LinuxQuestions.org / Linux - Server
https://www.linuxquestions.org/questions/linux-server-73/ad-authentication-wbinfo-works-getent-doesnt-work-cant-login-885090/

amarriner 06-07-2011 09:06 PM

AD Authentication - wbinfo Works, getent Doesn't work, Can't Login
 
Hi all,
I'm trying to bring up a RHEL5.6 server and have SSH users authenticate against Windows 2008r2 AD. As I noted in the subject, I can retrieve AD information using both wbinfo -u and wbinfo -g. All kerberos tests seem to run fine, but when I try getent passwd or group I only see local information, nothing from AD. I also cannot SSH in as an AD user, but I think I should be able to get getent working before I worry about that?

I turned up the log level on samba to 10, but about the only issue I can see at the moment is in /var/log/samba/winbindd.log
[2011/06/07 22:03:32.896639, 6] winbindd/winbindd.c:768(new_connection) accepted socket 22
[2011/06/07 22:03:32.896736, 2] winbindd/winbindd.c:819(winbind_client_request_read)
Could not read client request from fd 22: Input/output error

Anything I might be able to try would be greatly appreciated. Thanks!

I currently have installed:
samba3x.x86_64 3.5.4-0.70.el5_6.1
samba3x-client.x86_64 3.5.4-0.70.el5_6.1
samba3x-common.x86_64 3.5.4-0.70.el5_6.1
samba3x-winbind.x86_64 3.5.4-0.70.el5_6.1

/etc/nsswitch.conf (partial):
passwd: files winbind
shadow: files winbind
group: files winbind

/etc/samba/smb.conf (partial):
workgroup = MYDOMAIN
password server = 10.1.60.10
encrypt passwords = Yes
realm = MYDOMAIN.COM
security = ADS
idmap uid = 16777216-33554431
idmap gid = 16777216-33554431
template homedir = /home/%U
template shell = /bin/bash
winbind use default domain = Yes
winbind enum users = yes
winbind enum groups = yes
winbind nested groups = Yes

hunter3740 06-30-2011 03:59 PM

when wbinfo -u (wbinfo -g) works, but getent passwd (getent group) doesn't
 
My Debian v5 (aka Lenny) file server was that way (even after successfully joining the domain, and like you, the wbinfo commands showed AD users and groups). I went back into the Samba config file and uncommented the winbind enum lines (note: the comments stated this "was the default behavior" but is not any more, because "it might induce performance issues in large organizations", as was the case for me); stopped winbind, restarted samba, started winbind, and poof (okay, it took a few moments to get the results), getent showed ids for the various groups and users!

sudo pico /etc/samba/smb.conf
uncomment (i.e. remove the leading semi-colon):
winbind enum users = yes
winbind enum groups = yes
Ctrl (aka control) and "x", "y", Enter
sudo /etc/init.d/winbind stop
sudo /etc/init.d/samba restart
sudo /etc/init.d/winbind start
getent group



But wait, you seem to show that your enum lines are uncommented; I wonder if you have a firewall issue (e.g. for me, I use iptables, so something like "sudo iptables -A INPUT -p udp -j LOG --log-prefix "UDP DROP:"" before "sudo iptables -A INPUT -p udp -j DROP", and then "dmesg" after trying the getent commands, to see if dropped traffic is getting logged). I also left my "shadow: compat" in my /etc/nsswitch.conf, and I ran "sudo ln -s /lib/libnss_winbind.so.2 /lib/libnss_winbind.so" just in case. Hope this helps.

hunter3740 09-29-2016 09:45 AM

note for smb and winbind 4 (deb 8)
 
you'll need to add "winbind expand groups = 1" to your /etc/samba/smb.conf (if you want to see members of a group with "getent group namehere")
also, idmap lines have changed their syntax:
idmap config *:backend = rid
idmap config *:range = 10000-1000000

and because I'm part of large org:
winbind enum users = no
winbind enum groups = no


I also noticed that haste makes waste in my previous restarting of the smb and winbind services; it should be: stop smb, restart winbind, start samba:
sudo /etc/init.d/samba stop; sudo /etc/init.d/winbind restart; sudo /etc/init.d/samba start
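As an added example that is not part of any post in this thread: the shell script below turns the troubleshooting logic of the two replies into a check you can run against a host's files. wbinfo talks to winbindd over its own socket, so a working "wbinfo -u" proves the domain join and Kerberos but says nothing about NSS; getent goes through nsswitch.conf and libnss_winbind, and an unqualified "getent passwd" additionally needs "winbind enum users = yes" (Samba's default is no), while "getent passwd <user>" still resolves through winbind with enumeration off. The script parses constructed copies of the smb.conf and nsswitch.conf fragments posted above and reports which of those conditions applies, including the Samba 3 "idmap uid/gid" lines that the 2016 reply replaces with "idmap config * : range". The file names, the finding tokens and the diagnose function are assumptions made for this example, not anything from Samba or the posters.

```shell
#!/bin/sh
# Added example (not the thread's own commands): classify why "getent passwd"
# lists only local accounts while "wbinfo -u" works. wbinfo asks winbindd over
# its own socket, so it only proves the join and Kerberos; getent goes through
# NSS (nsswitch.conf plus libnss_winbind), and an unqualified "getent passwd"
# additionally needs "winbind enum users = yes". The files below are
# constructed copies of the fragments posted in the thread; file names and
# finding tokens are assumptions for this example.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Poster's nsswitch.conf, and a variant that never consults winbind.
printf 'passwd: files winbind\nshadow: files winbind\ngroup: files winbind\n' \
    > "$WORK/nsswitch.conf"
printf 'passwd: compat\nshadow: compat\ngroup: compat\n' > "$WORK/nsswitch.compat"

# Poster's Samba 3.5 smb.conf (old idmap syntax, enumeration on).
cat > "$WORK/smb.conf.samba3" <<'EOF'
[global]
   workgroup = MYDOMAIN
   realm = MYDOMAIN.COM
   security = ADS
   idmap uid = 16777216-33554431
   idmap gid = 16777216-33554431
   winbind enum users = yes
   winbind enum groups = yes
EOF

# The Samba 4 form from the 2016 reply (new idmap syntax, enumeration off).
cat > "$WORK/smb.conf.samba4" <<'EOF'
[global]
   workgroup = MYDOMAIN
   realm = MYDOMAIN.COM
   security = ADS
   idmap config *:backend = rid
   idmap config *:range = 10000-1000000
   winbind expand groups = 1
   winbind enum users = no
   winbind enum groups = no
EOF

# smb_param FILE NAME: print the last value set for NAME. smb.conf keys are
# case-insensitive and ignore blanks, so "idmap config * : range" matches
# "idmap config *:range". Prints an empty line when the key is absent.
smb_param() {
    awk -F= -v want="$(printf '%s' "$2" | tr 'A-Z' 'a-z' | tr -d ' ')" '
        /^[ \t]*[;#]/ { next }
        NF >= 2 {
            key = tolower($1); gsub(/[ \t]/, "", key)
            if (key == want) {
                val = $2; gsub(/^[ \t]+|[ \t]+$/, "", val)
                found = val
            }
        }
        END { print found }' "$1"
}

# nss_has_winbind FILE DB: succeed when the "DB:" line lists winbind.
nss_has_winbind() {
    awk -v db="$2:" '
        /^[ \t]*#/ { next }
        $1 == db { for (i = 2; i <= NF; i++) if ($i == "winbind") found = 1 }
        END { exit !found }' "$1"
}

# diagnose NSSWITCH SMBCONF SAMBA_MAJOR: print space-separated findings, or OK.
#   NSS_MISSING       passwd/group never reach winbind: getent cannot see AD
#   IDMAP_OLD_SYNTAX  Samba 4 with "idmap uid/gid" and no "idmap config *:range"
#   ENUM_OFF          unqualified "getent passwd" is expected to omit AD users;
#                     "getent passwd <user>" still resolves through winbind
diagnose() {
    nss=$1; smb=$2; major=$3; findings=""
    if ! nss_has_winbind "$nss" passwd || ! nss_has_winbind "$nss" group; then
        findings="$findings NSS_MISSING"
    fi
    if [ "$major" -ge 4 ] && [ -z "$(smb_param "$smb" 'idmap config * : range')" ] &&
       { [ -n "$(smb_param "$smb" 'idmap uid')" ] || [ -n "$(smb_param "$smb" 'idmap gid')" ]; }
    then
        findings="$findings IDMAP_OLD_SYNTAX"
    fi
    case "$(smb_param "$smb" 'winbind enum users' | tr 'A-Z' 'a-z')" in
        yes|true|1) ;;                      # anything else, or absent: Samba's default is "no"
        *) findings="$findings ENUM_OFF" ;;
    esac
    set -- $findings                        # squeeze the leading blank
    [ $# -eq 0 ] && echo OK || echo "$*"
}

# Run the check over the constructed combinations.
for combo in samba3:3 samba3:4 samba4:4; do
    conf=${combo%:*}; ver=${combo#*:}
    echo "nsswitch.conf + smb.conf.$conf on Samba $ver: $(diagnose "$WORK/nsswitch.conf" "$WORK/smb.conf.$conf" "$ver")"
done
echo "nsswitch.compat + smb.conf.samba3 on Samba 3: $(diagnose "$WORK/nsswitch.compat" "$WORK/smb.conf.samba3" 3)"
```

On a real member server, point diagnose at /etc/nsswitch.conf and /etc/samba/smb.conf with the major version reported by "smbd --version", confirm the NSS module is installed where the dynamic loader finds it ("ldconfig -p | grep libnss_winbind"), and run "testparm -s", which reports parameters the installed Samba no longer recognises. ENUM_OFF is not a fault: with enumeration off, as the 2016 reply recommends for a large organisation, test resolution with "getent passwd <user>" rather than the unqualified "getent passwd".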