gottinger
2016-07-19 16:28:10 UTC
In my debian jessie test environment this does not work with jessie's 4.2
packages.
With backported 4.4.5 packages from sid it works.
Also on my production servers the enumeration of groups and users
stopped working after the 4.1-4.2 upgrade (sernet packages). It did not
cause issues there in the last few months.

achim~
Timo Dachs-Wegmann
2016-07-20 07:22:14 UTC
Okay, I tried to install the server without winbind but with libnss-winbind.

Still the same problem. Getent passwd administrator works but the result of getent passwd only shows local users.
This seems to be the same bug as Achim's.
We are running a Debian 4.8 with samba 4.2 packages...

A few months ago I installed a test environment for samba with samba version 4.1.17. There the getent command works perfectly. So I guess this is a bug in the latest version...

Can I report this bug somewhere or is there a workaround?

Kind regards

Timo Dachs-Wegmann
-EDV-


-------------------------------------
PROCITEC GmbH Rastatter Strasse 41
D-75179 Pforzheim
Fon: +49 7231 15561-29
Fax: +49 7231 15561-11
Mailto: ***@procitec.de

Mannheim HRB 504702
Managing Director: Dipl.-Ing. (FH) Dipl.-Inf. (FH) Jens Heyen

Achim Gottinger
2016-07-20 10:49:06 UTC
Post by Timo Dachs-Wegmann
Okay, I tried to install the server without winbind but with
libnss-winbind.
Still the same problem. Getent passwd administrator works but the
result of getent passwd only shows local users.
This seems to be the same bug as Achim's.
We are running a Debian 4.8 with samba 4.2 packages...
A few months ago I installed a test environment for samba with samba
version 4.1.17. There the getent command works perfectly. So I guess
this is a bug in the latest version...
Can I report this bug somewhere or is there a workaround?
OK, I have installed Samba 4.2.0 using distro packages on Devuan in a
VM and set it up as I would normally do.
From my testing, 'getent passwd' and 'getent group' work, so the
question seems to be, how have you set up your domain member?

The VM I set up uses a fixed IP and this is the list of packages I

samba samba-common-bin samba-common samba-libs samba-vfs-modules
samba-dsdb-modules libwbclient0 libsmbclient winbind acl attr
krb5-config libnss-winbind libpam-winbind libpam-krb5 krb5-user

search samdom.example.com
nameserver 192.168.0.5
nameserver 192.168.0.6

The nameservers are my two DCs

127.0.0.1 localhost
192.168.0.8 devtest.samdom.example.com devtest
# The following lines are desirable for IPv6 capable hosts
::1 localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters

If the computer was using dhcp, the '192.168.0.8' line wouldn't be there.

[libdefaults]
default_realm = SAMDOM.EXAMPLE.COM
dns_lookup_realm = false
dns_lookup_kdc = true

It doesn't need to contain anything else.

[global]
workgroup = SAMDOM
security = ADS
realm = SAMDOM.EXAMPLE.COM
dedicated keytab file = /etc/krb5.keytab
kerberos method = secrets and keytab
server string = Samba 4 Client %h
winbind enum users = yes
winbind enum groups = yes
winbind use default domain = yes
winbind expand groups = 4
winbind nss info = rfc2307
winbind refresh tickets = Yes
winbind offline logon = yes
winbind normalize names = Yes
## map ids outside of domain to tdb files.
idmap config *:backend = tdb
idmap config *:range = 2000-9999
## map ids from the domain the ranges may not overlap !
idmap config SAMDOM : backend = ad
idmap config SAMDOM : schema_mode = rfc2307
idmap config SAMDOM : range = 10000-999999
domain master = no
local master = no
preferred master = no
os level = 20
map to guest = bad user
host msdfs = no
# user Administrator workaround, without it you are unable to set privileges
username map = /etc/samba/user.map
# For ACL support on domain member
vfs objects = acl_xattr
map acl inherit = Yes
store dos attributes = Yes
# Share Setting Globally
unix extensions = no
reset on zero vc = yes
veto files = /.bash_logout/.bash_profile/.bash_history/.bashrc/
hide unreadable = yes
log file = /usr/local/samba/var/log.%m
[homes]
path = /home/%U
read only = no

!root = SAMDOM\Administrator SAMDOM\administrator Administrator administrator

passwd: compat winbind
group: compat winbind

root:x:0:0:root:/root:/bin/bash
.......
.......

It displays no AD users, but if you run it again

root:x:0:0:root:/root:/bin/bash
.......
.......
albert:*:10004:10000:Albert Tatlock:/home/albert:/bin/false
rowland:*:10000:10000:Rowland Penny:/home/rowland:/bin/bash
........
........

It doesn't really matter if 'getent passwd' doesn't display all your
rowland:*:10000:10000:Rowland Penny:/home/rowland:/bin/bash

Rowland

Hi Rowland,

The OP is running in ADDC mode!

achim~
Timo Dachs-Wegmann
2016-07-21 06:08:07 UTC
Well, thank you for your support.
I guess you can't tell when debian will release new packages?

I think we'll work with the 4.2.10 (4.2.11) packages until debian releases the new version :)

Kind regards

Timo Dachs-Wegmann
-EDV-

-----Original Message-----
From: samba [mailto:samba-***@lists.samba.org] On Behalf Of Rowland penny
Sent: Wednesday, 20 July 2016 17:59
To: ***@lists.samba.org
Subject: Re: [Samba] Getent passwd doesn't show Domain Members
Ah, missed that, I will go and try again and report back, it should work.
Rowland
OK, I know what is wrong now, the debian Samba package (version 4.2.10 that is really 4.2.11) is the one that came out after the badlock patches were released. A few regressions were introduced by the badlock patches and these have been fixed in later releases. To put it bluntly, debian needs to release a later version, even more so, when you take into account that 4.5.0 is nearing release, at which point, the 4.2.x series will go EOL.

Your choices if you need 'getent passwd' to work (if 'getent passwd username' isn't enough) are a bit limited, you could use the Sernet packages (free or paid for), wait until debian releases a later package or compile Samba yourself.

Rowland
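
The symptom in this thread (lookups by name work and `wbinfo -u` lists accounts, yet plain `getent passwd` shows only local users) can be separated from a merely disabled `winbind enum users` by comparing saved command output. The script below is an added example, not code from any poster or from Samba; its function names, file names and sample data are made up for illustration.

```shell
#!/usr/bin/env bash
# Added example, not from the thread. Inputs are saved command output, e.g.
#   wbinfo -u > wbinfo.txt; getent passwd > getent.txt; testparm -s > conf.txt

# Print yes/no for an smb.conf boolean, or "unset" if it does not appear.
# Parameter names are compared ignoring case and whitespace, as Samba does.
enum_setting() {  # $1 = config file, $2 = parameter name
    awk -F= -v want="$2" '
        function norm(s) { gsub(/[ \t]/, "", s); return tolower(s) }
        /^[ \t]*[#;]/ { next }                      # comment lines
        NF >= 2 && norm($1) == norm(want) { val = norm($2) }
        END {
            if (val == "") print "unset"
            else if (val ~ /^(yes|true|1)$/) print "yes"
            else print "no"
        }' "$1"
}

# Accounts winbind lists (wbinfo -u) that NSS enumeration (getent passwd)
# omits. Any DOMAIN\ prefix is stripped and names are lower-cased first.
missing_from_enum() {  # $1 = wbinfo file, $2 = getent file
    awk -F: '
        function norm(s) { s = tolower(s); sub(/^.*\\/, "", s); return s }
        !NF { next }
        pass == 1 { seen[norm($1)]; next }          # getent passwd names
        { n = norm($1); if (!(n in seen)) print n }' pass=1 "$2" pass=2 "$1"
}

# ok            : every winbind account also shows up in the enumeration
# enum-disabled : accounts missing and "winbind enum users" is not yes
# enum-broken   : accounts missing although the setting is on (this thread)
diagnose() {  # $1 = wbinfo file, $2 = getent file, $3 = config file
    missing=$(missing_from_enum "$1" "$2")
    if [ -z "$missing" ]; then
        echo ok
    elif [ "$(enum_setting "$3" 'winbind enum users')" != yes ]; then
        echo enum-disabled
    else
        echo enum-broken
    fi
}

# Constructed sample data modelled on the symptom described in the thread.
d=$(mktemp -d)
printf '%s\n' 'PROCITEC\administrator' 'PROCITEC\guest' > "$d/wbinfo.txt"
printf '%s\n' 'root:x:0:0:root:/root:/bin/bash' \
    'daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin' > "$d/getent.txt"
printf '%s\n' '[global]' 'workgroup = PROCITEC' \
    'Winbind Enum Users = Yes' > "$d/conf.txt"
diagnose "$d/wbinfo.txt" "$d/getent.txt" "$d/conf.txt"   # enum-broken
```
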
