getent group not working on new domain member

classic Classic list List threaded Threaded
7 messages Options
Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

getent group not working on new domain member

Samba - General mailing list
I have a troubling circumstance. I've installed a new domain member running Slackware64 14.2.
This computer is practically a clone of another domain member I've had set up and running for
over a year.

Most everything seems to work. I have joined the domain and it does show up as a domain
computer. The domain user can log onto the computer just fine. I can run `wbinfo -u`, `wbinfo
-g` and `getent passwd myuser`. All return the correct information.

What I cannot run is `getent group Domain\ Users`. I get nothing why I try. I can run this w/o
problem on the other domain member. It doesn't seem to be affecting functionality so far, but
the fact that it doesn't return my Domain Users info worrys me that something is broken.

I do have "group: compat windbind" in nsswitch.conf.

Any ideas as to what I should do or where I should look?

--Mark

--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba
Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

Re: getent group not working on new domain member

Samba - General mailing list
Mark Foley via samba <[hidden email]> wrote:

> I have a troubling circumstance. I've installed a new domain member running Slackware64 14.2.
> This computer is practically a clone of another domain member I've had set up and running for
> over a year.
>
> Most everything seems to work. I have joined the domain and it does show up as a domain
> computer. The domain user can log onto the computer just fine. I can run `wbinfo -u`, `wbinfo
> -g` and `getent passwd myuser`. All return the correct information.
>
> What I cannot run is `getent group Domain\ Users`. I get nothing why I try. I can run this w/o
> problem on the other domain member. It doesn't seem to be affecting functionality so far, but
> the fact that it doesn't return my Domain Users info worrys me that something is broken.
>
> I do have "group: compat windbind" in nsswitch.conf.
>
> Any ideas as to what I should do or where I should look?
>
> --Mark
>

I haven't received any feedback on this yet, but I just ran into a situation where this
group-thing may be affecting. In /etc/cups/cups-files.conf I've set SystemGroup as:

SystemGroup sys root users "domain users"

However, cups does not like this:

# cupsd -t
"/etc/cups/cups-files.conf" contains errors.

I have to remve the "domain users" setting for cups to run. On the other domain member where
`getent group Domain\ Users` works, this cups SystemGroup setting is accepted.

--Mark

--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba
Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

Re: getent group not working on new domain member

Samba - General mailing list
In reply to this post by Samba - General mailing list
what about
https://wiki.samba.org/index.php/Libnss_winbind_Links
--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba
Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

Re: getent group not working on new domain member

Samba - General mailing list
In reply to this post by Samba - General mailing list
On Sat, 08 Jul 2017 12:47:13 -0400
Mark Foley via samba <[hidden email]> wrote:

> I have a troubling circumstance. I've installed a new domain member
> running Slackware64 14.2. This computer is practically a clone of
> another domain member I've had set up and running for over a year.
>
> Most everything seems to work. I have joined the domain and it does
> show up as a domain computer. The domain user can log onto the
> computer just fine. I can run `wbinfo -u`, `wbinfo -g` and `getent
> passwd myuser`. All return the correct information.
>
> What I cannot run is `getent group Domain\ Users`. I get nothing why
> I try. I can run this w/o problem on the other domain member. It
> doesn't seem to be affecting functionality so far, but the fact that
> it doesn't return my Domain Users info worrys me that something is
> broken.
>
> I do have "group: compat windbind" in nsswitch.conf.
>
> Any ideas as to what I should do or where I should look?
>
> --Mark
>

If one Unix domain member works, but another set up exactly the same
doesn't, usually means one of two things. You haven't set up the second
one correctly, or something has changed in Samba.

Can you post your smb.conf and tell us what versions of Samba you are
using on the two machines.

Rowland

--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba
Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

Re: getent group not working on new domain member

Samba - General mailing list
In reply to this post by Samba - General mailing list
 

The only thing that works for me was this:

root@samba:~# getent
passwd|tail
systemd-resolve:x:102:104:systemd
Resolver,,,:/run/systemd/resolve:/bin/false
systemd-bus-proxy:x:103:105:systemd
Bus
Proxy,,,:/run/systemd:/bin/false
_apt:x:104:65534::/nonexistent:/bin/false
sshd:x:105:65534::/run/sshd:/usr/sbin/nologin
ntp:x:106:110::/home/ntp:/bin/false
messagebus:x:107:111::/var/run/dbus:/bin/false

SAMDOMadministrator:*:0:100::/home/administrator:/bin/false
SAMDOMglorenzutti:*:3000020:100::/home/glorenzutti:/bin/false
SAMDOMkrbtgt:*:3000021:100::/home/krbtgt:/bin/false
SAMDOMguest:*:3000011:100::/home/guest:/bin/false

root@samba:~#
grep enum /etc/samba/*
/etc/samba/smb.conf:winbind enum users =
yes
/etc/samba/smb.conf:winbind enum groups = yes

