[Samba] Noob question: user moved to an OU disappears from getent, but groups don't

Daniel Carrasco Marín danielmadrid19 at gmail.com
Tue Apr 21 13:53:19 MDT 2015


Thanks to both for answers.

I'm using the latest version from wheezy-backports (Version 4.1.17-Debian)
and on this server I don't need to map the AD users to Linux tools (I'm
doing tests before changing anything on production servers), but I'm planning
to use a File Server and a Print Server on separate machines and I need to
have access to AD users. If I disable the winbind entries on those servers then
all OS tools like getent, chown, setfacl... cannot use the AD users (I've
done some tests and I got a non-existent user/group error), and I need
them, so: can I use Winbind without problems on client machines?

>>>>>>          netbios name = PDC.CASA.RED

>>> netbios name = PDC
>>> Dots are not allowed in host names.

Ok, good to know it. Was copied from the old samba domain.

>>>          winbind normalize names = yes
Why can this entry be problematic? It changes the spaces in names to
underscores, useful with Cups (I can't add a group with spaces to the allowed
groups). I'm curious.

For now I know that I have to change the netbios name in smb.conf before the
classic upgrade (the old server netbios is wrong), I have to delete some tdb
files, and I have to leave the smb.conf without changing anything after the
upgrade.

Tomorrow I'll do some tests and I'll report here how it went.

Thanks again to both and greetings!!


2015-04-21 20:08 GMT+02:00 Andrey Repin <anrdaemon at yandex.ru>:

> Greetings, Daniel Carrasco Marín!
>
> > I've migrated the domain by copying all files in /var/lib/samba and /etc/samba
> > from the original domain to the new domain, I've edited the smb file to change the
> > "passdb backend" line to match the old server (because the original is
> > localhost and gives me an error connecting), and then I ran this command:
>
> > samba-tool domain classicupgrade --dbdir=/home/user/samba --use-xattrs=yes --realm=casa.red --dns-backend=BIND9_DLZ /home/user/smb.conf
>
> > After all the progress I changed the bind config file to add the samba file
> > (matching Bind version 9.9).
>
> > When I connect to the new domain all users and groups are in the "Users" folder,
> > then if I move all groups to a new OU "getent group" works perfectly, but if I
> > move some users to a new OU then they disappear from "getent passwd". I've done
> > some tests and it is strange because I have 100 users:
>
> >    - I moved some users and they disappeared from getent (88 users).
> >    - Later I moved some other users and the result was 94 users.
> >    - Later, without touching anything, it went back to 100 users.
> >    - Later again I moved another user and it changed to ~74 users (I
> >    don't remember the exact number).
> >    - And now it's back to 100 users and for now it is not changing...
>
> If you rely on "getent passwd" enumerating whole winbind userlist...
> I have news for you - you shouldn't. Depends on the winbind configuration, it
> may or may not list users, and do so in a very lean manner.
> If you REALLY want to know if certain users are accessible to the system,
> specify user name or uid as a filter.
>
> > Maybe it is a cache problem, but I don't know why the cache wasn't
> > updated after all I did. I even purged the winbind package and deleted
> > the cache files to install a clean version of winbind and the problem
> > persists...
>
> > It is an AD, but if I use the smb.conf provided by classicupgrade then getent
> > doesn't show the AD users/groups (it doesn't have any info about Winbind).
> > Maybe I should create a hybrid adding only the Winbind entries?
> > Anyway, tomorrow I'll try because I have to revert again to the backup image
> > and it is late.
>
> As has been said, place your smb.conf back to where it was, and don't touch it
> unless you know what you are doing.
> A number of issues apparent even for my untrained eye.
>
> >>> Here's my samba cfg:
> >>>
> >>> [global]
> >>>          workgroup = CASA
> >>>          realm = casa.red
>
> Realm in all caps.
>
>
>
> >>>          winbind nested groups = No
> >>>          winbind separator = +
> >>>          winbind normalize names = yes
>
> These will bite you. Soon.
>
> >>>
> >>>          idmap config CASA : backend  = ad
> >>>          idmap config * : backend = tdb
> >>>          idmap config * : range =  1000-20000000
>
> Where's idmap range for CASA ?
>
> >>>
> >>>          # Disable Cups on this server
> >>>          printcap name = /etc/printcap
> >>>          load printers = no
>
> printcap name = /dev/null
> printing = BSD
>
>
> --
> With best regards,
> Andrey Repin
> Tuesday, April 21, 2015 21:01:29
>
> Sorry for my terrible english...

