SAMBA AD: Getent passwd doesn't return domain users

Update 5/31/2018: Please skip to the end of the thread for how I solved this ongoing problem I had been having for several months

Hi,

I'm new to the thread and fairly new to FreeBSD, plus I'm coming over from FreeNAS, so please bear with me (I understand the animosity). I'll try to include as much relevant info as I can to make this as pain-free as possible:

I have a FreeNAS zpool I've imported into a FreeBSD 11.1-RELEASE VM running on ESXi 6.5. FreeNAS 11u2 was what I was using, which is based on FreeBSD 10.3-STABLE.

I have Windows Server 2016 Core AD with all my user info. FreeNAS was joined to my domain (just a small home network, nothing complicated) and my ZFS volume has file permissions with domain users owning files and directories in their shares.

FreeBSD has an A-name entry in the DNS server and is properly responding, including reverse-lookup. FreeBSD is synchronized with my DC for NTP.

Here's an example of ls currently at /tank/:

Code:
...
drwxrwxr-x+  21 21105  20513    32 Aug  2 14:24 Avery
drwxrwxr-x+  2 root   wheel     4 Jul 19 14:11 TestShare
drwxrwxr-x+  4 20500  20513     5 Aug  2 14:00 homes
drwxr-xr-x   8 root   wheel     9 Sep 19 18:44 jails
drwxr-xr-x   2 root   1000      5 Jul 19 10:52 samba
...

As you can see, ownership of the Avery and homes shares is now uid and gid numbers, rather than the domain users they used to belong to and display, e.g. DOMAIN\user. I'm not sure if that's particularly relevant, but it concerns me.

samba46-4.6.6 has been installed (all packages installed using pkg). My smb4.conf file is extrapolated from my old FreeNAS VM.

Here's where I'm at so far:

I seem to be able to join the domain without issue, e.g. # net ads join -U user@domain%password
I seem to be able to get a kerberos ticket without issue, e.g. # kinit user@domain.com
testparm does not complain about anything in my smb4.conf
I can connect to \\FREENAS and see the shares, but don't seem to be able to connect to \\FREENAS.DOMAIN.COM, which is odd because I used to be able to
# wbinfo -u and wbinfo -g show me domain users and groups as expected

I cannot access the fileshares with either DOMAIN\user or root - I've tried chown -R root:wheel of /tank/TestShare to test it out
I do not see domain users or groups when using getent passwd or getent group respectively

Let's start with my smb4.conf (I have commented out several lines for testing):

Code:
[global]
        dos charset = CP437
        multicast dns register = No
        realm = DOMAIN.COM
        server string = FreeBSD Server
        workgroup = DOMAIN
        wins server = dc01.domain.com
        domain master = No
        lm announce = Yes
        local master = No
        preferred master = No
        nsupdate command = /usr/local/bin/samba-nsupdate -g
        client ldap sasl wrapping = plain
        logging = file
        max log size = 51200
        kernel change notify = No
        panic action = /usr/local/libexec/samba/samba-backtrace
        disable spoolss = Yes
        load printers = No
        printcap name = /dev/null
        server min protocol = SMB2
        allow trusted domains = No
        map untrusted to domain = Yes
        map to guest = Bad User
        obey pam restrictions = Yes
        security = ADS
        server role = member server
        deadtime = 15
        hostname lookups = Yes
        max open files = 234812
        template homedir = /tank/homes/%D/%U
        template shell = /bin/sh
        winbind cache time = 7200
        winbind enum groups = Yes
        winbind enum users = Yes
        winbind offline logon = Yes
        winbind refresh tickets = Yes
        dns proxy = No
        idmap config happy: range = 20000-90000000
        idmap config happy: backend = rid
        idmap config *: range = 90000001-100000000
        idmap config * : backend = tdb
        store dos attributes = Yes
        strict locking = No
        directory name cache size = 0
        dos filemode = Yes
        acl allow execute always = Yes
        ea support = Yes
        create mask = 0666
        directory mask = 0777


[Avery]
        path = "/tank/Avery"
        veto files = /.snapshot/.windows/.mac/.zfs/
        read only = No
;        vfs objects = zfs_space zfsacl streams_xattr aio_pthread
;        zfsacl:acesort = dontcare
;        nfs4:chown = true
;        nfs4:acedup = merge
;        nfs4:mode = special


[TestShare]
        path = "/tank/TestShare"
        veto files = /.snapshot/.windows/.mac/.zfs/
        read only = No
;        vfs objects = zfs_space zfsacl streams_xattr aio_pthread
;        zfsacl:acesort = dontcare
;        nfs4:chown = true
;        nfs4:acedup = merge
;        nfs4:mode = special


[homes]
        comment = Home Directories
        path = "/tank/homes/%D/%U"
        veto files = /.snapshot/.windows/.mac/.zfs/
        read only = No
        valid users = %D\%U
        vfs objects = zfs_space zfsacl streams_xattr aio_pthread
        zfsacl:acesort = dontcare
        nfs4:chown = true
        nfs4:acedup = merge
        nfs4:mode = special
Here's my /etc/krb5.conf:
Code:
[libdefaults]
        default_realm = DOMAIN.COM
[domain_realms]
        .happy.hut = DOMAIN.COM

Here's /etc/pam.d/login:
Code:
# auth
auth            sufficient      pam_self.so             no_warn
auth            include         system
auth            sufficient      /usr/local/lib/pam_winbind.so

# account
account         requisite       pam_securetty.so
account         required        pam_nologin.so
account         include         system
account         sufficient      /usr/local/lib/pam_winbind.so

# session
session         include         system

# password
password        include         system

Does anyone know what might be going on here? I'd really like to get this working.

Thanks!
-Avery
Hi, sorry for not responding to your message earlier. Thanks for the recommendation of looking at nsswitch.conf - it's usually the first place I go to when getent isn't behaving correctly regarding domain users or groups.

I forgot I had even written this post; it looks like it was around 8 months ago. I found it when searching for threads that might pertain to my issue instead of starting another thread.

Well, I'm having the same problem again. This time I am attempting to use ad as my backend rather than rid because I have switched to 2012r2 domain controllers with unix attributes, so I'm using winbind nss info = rfc2307 instead of winbind nss info = template.

When using rid as my backend, getent groups displayed a list of both local and domain groups. Now when using the ad backend, it doesn't. I would prefer to manage rfc 2307 attributes at the domain level for individual accounts rather than having a blanket template in smb4.conf, so I'm trying to figure out why this isn't working rather than just giving up and going back to rid.

Here's my smb4.conf [global] section - I am no longer using anything related to my old FreeNAS install, I wrote this one following the Samba Wiki on how to join a member to a domain:

https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member

By the way, I am using krb5-115 and samba47 from pkg --

Code:
[global]
        netbios name = FEBMARCH
        security = ADS
        workgroup = WEBTOOL
        realm = WEBTOOL.SPACE
        client use spnego = yes
        client signing = yes
        server signing = yes
        client ntlmv2 auth = yes
        encrypt passwords = yes

        log file = /var/log/samba4/%m.log
        log level = 1

        idmap config * : backend = tdb
        idmap config * : range = 3000-7999

        idmap config WEBTOOL : backend = ad
        idmap config WEBTOOL : schema_mode = rfc2307
        idmap config WEBTOOL : range = 10000-999999
        idmap config WEBTOOL : unix_nss_info = yes
        idmap config WEBTOOL : unix_primary_group = yes

        ;winbind use default domain = yes
        winbind enum users = yes
        winbind enum groups = yes
        winbind offline logon = yes
        winbind nested groups = yes
        winbind refresh tickets = yes
        winbind nss info = rfc2307

        ;winbind nss info = template
        ;template shell = /bin/bash
        ;template homedir = /home/%D/%U

Testparm doesn't complain, I can connect to the VM using Windows clients, etc. Everything seems great except that my getent groups only returns local groups, which I think will prevent me from granting access/creating restrictions for domain users based on their group profile in FreeBSD, like logging in through su, ssh etc.

My /etc/nsswitch.conf appears to be fine, it's just as recommended for users of winbindd:
Code:
group: files winbind
group_compat: nis
hosts: files dns
netgroup: compat
networks: files
passwd: files winbind
passwd_compat: nis
shells: files
services: compat
services_compat: nis
protocols: files
rpc: files

Any ideas what it might be? Thanks!
Ok,

So I finally figured out what the problem was by reading the Samba wiki about the AD backend type:

https://wiki.samba.org/index.php/Idmap_config_ad

https://wiki.samba.org/index.php/Idmap_config_rid

Basically, the issue wasn't anything with Samba or FreeBSD, but a result of my lack of understanding about how NIS/Unix Attributes work in Active Directory.

Short answer: If you want to set UID/GID in AD, use ad backend but make sure you set UID and GID for all users and groups in AD, otherwise getent passwd and getent group won't work.

tl;dr:
I had been using the rid backend, which I believe may be necessary to get getent to return domain users/groups if not setting NIS attributes in the DC. When I wrote the first question in this thread, I was using Windows Server 2016, which does not have NIS anymore since it was deprecated in 2012 and removed in 2016. rid is easier to configure in some ways since GID and UID are created automatically by Samba, which uses a template for all users configured in smb4.conf and requires the flag winbind nss info = template instead of winbind nss info = rfc2307. ad allows more granular support of users and groups in Active Directory (or Samba AD) using Unix Attributes / rfc 2307 support. Since I had been using Server 2016, I wasn't that familiar with AD's support for Unix Attributes, since it's not available in 2016.

So anyway, I changed to Server 2012r2 domain controllers, and now I have NIS/Unix Attributes, so now I can change the UID and GID for my nix users in Active Directory. The problem was that GID and UID are not set by default - so without having any NIS attributes for my groups, when using the ad backend none of the AD users or groups were being retrieved by winbind on my FreeBSD VM.

Long story short (long?), if you have 2012r2+Unix Attributes or Samba domain controllers and you want to use the ad backend, you have to make sure to set the NIS attributes for each user and group in Active Directory, otherwise they will not be available through winbind using getent. If you do not have Unix Attributes/rfc 2307, or you would rather have UID/GID set automatically, and don't mind all users' shells and homedirs being the same for everybody, then use the rid backend.
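As an added example (not from the thread or from Samba itself), a small Python audit that makes the difference between the two backends concrete: the rid backend derives every ID arithmetically from the SID (ID = RID + low end of the range, which is consistent with the numeric ids in the first post's ls output, e.g. 20513 = RID 513, the well-known Domain Users RID, + the 20000 base), while the ad backend only resolves accounts whose uidNumber/gidNumber are present and inside the configured idmap range. The LDIF below is constructed sample data; in practice you would feed it ldapsearch output from the DC.

```python
import re

# Constructed LDIF standing in for `ldapsearch -LLL` output from a 2012r2 or
# Samba DC (sample data, not from the thread).
SAMPLE_LDIF = """\
dn: CN=avery,CN=Users,DC=webtool,DC=space
objectClass: user
sAMAccountName: avery
objectSid: S-1-5-21-1111111111-2222222222-3333333333-1105
uidNumber: 10105
gidNumber: 10513

dn: CN=media,CN=Users,DC=webtool,DC=space
objectClass: group
sAMAccountName: media
objectSid: S-1-5-21-1111111111-2222222222-3333333333-1201
"""

def parse_ldif(text):
    """Parse plain LDIF (no line folding, no base64) into attribute dicts."""
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        entry = {}
        for line in block.splitlines():
            key, _, value = line.partition(": ")
            entry.setdefault(key, []).append(value)
        entries.append(entry)
    return entries

def rid_backend_id(sid, low_range):
    """idmap_rid rule: ID = RID + LOW_RANGE_ID, the RID being the last
    sub-authority of the objectSid; no AD attribute is consulted."""
    return int(sid.rsplit("-", 1)[1]) + low_range

def ad_backend_audit(entries, low_range, high_range):
    """Accounts the ad backend would not resolve: users need uidNumber and
    gidNumber, groups need gidNumber, and the value must sit inside the
    configured idmap range or winbind ignores it."""
    problems = []
    for e in entries:
        name = e["sAMAccountName"][0]
        needed = ["gidNumber"] if "group" in e["objectClass"] else ["uidNumber", "gidNumber"]
        for attr in needed:
            if attr not in e:
                problems.append((name, f"{attr} missing"))
            elif not low_range <= int(e[attr][0]) <= high_range:
                problems.append((name, f"{attr} outside {low_range}-{high_range}"))
    return problems
```

Run ad_backend_audit over the real directory with the range from smb4.conf (10000-999999 in the second post) before switching from rid to ad; every name it reports is one that getent will silently omit.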