[Samba] wbinfo work getent passwd does

[Rowland penny]

On 21/04/2021 14:10, basti via samba wrote:
>
>
> On 14.04.21 15:24, Rowland penny via samba wrote:
>> On 14/04/2021 14:05, basti via samba wrote:
>>>
>>>
>>> yes the uid=100 is seen on AD DC.
>>> On an dc in an other domain upgrade from nt4 it looks like:
>>> gid=30000(BUILTIN\users) groups=30000(BUILTIN\users)
>>
>>
>> I would suggest you remove that gidNumber from 'dn: 
>> CN=Users,CN=Builtin,.......'
>>
>>>
>>> sorry my greylister delay your message.
>>> yes all users has:
>>>
>>> - uidNumber
>>> - gidNumber
>>
>>
>> Yes, but are they in the range you set in smb.conf for the DOMAIN ?
>>
>>>
>>>>
>>>> You could try changing these lines:
>>>>
>>>>    idmap config SAMDM:backend = ad
>>>>    idmap config SAMDOM:schema_mode = rfc2307
>>>>    idmap config SAMDOM:range = 7000-20000
>>>> For these:
>>>>
>>>>    idmap config SAMDM:backend = rid
>>>>    idmap config SAMDOM:range = 7000-20000
>>>>
>>>> Restart Samba and see if 'getent passwd A_USERNAME' works, replace 
>>>> A_USERNAME with a valid AD user.
>>>
>>> for now it works, I do not understand what was the problem before. 
>>
>>
>> If it works with the 'rid' backend, then your range for the 'ad' 
>> backend does not match the uidNumber & gidNumber attributes in AD.
>>
>> Rowland
>>
>>
>>
>>
>
> getent passwd does not work anymore:
> wbinfo show domain users.
>
> on dc:
>
> dc1:~# getent passwd user1
> NET\user1:*:7101:100::/home/NET/user1:/bin/false


Lets start by trying to find out where that '100' is coming from, a 
similar command on my DC produces:

SAMDOM\rowland:*:10000:10000::/home/SAMDOM/rowland:/bin/false

The second '10000' is the uidNumber for Domain Users.

Can you run the following two commands on your DC and post the output 
(sanitised if required).

ldbsearch -H ldap://$(hostname -s) 
'(&(objectCategory=person)(objectClass=user)(sAMAccountName=user1))' -P

ldbsearch -H ldap://$(hostname -s) '(&(objectCategory=group)(cn=Domain 
Users))' -P

Rowland