[Samba] Noob question: user moved to a OU dissapear from getent, but groups don't

Rowland Penny rowlandpenny at googlemail.com
Tue Apr 21 11:57:47 MDT 2015

On 21/04/15 18:34, Daniel Carrasco Marín wrote:
> Thanks for your reply.
> I've migrated the domain copying all files in /var/lib/samba and 
> /etc/samba from original domain to new domain, I've edit the smb file 
> to change the "passdb backend" line to match the old server (because 
> original is localhost and give me an error connecting), and then I run 
> this command:
> samba-tool domain classicupgrade --dbdir=/home/user/samba 
> --use-xattrs=yes --realm=casa.red --dns-backend=BIND9_DLZ 
> /home/user/smb.conf

Did you follow the instructions on this wiki page:


> After all the progress i change the bind config file to add the samba 
> file (matching with the Bind Version 9.9).
> When I connect to new domain all users and groups are in "Users" 
> folder, then if i move all groups to new OU "getent group" works 
> perfect, but if i move some users to new OU then it dissapear from 
> "getent passwd". I've done some test and is strange because I've 100 
> users:

getent should show your users where ever they are, in CN=Users or an OU. 
However 'getent group' doesn't show groups, you need to run 'getent 
group groupname'

>   * Later without touch anything it goes back to 100 users.
>   * Later again i've move another user and has changed to ~74 users (i
>     don't remember the exact number).
>   * And now it's back to 100 users and for now is not changing...
> Maybe is a problem of cache, but i don't know why the cache wasn't be 
> updated after all i did. Even i've purged the winbind package and 
> deleted the cache files to install a clean version of winbind and the 
> problem persist...

What version of samba4 are you running, versions before 4.2.0 did not 
run with a separate winbind daemon, from 4.2.0 onwards the same winbindd 
deamon that is used with a 'classic' setup is used, but in all cases, 
you should only start the 'samba' daemon, this will start any other 
required daemons.

> Is an AD, but if I use the smb.conf provided by classicupgrade then 
> getent don't show the AD users/groups (it don't have any info about 
> Winbind). Maybe I should create a hybrid adding only the Winbind entries?
> Anyway, tomorrow i'll try because i've to revert again to the backup 
> image and is late.

I have a feeling that you are using 4.2.0 , if so getent will not 
display any users or groups unless you explicitly ask for one, i.e. 
'getent passwd' will only show local users, but 'getent passwd fred' 
would display the info for 'fred'. I should also point out now you are 
using AD, you shouldn't retain any local users that are also in AD, pick 
one or the other, but don't try and keep both.

> Greetings!!
> 2015-04-21 18:56 GMT+02:00 Rowland Penny <rowlandpenny at googlemail.com 
> <mailto:rowlandpenny at googlemail.com>>:
>     On 21/04/15 17:45, Daniel Carrasco Marín wrote:
>         Hi, first of all i'm sorry for my english.
>         I'm triyng to migrate a Samba 3.6 domain to Samba 4 and I've a
>         question
>         about OU and Winbind:
>     How are you trying to migrate the domain ?
>         OU affects to something more besides GPO in AD and Winbind?.
>         Because I've
>         moved all users to an OU and all less one (strangely) have
>         dissapear from
>         "getent passwd" and the other SO tools.
>         If i run "wbinfo -u" all users are showed but I've tried a lot
>         of things
>         like:
>             - Reboot
>             - Restart Winbind and Samba daemons
>             - Stop daemons, clear winbind cache and start daemons again.
>             - Move the users back to "Users" folder and repeat the
>         above steps.
>         But none of above has worked. Finally i've restored the server
>         to an old
>         state to make it work again.
>         I've done something wrong?. I've to configure something to
>         make the winbind
>         read the OU?
>         Now i've moved some disabled users to a new OU and have
>         dissapear from
>         getent, then the problem still there.
>         Here's my samba cfg:
>         [global]
>                  workgroup = CASA
>                  realm = casa.red
>                  netbios name = PDC.CASA.RED
>                  server string = %h server
>                  server role = active directory domain controller
>                  server services = s3fs, rpc, nbt, wrepl, ldap, cldap,
>         kdc, drepl,
>         winbind, ntp_signd, kcc, dnsupdate
>                  idmap_ldb:use rfc2307 = yes
>                  preferred master = Yes
>                  domain master = Yes
>                  wins support = Yes
>                  encrypt passwords = yes
>                  # Winbind para mostrar grupos y usuarios del dominio
>         en Linux
>                  winbind nss info = rfc2307
>                  winbind enum users = Yes
>                  winbind enum groups = Yes
>                  winbind use default domain = Yes
>                  winbind refresh tickets = Yes
>                  winbind nested groups = No
>                  winbind separator = +
>                  winbind normalize names = yes
>                  idmap config CASA : backend  = ad
>                  idmap config * : backend = tdb
>                  idmap config * : range =  1000-20000000
>                  # Desactivar Cups en este servidor
>                  printcap name = /etc/printcap
>                  load printers = no
>                  name resolve order = wins hosts lmhosts bcast
>         ¡¡Thanks!!
>     What do you think you have ?
>     An AD DC or a member server ?
>     If it is  an AD DC, please put the smb.conf back to what it was,
>     just after the upgrade (provided you ran the classicupgrade)
>     If it is supposed to be a member server, remove the 'service role'
>     & 'server services' lines.
>     Rowland
>     -- 
>     To unsubscribe from this list go to the following URL and read the
>     instructions: https://lists.samba.org/mailman/options/samba

More information about the samba mailing list