
[Samba] Samba 4.5.3 AD DC - issues with sysvol when setting up Group Policies

Richard via samba

Jan 12, 2017, 7:10:03 AM

I have Samba 4.5.3 working fine as an AD DC and DNS provider.

I now need to set up a group policy on the DC but I am having problems with
the internal sysvol and netlogon shares.

Via the Windows Group Policy Manager snap-in I successfully created a GPO
specifying the DC as the primary time source for all clients, using the
Administrator user

...but my windows domain test client "ignores" the new policy completely and
in the event log on the client I see the following:

The processing of Group Policy failed. Windows attempted to read the file
\\mydomain.com\sysvol\mydomain.com\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\gpt.ini
from a domain controller and was not successful.
Group Policy settings may not be applied until this event is resolved. This
issue may be transient and could be caused by one or more of the following:

a) Name Resolution/Network Connectivity to the current domain controller.

b) File Replication Service Latency (a file created on another domain
controller has not replicated to the current domain controller).

c) The Distributed File System (DFS) client has been disabled.

On further investigation on the domain controller itself:

smbclient //localhost/sysvol -UAdministrator -c 'ls'

returns a valid directory listing, but running the same command for any
other valid domain account returns:

Domain=[mydomain] OS=[Windows 6.1] Server=[Samba 4.5.3]
NT_STATUS_ACCESS_DENIED listing \*

...so it appears that normal domain accounts are unable to access the sysvol
share, which would explain the error returned by the windows client. (the
same applies to the netlogon share)

Among other things, I have run:

samba-tool ntacl sysvolreset

but the problem persists.

So it appears there is something wrong with the permissions on these shares
but I am at my wits end trying to correct the issue.

Any help would be greatly appreciated!

Thanks in advance

Richard

--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba

Ryan Ashley via samba

Jan 12, 2017, 10:30:03 AM

I just want to throw my hat into the ring here. I have been having this
problem for two years or more on some domains. Using a sysvolreset does
not work and using sysvolcheck reports no issues, but the gpt.ini claims
to be unreadable according to the event log. However, as a normal or
admin user I can read the log. The "domain computers" group does have
read access to the sysvol. The only fix I have EVER found was to
completely remove Samba and configuration files, rebuild, join as a DC
to the existing domain, and after it syncs up, do the same on the other
DC. If you only have one DC, good luck! I will be following this thread.

Lead IT/IS Specialist
Reach Technology FP, Inc

lingpanda101 via samba

Jan 12, 2017, 11:10:03 AM

It looks as if you are trying to modify the default domain policy GPO? I
normally don't touch that policy but create additional ones. What is the
output of

getfacl
/usr/local/samba/var/locks/sysvol/mydomain.com/Policies/\{31B2F340-016D-11D2-945F-00C04FB984F9\}/

Can you create a new GPO with your settings and check the permissions again?

--
- James

Richard via samba

Jan 12, 2017, 11:50:03 AM

Hi Andrew,

thanks so much for the feedback.

Yes, you're 100% right. I'm new at this and originally changed the default GPO, however subsequently reset the default and created a new GPO. (so this getfacl output is post creation of a new GPO)

The getfacl output is shown here:

# getfacl /usr/local/samba/var/locks/sysvol/mydomain.com/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}
getfacl: Removing leading '/' from absolute path names
# file: usr/local/samba/var/locks/sysvol/mydomain.com/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}
# owner: root
# group: 10013
user::rwx
user:root:rwx
user:3000002:rwx
user:3000003:r-x
user:3000006:rwx
user:3000010:r-x
group::rwx
group:10013:rwx
group:10014:r-x
group:3000002:rwx
group:3000003:r-x
group:3000006:rwx
group:3000010:r-x
mask::rwx
other::---
default:user::rwx
default:user:root:rwx
default:user:3000002:rwx
default:user:3000003:r-x
default:user:3000006:rwx
default:user:3000010:r-x
default:group::---
default:group:10013:rwx
default:group:10014:r-x
default:group:3000002:rwx
default:group:3000003:r-x
default:group:3000006:rwx
default:group:3000010:r-x
default:mask::rwx
default:other::---

lingpanda101 via samba

Jan 12, 2017, 12:20:03 PM

It looks as if you are using 'idmap_ldb:use rfc2307 = Yes' in your
smb.conf? It also looks as if you have given 'Domain Admins' a GID
number? I have noticed problems in the past if I gave Domain Admins a
GID. I would remove it. It also looks as if you may have given
Administrator a UID? After removing the UID and GID attempt to reset
your sysvol. What is the output of the following before you do though?

wbinfo --gid-info=10013

wbinfo --gid-info=10014

wbinfo --uid-info=3000000

wbinfo --uid-info=3000008

Richard via samba

Jan 12, 2017, 2:00:03 PM

Hi James

The output is as follows...

wbinfo --gid-info=10013 => CT\domain admins:x:10013:

wbinfo --gid-info=10014 => CT\domain users:x:10014:

wbinfo --uid-info=3000000 => BUILTIN\administrators:*:3000000:3000000::/home/BUILTIN/administrators:/bin/false

wbinfo --uid-info=3000008 => CT\domain admins:*:3000008:3000008::/home/CT/domain admins:/bin/false

Yes I have set "domain admins" to have NIS domain "CT" and GID "10013" - I can remove this no problem

Yes I have set "domain users" to have NIS domain "CT" and GID "10014" - I can remove this no problem

No I haven't set a UID or GID for Administrator

I do indeed have 'idmap_ldb:use rfc2307 = Yes' - should I remove this from smb.conf?

Please let me know if I should go ahead and remove the GIDs from "domain admins" and "domain users"

thanks again!

Richard

lingpanda101 via samba

Jan 12, 2017, 2:10:03 PM

Just remove the domain admins GID. Afterwards run sysvolreset and post
the getfacl command again on GPO.

Rowland Penny via samba

Jan 12, 2017, 2:20:03 PM

On Thu, 12 Jan 2017 20:46:15 +0200
Richard via samba <sa...@lists.samba.org> wrote:

> Hi James
>
> The output is as follows...
>
> wbinfo --gid-info=10013 => CT\domain admins:x:10013:
>
> wbinfo --uid-info=3000008 => CT\domain
> admins:*:3000008:3000008::/home/CT/domain admins:/bin/false

If you remove the gidNumber from Domain Admins, you will find that it
gets the same GID as its UID '3000008'

>
> Yes I have set "domain admins" to have NIS domain "CT" and GID
> "10013" - I can remove this no problem

See above and I would suggest removing the gidNumber, then run 'net
cache flush'

>
> Yes I have set "domain users" to have NIS domain "CT" and GID
> "10014" - I can remove this no problem

No that is OK

>
> No I haven't set a UID or GID for Administrator

Good, you just turn Administrator into a normal Unix user if you do.

>
> I do indeed have 'idmap_ldb:use rfc2307 = Yes' - should I remove this
> from smb.conf?

No, you need it

Rowland

lingpanda101 via samba

Jan 12, 2017, 2:30:03 PM

On 1/12/2017 2:09 PM, Rowland Penny via samba wrote:
> On Thu, 12 Jan 2017 20:46:15 +0200
> Richard via samba <sa...@lists.samba.org> wrote:
>
>> Hi James
>>
>> The output is as follows...
>>
>> wbinfo --gid-info=10013 => CT\domain admins:x:10013:
>>
>> wbinfo --uid-info=3000008 => CT\domain
>> admins:*:3000008:3000008::/home/CT/domain admins:/bin/false
> If you remove the gidNumber from Domain Admins, you will find that it
> gets the same GID as its UID '3000008'
>
>> Yes I have set "domain admins" to have NIS domain "CT" and GID
>> "10013" - I can remove this no problem
> See above and I would suggest removing the gidNumber, then run 'net
> cache flush'
>
>> Yes I have set "domain users" to have NIS domain "CT" and GID
>> "10014" - I can remove this no problem
> No that is OK
>
>> No I haven't set a UID or GID for Administrator
> Good, you just turn Administrator into a normal Unix user if you do.
>
>> I do indeed have 'idmap_ldb:use rfc2307 = Yes' - should I remove this
>> from smb.conf?
> No, you need it
>
> Rowland
>

I'm hoping if you remove the domain admins GID and run sysvolreset, it
will put the ownership back to
# file:
usr/local/samba/var/locks/sysvol/mydomain.com/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/
# owner: 3000008
# group: 3000008

Yours currently is

# owner: root
# group: 10013

--
- James

Richard via samba

Jan 12, 2017, 2:50:03 PM

Hi Rowland,

I've done the below and retried to log on as a normal user, but sadly:

C:\> gpupdate /force still returns

The processing of Group Policy failed. Windows attempted to read the file \\ct.mydomain.com\sysvol\ct.mydomain.com\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\gpt.ini from a domain controller and was not successful. Group Policy settings may not be applied until this event is resolved. This issue may be transient and could be caused by one or more of the following:
a) Name Resolution/Network Connectivity to the current domain controller.
b) File Replication Service Latency (a file created on another domain controller has not replicated to the current domain controller).
c) The Distributed File System (DFS) client has been disabled.

Also a normal domain user still can't get a listing on sysvol

smbclient //localhost/sysvol -Urichard.h -c 'ls'
Enter richard.h's password:
Domain=[CT] OS=[Windows 6.1] Server=[Samba 4.5.3]
NT_STATUS_ACCESS_DENIED listing \*

but Administrator can fine:

smbclient //localhost/sysvol -UAdministrator -c 'ls'
Enter Administrator's password:
Domain=[CT] OS=[Windows 6.1] Server=[Samba 4.5.3]
. D 0 Thu Jan 12 20:58:10 2017
.. D 0 Thu Jan 12 21:21:00 2017
ct.mydomain.com D 0 Thu Feb 18 00:16:24 2016

244669724 blocks of size 1024. 235669456 blocks available


Also, I've rerun getfacl and I see that GID 10013 still exists for both group and other, even though I have removed it from "domain admins"

group::rwx
group:10013:rwx
group:10014:r-x
group:3000002:rwx
group:3000003:r-x
group:3000006:rwx
group:3000010:r-x
mask::rwx
other::---
default:user::rwx
default:user:root:rwx
default:user:3000002:rwx
default:user:3000003:r-x
default:user:3000006:rwx
default:user:3000010:r-x
default:group::---
default:group:10013:rwx
default:group:10014:r-x
default:group:3000002:rwx
default:group:3000003:r-x
default:group:3000006:rwx
default:group:3000010:r-x
default:mask::rwx
default:other::---

so not really sure where to go from here

(btw - I won't keep saying thank you but just to let you know that I really really appreciate all the help you guys are giving on this)

Richard

PS - I just thought it may be worthwhile pasting my smb.conf file here (domain name and forwarder ips changed)

[global]
workgroup = CT
realm = ct.mydomain.com
netbios name = DC1
server role = active directory domain controller

allow dns updates = nonsecure and secure

dns forwarder = 1.2.3.4 10.20.30.40
idmap_ldb:use rfc2307 = yes

ldap server require strong auth = no

[netlogon]
path = /usr/local/samba/var/locks/sysvol/ct.mydomain.com/scripts
read only = No

[sysvol]
path = /usr/local/samba/var/locks/sysvol
read only = No


Richard via samba

Jan 12, 2017, 3:00:03 PM

does this look better?

# getfacl /usr/local/samba/var/locks/sysvol/ct.mydomain.com/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}
getfacl: Removing leading '/' from absolute path names
# file: usr/local/samba/var/locks/sysvol/ct.mydomain.com/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}
# owner: 3000008
# group: 3000008

lingpanda101 via samba

Jan 12, 2017, 3:00:03 PM

Did you run 'net cache flush'?

--
- James

Rowland Penny via samba

Jan 12, 2017, 3:10:02 PM

Did you run 'net cache flush'

Richard via samba

Jan 12, 2017, 3:30:03 PM

Hi

here are the commands in the order I ran them:

root@dc1:~ # systemctl stop samba
root@dc1:~ # net cache flush
root@dc1:~ # samba-tool ntacl sysvolreset
root@dc1:~ # net cache flush
root@dc1:~ # samba-tool ntacl sysvolcheck
root@dc1:~ # systemctl start samba
root@dc1:~ # smbclient //localhost/sysvol -UAdministrator -c 'ls'
Enter Administrator's password:
Domain=[CT] OS=[Windows 6.1] Server=[Samba 4.5.3]
. D 0 Thu Jan 12 22:14:18 2017
.. D 0 Thu Jan 12 22:14:45 2017
ct.mydomain.com D 0 Thu Feb 18 00:16:24 2016

244669724 blocks of size 1024. 235669260 blocks available
root@dc1:~ # smbclient //localhost/sysvol -Urichard.h -c 'ls'
Enter richard.h's password:
Domain=[CT] OS=[Windows 6.1] Server=[Samba 4.5.3]
NT_STATUS_ACCESS_DENIED listing \*
root@dc1:~ #

then on the client:

C:\WINDOWS\system32>gpupdate /force
Updating policy...

Computer policy could not be updated successfully. The following errors were encountered:

The processing of Group Policy failed. Windows attempted to read the file \\ct.mydomain.com\SysVol\ct.mydomain.com\Policies\{073A6C41-BE24-4CA2-8F00-386A9F2D3908}\gpt.ini from a domain controller and was not successful. Group Policy settings may not be applied until this event is resolved. This issue may be transient and could be caused by one or more of the following:
a) Name Resolution/Network Connectivity to the current domain controller.
b) File Replication Service Latency (a file created on another domain controller has not replicated to the current domain controller).
c) The Distributed File System (DFS) client has been disabled.
User Policy could not be updated successfully. The following errors were encountered:

lingpanda101 via samba

Jan 12, 2017, 3:40:03 PM

What is the output of the below now?

getfacl /usr/local/samba/var/locks/sysvol/

You may also need to run

samba-tool dbcheck --cross-ncs --reset-well-known-acls --fix

Richard via samba

Jan 12, 2017, 3:50:03 PM

Hi

root@dc1:~ # samba-tool dbcheck --cross-ncs --reset-well-known-acls --fix --yes
...some error information...
Checked 3647 objects (2 errors)
root@dc1:~ # samba-tool dbcheck --cross-ncs --reset-well-known-acls --fix
Checking 3647 objects
Checked 3647 objects (0 errors)

root@dc1:~ # getfacl /usr/local/samba/var/locks/sysvol/
getfacl: Removing leading '/' from absolute path names
# file: usr/local/samba/var/locks/sysvol/
# owner: root
# group: 3000000
user::rwx
user:root:rwx
user:3000000:rwx
user:3000001:r-x
user:3000002:rwx
user:3000003:r-x
group::rwx
group:3000000:rwx
group:3000001:r-x
group:3000002:rwx
group:3000003:r-x
mask::rwx
other::---
default:user::rwx
default:user:root:rwx
default:user:3000000:rwx
default:user:3000001:r-x
default:user:3000002:rwx
default:user:3000003:r-x
default:group::---
default:group:3000000:rwx
default:group:3000001:r-x
default:group:3000002:rwx
default:group:3000003:r-x
default:mask::rwx
default:other::---


gpupdate /force still fails :o(

lingpanda101 via samba

Jan 12, 2017, 4:00:03 PM

Progress

What is the output of

'wbinfo -r richard.h'

Richard via samba

Jan 12, 2017, 4:30:03 PM

cool!

root@dc1:~ # wbinfo -r richard.h
10001
3000008
10000
10014
10004
10005
3000005
3000009
3000000

Richard via samba

Jan 12, 2017, 4:40:03 PM

I'm not sure if it's of value but here also is the richard.h group information as reported by Windows on the client:

C:\WINDOWS\system32>whoami /groups

GROUP INFORMATION
-----------------

Group Name Type SID Attributes
========================================= ================ ============================================ ===============================================================
CT\osDirector Group S-1-5-21-962076006-582617201-2751578557-1107 Mandatory group, Enabled by default, Enabled group
Everyone Well-known group S-1-1-0 Mandatory group, Enabled by default, Enabled group
BUILTIN\Administrators Alias S-1-5-32-544 Mandatory group, Enabled by default, Enabled group, Group owner
BUILTIN\Performance Log Users Alias S-1-5-32-559 Mandatory group, Enabled by default, Enabled group
BUILTIN\Users Alias S-1-5-32-545 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\INTERACTIVE Well-known group S-1-5-4 Mandatory group, Enabled by default, Enabled group
CONSOLE LOGON Well-known group S-1-2-1 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users Well-known group S-1-5-11 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization Well-known group S-1-5-15 Mandatory group, Enabled by default, Enabled group
LOCAL Well-known group S-1-2-0 Mandatory group, Enabled by default, Enabled group
CT\Domain Admins Group S-1-5-21-962076006-582617201-2751578557-512 Mandatory group, Enabled by default, Enabled group
CT\Denied RODC Password Replication Group Alias S-1-5-21-962076006-582617201-2751578557-572 Mandatory group, Enabled by default, Enabled group
CT\osDevelopment Group S-1-5-21-962076006-582617201-2751578557-1110 Mandatory group, Enabled by default, Enabled group
CT\osSecurity Group S-1-5-21-962076006-582617201-2751578557-1111 Mandatory group, Enabled by default, Enabled group
CT\osVPN Group S-1-5-21-962076006-582617201-2751578557-1112 Mandatory group, Enabled by default, Enabled group
Mandatory Label\High Mandatory Level Label S-1-16-12288

Richard via samba

Jan 13, 2017, 2:10:03 AM

Also, I'm not sure whether this has any relevance to the problem but I did at one point try to set up a secondary AD server but was struggling to get it going so demoted it using "Demote an Offline Domain Controller" from this page

https://wiki.samba.org/index.php/Demote_a_Samba_AD_DC

I also went through the "Verifying the Demotion" checks on this page and all looked fine

Jonathan Hunter via samba

Jan 14, 2017, 12:20:02 PM

Hi All,

Trying to avoid making this into a "Me too" response :) but this is
the single largest issue I have with Samba at the moment, I've
struggled with this for literally years, both before I switched to
rfc2307 (which did help in many areas) and since switching. I am
following this thread with great interest, in the hope that I can get
my GPOs working, too.

Currently I've hit a different issue (Samba bug ID 12363) that has
stopped me from being able to debug this further; but suffice to say -
I feel your pain.

I am particularly interested in the interaction between giving 'Domain
Users' its own GID, and having GPOs stored in sysvol on the DCs, which
is historically the place that has the most trouble with user mappings
etc. (that is why I initially switched to rfc2307, and subsequently
demoted my main file server from being a DC, also)

If we don't give built-in groups their own UID/GID though, then how do
we ensure consistency between multiple DCs and also member
fileservers? This is probably the area of samba I'm least expert on
(uids, XIDs, rfc2307, idmap, file servers vs DCs, etc..)

Cheers,

Jonathan
--
"If we knew what it was we were doing, it would not be called
research, would it?"
- Albert Einstein

Rowland Penny via samba

Jan 14, 2017, 1:10:03 PM

On Sat, 14 Jan 2017 17:09:47 +0000
Jonathan Hunter via samba <sa...@lists.samba.org> wrote:

> Hi All,
>
> Trying to avoid making this into a "Me too" response :) but this is
> the single largest issue I have with Samba at the moment, I've
> struggled with this for literally years, both before I switched to
> rfc2307 (which did help in many areas) and since switching. I am
> following this thread with great interest, in the hope that I can get
> my GPOs working, too.
>
> Currently I've hit a different issue (Samba bug ID 12363) that has
> stopped me from being able to debug this further; but suffice to say -
> I feel your pain.
>
> I am particularly interested in the interaction between giving 'Domain
> Users' its own GID, and having GPOs stored in sysvol on the DCs, which
> is historically the place that has the most trouble with user mappings
> etc. (that is why I initially switched to rfc2307, and subsequently
> demoted my main file server from being a DC, also)

If you only have Samba AD DCs and Windows clients, you do not need to
give any group a gidNumber. It is only when you throw Unix domain
members in to the mix AND use the winbind 'ad' backend, that you need
to give Domain Users a gidNumber.

>
> If we don't give built-in groups their own UID/GID though, then how do
> we ensure consistency between multiple DCs and also member
> fileservers? This is probably the area of samba I'm least expert on
> (uids, XIDs, rfc2307, idmap, file servers vs DCs, etc..)
>

Samba AD DCs use idmap.ldb to store the mappings between SIDs and
xidNumbers, the numbers are always in the '3000000' range. They are
also allocated on a first come basis, when a user or group first
contacts a Samba DC it is allocated the next xidNumber, this is why
you are not sure to get the same ID number on every DC. This is not a
problem however, as each DC knows the xidNumber for the group. So
if you rsync sysvol between DCs and then run sysvolreset, the correct
xidNumber for that DC will be set. You can also copy idmap.ldb between
DCs as well, but I don't see the point.

The only way to get consistent IDs for the users and groups that matter,
is to use the winbind 'ad' backend. This means giving users a unique
UidNumber and Domain Users a gidNumber. These numbers will be used on
DCs instead of the xidNumbers and on Unix domain members provided that
the 'idmap config' lines are set up correctly.
This is what I use on domain members:

idmap config *:backend = tdb
idmap config *:range = 2000-9999
## map ids from the domain the ranges may not overlap !
idmap config SAMDOM : backend = ad
idmap config SAMDOM : schema_mode = rfc2307
idmap config SAMDOM : range = 10000-999999

The '*' range is for the well known SIDs (Domain Admins,
Administrators etc)
The 'SAMDOM' range is for the DOMAIN users & groups that you create and
Domain Users.

It doesn't really matter what ID the well known SIDs get, as long as the
Unix machine knows which SID the ID belongs to.

Hope this helps, but feel free to ask questions.
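A check for the idmap ranges Rowland describes above (the "ranges may not overlap" comment), as an added example that is not part of this thread or of Samba's own tooling: it pulls the `idmap config` lines out of an smb.conf fragment and reports overlapping ranges, a range with no backend, or a missing `*` range for the well-known SIDs. The two fragments embedded in it are constructed; the first is Rowland's member configuration as posted, the second the same with the SAMDOM range moved so that it overlaps the `*` range.

```python
"""Validate 'idmap config' ranges in a Samba domain member's smb.conf.
Added example, not from the mailing-list thread or from Samba itself.
Tolerates the spaces around ':' used in the thread's fragment."""
import re
from typing import Dict, List

RANGE_LINE = re.compile(
    r"^\s*idmap\s+config\s+(\S+)\s*:\s*range\s*=\s*(\d+)\s*-\s*(\d+)\s*$",
    re.IGNORECASE)
BACKEND_LINE = re.compile(
    r"^\s*idmap\s+config\s+(\S+)\s*:\s*backend\s*=\s*(\S+)\s*$",
    re.IGNORECASE)

NO_STAR = ("no 'idmap config * : range' set for the well-known SIDs "
           "(BUILTIN\\Administrators, Domain Admins, etc.)")


def parse_idmap(smb_conf: str) -> Dict[str, dict]:
    """Return {domain: {'backend': str|None, 'range': (lo, hi)|None}},
    keeping the order in which domains first appear in the file."""
    cfg: Dict[str, dict] = {}
    for line in smb_conf.splitlines():
        if line.lstrip().startswith(("#", ";")):
            continue  # smb.conf comment line
        m = RANGE_LINE.match(line)
        if m:
            entry = cfg.setdefault(m.group(1), {"backend": None, "range": None})
            entry["range"] = (int(m.group(2)), int(m.group(3)))
            continue
        m = BACKEND_LINE.match(line)
        if m:
            entry = cfg.setdefault(m.group(1), {"backend": None, "range": None})
            entry["backend"] = m.group(2).lower()
    return cfg


def idmap_problems(smb_conf: str) -> List[str]:
    """List the configuration mistakes that make winbind hand out
    ambiguous or unusable IDs: no default range, a range without a
    backend, an inverted range, or two ranges that overlap."""
    cfg = parse_idmap(smb_conf)
    problems: List[str] = []
    if cfg.get("*", {}).get("range") is None:
        problems.append(NO_STAR)
    for dom, entry in cfg.items():
        if entry["range"] is None:
            problems.append(f"{dom}: backend set but no range")
        elif entry["backend"] is None:
            problems.append(f"{dom}: range set but no backend")
        elif entry["range"][0] >= entry["range"][1]:
            problems.append(f"{dom}: range low >= high")
    ranges = [(d, e["range"]) for d, e in cfg.items() if e["range"]]
    for i, (d1, (a1, b1)) in enumerate(ranges):
        for d2, (a2, b2) in ranges[i + 1:]:
            if a1 <= b2 and a2 <= b1:  # closed intervals intersect
                problems.append(
                    f"ranges overlap: {d1} {a1}-{b1} and {d2} {a2}-{b2}")
    return problems


# Constructed fragments.  GOOD is the member configuration posted in the
# thread; BAD moves the SAMDOM range down into the '*' range.
GOOD = """\
[global]
   idmap config *:backend = tdb
   idmap config *:range = 2000-9999
   ## map ids from the domain the ranges may not overlap !
   idmap config SAMDOM : backend = ad
   idmap config SAMDOM : schema_mode = rfc2307
   idmap config SAMDOM : range = 10000-999999
"""
BAD = GOOD.replace("10000-999999", "5000-999999")

if __name__ == "__main__":
    for name, conf in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, idmap_problems(conf) or "ok")
```

Run it against a real smb.conf with `idmap_problems(open("/etc/samba/smb.conf").read())`; the check is purely textual, so it cannot tell you whether the users' uidNumber attributes actually fall inside the `ad` range, only that the ranges themselves are sane.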

Richard via samba

Jan 15, 2017, 1:40:03 PM

I remain baffled as to why richard.h cannot access the sysvol share.

Permissions all seem ok from what I can see and I'm not sure why this should be any different from normal AD share behaviour (our other shares are working fine for domain users)

I would really appreciate it if someone could let me know whether the sysvol has become corrupt in some way and I am wasting my time even trying to sort this out.

thanks

Rowland Penny via samba

Jan 15, 2017, 2:10:02 PM

On Sun, 15 Jan 2017 20:30:25 +0200
Richard via samba <sa...@lists.samba.org> wrote:

> I remain baffled as to why richard.h cannot access the sysvol share.
>
> Permissions all seem ok from what I can see and I'm not sure why this
> should be any different from normal AD share behaviour (our other
> shares are working fine for domain users)
>
> I would really appreciate it if someone could let me know whether the
> sysvol has become corrupt in some way and I am wasting my time even
> trying to sort this out.
>
> thanks
>

I have thought about this and notice that you gave 'Domain Admins' a
gidNumber (which you have now removed), but 'getfacl' only showed the
number not the group name. This makes me wonder if you have set up the
libnss_winbind links etc. If you haven't, or don't know what I mean,
see here:

https://wiki.samba.org/index.php/Configuring_Winbindd_on_a_Samba_AD_DC
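An audit for the symptom Rowland points at here (getfacl printing bare numbers where names are expected) and for the xidNumber-versus-rfc2307 split he explained earlier in the thread, as an added example that is not part of this thread or of Samba: it collects every numeric UID/GID from a getfacl dump, tags each as an idmap.ldb xidNumber or an rfc2307 uidNumber/gidNumber (the 3000000 boundary is assumed from the default allocation range, not stated in the thread), and tries to resolve it through the libc NSS stack the way getent does, with a wbinfo fallback that separates a missing libnss_winbind from a broken winbindd. The getfacl sample embedded in it is constructed from the dump posted earlier in the thread.

```python
"""Audit the POSIX ACL on a Samba AD DC's sysvol for numeric IDs that NSS
cannot resolve.  Added example; not part of the thread or of Samba's own
tooling.  Assumes the getfacl(1) output format shown in the thread and that
idmap.ldb xidNumbers start at 3000000 (an assumption)."""
import grp
import pwd
import re
import subprocess
from typing import Callable, Dict, List, Optional, Set, Tuple

# Assumed boundary: on a DC with 'idmap_ldb:use rfc2307 = yes', IDs below
# this come from uidNumber/gidNumber attributes in AD, IDs at or above it
# were allocated first-come in idmap.ldb and differ from DC to DC.
XID_FLOOR = 3000000

ACL_LINE = re.compile(
    r"^(?:default:)?(user|group):(\d+):[rwx-]{3}(?:\s+#effective:[rwx-]{3})?$")
OWNER_LINE = re.compile(r"^# (owner|group): (\d+)$")


def numeric_ids(getfacl_output: str) -> Dict[str, Set[int]]:
    """Every numeric UID/GID referenced by a getfacl dump.  Entries that
    already carry a name (e.g. 'user:root:rwx', '# owner: root') resolved
    fine and are skipped."""
    ids: Dict[str, Set[int]] = {"user": set(), "group": set()}
    for raw in getfacl_output.splitlines():
        line = raw.strip()
        m = OWNER_LINE.match(line)
        if m:
            ids["user" if m.group(1) == "owner" else "group"].add(int(m.group(2)))
            continue
        m = ACL_LINE.match(line)
        if m:
            ids[m.group(1)].add(int(m.group(2)))
    return ids


def nss_resolver(kind: str, ident: int) -> Optional[str]:
    """Resolve through libc NSS, exactly what getfacl and getent use.  On a
    DC this only works once libnss_winbind is linked in and nsswitch.conf
    lists 'winbind' for passwd and group."""
    try:
        return pwd.getpwuid(ident).pw_name if kind == "user" \
            else grp.getgrgid(ident).gr_name
    except KeyError:
        return None


def wbinfo_resolver(kind: str, ident: int) -> Optional[str]:
    """Ask winbindd directly, bypassing NSS.  Success here after an NSS
    failure means winbindd is healthy and the NSS wiring is the problem."""
    flag = "--uid-info" if kind == "user" else "--gid-info"
    try:
        out = subprocess.run(["wbinfo", f"{flag}={ident}"],
                             capture_output=True, text=True, check=True).stdout
    except (OSError, subprocess.CalledProcessError):
        return None
    return out.split(":", 1)[0].strip() or None


def audit(getfacl_output: str,
          resolve: Callable[[str, int], Optional[str]] = nss_resolver
          ) -> List[Tuple[str, int, str, Optional[str]]]:
    """(kind, id, origin, name) for every numeric ID in the ACL; origin is
    'xid' or 'rfc2307', name is None when the ID does not resolve."""
    rows: List[Tuple[str, int, str, Optional[str]]] = []
    for kind, idset in numeric_ids(getfacl_output).items():
        for ident in sorted(idset):
            origin = "xid" if ident >= XID_FLOOR else "rfc2307"
            rows.append((kind, ident, origin, resolve(kind, ident)))
    return rows


def unresolved(rows: List[Tuple[str, int, str, Optional[str]]]
               ) -> List[Tuple[str, int, str]]:
    return [(k, i, o) for k, i, o, name in rows if name is None]


# Constructed sample, trimmed from the getfacl dump posted in the thread.
SAMPLE = """\
# file: usr/local/samba/var/locks/sysvol/mydomain.com/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}
# owner: root
# group: 10013
user::rwx
user:root:rwx
user:3000002:rwx
user:3000003:r-x
group::rwx
group:10013:rwx
group:10014:r-x
group:3000002:rwx
default:group:10014:r-x
mask::rwx
other::---
"""

if __name__ == "__main__":
    rows = audit(SAMPLE)
    for kind, ident, origin, name in rows:
        print(f"{kind:5} {ident:>8} {origin:8} {name or 'UNRESOLVED'}")
    if unresolved(rows) and not unresolved(audit(SAMPLE, wbinfo_resolver)):
        print("winbindd resolves these IDs but NSS does not: "
              "check the libnss_winbind links and nsswitch.conf on this DC")
```

On a DC, feed it the real dump with `audit(subprocess.check_output(["getfacl", path], text=True))`. An rfc2307 ID that neither resolver knows is the case from the thread: a gidNumber that was removed from AD but is still baked into the ACL, which only `samba-tool ntacl sysvolreset` after `net cache flush` will replace.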

Richard via samba

Jan 15, 2017, 4:30:02 PM

Hi Rowland,

100% ! I hadn't set up the libnss_winbind links.

I have now done this using:

# ln -s /usr/local/samba/lib/libnss_winbind.so.2 /lib64/
# ln -s /lib64/libnss_winbind.so.2 /lib64/libnss_winbind.so
# ldconfig

When I test as follows all looks good:

root@dc1:~ # wbinfo --ping-dc
checking the NETLOGON for domain[CT] dc connection to "dc1.ct.mydomain.com" succeeded

but for some reason I don’t understand "getent" still doesn't work when executed on the DC

root@dc1:~ # getent passwd richard.h
root@dc1:~ #

If I do the same on one of the domain members it works fine...

root@office1:~ # getent passwd richard.h
richard.h:*:10010:10001::/home/richard.h:/bin/bash


I'm pretty sure I'm doing the same pam / nsswitch setup on the DC as I did on the domain members (not sure whether relevant but the domain members are running standard CentOS 7 Samba 4.4.4 packages)

do you possibly have any idea why getent isn't working on the domain controller?

thanks!

Rowland Penny via samba

Jan 15, 2017, 5:10:04 PM

Check PAM, see here:

https://wiki.samba.org/index.php/Authenticating_Domain_Users_Using_PAM

Jonathan Hunter via samba

Jan 15, 2017, 7:50:02 PM

Thank you Rowland, that was indeed a good explanation and helped me
get further along with this.

I realised that my DCs didn't have winbind correctly configured
(either in nsswitch.conf or via nss winbind links), which explains
some of the issues I was having :) so many thanks for your prompting
here. It has helped, even though I'm separately still stuck with bug
12363 for the moment.

(I've also updated the wiki page for libnss/winbind by adding debian
on raspberry pi - might hopefully help someone in the future)

--
"If we knew what it was we were doing, it would not be called
research, would it?"
- Albert Einstein
