
getent group not returning domain groups

Ask Ubuntu user
Asked on 2016-12-21 09:28:03
Answers 2 · Views 9K · Followers 0 · Votes 1

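I want to allow Windows users to access a file share on my Ubuntu (16.04.1).

I followed this tutorial: Samba with login shares on Ubuntu 12.04

I followed every step. After solving some problems, I found that I needed to install libnss-winbind & libpam-winbind. After installing these last packages, I re-ran pam-auth-update.

When I kinit a user, I get a valid ticket,

wbinfo -u works,

wbinfo -g works,

getent passwd returns local and AD users,

but getent group only returns local groups.

When I want to chgrp -R 'Domain Users' /sharing/, I get: chgrp: invalid group: ‘Domain Users’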

krb5.conf =

[libdefaults]
  ticket_lifetime = 24h
  default_realm = EXAMPLE.LOCAL
  forwardable = true

[realms]
  EXAMPLE.LOCAL = {
    kdc = 192.168.254.3
    default_domain = EXAMPLE.LOCAL
  }

[domain_realm]
  .example.local = EXAMPLE.LOCAL
  example.local = EXAMPLE.LOCAL

[kdc]
  profile = /etc/krb5kdc/kdc.conf

[appdefaults]
  pam = {
    debug = false
    ticket_lifetime = 36000
    renew_lifetime = 36000
    forwardable = true
    krb4_convert = false
  }

[logging]
  kdc = FILE:/var/log/krb5kdc.log
  admin_server = FILE:/var/log/kadmin.log
  default = FILE:/var/log/krb5lib.log

smb.conf =

[global]
    # No .tld
    workgroup = EXAMPLE
    # Active Directory System
    security = ads
    # With .tld
    realm = EXAMPLE.LOCAL
    # Just a member server
    domain master = no
    local master = no
    preferred master = no
    # Disable printing error log messages when CUPS is not installed.
    printcap name = /etc/printcap
    load printers = no
    # Works both in samba 3.2 and 3.6.
    idmap backend = tdb
    idmap uid = 10000-99999
    idmap gid = 10000-99999
    # no .tld
    idmap config EXAMPLE:backend = rid
    idmap config EXAMPLE:range = 10000-99999
    winbind enum users = yes
    winbind enum groups = yes
    # This way users log in with username instead of username@example.org
    winbind use default domain = yes
    # Inherit groups in groups
    winbind nested groups = yes
    winbind refresh tickets = yes
    winbind offline logon = true
    # Becomes /home/example/username
    template homedir = /home/%D/%U
    # No shell access
    template shell = /bin/false
    client use spnego = yes
    client ntlmv2 auth = yes
    encrypt passwords = yes
    restrict anonymous = 2
    log file = /var/log/samba/samba.log
    log level = 2

[Dropbox]
    comment = Daily Emptied Dropbox
    path = /sharing/test
    valid users = "@EXAMPLE\Domain Users"
    force group = "domain users"
    writable = yes
    read only = no
    force create mode = 0660
    create mask = 0777
    directory mask = 0777
    force directory mode = 0770
    access based share enum = yes
    hide unreadable = yes

nsswitch.conf=

# /etc/nsswitch.conf
#
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.

passwd:         files winbind
group:          files windind
shadow:         files windind
gshadow:        files

hosts:          files dns
networks:       files

protocols:      db files
services:       db files
ethers:         db files
rpc:            db files

netgroup:       nis

(Tested with compat instead of files, same result.)

How can I get AD groups working?

2 Answers

Ask Ubuntu user

Posted on 2018-03-30 11:25:09

You need to install libnss-winbind libpam-winbind. It sets up some links in your system that enforce going through winbind. Worked for me on 16 with Samba 4.3.11

Votes 1
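
An added diagnostic, not part of the original posts: glibc loads `libnss_<source>.so.2` for each source named in nsswitch.conf, so this check lists sources that have no matching module. Run on the lines as posted in the question, it flags `windind` on the group and shadow entries. The function names, the library directories searched and the built-in set are assumptions of this example.

```python
import glob
import os
import re

# Constructed sample: the database lines as posted in the question above.
SAMPLE_NSSWITCH = """\
passwd:         files winbind
group:          files windind
shadow:         files windind
gshadow:        files
hosts:          files dns
netgroup:       nis
"""

# Assumption: newer glibc builds these two sources into libc itself.
BUILTIN = {"files", "dns"}


def parse_nsswitch(text):
    """Return {database: [source, ...]} without comments or [STATUS=action] items."""
    result = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if ":" not in line:
            continue
        db, rest = line.split(":", 1)
        rest = re.sub(r"\[[^\]]*\]", " ", rest)  # drop e.g. [NOTFOUND=return]
        result[db.strip()] = rest.split()
    return result


def installed_modules(lib_dirs=("/lib", "/usr/lib", "/lib64", "/usr/lib64")):
    """Names X for which libnss_X.so.2 exists under lib_dirs, plus BUILTIN."""
    found = set(BUILTIN)
    for d in lib_dirs:
        pattern = os.path.join(d, "**", "libnss_*.so.2")
        for path in glob.glob(pattern, recursive=True):
            found.add(os.path.basename(path)[len("libnss_"):-len(".so.2")])
    return found


def missing_sources(text, modules):
    """Sorted (database, source) pairs whose NSS module is not in `modules`."""
    parsed = parse_nsswitch(text)
    return sorted((db, s) for db, srcs in parsed.items() for s in srcs if s not in modules)


if __name__ == "__main__":
    path = "/etc/nsswitch.conf"
    text = open(path).read() if os.path.exists(path) else SAMPLE_NSSWITCH
    for db, src in missing_sources(text, installed_modules()):
        print(f"{db}: no libnss_{src}.so.2 found for source '{src}'")
```
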

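Ask Ubuntu user

Posted on 2022-02-08 14:23:04

I am posting this to help those who may have the same problem I did:

  • getent group @ returns nothing
  • AD group-based login does not work
  • Individual user-based login works.

After much troubleshooting, I found that the /etc/resolv.conf provided by systemd-resolved is incompatible with sssd and AD group login. Sssd allows users in when they are added individually with sudo realm permit @, but not with sudo realm permit -g @.

In /etc/resolv.conf, replace 120.0.0.53 with the domain controller in your network. You may need to apply netplan, and you can restart sssd for good measure. After this, group-based AD login started working; I tested this many times, and the fix is consistent.

Votes 1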
Original page content provided by Ask Ubuntu. Translation support provided by the Tencent Cloud Xiaowei IT-domain engine.
Original link:

https://askubuntu.com/questions/862972
