
[Samba] Getent passwd doesn't show Domain Members


Timo Dachs-Wegmann

Jul 19, 2016, 8:50:03 AM
Dear Support-Team,

I have a problem regarding the function of winbind on a samba4 Active Directory Domain Controller.

I installed samba4 from the standard debian sources.
Made the domain provisioning and installed Kerberos.
After that I installed winbind and linked the libnss_winbind.so.2 -> libnss_winbind.so.
Wbinfo -u and wbinfo -g do work properly.

The strange thing is, that
"getent passwd administrator" gives back this line:
"administrator:*:0:100::/srv/samba/USERS/administrator:/bin/false"
So it seems that winbind is working properly, but getent passwd alone doesn't show the local users (same for getent group).

Can you help me with this?

I tried several tutorials and I read a lot of mails regarding this topic but I didn’t find a good answer to my problem.
I installed it in a lot of different orders (first winbind then samba, first Kerberos then samba and then winbind... etc) after a lot of different instructions.

Samba config:
[global]
workgroup = PROCITEC
realm = PROCITEC.DE
netbios name = SAMBAPRO
server role = active directory domain controller
dns forwarder = 192.168.0.1
idmap_ldb:use rfc2307 = yes
registry shares = yes
template homedir = /srv/samba/%D/%U

I edited the nsswitch.conf:
passwd: compat winbind
group: compat winbind

If you need further information please don’t hesitate to contact me

Kind regards

Timo Dachs-Wegmann




--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba

Rowland penny

Jul 19, 2016, 10:40:04 AM
Try adding:

winbind enum users = yes
winbind enum groups = yes

to smb.conf and restart samba.

Rowland

Timo Dachs-Wegmann

Jul 19, 2016, 11:00:04 AM
We already tried this without success...


Kind regards

Timo Dachs-Wegmann
-EDV-

-----Original Message-----
From: samba [mailto:samba-...@lists.samba.org] On Behalf Of Rowland penny
Sent: Tuesday, 19 July 2016 16:30
To: sa...@lists.samba.org
Subject: Re: [Samba] Getent passwd doesn't show Domain Members

Rowland penny

Jul 19, 2016, 11:40:05 AM
It should.

You posted this:

I installed samba4 from the standard debian sources.
Made the domain provisioning and installed Kerberos.
After that I installed winbind and linked the libnss_winbind.so.2 ->
libnss_winbind.so.

When you installed from debian sources, do you mean you installed the
debian packages or that you used them to compile your own ?
If you just installed packages, then you don't need to create the links,
just install libnss-winbind and libpam-winbind

You also say that you installed kerberos, do you mean the client
packages or server packages ?

Achim Gottinger

Jul 19, 2016, 12:40:03 PM
In my debian jessie test environment this does not work with jessie's 4.2
packages.
With backported 4.4.5 packages from sid it works.
Also on my production servers the enumeration of groups and users
stopped working after the 4.1-4.2 upgrade (sernet packages). It did not
cause issues there the last few months.

achim~

Timo Dachs-Wegmann

Jul 20, 2016, 3:30:03 AM
Okay, I tried to install the server without winbind but with libnss-winbind.

Still the same problem. Getent passwd administrator works but the result of getent passwd only shows local users.
This seems to be the same bug as Achim's.
We are running a Debian 4.8 with samba 4.2 packages...

A few months ago I installed a test environment for samba with samba version 4.1.17. There the getent command works perfectly. So I guess this is a bug in the latest version...

Can I report this bug somewhere or is there a workaround?

Kind regards

Timo Dachs-Wegmann
-EDV-


-------------------------------------
PROCITEC GmbH Rastatter Strasse 41
D-75179 Pforzheim
Phone: +49 7231 15561-29
Fax: +49 7231 15561-11
Mailto: t.we...@procitec.de

Mannheim HRB 504702
Managing Director: Dipl.-Ing. (FH) Dipl.-Inf. (FH) Jens Heyen

-----Original Message-----
From: samba [mailto:samba-...@lists.samba.org] On Behalf Of Achim Gottinger
Sent: Tuesday, 19 July 2016 18:28

Rowland penny

Jul 20, 2016, 5:40:03 AM
On 20/07/16 08:22, Timo Dachs-Wegmann wrote:
> Okay, I tried to install the server without winbind but with libnss-winbind.
>
> Still the same problem. Getent passwd administrator works but the result of getent passwd only shows local users.
> This seems to be the same bug as Achim's.
> We are running a Debian 4.8 with samba 4.2 packages...
>
> A few months ago I installed a test environment for samba with samba version 4.1.17. There the getent command works perfectly. So I guess this is a bug in the latest version...
>
> Can I report this bug somewhere or is there a workaround?

OK, I have installed Samba 4.2.0 using distro packages on Devuan in a VM
and set it up as I would normally do.
From my testing, 'getent passwd' and 'getent group' work, so the
question seems to be, how have you set up your domain member ?

The VM I set up uses a fixed IP and this is the list of packages I
installed:

samba samba-common-bin samba-common samba-libs samba-vfs-modules
samba-dsdb-modules libwbclient0 libsmbclient winbind acl attr
krb5-config libnss-winbind libpam-winbind libpam-krb5 krb5-user

/etc/resolv.conf contains this:

search samdom.example.com
nameserver 192.168.0.5
nameserver 192.168.0.6

The nameservers are my two DCs

/etc/hosts contains this:

127.0.0.1 localhost
192.168.0.8 devtest.samdom.example.com devtest

# The following lines are desirable for IPv6 capable hosts
::1 localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters

If the computer was using dhcp, the '192.168.0.8' line wouldn't be there.

/etc/krb5.conf contains:

[libdefaults]
default_realm = SAMDOM.EXAMPLE.COM
dns_lookup_realm = false
dns_lookup_kdc = true

It doesn't need to contain anything else.

/etc/samba/smb.conf contains this:

[global]
workgroup = SAMDOM
security = ADS
realm = SAMDOM.EXAMPLE.COM

dedicated keytab file = /etc/krb5.keytab
kerberos method = secrets and keytab
server string = Samba 4 Client %h

winbind enum users = yes
winbind enum groups = yes
winbind use default domain = yes
winbind expand groups = 4
winbind nss info = rfc2307
winbind refresh tickets = Yes
winbind offline logon = yes
winbind normalize names = Yes

## map ids outside of domain to tdb files.
idmap config *:backend = tdb
idmap config *:range = 2000-9999
## map ids from the domain the ranges may not overlap !
idmap config SAMDOM : backend = ad
idmap config SAMDOM : schema_mode = rfc2307
idmap config SAMDOM : range = 10000-999999

domain master = no
local master = no
preferred master = no
os level = 20
map to guest = bad user
host msdfs = no

# user Administrator workaround, without it you are unable to set privileges
username map = /etc/samba/user.map

# For ACL support on domain member
vfs objects = acl_xattr
map acl inherit = Yes
store dos attributes = Yes

# Share Setting Globally
unix extensions = no
reset on zero vc = yes
veto files = /.bash_logout/.bash_profile/.bash_history/.bashrc/
hide unreadable = yes

log file = /usr/local/samba/var/log.%m

[homes]
path = /home/%U
read only = no

/etc/samba/user.map contains this:

!root = SAMDOM\Administrator SAMDOM\administrator Administrator administrator

The relevant lines in /etc/nsswitch.conf look like this:

passwd: compat winbind
group: compat winbind

Which leads to this:

root@devtest:~# getent passwd
root:x:0:0:root:/root:/bin/bash
.......
.......

It displays no AD users, but if you run it again:

root@devtest:~# getent passwd
root:x:0:0:root:/root:/bin/bash
.......
.......
albert:*:10004:10000:Albert Tatlock:/home/albert:/bin/false
rowland:*:10000:10000:Rowland Penny:/home/rowland:/bin/bash
........
........

It doesn't really matter if 'getent passwd' doesn't display all your
users, as long as it will display individual users:

root@devtest:~# getent passwd rowland
rowland:*:10000:10000:Rowland Penny:/home/rowland:/bin/bash

Rowland

Rowland penny

Jul 20, 2016, 7:00:02 AM
On 20/07/16 11:49, Achim Gottinger wrote:
> Hi Rowland,
>
> The OP is running in ADDC mode!
>
> achim~
>
>

Ah, missed that, I will go and try again and report back, it should work.

Achim Gottinger

Jul 20, 2016, 7:00:03 AM


On 20.07.2016 at 11:33, Rowland penny wrote:
Hi Rowland,

The OP is running in ADDC mode!

achim~


Rowland penny

Jul 20, 2016, 12:10:03 PM
OK, I know what is wrong now, the debian Samba package (version 4.2.10
that is really 4.2.11) is the one that came out after the badlock
patches were released. A few regressions were introduced by the badlock
patches and these have been fixed in later releases. To put it bluntly,
debian needs to release a later version, even more so, when you take
into account that 4.5.0 is nearing release, at which point, the 4.2.x
series will go EOL.

Your choices if you need 'getent passwd' to work (if 'getent passwd
username' isn't enough) are a bit limited, you could use the Sernet
packages (free or paid for), wait until debian releases a later package
or compile Samba yourself.
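
A way to tell the two states apart on a host (single-user lookups work and only enumeration is missing, as in this thread, versus winbind not resolving accounts at all). This is an added example, not part of the original thread or of Samba's own tooling; it assumes `wbinfo -u` and `getent passwd` print names in the same form, and the `WBINFO`, `GETENT` and `NSSWITCH` variables and the function names are illustrative.

```shell
#!/bin/sh
# Added diagnostic, not from the thread. Tells "winbind cannot resolve domain
# users" apart from "lookups work, only enumeration is missing".
# Assumptions: wbinfo -u and getent print names in the same form; the
# WBINFO, GETENT and NSSWITCH variables are this script's own knobs.
: "${WBINFO:=wbinfo}" "${GETENT:=getent}" "${NSSWITCH:=/etc/nsswitch.conf}"

# nss_has_winbind DB: true if DB's line in $NSSWITCH lists the winbind module.
nss_has_winbind() {
    grep -Eq "^[[:space:]]*$1:(.*[[:space:]])?winbind([[:space:]]|\$)" "$NSSWITCH"
}

# classify_user NAME ENUM_FILE: prints enumerated | lookup-only | unresolved.
classify_user() {
    if cut -d: -f1 "$2" | grep -Fxq -- "$1"; then
        echo enumerated
    elif "$GETENT" passwd "$1" >/dev/null 2>&1; then
        echo lookup-only      # the symptom discussed in the thread
    else
        echo unresolved       # NSS cannot map the account at all
    fi
}

# enum_report: one "status<TAB>name" line per user that winbind knows about.
enum_report() {
    tmp=$(mktemp) || return 1
    # The thread notes the first enumeration may omit AD users, so enumerate
    # twice and keep the second result.
    "$GETENT" passwd >/dev/null 2>&1 || true
    "$GETENT" passwd >"$tmp" 2>/dev/null || true
    "$WBINFO" -u | while IFS= read -r user; do
        if [ -n "$user" ]; then
            printf '%s\t%s\n' "$(classify_user "$user" "$tmp")" "$user"
        fi
    done
    rm -f "$tmp"
}

# verdict: nss-not-configured | resolution-broken | enumeration-gap | ok
verdict() {
    nss_has_winbind passwd || { echo nss-not-configured; return 0; }
    report=$(enum_report)
    if printf '%s\n' "$report" | grep -q '^unresolved'; then echo resolution-broken
    elif printf '%s\n' "$report" | grep -q '^lookup-only'; then echo enumeration-gap
    else echo ok
    fi
}

if [ "${1:-}" = "--run" ]; then enum_report; verdict; fi
```

Run it as root with `--run` on the affected host; `enumeration-gap` matches the behaviour reported here, while `resolution-broken` points at idmap or winbind itself rather than at enumeration.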

Timo Dachs-Wegmann

Jul 21, 2016, 2:20:02 AM
Well, thank you for your support.
I guess you can't tell when debian will release new packages?

I think we'll work with the 4.2.10 (4.2.11) packages until debian releases the new version :)

Kind regards

Timo Dachs-Wegmann
-EDV-

-----Original Message-----
From: samba [mailto:samba-...@lists.samba.org] On Behalf Of Rowland penny
Sent: Wednesday, 20 July 2016 17:59
To: sa...@lists.samba.org
Subject: Re: [Samba] Getent passwd doesn't show Domain Members

Rowland penny

Jul 21, 2016, 4:10:03 AM
On 21/07/16 07:08, Timo Dachs-Wegmann wrote:
> Well, thank you for your support.
> I guess you can't tell when debian will release new packages?

No, but perhaps Andrew Bartlett can ?

Rowland

>
> I think we'll work with the 4.2.10 (4.2.11) packages until debian releases the new version :)
>
> Kind regards
>
> Timo Dachs-Wegmann
> -EDV-
>
>

