[Samba] Getent passwd doesn't show Domain Members
Rowland penny
rpenny at samba.org
Wed Jul 20 09:33:19 UTC 2016
On 20/07/16 08:22, Timo Dachs-Wegmann wrote:
> Okay, I tried to install the server without winbind but with libnss-winbind.
>
> Still the same problem. 'getent passwd administrator' works, but the result of 'getent passwd' only shows local users.
> This seems to be the same bug as Achim's.
> We are running Debian 4.8 with samba 4.2 packages...
>
> A few months ago I installed a test environment for samba with samba version 4.1.17. There the getent command works perfectly. So I guess this is a bug in the latest version...
>
> Can I report this bug somewhere or is there a workaround?
OK, I have installed Samba 4.2.0 using distro packages on Devuan in a VM
and set it up as I would normally do.
From my testing, 'getent passwd' and 'getent group' work, so the
question seems to be: how have you set up your domain member?
The VM I set up uses a fixed IP and this is the list of packages I
installed:
samba samba-common-bin samba-common samba-libs samba-vfs-modules
samba-dsdb-modules libwbclient0 libsmbclient winbind acl attr
krb5-config libnss-winbind libpam-winbind libpam-krb5 krb5-user
/etc/resolv.conf contains this:
search samdom.example.com
nameserver 192.168.0.5
nameserver 192.168.0.6
The nameservers are my two DCs
/etc/hosts contains this:
127.0.0.1 localhost
192.168.0.8 devtest.samdom.example.com devtest
# The following lines are desirable for IPv6 capable hosts
::1 localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
If the computer was using dhcp, the '192.168.0.8' line wouldn't be there.
/etc/krb5.conf contains:
[libdefaults]
default_realm = SAMDOM.EXAMPLE.COM
dns_lookup_realm = false
dns_lookup_kdc = true
It doesn't need to contain anything else.
/etc/samba/smb.conf contains this:
[global]
workgroup = SAMDOM
security = ADS
realm = SAMDOM.EXAMPLE.COM
dedicated keytab file = /etc/krb5.keytab
kerberos method = secrets and keytab
server string = Samba 4 Client %h
winbind enum users = yes
winbind enum groups = yes
winbind use default domain = yes
winbind expand groups = 4
winbind nss info = rfc2307
winbind refresh tickets = Yes
winbind offline logon = yes
winbind normalize names = Yes
## map ids outside of domain to tdb files.
idmap config *:backend = tdb
idmap config *:range = 2000-9999
## map ids from the domain the ranges may not overlap !
idmap config SAMDOM : backend = ad
idmap config SAMDOM : schema_mode = rfc2307
idmap config SAMDOM : range = 10000-999999
domain master = no
local master = no
preferred master = no
os level = 20
map to guest = bad user
host msdfs = no
# user Administrator workaround, without it you are unable to set privileges
username map = /etc/samba/user.map
# For ACL support on domain member
vfs objects = acl_xattr
map acl inherit = Yes
store dos attributes = Yes
# Share Setting Globally
unix extensions = no
reset on zero vc = yes
veto files = /.bash_logout/.bash_profile/.bash_history/.bashrc/
hide unreadable = yes
log file = /usr/local/samba/var/log.%m
[homes]
path = /home/%U
read only = no
/etc/samba/user.map contains this:
!root = SAMDOM\Administrator SAMDOM\administrator Administrator administrator
The relevant lines in /etc/nsswitch.conf look like this:
passwd: compat winbind
group: compat winbind
Which leads to this:
root at devtest:~# getent passwd
root:x:0:0:root:/root:/bin/bash
.......
.......
It displays no AD users, but if you run it again
root at devtest:~# getent passwd
root:x:0:0:root:/root:/bin/bash
.......
.......
albert:*:10004:10000:Albert Tatlock:/home/albert:/bin/false
rowland:*:10000:10000:Rowland Penny:/home/rowland:/bin/bash
........
........
It doesn't really matter if 'getent passwd' doesn't display all your
users, as long as it will display individual users:
root at devtest:~# getent passwd rowland
rowland:*:10000:10000:Rowland Penny:/home/rowland:/bin/bash
Rowland
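The checks Rowland walks through above (winbind listed in nsswitch.conf, 'winbind enum users/groups' on, and idmap ranges that do not overlap) can be run offline against the two files before touching the DCs. The script below is an added example, not code from the post or from the Samba project: it parses smb.conf and nsswitch.conf text and returns a list of findings. The sample configurations GOOD_SMB_CONF, BAD_SMB_CONF, NSSWITCH_OK and NSSWITCH_BAD are constructed for the example (GOOD mirrors the idmap and enum lines of the post), and the threshold that local system accounts live below UID 1000 is an assumption taken from Debian's default UID_MIN.

```python
"""Offline checks for a Samba AD domain member's winbind/idmap setup (added
example, not code from the post or from Samba). Flags what commonly leaves
'getent passwd' without AD users: winbind absent from nsswitch.conf,
enumeration off in smb.conf, and overlapping idmap ranges."""
import re
from itertools import combinations

# "idmap config <DOMAIN> : <key> = <value>"; Samba tolerates spaces around the
# colon, as in the post's "idmap config SAMDOM : backend = ad".
_IDMAP_RE = re.compile(r"^idmap\s+config\s+([^\s:]+)\s*:\s*(\w+)\s*=\s*(.+?)\s*$", re.I)
_RANGE_RE = re.compile(r"^(\d+)\s*-\s*(\d+)$")

# Constructed inputs: GOOD mirrors the post's idmap/enum lines; BAD deliberately
# overlaps the default range with SAMDOM's and turns user enumeration off.
GOOD_SMB_CONF = """[global]
winbind enum users = yes
winbind enum groups = yes
## map ids outside of domain to tdb files.
idmap config *:backend = tdb
idmap config *:range = 2000-9999
idmap config SAMDOM : backend = ad
idmap config SAMDOM : schema_mode = rfc2307
idmap config SAMDOM : range = 10000-999999
"""
BAD_SMB_CONF = GOOD_SMB_CONF.replace("2000-9999", "2000-20000").replace(
    "enum users = yes", "enum users = no")
NSSWITCH_OK = "passwd: compat winbind\ngroup: compat winbind\nshadow: compat\n"
NSSWITCH_BAD = "passwd: compat winbind\ngroup: compat\nshadow: compat\n"

def _config_lines(text):
    """Yield stripped lines, skipping blanks and '#'/';' comment lines."""
    for raw in text.splitlines():
        line = raw.strip()
        if line and line[0] not in "#;":
            yield line

def parse_idmap(smb_conf):
    """Return {domain: {'backend': ..., 'range': (low, high), ...}} from smb.conf text."""
    idmap = {}
    for line in _config_lines(smb_conf):
        m = _IDMAP_RE.match(line)
        if not m:
            continue
        domain, key, value = m.group(1).upper(), m.group(2).lower(), m.group(3)
        entry = idmap.setdefault(domain, {})
        if key == "range":
            r = _RANGE_RE.match(value)  # a malformed range raises on the next line
            entry["range"] = (int(r.group(1)), int(r.group(2)))
        else:
            entry[key] = value.lower()
    return idmap

def find_overlaps(idmap):
    """Domain pairs whose idmap ranges intersect; Samba requires them to be disjoint."""
    names = sorted(d for d in idmap if "range" in idmap[d])
    return [(a, b) for a, b in combinations(names, 2)
            if idmap[a]["range"][0] <= idmap[b]["range"][1]
            and idmap[b]["range"][0] <= idmap[a]["range"][1]]

def get_param(smb_conf, name):
    """Last value of a parameter; names match ignoring spaces and case, as in Samba."""
    want, value = name.replace(" ", "").lower(), None
    for line in _config_lines(smb_conf):
        key, sep, val = line.partition("=")
        if sep and key.replace(" ", "").lower() == want:
            value = val.strip()
    return value

def samba_bool(value):
    """Samba boolean syntax: yes/true/1 are true; anything else or absent is false."""
    return (value or "").strip().lower() in ("yes", "true", "1")

def nss_missing_winbind(nsswitch):
    """Which of passwd/group lack 'winbind' among their nsswitch.conf sources."""
    sources = {}
    for line in _config_lines(nsswitch):
        db, _, srcs = line.partition(":")
        sources[db.strip()] = srcs.split()
    return [db for db in ("passwd", "group") if "winbind" not in sources.get(db, [])]

def audit(smb_conf, nsswitch):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    for db in nss_missing_winbind(nsswitch):
        findings.append(f"nsswitch.conf: '{db}' lacks winbind, so getent {db} cannot see AD")
    for p in ("winbind enum users", "winbind enum groups"):
        if not samba_bool(get_param(smb_conf, p)):
            findings.append(f"smb.conf: '{p}' is not yes, so a plain getent lists no AD entries")
    idmap = parse_idmap(smb_conf)
    for a, b in find_overlaps(idmap):
        findings.append(f"smb.conf: idmap ranges for {a} and {b} overlap, so IDs would collide")
    for dom, entry in idmap.items():
        # Assumption: local system accounts sit below 1000 (Debian's default UID_MIN).
        if "range" in entry and entry["range"][0] < 1000:
            findings.append(f"smb.conf: idmap range for {dom} starts below 1000 (local UIDs)")
    return findings
```

Feed audit() the contents of /etc/samba/smb.conf and /etc/nsswitch.conf; for the configuration in the post it returns an empty list, while the BAD sample reports the missing winbind source on the group line, the disabled user enumeration, and the range overlap between '*' and SAMDOM. Overlapping ranges matter beyond enumeration: two different security principals would be handed the same UID or GID, so file permissions on the member stop meaning what the ACLs say.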