[Samba] getent group empty response

Rowland Penny rowlandpenny at googlemail.com
Thu Sep 18 02:35:00 MDT 2014 

On 18/09/14 09:23, Deniz Eren wrote:
>> On 18/09/14 07:56, Deniz Eren wrote:
>>> * We have two domain controllers, one parent(DOMAIN.COM <http://DOMAIN.COM> <http://domain.com/ <http://domain.com/>>)
> *>>* and one child(CHILD.DOMAIN.COM <http://CHILD.DOMAIN.COM>
> <http://child.domain.com/ <http://child.domain.com/>>). When two
> domain
> *>>* controllers are up "getent group" returns group names correctly. But when
> *>>* child domain controller is down "getent group" returns empty. My samba
> *>>* version is "3.6.22". I have added my smb.conf I couldn't find any
> *>>* parameters affecting this problem. Am I missing something in smb.conf? Or
> *>>* is there a workaround to solve this problem?
> *>>>>>>* smb.conf
> *>>* -------------------------------
> *>>* [global]
> *>>*     netbios name = BUILD2
> *>>*     realm = DOMAIN.COM <http://DOMAIN.COM> <http://domain.com/
> <http://domain.com/>>
> *>>*     workgroup = DOMAIN
> *>>*     security = ads
> *>>*     encrypt passwords = yes
> *>>*     password server = 10.0.0.59
> *>>*     log level = 1
> *>>*     log file = /var/log/samba.log
> *>>*     ldap ssl = no
> *>>*     idmap uid = 10000-20000
> *>>*     idmap gid = 10000-20000
> *>>>>*     winbind separator = /
> *>>*     winbind enum users = yes
> *>>*     winbind enum groups = yes
> *>>*     winbind use default domain = yes
> *>>>>*     domain master = no
> *>>*     local master = no
> *>>*     preferred master = no
> *>>>>*     template shell = /sbin/nologin
> *>>>>*     getwd cache = yes
> *>>*     winbind cache time = 3000
> *>>*     ldap connection timeout = 10
> *>>*     ldap timeout = 120
> *>>* -------------------------------
> *>>>>* This issue is like mine "
> *>>* https://lists.samba.org/archive/samba/2010-June/156813.html
> <https://lists.samba.org/archive/samba/2010-June/156813.html>".
> *>Hi, the smb.conf you have posted seems to be for a client, Just what is
>> it pointed at, an NT4 style PDC, a Samba4 AD DC or what? I think that
>> you are going to have to give us a bit more info.
>>
>> Rowland
> It is pointed to Windows 2008r2 Server serving as AD Domain PDC whose
> name is DOMAIN.COM. Also another Windows2008r2 Server exists with name
> CHILD.DOMAIN.COM which is child domain of DOMAIN.COM.
OK, what confuses people on here is when you refer to a PDC when what 
you really mean is a DC, all DC's are equal (though some can have FSMO 
roles that the others don't have).

I think your problem here is that a trust exists between the two windows 
servers and the child is supplying the info to get 'getent group' to 
work, normally running 'getent group' on a samba client produces no 
results, whilst 'getent group <groupname>' will.

Rowland

More information about the samba mailing list