[Samba] Getent passwd doesn't show Domain Members

Achim Gottinger achim at ag-web.biz
Wed Jul 20 10:49:06 UTC 2016



On 20.07.2016 at 11:33, Rowland penny wrote:
> On 20/07/16 08:22, Timo Dachs-Wegmann wrote:
>> Okay, I tried to install the server without winbind but with 
>> libnss-winbind.
>>
>> Still the same problem. Getent passwd administrator works but the 
>> result of getent passwd only shows local users.
>> This seems to be the same bug as Achim's.
>> We are running a Debian 4.8 with samba 4.2 packages...
>>
>> A few months ago I installed a test environment for samba with samba 
>> version 4.1.17. There the getent command works perfectly. So I guess 
>> this is a bug in the latest version...
>>
>> Can I report this bug somewhere or is there a workaround?
>
> OK, I have installed Samba 4.2.0 using distro packages on Devuan in a 
> VM and set it up as I would normally do.
> From my testing, 'getent passwd' and 'getent group' work, so the 
> question seems to be, how have you set up your domain member?
>
> The VM I set up uses a fixed IP and this is the list of packages I 
> installed:
>
> samba samba-common-bin samba-common samba-libs samba-vfs-modules 
> samba-dsdb-modules libwbclient0 libsmbclient winbind acl attr 
> krb5-config libnss-winbind libpam-winbind libpam-krb5 krb5-user
>
> /etc/resolv.conf contains this:
>
> search samdom.example.com
> nameserver 192.168.0.5
> nameserver 192.168.0.6
>
> The nameservers are my two DCs
>
> /etc/hosts contains this:
>
> 127.0.0.1       localhost
> 192.168.0.8     devtest.samdom.example.com      devtest
>
> # The following lines are desirable for IPv6 capable hosts
> ::1     localhost ip6-localhost ip6-loopback
> ff02::1 ip6-allnodes
> ff02::2 ip6-allrouters
>
> If the computer was using dhcp, the '192.168.0.8' line wouldn't be there.
>
> /etc/krb5.conf contains:
>
> [libdefaults]
>         default_realm = SAMDOM.EXAMPLE.COM
>         dns_lookup_realm = false
>         dns_lookup_kdc = true
>
> It doesn't need to contain anything else.
>
> /etc/samba/smb.conf contains this:
>
> [global]
>     workgroup = SAMDOM
>     security = ADS
>     realm = SAMDOM.EXAMPLE.COM
>
>     dedicated keytab file = /etc/krb5.keytab
>     kerberos method = secrets and keytab
>     server string = Samba 4 Client %h
>
>     winbind enum users = yes
>     winbind enum groups = yes
>     winbind use default domain = yes
>     winbind expand groups = 4
>     winbind nss info = rfc2307
>     winbind refresh tickets = Yes
>     winbind offline logon = yes
>     winbind normalize names = Yes
>
>     ## map ids outside of domain to tdb files.
>     idmap config *:backend = tdb
>     idmap config *:range = 2000-9999
>     ## map ids from the domain, the ranges may not overlap!
>     idmap config SAMDOM : backend = ad
>     idmap config SAMDOM : schema_mode = rfc2307
>     idmap config SAMDOM : range = 10000-999999
>
>     domain master = no
>     local master = no
>     preferred master = no
>     os level = 20
>     map to guest = bad user
>     host msdfs = no
>
>     # user Administrator workaround, without it you are unable to set privileges
>     username map = /etc/samba/user.map
>
>     # For ACL support on domain member
>     vfs objects = acl_xattr
>     map acl inherit = Yes
>     store dos attributes = Yes
>
>     # Share Setting Globally
>     unix extensions = no
>     reset on zero vc = yes
>     veto files = /.bash_logout/.bash_profile/.bash_history/.bashrc/
>     hide unreadable = yes
>
>     log file = /usr/local/samba/var/log.%m
>
> [homes]
>     path = /home/%U
>     read only = no
>
> /etc/samba/user.map contains this:
>
> !root = SAMDOM\Administrator SAMDOM\administrator Administrator administrator
>
> The relevant lines in /etc/nsswitch.conf look like this:
>
> passwd:         compat winbind
> group:          compat winbind
>
> Which leads to this:
>
> root@devtest:~# getent passwd
> root:x:0:0:root:/root:/bin/bash
> .......
> .......
>
> It displays no AD users, but if you run it again
>
> root@devtest:~# getent passwd
> root:x:0:0:root:/root:/bin/bash
> .......
> .......
> albert:*:10004:10000:Albert Tatlock:/home/albert:/bin/false
> rowland:*:10000:10000:Rowland Penny:/home/rowland:/bin/bash
> ........
> ........
>
> It doesn't really matter if 'getent passwd' doesn't display all your 
> users, as long as it will display individual users:
>
> root@devtest:~# getent passwd rowland
> rowland:*:10000:10000:Rowland Penny:/home/rowland:/bin/bash
>
> Rowland
>
>
Hi Rowland,

The OP is running in ADDC mode!

achim~
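The quoted reply lists the three things a domain member needs before 'getent passwd' can show AD accounts: nsswitch.conf must name winbind as a source, the idmap ranges in smb.conf must not overlap, and a per-user lookup should succeed even when enumeration comes back empty. The script below is an added example, not code from the thread or from the Samba project, that checks those points. Each function takes file contents as its argument, so it runs here against constructed samples (the nsswitch lines, smb.conf fragment and getent output are made up to mirror the thread); on a real host you would pass in "$(cat /etc/nsswitch.conf)", "$(cat /etc/samba/smb.conf)" and "$(getent passwd)" instead.

```shell
#!/bin/sh
# Added example, not from the thread: sanity checks for a Samba domain
# member's name-service setup, exercised against constructed sample data.
set -u

# Constructed sample of the relevant nsswitch.conf lines.
SAMPLE_NSSWITCH='passwd:         compat winbind
group:          compat winbind
shadow:         compat'

# Constructed smb.conf fragment mirroring the idmap layout quoted above.
SAMPLE_SMBCONF='[global]
    workgroup = SAMDOM
    security = ADS
    winbind enum users = yes
    idmap config *:backend = tdb
    idmap config *:range = 2000-9999
    idmap config SAMDOM : backend = ad
    idmap config SAMDOM : range = 10000-999999'

# Constructed "getent passwd" output: two local accounts, two AD accounts.
SAMPLE_GETENT='root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
albert:*:10004:10000:Albert Tatlock:/home/albert:/bin/false
rowland:*:10000:10000:Rowland Penny:/home/rowland:/bin/bash'

# nss_has_winbind CONTENTS DB: succeeds when the nsswitch line for DB
# (passwd, group, ...) lists winbind. Without it getent never asks winbind.
nss_has_winbind() {
    printf '%s\n' "$1" | awk -v db="$2" '
        $1 == (db ":") { for (i = 2; i <= NF; i++) if ($i == "winbind") found = 1 }
        END { exit found ? 0 : 1 }'
}

# idmap_ranges_disjoint CONTENTS: succeeds when no two "idmap config ... range"
# entries overlap; Samba requires the ranges to be disjoint, as the quoted
# smb.conf comment says.
idmap_ranges_disjoint() {
    printf '%s\n' "$1" | awk '
        /^[[:space:]]*idmap config/ && /range/ {
            split($0, kv, "="); gsub(/[[:space:]]/, "", kv[2])
            split(kv[2], r, "-")
            n++; lo[n] = r[1] + 0; hi[n] = r[2] + 0
        }
        END {
            for (i = 1; i <= n; i++)
                for (j = i + 1; j <= n; j++)
                    if (lo[i] <= hi[j] && lo[j] <= hi[i]) exit 1
            exit 0
        }'
}

# count_uids_in_range CONTENTS LO HI: number of passwd entries whose uid is in
# [LO, HI]. Given the domain idmap range it counts accounts that came from
# winbind, so 0 after an enumeration means winbind contributed nothing.
count_uids_in_range() {
    printf '%s\n' "$1" | awk -F: -v lo="$2" -v hi="$3" '
        $3 + 0 >= lo + 0 && $3 + 0 <= hi + 0 { c++ }
        END { print c + 0 }'
}

# user_resolves CONTENTS NAME: succeeds when NAME has a passwd entry, i.e. the
# per-user lookup that the reply says matters more than a full enumeration.
user_resolves() {
    printf '%s\n' "$1" | awk -F: -v u="$2" '$1 == u { found = 1 } END { exit found ? 0 : 1 }'
}

# Report against the constructed samples.
for db in passwd group; do
    if nss_has_winbind "$SAMPLE_NSSWITCH" "$db"; then
        echo "nsswitch: $db consults winbind"
    else
        echo "nsswitch: $db does NOT consult winbind"
    fi
done
if idmap_ranges_disjoint "$SAMPLE_SMBCONF"; then
    echo "idmap: ranges are disjoint"
else
    echo "idmap: ranges overlap, fix smb.conf"
fi
echo "domain accounts enumerated: $(count_uids_in_range "$SAMPLE_GETENT" 10000 999999)"
```

The uid-range count is the quick way to tell "enumeration returned only local users" from "enumeration returned nothing at all": with the thread's layout, anything in 10000-999999 came from the SAMDOM idmap backend, and anything in 2000-9999 from the catch-all tdb backend.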
