[Samba] Getent passwd doesn't show Domain Members

Rowland penny rpenny at samba.org
Wed Jul 20 10:56:12 UTC 2016


On 20/07/16 11:49, Achim Gottinger wrote:
>
>
> On 20.07.2016 at 11:33, Rowland penny wrote:
>> On 20/07/16 08:22, Timo Dachs-Wegmann wrote:
>>> Okay, I tried to install the server without winbind but with 
>>> libnss-winbind.
>>>
>>> Still the same problem. Getent passwd administrator works but the 
>>> result of getent passwd only shows local users.
>>> This seems to be the same bug as Achim's.
>>> We are running a Debian 4.8 with samba 4.2 packages...
>>>
>>> A few months ago I installed a test environment for samba with 
>>> samba version 4.1.17. There the getent command works perfectly. So I 
>>> guess this is a bug in the latest version...
>>>
>>> Can I report this bug somewhere or is there a workaround?
>>
>> OK, I have installed Samba 4.2.0 using distro packages on Devuan in a 
>> VM and set it up as I would normally do.
>> From my testing, 'getent passwd' and 'getent group' work, so the 
>> question seems to be, how have you set up your domain member?
>>
>> The VM I set up uses a fixed IP and this is the list of packages I 
>> installed:
>>
>> samba samba-common-bin samba-common samba-libs samba-vfs-modules 
>> samba-dsdb-modules libwbclient0 libsmbclient winbind acl attr 
>> krb5-config libnss-winbind libpam-winbind libpam-krb5 krb5-user
>>
>> /etc/resolv.conf contains this:
>>
>> search samdom.example.com
>> nameserver 192.168.0.5
>> nameserver 192.168.0.6
>>
>> The nameservers are my two DCs
>>
>> /etc/hosts contains this:
>>
>> 127.0.0.1       localhost
>> 192.168.0.8     devtest.samdom.example.com      devtest
>>
>> # The following lines are desirable for IPv6 capable hosts
>> ::1     localhost ip6-localhost ip6-loopback
>> ff02::1 ip6-allnodes
>> ff02::2 ip6-allrouters
>>
>> If the computer was using dhcp, the '192.168.0.8' line wouldn't be 
>> there.
>>
>> /etc/krb5.conf contains:
>>
>> [libdefaults]
>>         default_realm = SAMDOM.EXAMPLE.COM
>>         dns_lookup_realm = false
>>         dns_lookup_kdc = true
>>
>> It doesn't need to contain anything else.
>>
>> /etc/samba/smb.conf contains this:
>>
>> [global]
>>     workgroup = SAMDOM
>>     security = ADS
>>     realm = SAMDOM.EXAMPLE.COM
>>
>>     dedicated keytab file = /etc/krb5.keytab
>>     kerberos method = secrets and keytab
>>     server string = Samba 4 Client %h
>>
>>     winbind enum users = yes
>>     winbind enum groups = yes
>>     winbind use default domain = yes
>>     winbind expand groups = 4
>>     winbind nss info = rfc2307
>>     winbind refresh tickets = Yes
>>     winbind offline logon = yes
>>     winbind normalize names = Yes
>>
>>     ## map ids outside of domain to tdb files.
>>     idmap config *:backend = tdb
>>     idmap config *:range = 2000-9999
>>     ## map ids from the domain  the ranges may not overlap !
>>     idmap config SAMDOM : backend = ad
>>     idmap config SAMDOM : schema_mode = rfc2307
>>     idmap config SAMDOM : range = 10000-999999
>>
>>     domain master = no
>>     local master = no
>>     preferred master = no
>>     os level = 20
>>     map to guest = bad user
>>     host msdfs = no
>>
>>     # user Administrator workaround, without it you are unable to set 
>> privileges
>>     username map = /etc/samba/user.map
>>
>>     # For ACL support on domain member
>>     vfs objects = acl_xattr
>>     map acl inherit = Yes
>>     store dos attributes = Yes
>>
>>     # Share Setting Globally
>>     unix extensions = no
>>     reset on zero vc = yes
>>     veto files = /.bash_logout/.bash_profile/.bash_history/.bashrc/
>>     hide unreadable = yes
>>
>>     log file = /usr/local/samba/var/log.%m
>>
>> [homes]
>>     path = /home/%U
>>     read only = no
>>
>> /etc/samba/user.map contains this:
>>
>> !root = SAMDOM\Administrator SAMDOM\administrator Administrator 
>> administrator
>>
>> The relevant lines in /etc/nsswitch.conf look like this:
>>
>> passwd:         compat winbind
>> group:          compat winbind
>>
>> Which leads to this:
>>
>> root at devtest:~# getent passwd
>> root:x:0:0:root:/root:/bin/bash
>> .......
>> .......
>>
>> It displays no AD users, but if you run it again
>>
>> root at devtest:~# getent passwd
>> root:x:0:0:root:/root:/bin/bash
>> .......
>> .......
>> albert:*:10004:10000:Albert Tatlock:/home/albert:/bin/false
>> rowland:*:10000:10000:Rowland Penny:/home/rowland:/bin/bash
>> ........
>> ........
>>
>> It doesn't really matter if 'getent passwd' doesn't display all your 
>> users, as long as it will display individual users:
>>
>> root at devtest:~# getent passwd rowland
>> rowland:*:10000:10000:Rowland Penny:/home/rowland:/bin/bash
>>
>> Rowland
>>
>>
> Hi Rowland,
>
> The OP is running in ADDC mode!
>
> achim~
>
>

Ah, missed that, I will go and try again and report back, it should work.

Rowland
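As an added example (not code from this thread or from the Samba project), a small Python checker for the rule stated in the smb.conf comment quoted above: the idmap range for '*' and the range for the domain must not overlap. It parses the quoted 'idmap config' lines; the second domain OTHERDOM and its range are a constructed, hypothetical addition used to show a collision.

```python
import re

# Constructed sample: the idmap lines quoted in this thread, and (OVERLAPPING) a
# hypothetical second domain OTHERDOM whose range collides with both of them.
PAGE_IDMAP = """
[global]
    idmap config *:backend = tdb
    idmap config *:range = 2000-9999
    idmap config SAMDOM : backend = ad
    idmap config SAMDOM : schema_mode = rfc2307
    idmap config SAMDOM : range = 10000-999999
"""
OVERLAPPING = PAGE_IDMAP + """
    idmap config OTHERDOM : backend = rid
    idmap config OTHERDOM : range = 5000-20000
"""

# Matches 'idmap config DOMAIN : key = value'; tolerates the spacing Samba allows around ':'.
IDMAP_RE = re.compile(
    r"^\s*idmap\s+config\s+(?P<dom>[^:]+?)\s*:\s*(?P<key>\w+)\s*=\s*(?P<val>.+?)\s*$",
    re.IGNORECASE)

def parse_idmap(conf_text):
    """Collect idmap settings into {DOMAIN: {key: value}} ('*' is the default domain)."""
    idmap = {}
    for line in conf_text.splitlines():
        m = IDMAP_RE.match(line)
        if m:
            idmap.setdefault(m["dom"].strip().upper(), {})[m["key"].lower()] = m["val"]
    return idmap

def parse_range(val):
    """'2000-9999' -> (2000, 9999)."""
    lo, hi = (int(x) for x in val.split("-", 1))
    return lo, hi

def check_idmap(conf_text):
    """Return problems: domains with no range, and every pair of ranges that overlap."""
    problems, ranges = [], {}
    for dom, keys in parse_idmap(conf_text).items():
        if "range" not in keys:
            problems.append(f"{dom}: no idmap range configured")
        else:
            ranges[dom] = parse_range(keys["range"])
    doms = sorted(ranges)
    for i, a in enumerate(doms):
        for b in doms[i + 1:]:
            (alo, ahi), (blo, bhi) = ranges[a], ranges[b]
            if alo <= bhi and blo <= ahi:  # closed intervals intersect
                problems.append(f"{a} {alo}-{ahi} overlaps {b} {blo}-{bhi}")
    return problems
```

Run check_idmap() on the text of a real smb.conf before joining a member: an overlapping or missing range means winbind cannot allocate consistent IDs, which shows up as users missing from 'getent passwd'.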
