Samba – getent groups shows AD groups, but getent passwd doesn’t show users

active-directorysambawinbind

Attempting to get my fedora linux machine to allow Active Directory logons, but I'm not aple to get past this. I'm trying to reconcile a number of tutorials which seem to give contradictory advice as to a few things, such as setting + or / as winbind separator.

http://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/winbind.html

http://blog.scottlowe.org/2007/01/15/linux-ad-integration-version-4/

I get about half way done and I never can get my active directory (win2k3) users to show up after getent passwd.

Best Answer

Are you using nsswitch.conf? If so, are the winbind entries in there correctly?

The winbind separator is a bugaboo because of naming conventions. Yes, it can be made to work with a \ instead of +, but there are consequences. (Using \ brings you closer to the old-style NT4 logins, which is what you're after). Frankly, if you only have a single domain, I wouldn't bother with the winbind separator. I would, however, set the default domain that winbind searches in.

Related Solutions

Samba – User in passdb, but getpwnam() fails!

SOLVED!!!!!!!!!!!

I have a script that was starting Samba (NMBD, SMBD) as well as OpenLDAP (SLAPD). It's an RC script that reads configuration data from a file to determine, among other things, which processes are already running or if a dependent process fails to start, etc... Here is a snippet of the relevant part in the script. The last line copies a version of the nsswitch.conf into place that specifies to use LDAP lookups.

while [ $i -lt $MAXPROCS ];
  do
   PID=${PROC[$i]}
   StartProc $PID

   if test $? != 0; then
    echo "!!! Aborting Any Remaining Start-up Processes !!!"
    exit 1
   fi

  i=$(($i+1))
done

 cp /etc/rc.d/pozix/nsswitch.conf.ldap /etc/nsswitch.conf

And upon shutdown I was doing the following; notice I copy a nsswitch.conf file that has "noldap" entries in it.

while [ $i -lt $MAXPROCS ];
do
  PID=${PROC[$i]}
  StopProc $PID
  i=$(($i+1))
done

cp /etc/rc.d/pozix/nsswitch.conf.noldap /etc/nsswitch.conf

It turns out that in the start-up scenario, samba wants the nsswtich.conf content to have the ldap entries there prior to invocation. Here is what I did to fix my issues:

cp /etc/rc.d/pozix/nsswitch.conf.ldap /etc/nsswitch.conf

while [ $i -lt $MAXPROCS ];
  do
   PID=${PROC[$i]}
   StartProc $PID

   if test $? != 0; then
    cp /etc/rc.d/pozix/nsswitch.conf.noldap /etc/nsswitch.conf
    echo "!!! Aborting Any Remaining Start-up Processes !!!"
    exit 1
   fi

  i=$(($i+1))
done

In summary, it appears that how you start SMBD is just as important as when you start it. If you start SMBD when nsswitch.conf has no LDAP entries, you get a version of smbd running linked to nss_ldap.so thinking it should only rely upon /etc/passwd (if that is all that is in the nsswitch.conf file) and changing the nsswitch.conf contents after SMBD is running has no effect.

Hope this helps other system builders....

Ldap – getent passwd fails, getent group works

With regards to getent passwd/shadow its most likely configuration differences in the /etc/switch.conf file. You might be using the following rule, which your client doesn't like.

passwd: compat
shodow: compat

passwd_compat:  ldap
shadow_compat:  ldap

Iv seen this on some of my clients where i needed to change it to the following

passwd: files ldap
shadow: files ldap

( comment out "passwd_compat: ldap" and "shadow_compat: ldap" )

Something you might want to try.

Best Answer

Related Solutions

Samba – User in passdb, but getpwnam() fails!

Ldap – getent passwd fails, getent group works

Related Topic