On Sat, 08 Jul 2017
12:47:13 -0400, Mark Foley via samba wrote:

> I have a troubling
circumstance. I've installed a new domain member running Slackware64
14.2.
> This computer is practically a clone of another domain member
I've had set up and running for
> over a year.
>
> Most everything
seems to work. I have joined the domain and it does show up as a
domain
> computer. The domain user can log onto the computer just fine.
I can run `wbinfo -u`, `wbinfo
> -g` and `getent passwd myuser`. All
return the correct information.
>
> What I cannot run is `getent group
Domain Users`. I get nothing why I try. I can run this w/o
> problem on
the other domain member. It doesn't seem to be affecting functionality
so far, but
> the fact that it doesn't return my Domain Users info
worrys me that something is broken.
>
> I do have "group: compat
windbind" in nsswitch.conf.
>
> Any ideas as to what I should do or
where I should look?
>
> --Mark

 
--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba
Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

Re: getent group not working on new domain member

Samba - General mailing list
On Sun, 09 Jul 2017 10:53:58 -0300
Guido Lorenzutti via samba <[hidden email]> wrote:

>  
>
> The only thing that works for me was this:
>
> root@samba:~# getent
> passwd|tail
> systemd-resolve:x:102:104:systemd
> Resolver,,,:/run/systemd/resolve:/bin/false
> systemd-bus-proxy:x:103:105:systemd
> Bus
> Proxy,,,:/run/systemd:/bin/false
> _apt:x:104:65534::/nonexistent:/bin/false
> sshd:x:105:65534::/run/sshd:/usr/sbin/nologin
> ntp:x:106:110::/home/ntp:/bin/false
> messagebus:x:107:111::/var/run/dbus:/bin/false
>
> SAMDOMadministrator:*:0:100::/home/administrator:/bin/false
> SAMDOMglorenzutti:*:3000020:100::/home/glorenzutti:/bin/false
> SAMDOMkrbtgt:*:3000021:100::/home/krbtgt:/bin/false
> SAMDOMguest:*:3000011:100::/home/guest:/bin/false
>
> root@samba:~#
> grep enum /etc/samba/*
> /etc/samba/smb.conf:winbind enum users =
> yes
> /etc/samba/smb.conf:winbind enum groups = yes
>

The 'winbind enum' lines are only required if you want getent to
show all the users and groups, you do not NEED to do this

There is no need for the lines and they will slow things down if you
have a lot of users (imagine if you have a 10,000 users, how long will
that take to print to screen ?). If 'getent passwd username' works, this
is sufficient to prove getent works.

Rowland


--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba
Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

Re: getent group not working on new domain member

Samba - General mailing list
In reply to this post by Samba - General mailing list
Rowland Penny via samba <[hidden email]> wrote:

> On Sat, 08 Jul 2017 12:47:13 -0400
> Mark Foley via samba <[hidden email]> wrote:
>
> > I have a troubling circumstance. I've installed a new domain member
> > running Slackware64 14.2. This computer is practically a clone of
> > another domain member I've had set up and running for over a year.
> >
> > Most everything seems to work. I have joined the domain and it does
> > show up as a domain computer. The domain user can log onto the
> > computer just fine. I can run `wbinfo -u`, `wbinfo -g` and `getent
> > passwd myuser`. All return the correct information.
> >
> > What I cannot run is `getent group Domain\ Users`. I get nothing why
> > I try. I can run this w/o problem on the other domain member. It
> > doesn't seem to be affecting functionality so far, but the fact that
> > it doesn't return my Domain Users info worrys me that something is
> > broken.
> >
> > I do have "group: compat windbind" in nsswitch.conf.
> >
> > Any ideas as to what I should do or where I should look?
> >
> > --Mark
> >

> If one Unix domain member works, but another set up exactly the same
> doesn't, usually means one of two things. You haven't set up the second
> one correctly, or something has changed in Samba.
>
> Can you post your smb.conf and tell us what versions of Samba you are
> using on the two machines.
>
> Rowland

Both systems: Slackware64 14.2, Samba 4.4.13

Working system kernel 4.4.19
Non-working system kernel 4.4.75

smb.conf, same on both systems:

[global]
        realm = HPRS.LOCAL
        workgroup = HPRS
        usershare allow guests = Yes
        usershare max shares = 10
        security = ADS
        template shell = /bin/bash

  idmap config *:backend = tdb
  idmap config *:range = 2000-9999
  idmap config HPRS:backend = ad
  idmap config HPRS:schema_mode = rfc2307
  idmap config HPRS:range = 10000-10099

       winbind enum groups = Yes
        winbind enum users = Yes
        winbind nss info = rfc2307
        winbind offline logon = Yes
        winbind refresh tickets = Yes
        winbind use default domain = Yes

To ACR ACR's comment about the libnss_winbind.so* links, yes I have those.

THX --Mark

--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba
Loading...