[Samba] Discrepancies in getent passwd

Rowland Penny rowlandpenny at googlemail.com
Thu Oct 23 10:53:10 MDT 2014


On 23/10/14 17:20, John Lewis wrote:
> Let me try again
>
> dictator at keep:~$ sudo cat /etc/nslcd.conf
> # /etc/nslcd.conf
> # nslcd configuration file. See nslcd.conf(5)
> # for details.
>
> # The user and group nslcd should run as.
> uid nslcd
> gid nslcd
>
> # The location at which the LDAP server(s) should be reachable.
> uri ldap://192.168.2.2:389
>
> # The search base that will be used for all queries.
> base dc=d,dc=oflameo,dc=com
>
> # Some settings for AD
> pagesize 1000
> referrals off
>
> # Filters (only required if your accounts don't have objectClass=posixAccount
> # and your groups don't have objectClass=posixGroup. These objectClasses
> # won't be added by ADUC, so they won't be there automatically!)
> filter  passwd  (objectClass=user)
> filter  group   (objectClass=group)
>
> # Attribute mappings (depending on your nslcd version, some might not be
> # necessary or can cause errors and can/must be removed)
> map     passwd  uid                sAMAccountName
> map     passwd  uidNumber          uidNumber
> map     passwd  loginShell         loginShell
> map     passwd  homeDirectory      unixHomeDirectory
> map     passwd  gecos              displayName
> map     passwd  gidNumber          primaryGroupID
> map     group   member             member
>
> # Kerberos
> #sasl_mech GSSAPI
> #sasl_realm D.OFLAMEO.COM
> #krb5_ccname /tmp/nslcd.tkt
>
> # The LDAP protocol version to use.
> #ldap_version 3
>
> # LDAP bind (Account in AD that is used from nslcd to bind to the directory)
> binddn cn=ldap-connect,cn=Users,dc=d,dc=oflameo,dc=com
> bindpw [redacted]
>
> # The DN used for password modifications by root.
> #rootpwmoddn cn=admin,cn=Users,dc=d,dc=oflameo,dc=com
>
> # SSL options
> #ssl off
> #tls_reqcert never
>
> # The search scope.
> #scope sub
>
> dictator at drakeburner:~$ sudo cat /etc/nslcd.conf
> # /etc/nslcd.conf
> # nslcd configuration file. See nslcd.conf(5)
> # for details.
>
> # The user and group nslcd should run as.
> uid nslcd
> gid nslcd
>
> # The location at which the LDAP server(s) should be reachable.
> uri ldap://127.0.0.1:389
>
> # The search base that will be used for all queries.
> base dc=d,dc=oflameo,dc=com
>
> # Some settings for AD
> pagesize 1000
> referrals off
>
> # Filters (only required if your accounts don't have objectClass=posixAccount
> # and your groups don't have objectClass=posixGroup. These objectClasses
> # won't be added by ADUC, so they won't be there automatically!)
> filter  passwd  (objectClass=user)
> filter  group   (objectClass=group)
>
> # Attribute mappings (depending on your nslcd version, some might not be
> # necessary or can cause errors and can/must be removed)
> map     passwd  uid                sAMAccountName
> map     passwd  uidNumber          uidNumber
> map     passwd  loginShell         loginShell
> map     passwd  homeDirectory      unixHomeDirectory
> map     passwd  gecos              displayName
> map     passwd  gidNumber          primaryGroupID
> map     group   member             member
>
> # Kerberos
> #sasl_mech GSSAPI
> #sasl_realm D.OFLAMEO.COM
> #krb5_ccname /tmp/nslcd.tkt
>
> # The LDAP protocol version to use.
> #ldap_version 3
>
> # LDAP bind (Account in AD that is used from nslcd to bind to the directory)
> binddn cn=ldap-connect,cn=Users,dc=d,dc=oflameo,dc=com
> bindpw [redacted]
>
> # The DN used for password modifications by root.
> #rootpwmoddn cn=administrator,cn=Users,dc=d,dc=oflameo,dc=com
>
> # SSL options
> #ssl off
> #tls_reqcert never
>
> # The search scope.
> #scope sub
>
>
> dictator at keep:~$ getent passwd | grep ldap-connect
> ldap-connect:*:10000:513:::/usr/sbin/nologin
> dictator at keep:~$ getent passwd ldap-connect
> ldap-connect:*:10000:513:::/bin/sh
>
> dictator at drakeburner:~$ getent passwd | grep ldap-connect
> ldap-connect:*:10000:513:::/usr/sbin/nologin
> dictator at drakeburner:~$ getent passwd ldap-connect
> ldap-connect:*:10000:513:::/usr/sbin/nologin
>
> Everything works right on the samba ad dc server drakeburner.
>
Ah, I see what you are getting at, but I don't understand it. If I run 
similar commands on my DC and a client, I get this:

testuser at ThinkPad ~ $ getent passwd | grep testuser
testuser:*:10000:10000:Test User:/home/testuser:/bin/bash
testuser at ThinkPad ~ $ getent passwd testuser
testuser:*:10000:10000:Test User:/home/testuser:/bin/bash

root at dc01:~# getent passwd | grep testuser
EXAMPLE\testuser:*:10000:10000:Test User:/home/EXAMPLE/testuser:/bin/bash
root at dc01:~# getent passwd testuser
EXAMPLE\testuser:*:10000:10000:Test User:/home/EXAMPLE/testuser:/bin/bash

As you can see, I get the same login shell. I use winbind with the ad 
backend on the client, with the line 'template shell = /bin/bash' in 
smb.conf on the DC.

It is very strange that 'getent passwd ldap-connect' produces a 
different result to 'getent passwd | grep ldap-connect'; in theory they 
should both give the same answer. What does 'getent passwd' on 'keep' 
produce 'ldap-connect'-wise? Does it show
'ldap-connect:*:10000:513:::/usr/sbin/nologin'
or
'ldap-connect:*:10000:513:::/bin/sh'

Rowland
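The check Rowland asks for above can be scripted so the two answers are compared field by field instead of by eye. The script below is an added example, not code from the thread or from the Samba or nss-pam-ldapd projects. It relies on two NSS facts: 'getent passwd' with no key enumerates every source on the passwd line of /etc/nsswitch.conf and concatenates the results, while 'getent passwd NAME' is a keyed lookup answered by the first source that knows the name. The function names (passwd_field, compare_passwd_entries, check_user) are my own; the sample input is the pair of lines quoted from host 'keep' above, embedded so the comparison runs without an LDAP server. Only POSIX sh, awk, cut and grep are assumed; getent is needed for the live check. For a bind or service account such as ldap-connect, the shell field is the one that matters most, since /bin/sh versus /usr/sbin/nologin decides whether that account can get an interactive login on the client.

```shell
#!/bin/sh
# Added diagnostic (not from the thread): compare the passwd(5) entry that NSS
# returns when enumerating ('getent passwd', walking every source listed in
# /etc/nsswitch.conf) with the entry returned by a keyed lookup
# ('getent passwd NAME', answered by the first source that knows the name).
# Assumes only POSIX sh, awk, cut and grep; getent is needed for the live check.

PASSWD_FIELDS="name passwd uid gid gecos home shell"

# passwd_field LINE N : print the N-th colon-separated field of a passwd line.
passwd_field() {
    printf '%s\n' "$1" | cut -d: -f"$2"
}

# compare_passwd_entries ENUM_LINE LOOKUP_LINE
# Prints one line per field that differs, e.g. "shell: /usr/sbin/nologin != /bin/sh",
# and returns the number of differing fields (0 means the two entries agree).
compare_passwd_entries() {
    enum_line=$1
    lookup_line=$2
    n=1
    diffs=0
    for field in $PASSWD_FIELDS; do
        a=$(passwd_field "$enum_line" "$n")
        b=$(passwd_field "$lookup_line" "$n")
        if [ "$a" != "$b" ]; then
            printf '%s: %s != %s\n' "$field" "$a" "$b"
            diffs=$((diffs + 1))
        fi
        n=$((n + 1))
    done
    return "$diffs"
}

# check_user NAME : live check on a host that has getent. Matches the enumerated
# list on the exact first field (a plain 'grep NAME' also matches substrings),
# reports when more than one NSS source enumerates the same name, shows the
# nsswitch.conf passwd line so the answering sources can be identified, and
# then compares the first enumerated copy against the keyed lookup.
check_user() {
    name=$1
    matches=$(getent passwd | awk -F: -v n="$name" '$1 == n')
    count=$(printf '%s\n' "$matches" | grep -c . || true)
    lookup_line=$(getent passwd "$name" || true)
    if [ "$count" -eq 0 ] || [ -z "$lookup_line" ]; then
        echo "$name: enumeration returned $count entries, lookup returned '$lookup_line'" >&2
        return 2
    fi
    echo "nsswitch: $(grep '^passwd:' /etc/nsswitch.conf 2>/dev/null || echo 'no /etc/nsswitch.conf')"
    if [ "$count" -gt 1 ]; then
        echo "$name is enumerated $count times (more than one NSS source returns it):"
        printf '%s\n' "$matches"
    fi
    first=$(printf '%s\n' "$matches" | head -n 1)
    compare_passwd_entries "$first" "$lookup_line"
}

if [ -n "${1:-}" ]; then
    check_user "$1"
else
    # No argument: run on the two lines quoted from host 'keep' in the thread
    # (constructed input, so this works without any LDAP server or getent).
    compare_passwd_entries "ldap-connect:*:10000:513:::/usr/sbin/nologin" \
                           "ldap-connect:*:10000:513:::/bin/sh" || true
fi
```

Run it as 'sh nss-compare.sh ldap-connect' on the affected client; a non-zero exit status is the number of fields on which enumeration and lookup disagree, and a "enumerated N times" line points at a second NSS source (or a cache such as nscd in front of one) as the place to look next.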