[Samba] winbind -u works, getent passwd doesn't work


basti via samba

Jan 30, 2017, 6:10:04 AM1/30/17
Hello,
I have upgraded my Samba PDC to Samba AD and joined a Linux box to the AD.

Using short domain name -- FOO
Joined 'RTR-01' to realm 'foo'

wbinfo gets users:
root@rtr-01:~# wbinfo -u | tail -1
FOO\user

getent passwd does not:
getent passwd | tail -1
fetchmail:x:108:65534::/var/lib/fetchmail:/bin/false


root@rtr-01:~# cat /etc/nsswitch.conf
# /etc/nsswitch.conf
#
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.

passwd: compat winbind
group: compat winbind
shadow: compat winbind
gshadow: files

hosts: files dns
networks: files

protocols: db files
services: db files
ethers: db files
rpc: db files

netgroup: nis

root@rtr-01:~# dpkg -l | grep win
ii libnewt0.52:amd64 0.52.17-1+b1 amd64
Not Erik's Windowing Toolkit - text mode windowing with slang
ii libnss-winbind:amd64 2:4.2.14+dfsg-0+deb8u2 amd64
Samba nameservice integration plugins
ii libpam-winbind:amd64 2:4.2.14+dfsg-0+deb8u2 amd64
Windows domain authentication integration plugin
ii libwbclient0:amd64 2:4.2.14+dfsg-0+deb8u2 amd64
Samba winbind client library
ii libwind0-heimdal:amd64 1.6~rc2+dfsg-9 amd64
Heimdal Kerberos - stringprep implementation
ii winbind 2:4.2.14+dfsg-0+deb8u2 amd64
service to resolve user and group information from Windows NT servers

What's wrong there?
Thanks for any help.

Best regards basti

--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba

mathias dufresne via samba

Jan 30, 2017, 6:20:02 AM1/30/17
Did you configure PAM?

basti via samba

Jan 30, 2017, 7:00:03 AM1/30/17
Yes, I think so.
I ran "pam-auth-update";

* Kerberos authentication
* Unix authentication
* Winbind NT/Active Directory authentication
* LDAP Authentication

are checked.

L.P.H. van Belle via samba

Jan 30, 2017, 7:00:04 AM1/30/17
This is all correct and by design.
Try: getent passwd username
if you are running this on a Samba AD DC.

If you want to see if your PAM setup is done, run: pam-auth-update
But still, you only see the users with: getent passwd username

Greetz,

Louis



> -----Original message-----
> From: samba [mailto:samba-...@lists.samba.org] On behalf of basti via samba
> Sent: Monday 30 January 2017 12:00
> To: sa...@lists.samba.org
> Subject: [Samba] winbind -u works, getent passwd doesn't work

basti via samba

Jan 30, 2017, 7:30:03 AM1/30/17

On the AD DC, getent passwd username works.
On the AD member, getent passwd username does not work.

wbinfo works on both

Rowland Penny via samba

Jan 30, 2017, 7:40:03 AM1/30/17
On Mon, 30 Jan 2017 13:19:41 +0100
basti via samba <sa...@lists.samba.org> wrote:

>
> on the AD DC getent passwd username works
> on AD member getent passwd username dones not work
>
> wbinfo works on both
>

Please post your smb.conf from the DC and the domain member.

Rowland

basti via samba

Jan 30, 2017, 8:40:03 AM1/30/17
The getent passwd works for now on my AD member, thanks a lot.

I think I have another problem. ("FOO" is the short domain)

AD DC:
getent passwd | tail -2
FOO\sone:*:2057:513:some one:/home/FOO/sone:/bin/false
FOO\user:*:2029:513:System User:/home/FOO/user:/bin/false

vs.
AD Member

FOO\sone:*:4294967295:4294967295:some one:/home/FOO/sone:/bin/false
FOO\user:*:4294967295:4294967295:System User:/home/FOO/user:/bin/false

UID and GID on the AD member are always the same.

My smb.conf on AD member:


root@rtr-01:~# cat /etc/samba/smb.conf
[global]
netbios name = rtr-01
security = ads
workgroup = FOO
realm = FOO

log file = /var/log/samba/%m.log
log level = 2

# Default ID mapping configuration for local BUILTIN accounts
# and groups on a domain member. The default (*) domain:
# - must not overlap with any domain ID mapping configuration!
# - must use a read-write-enabled back end, such as tdb.
idmap config * : backend = ldap
idmap config * : range = 3000-7999

# fix LDAP connection error
ldap server require strong auth = No

interfaces = lo eth0

winbind enum users = yes
winbind enum groups = yes
winbind cache time = 10

client ntlmv2 auth = yes
encrypt passwords = yes
restrict anonymous = 2
domain master = no
local master = no
preferred master = no
os level = 0

Rowland Penny via samba

Jan 30, 2017, 11:20:02 AM1/30/17
On Mon, 30 Jan 2017 14:33:03 +0100
basti via samba <sa...@lists.samba.org> wrote:

> The getent passwd works for now on my ads member, thanks a lot.
>
> I think I have an other problem. ("FOO" is the short domain)

Yes, you haven't set up the smb.conf on the domain member correctly ;-)

>
> AD DC:
> getent passwd | tail -2
> FOO\sone:*:2057:513:some one:/home/FOO/sone:/bin/false
> FOO\user:*:2029:513:System User:/home/FOO/user:/bin/false
>
> vs.
> AD Member
>
> FOO\sone:*:4294967295:4294967295:some one:/home/FOO/sone:/bin/false
> FOO\user:*:4294967295:4294967295:System User:/home/FOO/user:/bin/false
>
> UID and GID on AD member is always the same.
>
> My smb.conf on AD member:
>
>
> root@rtr-01:~# cat /etc/samba/smb.conf
> [global]
> netbios name = rtr-01
> security = ads
> workgroup = FOO
> realm = FOO
>
> log file = /var/log/samba/%m.log
> log level = 2
>
> # Default ID mapping configuration for local BUILTIN accounts
> # and groups on a domain member. The default (*) domain:
> # - must not overlap with any domain ID mapping configuration!
> # - must use a read-write-enabled back end, such as tdb.
> idmap config * : backend = ldap

So very wrong, you should only use the 'tdb' backend for the '*' domain


> idmap config * : range = 3000-7999

And whilst '3000-7999' is okay for the '*' domain, you haven't set up
the 'FOO' domain range at all; also, the range '500-2999' (which appears
to be what you will need to set it to) is very small and gives you
nowhere to store any local Unix users.

>
> # fix LDAP connection error
> ldap server require strong auth = No

This should only be in a DC smb.conf

Can I suggest you read this:

https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member
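The two idmap mistakes Rowland points out (a non-tdb backend for the '*' domain and no range for the 'FOO' domain, plus the rule that ranges must not overlap) can be checked mechanically before winbind hands out 4294967295 for every user. The script below is an added example, not code from the thread or from Samba; the BROKEN_CONF lines are the idmap settings posted above, and the rid backend and 10000-999999 range in FIXED_CONF are assumed example values following the Samba wiki's domain-member guide.

```python
import re
# idmap lines from the smb.conf posted in the thread (constructed inline)
BROKEN_CONF = """[global]
workgroup = FOO
idmap config * : backend = ldap
idmap config * : range = 3000-7999
"""

# Corrected layout; the rid backend and the 10000-999999 range for FOO are
# assumed example values following the Samba wiki's domain-member guide.
FIXED_CONF = """[global]
workgroup = FOO
idmap config * : backend = tdb
idmap config * : range = 3000-7999
idmap config FOO : backend = rid
idmap config FOO : range = 10000-999999
"""

IDMAP_RE = re.compile(r"^\s*idmap\s+config\s+(\S+)\s*:\s*(backend|range)\s*=\s*(\S+)", re.I)

def parse_idmap(conf):
    """Return {domain: {'backend': str, 'range': (lo, hi)}} from smb.conf text."""
    domains = {}
    for line in conf.splitlines():
        m = IDMAP_RE.match(line)
        if not m:
            continue
        dom, key, val = m.group(1), m.group(2).lower(), m.group(3)
        if key == "range":
            lo, hi = (int(x) for x in val.split("-", 1))
            domains.setdefault(dom, {})["range"] = (lo, hi)
        else:
            domains.setdefault(dom, {})["backend"] = val.lower()
    return domains

def check_idmap(conf, workgroup):
    """Return the list of problems; empty means the idmap layout is sane."""
    doms = parse_idmap(conf)
    problems = []
    if doms.get("*", {}).get("backend") != "tdb":
        problems.append("'*' domain must use the tdb backend")
    if "range" not in doms.get(workgroup, {}):
        problems.append(f"no idmap range configured for domain {workgroup}")
    ranges = [(d, e["range"]) for d, e in doms.items() if "range" in e]
    for i, (d1, (lo1, hi1)) in enumerate(ranges):
        for d2, (lo2, hi2) in ranges[i + 1:]:
            if lo1 <= hi2 and lo2 <= hi1:  # closed intervals intersect
                problems.append(f"idmap ranges for {d1} and {d2} overlap")
    return problems
```

Run `check_idmap(open("/etc/samba/smb.conf").read(), "FOO")` on a member to get the same three findings before restarting winbind.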