[Samba] Getent passwd doesn't show Domain Members
Achim Gottinger
achim at ag-web.biz
Wed Jul 20 10:49:06 UTC 2016
On 20.07.2016 at 11:33, Rowland penny wrote:
> On 20/07/16 08:22, Timo Dachs-Wegmann wrote:
>> Okay, I tried to install the server without winbind but with
>> libnss-winbind.
>>
>> Still the same problem. Getent passwd administrator works but the
>> result of getent passwd only shows local users.
>> This seems to be the same bug as Achim's.
>> We are running a Debian 4.8 with samba 4.2 packages...
>>
>> A few months ago I installed a test environment for samba with samba
>> version 4.1.17. There the getent command works perfectly. So I guess
>> this is a bug in the latest version...
>>
>> Can I report this bug somewhere or is there a workaround?
>
> OK, I have installed Samba 4.2.0 using distro packages on Devuan in a
> VM and set it up as I would normally do.
> From my testing, 'getent passwd' and 'getent group' work, so the
> question seems to be, how have you set up your domain member?
>
> The VM I set up uses a fixed IP and this is the list of packages I
> installed:
>
> samba samba-common-bin samba-common samba-libs samba-vfs-modules
> samba-dsdb-modules libwbclient0 libsmbclient winbind acl attr
> krb5-config libnss-winbind libpam-winbind libpam-krb5 krb5-user
>
> /etc/resolv.conf contains this:
>
> search samdom.example.com
> nameserver 192.168.0.5
> nameserver 192.168.0.6
>
> The nameservers are my two DCs.
>
> /etc/hosts contains this:
>
> 127.0.0.1 localhost
> 192.168.0.8 devtest.samdom.example.com devtest
>
> # The following lines are desirable for IPv6 capable hosts
> ::1 localhost ip6-localhost ip6-loopback
> ff02::1 ip6-allnodes
> ff02::2 ip6-allrouters
>
> If the computer was using dhcp, the '192.168.0.8' line wouldn't be there.
>
> /etc/krb5.conf contains:
>
> [libdefaults]
> default_realm = SAMDOM.EXAMPLE.COM
> dns_lookup_realm = false
> dns_lookup_kdc = true
>
> It doesn't need to contain anything else.
>
> /etc/samba/smb.conf contains this:
>
> [global]
> workgroup = SAMDOM
> security = ADS
> realm = SAMDOM.EXAMPLE.COM
>
> dedicated keytab file = /etc/krb5.keytab
> kerberos method = secrets and keytab
> server string = Samba 4 Client %h
>
> winbind enum users = yes
> winbind enum groups = yes
> winbind use default domain = yes
> winbind expand groups = 4
> winbind nss info = rfc2307
> winbind refresh tickets = Yes
> winbind offline logon = yes
> winbind normalize names = Yes
>
> ## map ids outside of domain to tdb files.
> idmap config *:backend = tdb
> idmap config *:range = 2000-9999
> ## map ids from the domain the ranges may not overlap !
> idmap config SAMDOM : backend = ad
> idmap config SAMDOM : schema_mode = rfc2307
> idmap config SAMDOM : range = 10000-999999
>
> domain master = no
> local master = no
> preferred master = no
> os level = 20
> map to guest = bad user
> host msdfs = no
>
> # user Administrator workaround, without it you are unable to set privileges
> username map = /etc/samba/user.map
>
> # For ACL support on domain member
> vfs objects = acl_xattr
> map acl inherit = Yes
> store dos attributes = Yes
>
> # Share Setting Globally
> unix extensions = no
> reset on zero vc = yes
> veto files = /.bash_logout/.bash_profile/.bash_history/.bashrc/
> hide unreadable = yes
>
> log file = /usr/local/samba/var/log.%m
>
> [homes]
> path = /home/%U
> read only = no
>
> /etc/samba/user.map contains this:
>
> !root = SAMDOM\Administrator SAMDOM\administrator Administrator administrator
>
> The relevant lines in /etc/nsswitch.conf look like this:
>
> passwd: compat winbind
> group: compat winbind
>
> Which leads to this:
>
> root at devtest:~# getent passwd
> root:x:0:0:root:/root:/bin/bash
> .......
> .......
>
> It displays no AD users, but if you run it again
>
> root at devtest:~# getent passwd
> root:x:0:0:root:/root:/bin/bash
> .......
> .......
> albert:*:10004:10000:Albert Tatlock:/home/albert:/bin/false
> rowland:*:10000:10000:Rowland Penny:/home/rowland:/bin/bash
> ........
> ........
>
> It doesn't really matter if 'getent passwd' doesn't display all your
> users, as long as it will display individual users:
>
> root at devtest:~# getent passwd rowland
> rowland:*:10000:10000:Rowland Penny:/home/rowland:/bin/bash
>
> Rowland
>
>
Hi Rowland,
The OP is running in ADDC mode!
achim~
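The smb.conf quoted in Rowland's reply stresses that the tdb and ad idmap ranges may not overlap. As an added example that is not part of this thread, here is a small Python checker that parses the `idmap config ... : range` lines from an smb.conf (the sample text is constructed from the idmap lines quoted above), reports inverted or overlapping ranges, and names the range a given uid or gid falls in, so the uid 10004 seen in the getent output resolves to the SAMDOM range.

```python
import re

# Constructed sample: the idmap lines from the smb.conf quoted in this thread.
SAMPLE_SMB_CONF = """
[global]
   idmap config *:backend = tdb
   idmap config *:range = 2000-9999
   idmap config SAMDOM : backend = ad
   idmap config SAMDOM : schema_mode = rfc2307
   idmap config SAMDOM : range = 10000-999999
"""

# Matches 'idmap config <DOMAIN> : range = <low>-<high>'; spacing around ':' is optional.
RANGE_RE = re.compile(
    r"^\s*idmap\s+config\s+(\S+?)\s*:\s*range\s*=\s*(\d+)\s*-\s*(\d+)\s*$", re.IGNORECASE
)


def parse_idmap_ranges(smb_conf_text):
    """Return {DOMAIN: (low, high)} for every idmap range line in the config text."""
    ranges = {}
    for line in smb_conf_text.splitlines():
        m = RANGE_RE.match(line)
        if m:
            ranges[m.group(1).upper()] = (int(m.group(2)), int(m.group(3)))
    return ranges


def find_range_problems(ranges):
    """List inverted ranges and every pair of domains whose ranges overlap."""
    problems = []
    items = sorted(ranges.items(), key=lambda kv: kv[1])
    for dom, (lo, hi) in items:
        if lo > hi:
            problems.append(f"{dom}: range {lo}-{hi} is inverted")
    for i, (d1, (lo1, hi1)) in enumerate(items):
        for d2, (lo2, hi2) in items[i + 1:]:
            if lo2 <= hi1 and lo1 <= hi2:  # closed intervals intersect
                problems.append(f"{d1} ({lo1}-{hi1}) overlaps {d2} ({lo2}-{hi2})")
    return problems


def domain_for_id(ranges, unix_id):
    """Name the idmap domain whose range contains unix_id, or None if unmapped."""
    for dom, (lo, hi) in ranges.items():
        if lo <= unix_id <= hi:
            return dom
    return None
```

Run `find_range_problems(parse_idmap_ranges(open("/etc/samba/smb.conf").read()))` on a real member to see any overlap reported before winbind silently hands out colliding ids.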