[Samba] Discrepancies in getent passwd
Rowland Penny
rowlandpenny at googlemail.com
Thu Oct 23 10:53:10 MDT 2014
On 23/10/14 17:20, John Lewis wrote:
> Let me try again
>
> dictator at keep:~$ sudo cat /etc/nslcd.conf
> # /etc/nslcd.conf
> # nslcd configuration file. See nslcd.conf(5)
> # for details.
>
> # The user and group nslcd should run as.
> uid nslcd
> gid nslcd
>
> # The location at which the LDAP server(s) should be reachable.
> uri ldap://192.168.2.2:389
>
> # The search base that will be used for all queries.
> base dc=d,dc=oflameo,dc=com
>
> # Some settings for AD
> pagesize 1000
> referrals off
>
> # Filters (only required if your accounts don't have objectClass=posixAccount
> # and your groups don't have objectClass=posixGroup. These objectClasses won't be added
> # by ADUC. So they won't be there automatically!)
> filter passwd (objectClass=user)
> filter group (objectClass=group)
>
> # Attribute mappings (depending on your nslcd version, some might not be
> # necessary or can cause errors and can/must be removed)
> map passwd uid sAMAccountName
> map passwd uidNumber uidNumber
> map passwd loginShell loginShell
> map passwd homeDirectory unixHomeDirectory
> map passwd gecos displayName
> map passwd gidNumber primaryGroupID
> map group member member
>
> # Kerberos
> #sasl_mech GSSAPI
> #sasl_realm D.OFLAMEO.COM
> #krb5_ccname /tmp/nslcd.tkt
>
> # The LDAP protocol version to use.
> #ldap_version 3
>
> # LDAP bind (Account in AD that is used from nslcd to bind to the directory)
> binddn cn=ldap-connect,cn=Users,dc=d,dc=oflameo,dc=com
> bindpw [redacted]
>
> # The DN used for password modifications by root.
> #rootpwmoddn cn=admin,cn=Users,dc=d,dc=oflameo,dc=com
>
> # SSL options
> #ssl off
> #tls_reqcert never
>
> # The search scope.
> #scope sub
>
> dictator at drakeburner:~$ sudo cat /etc/nslcd.conf
> # /etc/nslcd.conf
> # nslcd configuration file. See nslcd.conf(5)
> # for details.
>
> # The user and group nslcd should run as.
> uid nslcd
> gid nslcd
>
> # The location at which the LDAP server(s) should be reachable.
> uri ldap://127.0.0.1:389
>
> # The search base that will be used for all queries.
> base dc=d,dc=oflameo,dc=com
>
> # Some settings for AD
> pagesize 1000
> referrals off
>
> # Filters (only required if your accounts don't have objectClass=posixAccount
> # and your groups don't have objectClass=posixGroup. These objectClasses won't be added
> # by ADUC. So they won't be there automatically!)
> filter passwd (objectClass=user)
> filter group (objectClass=group)
>
> # Attribute mappings (depending on your nslcd version, some might not be
> # necessary or can cause errors and can/must be removed)
> map passwd uid sAMAccountName
> map passwd uidNumber uidNumber
> map passwd loginShell loginShell
> map passwd homeDirectory unixHomeDirectory
> map passwd gecos displayName
> map passwd gidNumber primaryGroupID
> map group member member
>
> # Kerberos
> #sasl_mech GSSAPI
> #sasl_realm D.OFLAMEO.COM
> #krb5_ccname /tmp/nslcd.tkt
>
> # The LDAP protocol version to use.
> #ldap_version 3
>
> # LDAP bind (Account in AD that is used from nslcd to bind to the directory)
> binddn cn=ldap-connect,cn=Users,dc=d,dc=oflameo,dc=com
> bindpw [redacted]
>
> # The DN used for password modifications by root.
> #rootpwmoddn cn=administrator,cn=Users,dc=d,dc=oflameo,dc=com
>
> # SSL options
> #ssl off
> #tls_reqcert never
>
> # The search scope.
> #scope sub
>
>
> dictator at keep:~$ getent passwd | grep ldap-connect
> ldap-connect:*:10000:513:::/usr/sbin/nologin
> dictator at keep:~$ getent passwd ldap-connect
> ldap-connect:*:10000:513:::/bin/sh
>
> dictator at drakeburner:~$ getent passwd | grep ldap-connect
> ldap-connect:*:10000:513:::/usr/sbin/nologin
> dictator at drakeburner:~$ getent passwd ldap-connect
> ldap-connect:*:10000:513:::/usr/sbin/nologin
>
> Everything works right on the samba ad dc server drakeburner.
>
Ah, I see what you are getting at, but I don't understand it. If I run
similar commands on my DC & a client, I get this:
testuser at ThinkPad ~ $ getent passwd | grep testuser
testuser:*:10000:10000:Test User:/home/testuser:/bin/bash
testuser at ThinkPad ~ $ getent passwd testuser
testuser:*:10000:10000:Test User:/home/testuser:/bin/bash
root at dc01:~# getent passwd | grep testuser
EXAMPLE\testuser:*:10000:10000:Test User:/home/EXAMPLE/testuser:/bin/bash
root at dc01:~# getent passwd testuser
EXAMPLE\testuser:*:10000:10000:Test User:/home/EXAMPLE/testuser:/bin/bash
As you can see, I get the same login shell. I use winbind with the ad
backend on the client, with the line 'template shell = /bin/bash' in
smb.conf on the DC.
It is very strange that 'getent passwd ldap-connect' produces a
different result to 'getent passwd | grep ldap-connect'; in theory they
should both give the same answer. What does 'getent passwd' on 'keep'
produce, 'ldap-connect'-wise? Does it show
'ldap-connect:*:10000:513:::/usr/sbin/nologin'
or
'ldap-connect:*:10000:513:::/bin/sh'
Rowland
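The check Rowland is asking for, scripted: enumerate the passwd database (what `getent passwd` with no argument does, via getpwent) and look every name up individually (what `getent passwd NAME` does, via getpwnam), then report any field that differs. A mismatch between the two paths means the two calls are being answered by different NSS sources or different attribute defaults, which matters when the login shell or home directory is relied on to deny interactive access. This is an added example written for this thread, not code from Rowland, John, or the Samba or nss-pam-ldapd projects; the sample lines reproduce the `keep` output quoted above, and the `check_live_system()` function runs the same comparison against whatever NSS stack the host running it has.

```python
"""Compare NSS passwd enumeration (getpwent) with per-name lookup (getpwnam).

`getent passwd | grep NAME` and `getent passwd NAME` should agree; if they
do not, the discrepancy tells you which field (here the shell) is being
served differently by the two NSS code paths.
"""
import pwd
from typing import Callable, Dict, Iterable, List, Optional, Tuple

# The seven passwd(5) fields, in file order.
FIELDS = ("name", "passwd", "uid", "gid", "gecos", "dir", "shell")

Diff = Tuple[str, str, str]  # (field, enumerated value, looked-up value)


def parse_passwd_line(line: str) -> Dict[str, str]:
    """Split one passwd(5) line into a field -> value mapping."""
    parts = line.rstrip("\n").split(":")
    if len(parts) != len(FIELDS):
        raise ValueError(f"malformed passwd line: {line!r}")
    return dict(zip(FIELDS, parts))


def compare_entries(enumerated: Dict[str, str],
                    looked_up: Optional[Dict[str, str]]) -> List[Diff]:
    """Return every field on which the enumerated and looked-up entries differ.

    A name that enumerates but cannot be looked up at all is reported as a
    single ('entry', 'present', 'missing') difference.
    """
    if looked_up is None:
        return [("entry", "present", "missing")]
    return [(f, enumerated[f], looked_up[f])
            for f in FIELDS if enumerated[f] != looked_up[f]]


def find_discrepancies(enum_lines: Iterable[str],
                       lookup: Callable[[str], Optional[str]]) -> Dict[str, List[Diff]]:
    """For each enumerated passwd line, look the name up and collect differences.

    `lookup` takes an account name and returns its passwd line from the
    per-name path, or None if that path does not know the account.
    """
    report: Dict[str, List[Diff]] = {}
    for line in enum_lines:
        entry = parse_passwd_line(line)
        found = lookup(entry["name"])
        diffs = compare_entries(entry, parse_passwd_line(found) if found else None)
        if diffs:
            report[entry["name"]] = diffs
    return report


def pwd_struct_to_line(p: pwd.struct_passwd) -> str:
    """Render a pwd struct in the same colon-separated form getent prints."""
    return ":".join([p.pw_name, p.pw_passwd, str(p.pw_uid), str(p.pw_gid),
                     p.pw_gecos, p.pw_dir, p.pw_shell])


def live_lookup(name: str) -> Optional[str]:
    """getpwnam path: what `getent passwd NAME` would return, or None."""
    try:
        return pwd_struct_to_line(pwd.getpwnam(name))
    except KeyError:
        return None


def check_live_system() -> Dict[str, List[Diff]]:
    """getpwent path versus getpwnam path on the host running this script."""
    return find_discrepancies((pwd_struct_to_line(p) for p in pwd.getpwall()),
                              live_lookup)


# Constructed sample: the two outputs John posted for host 'keep'.
KEEP_ENUMERATION = ["ldap-connect:*:10000:513:::/usr/sbin/nologin"]
KEEP_LOOKUP = {"ldap-connect": "ldap-connect:*:10000:513:::/bin/sh"}


if __name__ == "__main__":
    for name, diffs in find_discrepancies(KEEP_ENUMERATION, KEEP_LOOKUP.get).items():
        for field, enum_val, lookup_val in diffs:
            print(f"{name}: {field} enumerates as {enum_val!r} but looks up as {lookup_val!r}")
    live = check_live_system()
    print(f"live system: {len(live)} account(s) with enumeration/lookup mismatches")
```

Against the sample it reports that `ldap-connect` enumerates with shell `/usr/sbin/nologin` but looks up with `/bin/sh`, which is exactly the field to chase in nsswitch.conf and the nslcd/winbind attribute defaults on `keep`. On a correctly configured host the live check returns an empty report.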