[Samba] Noob question: user moved to an OU disappears from getent, but groups don't

Andrey Repin anrdaemon at yandex.ru
Tue Apr 21 12:08:06 MDT 2015

Greetings, Daniel Carrasco Marín!

> I've migrated the domain, copying all files in /var/lib/samba and /etc/samba
> from the original domain to the new domain. I've edited the smb file to change the
> "passdb backend" line to match the old server (because the original is
> localhost and gives me an error connecting), and then I ran this command:

> samba-tool domain classicupgrade --dbdir=/home/user/samba --use-xattrs=yes
> --realm=casa.red --dns-backend=BIND9_DLZ /home/user/smb.conf

> After all the progress I changed the bind config file to add the samba file
> (matching Bind version 9.9).

> When I connect to the new domain all users and groups are in the "Users" folder.
> Then if I move all groups to a new OU, "getent group" works perfectly, but if I
> move some users to a new OU then they disappear from "getent passwd". I've done
> some tests and it is strange, because I have 100 users:

>    - I moved some users and they disappeared from getent (88 users).
>    - Later I moved some other users and the result was 94 users.
>    - Later, without touching anything, it went back to 100 users.
>    - Later again I moved another user and it changed to ~74 users (I
>    don't remember the exact number).
>    - And now it's back to 100 users and for now it is not changing...

If you rely on "getent passwd" enumerating the whole winbind user list...
I have news for you - you shouldn't. Depending on the winbind configuration, it
may or may not list users, and does so in a very lean manner.
If you REALLY want to know if certain users are accessible to the system,
specify the user name or uid as a filter.

> Maybe it is a cache problem, but I don't know why the cache wasn't
> updated after all I did. I've even purged the winbind package and deleted
> the cache files to install a clean version of winbind, and the problem
> persists...

> It is an AD, but if I use the smb.conf provided by classicupgrade then getent
> doesn't show the AD users/groups (it doesn't have any info about Winbind).
> Maybe I should create a hybrid, adding only the Winbind entries?
> Anyway, I'll try tomorrow because I have to revert again to the backup image
> and it is late.

As has been said, put your smb.conf back where it was, and don't touch it
unless you know what you are doing.
A number of issues are apparent even to my untrained eye.

>>> Here's my samba cfg:
>>> [global]
>>>          workgroup = CASA
>>>          realm = casa.red

Realm in all caps.

>>>          netbios name = PDC.CASA.RED

netbios name = PDC
Dots are not allowed in host names.

>>>          winbind nested groups = No
>>>          winbind separator = +
>>>          winbind normalize names = yes

These will bite you. Soon.

>>>          idmap config CASA : backend  = ad
>>>          idmap config * : backend = tdb
>>>          idmap config * : range =  1000-20000000

Where's idmap range for CASA ?

>>>          # Disable CUPS on this server
>>>          printcap name = /etc/printcap
>>>          load printers = no

printcap name = /dev/null
printing = BSD

With best regards,
Andrey Repin
Tuesday, April 21, 2015 21:01:29

Sorry for my terrible English...
