[Samba] Getent passwd doesn't show Domain Members
Rowland penny
rpenny at samba.org
Wed Jul 20 10:56:12 UTC 2016
On 20/07/16 11:49, Achim Gottinger wrote:
>
>
> Am 20.07.2016 um 11:33 schrieb Rowland penny:
>> On 20/07/16 08:22, Timo Dachs-Wegmann wrote:
>>> Okay, I tried to install the server without winbind but with
>>> libnss-winbind.
>>>
>>> Still the same problem. Getent passwd administrator works but the
>>> result of getent passwd only shows local users.
>>> This seems to be the same bug as Achim's.
>>> We are running a Debian 4.8 with samba 4.2 packages...
>>>
>>> A few months ago I installed a test environment for samba with
>>> samba version 4.1.17. There the getent command works perfectly. So I
>>> guess this is a bug in the latest version...
>>>
>>> Can I report this bug somewhere or is there a workaround?
>>
>> OK, I have installed Samba 4.2.0 using distro packages on Devuan in a
>> VM and set it up as I would normally do.
>> From my testing, 'getent passwd' and 'getent group' work, so the
>> question seems to be, how have you set up your domain member?
>>
>> The VM I set up uses a fixed IP and this is the list of packages I
>> installed:
>>
>> samba samba-common-bin samba-common samba-libs samba-vfs-modules
>> samba-dsdb-modules libwbclient0 libsmbclient winbind acl attr
>> krb5-config libnss-winbind libpam-winbind libpam-krb5 krb5-user
>>
>> /etc/resolv.conf contains this:
>>
>> search samdom.example.com
>> nameserver 192.168.0.5
>> nameserver 192.168.0.6
>>
>> The nameservers are my two DCs
>>
>> /etc/hosts contains this:
>>
>> 127.0.0.1 localhost
>> 192.168.0.8 devtest.samdom.example.com devtest
>>
>> # The following lines are desirable for IPv6 capable hosts
>> ::1 localhost ip6-localhost ip6-loopback
>> ff02::1 ip6-allnodes
>> ff02::2 ip6-allrouters
>>
>> If the computer was using dhcp, the '192.168.0.8' line wouldn't be
>> there.
>>
>> /etc/krb5.conf contains:
>>
>> [libdefaults]
>> default_realm = SAMDOM.EXAMPLE.COM
>> dns_lookup_realm = false
>> dns_lookup_kdc = true
>>
>> It doesn't need to contain anything else.
>>
>> /etc/samba/smb.conf contains this:
>>
>> [global]
>> workgroup = SAMDOM
>> security = ADS
>> realm = SAMDOM.EXAMPLE.COM
>>
>> dedicated keytab file = /etc/krb5.keytab
>> kerberos method = secrets and keytab
>> server string = Samba 4 Client %h
>>
>> winbind enum users = yes
>> winbind enum groups = yes
>> winbind use default domain = yes
>> winbind expand groups = 4
>> winbind nss info = rfc2307
>> winbind refresh tickets = Yes
>> winbind offline logon = yes
>> winbind normalize names = Yes
>>
>> ## map ids outside of domain to tdb files.
>> idmap config *:backend = tdb
>> idmap config *:range = 2000-9999
>> ## map ids from the domain the ranges may not overlap !
>> idmap config SAMDOM : backend = ad
>> idmap config SAMDOM : schema_mode = rfc2307
>> idmap config SAMDOM : range = 10000-999999
>>
>> domain master = no
>> local master = no
>> preferred master = no
>> os level = 20
>> map to guest = bad user
>> host msdfs = no
>>
>> # user Administrator workaround, without it you are unable to set
>> privileges
>> username map = /etc/samba/user.map
>>
>> # For ACL support on domain member
>> vfs objects = acl_xattr
>> map acl inherit = Yes
>> store dos attributes = Yes
>>
>> # Share Setting Globally
>> unix extensions = no
>> reset on zero vc = yes
>> veto files = /.bash_logout/.bash_profile/.bash_history/.bashrc/
>> hide unreadable = yes
>>
>> log file = /usr/local/samba/var/log.%m
>>
>> [homes]
>> path = /home/%U
>> read only = no
>>
>> /etc/samba/user.map contains this:
>>
>> !root = SAMDOM\Administrator SAMDOM\administrator Administrator
>> administrator
>>
>> The relevant lines in /etc/nsswitch.conf look like this:
>>
>> passwd: compat winbind
>> group: compat winbind
>>
>> Which leads to this:
>>
>> root at devtest:~# getent passwd
>> root:x:0:0:root:/root:/bin/bash
>> .......
>> .......
>>
>> It displays no AD users, but if you run it again
>>
>> root at devtest:~# getent passwd
>> root:x:0:0:root:/root:/bin/bash
>> .......
>> .......
>> albert:*:10004:10000:Albert Tatlock:/home/albert:/bin/false
>> rowland:*:10000:10000:Rowland Penny:/home/rowland:/bin/bash
>> ........
>> ........
>>
>> It doesn't really matter if 'getent passwd' doesn't display all your
>> users, as long as it will display individual users:
>>
>> root at devtest:~# getent passwd rowland
>> rowland:*:10000:10000:Rowland Penny:/home/rowland:/bin/bash
>>
>> Rowland
>>
>>
> Hi Rowland,
>
> The OP is running in ADDC mode!
>
> achim~
>
>
Ah, missed that. I will go and try again and report back; it should work.
Rowland
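As an added check for the domain-member configuration Rowland describes (example code written for this page, not from the Samba project or the thread), the script below parses an smb.conf [global] section and an nsswitch.conf excerpt and reports the three things the thread turns on: 'winbind enum users', non-overlapping idmap ranges, and winbind on the passwd/group lines. The config excerpts are constructed from the text quoted above.

```python
"""Sanity checks for the 'getent passwd' enumeration problem in this thread.
Added example, not Samba code; the excerpts are constructed from the mail."""
import re
# Constructed excerpt of the [global] section quoted in the mail.
SMB_CONF = """[global]
workgroup = SAMDOM
security = ADS
winbind enum users = yes
winbind enum groups = yes
idmap config *:backend = tdb
idmap config *:range = 2000-9999
idmap config SAMDOM : backend = ad
idmap config SAMDOM : range = 10000-999999
"""
# Constructed excerpt of the nsswitch.conf lines quoted in the mail.
NSSWITCH = "passwd: compat winbind\ngroup: compat winbind\n"

def parse_global(text):
    """Return {parameter: value} for [global]; 'SAMDOM : range' == 'SAMDOM:range'."""
    params, section = {}, None
    for line in (l.strip() for l in text.splitlines()):
        if not line or line[0] in "#;":
            continue
        if line[0] == "[" and line[-1] == "]":
            section = line[1:-1].lower()
        elif section == "global" and "=" in line:
            key, _, value = line.partition("=")
            params[re.sub(r"\s*:\s*", ":", " ".join(key.split()))] = value.strip()
    return params

def check(smb_conf, nsswitch):
    """Return a list of problems; an empty list means every check passed."""
    p, problems, ranges = parse_global(smb_conf), [], {}
    if p.get("winbind enum users", "no").lower() not in ("yes", "true", "1"):
        problems.append("winbind enum users is not yes: 'getent passwd' will not list AD users")
    for key, value in p.items():            # collect 'idmap config X:range' entries
        m = re.match(r"idmap config (.+):range$", key)
        if m:
            ranges[m.group(1)] = tuple(int(x) for x in value.split("-"))
    names = sorted(ranges)
    for i, a in enumerate(names):           # every pair of ranges must be disjoint
        for b in names[i + 1:]:
            if ranges[a][0] <= ranges[b][1] and ranges[b][0] <= ranges[a][1]:
                problems.append(f"idmap ranges for {a} and {b} overlap")
    for db in ("passwd", "group"):          # nsswitch must consult winbind
        m = re.search(rf"^{db}:\s*(.*)$", nsswitch, re.M)
        if not m or "winbind" not in m.group(1).split():
            problems.append(f"nsswitch.conf: {db} line does not include winbind")
    return problems
```

A clean report here does not guarantee that 'getent passwd' lists every AD user; as Rowland notes, the meaningful test is that individual lookups such as 'getent passwd rowland' work.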