[Samba] getent group is not working

Rowland Penny rowlandpenny at googlemail.com
Wed Aug 27 12:57:49 MDT 2014


On 27/08/14 19:39, Eduardo Sotomayor wrote:
> getent group is not working in an openSUSE 13.1 member server for an Active Directory Samba 4 domain.
> wbinfo -u, wbinfo -g, wbinfo -t and getent passwd | grep SIENIC are working. These are my configuration files and the output of the commands.
>
> Note: the domain controller has Samba installed from source (4.1.11); the member server has the distro packages installed (4.1.0).
>
>
>
> blue25:/home/SIENIC/administrator # wbinfo -u
> SIENIC\administrator
> SIENIC\dns-server01
> SIENIC\krbtgt
> SIENIC\guest
>
> blue25:/home/SIENIC/administrator # wbinfo -g
> SIENIC\allowed rodc password replication group
> SIENIC\enterprise read-only domain controllers
> SIENIC\denied rodc password replication group
> SIENIC\read-only domain controllers
> SIENIC\group policy creator owners
> SIENIC\ras and ias servers
> SIENIC\domain controllers
> SIENIC\enterprise admins
> SIENIC\domain computers
> SIENIC\cert publishers
> SIENIC\dnsupdateproxy
> SIENIC\domain admins
> SIENIC\domain guests
> SIENIC\schema admins
> SIENIC\domain users
> SIENIC\dnsadmins
>
> blue25:/home/SIENIC/administrator # wbinfo -t
> checking the trust secret for domain SIENIC via RPC calls succeeded
>
> blue25:/home/SIENIC/administrator # getent passwd | grep SIENIC
> SIENIC\administrator:*:10000:10004:Administrator:/home/SIENIC/administrator:/bin/bash
> SIENIC\dns-server01:*:10001:10004:dns-server01:/home/SIENIC/dns-server01:/bin/bash
> SIENIC\krbtgt:*:10002:10004:krbtgt:/home/SIENIC/krbtgt:/bin/bash
> SIENIC\guest:*:10003:10011:Guest:/home/SIENIC/guest:/bin/bash
>
> blue25:/home/SIENIC/administrator # getent group | grep SIENIC
>
> blue25:/home/SIENIC/administrator # getent group
>
>
> /etc/nsswitch.conf
>
>
> #
> # /etc/nsswitch.conf
> #
> # An example Name Service Switch config file. This file should be
> # sorted with the most-used services at the beginning.
> #
> # The entry '[NOTFOUND=return]' means that the search for an
> # entry should stop if the search in the previous entry turned
> # up nothing. Note that if the search failed due to some other reason
> # (like no NIS server responding) then the search continues with the
> # next entry.
> #
> # Legal entries are:
> #
> #       compat                  Use compatibility setup
> #       nisplus                 Use NIS+ (NIS version 3)
> #       nis                     Use NIS (NIS version 2), also called YP
> #       dns                     Use DNS (Domain Name Service)
> #       files                   Use the local files
> #       [NOTFOUND=return]       Stop searching if not found so far
> #
> # For more information, please read the nsswitch.conf.5 manual page.
> #
>
> # passwd: files nis
> # shadow: files nis
> # group:  files nis
>
> passwd:    compat winbind
> group:    compat winbind
>
> hosts:    files mdns_minimal [NOTFOUND=return] dns
> networks:    files dns
>
> services:    files
> protocols:    files
> rpc:    files
> ethers:    files
> netmasks:    files
> netgroup:    files nis
> publickey:    files
>
> bootparams:    files
> automount:    files nis
> aliases:    files
>
>
> /etc/krb5
>
> [libdefaults]
>      default_realm = SIENIC.SITE
>      clockskew = 300
> #    default_realm = EXAMPLE.COM
>
> [realms]
> SIENIC.SITE = {
>      kdc = server01.sienic.site
>      default_domain = sienic.site
>      admin_server = server01.sienic.site
> }
> #    EXAMPLE.COM = {
> #                kdc = kerberos.example.com
> #        admin_server = kerberos.example.com
> #    }
>
> [logging]
>      kdc = FILE:/var/log/krb5/krb5kdc.log
>      admin_server = FILE:/var/log/krb5/kadmind.log
>      default = SYSLOG:NOTICE:DAEMON
> [domain_realm]
>      .sienic.site = SIENIC.SITE
> [appdefaults]
> pam = {
>      ticket_lifetime = 1d
>      renew_lifetime = 1d
>      forwardable = true
>      proxiable = false
>      minimum_uid = 1
> }
>
>
> /etc/samba/smb.conf
>
>
> [global]
>      workgroup = SIENIC
>      passdb backend = tdbsam
>      printing = cups
>      printcap name = cups
>      printcap cache time = 750
>      cups options = raw
>      map to guest = Bad User
>      include = /etc/samba/dhcp.conf
>      logon path = \\%L\profiles\.msprofile
>      logon home = \\%L\%U\.9xprofile
>      logon drive = P:
>      usershare allow guests = No
>      #idmap gid = 10000-20000
>      #idmap uid = 10000-20000
>      kerberos method = secrets and keytab
>      realm = SIENIC.SITE
>      security = ADS
>      template homedir = /home/%D/%U
>      template shell = /bin/bash
>      usershare max shares = 100
>      winbind offline logon = yes
>      winbind refresh tickets = yes
>      vfs objects = acl_xattr
>      map acl inherit = yes
>      store dos attributes = yes
>      idmap config *:range = 50000-60000
>      idmap config SIENIC:backend = ad
>      idmap config SIENIC:schema_mode = rfc2307
>      idmap config SIENIC:range = 10000-20000
>      winbind enum users = yes
>      winbind enum groups = yes
>
>
> thanks
>
Hi, does 'getent group Domain\ Users' produce a result? I think that 
you will find it does. Welcome to the wonderful world of Samba ;-)

'getent group' will only display the groups if you give all the groups 
in AD a gidNumber, but 'getent group <groupname>' will display the info 
for the group if it has a gidNumber.

Rowland
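
An added example, not part of the original thread: a shell function that reads LDIF for the AD group objects and lists the groups the `ad` idmap backend cannot map, either because they have no gidNumber (the case described in the reply) or because their gidNumber falls outside the configured idmap range, which that backend also ignores. The function names, the plain-text LDIF input layout and the sample entries are assumptions made for illustration; the default range is the `idmap config SIENIC:range` from the smb.conf quoted above.

```shell
#!/bin/sh
# Added example (not from the thread). Reads LDIF for AD group objects on
# stdin and lists the groups the idmap "ad" backend will not map.
# Defaults are the "idmap config SIENIC:range" from the smb.conf above.
unmapped_groups() {
    awk -v low="${1:-10000}" -v high="${2:-20000}" '
        function report() {
            if (name == "") return
            if (gid == "")
                print name ": no gidNumber"
            else if (gid + 0 < low + 0 || gid + 0 > high + 0)
                print name ": gidNumber " gid " outside " low "-" high
            name = ""; gid = ""
        }
        /^sAMAccountName: / { name = substr($0, 17) }
        /^gidNumber: /      { gid  = substr($0, 12) }
        /^$/                { report() }   # a blank line ends an LDIF entry
        END                 { report() }
    '
}

# Constructed sample input: three group entries, not real directory data.
sample_ldif() {
    cat <<'EOF'
dn: CN=Domain Users,CN=Users,DC=sienic,DC=site
sAMAccountName: Domain Users
gidNumber: 10004

dn: CN=Domain Admins,CN=Users,DC=sienic,DC=site
sAMAccountName: Domain Admins

dn: CN=DnsAdmins,CN=Users,DC=sienic,DC=site
sAMAccountName: DnsAdmins
gidNumber: 50001
EOF
}

sample_ldif | unmapped_groups
```

Groups that the function reports will still appear in `wbinfo -g` but not in `getent group`, so file ownership and group-based access checks on the member server will not see them until a gidNumber inside the range is assigned.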


