[Samba] Getent passwd doesn't show Domain Members

Timo Dachs-Wegmann t.wegmann at procitec.de
Thu Jul 21 06:08:07 UTC 2016


Well, thank you for your support.
I guess you can't tell when Debian will release new packages?

I think we'll work with the 4.2.10 (4.2.11) packages until Debian releases the new version :)

Kind regards

Timo Dachs-Wegmann
-EDV- 

-----Original Message-----
From: samba [mailto:samba-bounces at lists.samba.org] On Behalf Of Rowland penny
Sent: Wednesday, 20 July 2016 17:59
To: samba at lists.samba.org
Subject: Re: [Samba] Getent passwd doesn't show Domain Members

On 20/07/16 11:56, Rowland penny wrote:
> On 20/07/16 11:49, Achim Gottinger wrote:
>>
>>
>> On 20.07.2016 at 11:33, Rowland penny wrote:
>>> On 20/07/16 08:22, Timo Dachs-Wegmann wrote:
>>>> Okay, I tried to install the server without winbind but with 
>>>> libnss-winbind.
>>>>
>>>> Still the same problem. Getent passwd administrator works but the 
>>>> result of getent passwd only shows local users.
>>>> This seems to be the same bug as Achim's.
>>>> We are running a Debian 4.8 with samba 4.2 packages...
>>>>
>>>> A few months ago I installed a test environment for samba with 
>>>> samba version 4.1.17. There the getent command works perfectly. So 
>>>> I guess this is a bug in the latest version...
>>>>
>>>> Can I report this bug somewhere or is there a workaround?
>>>
>>> OK, I have installed Samba 4.2.0 using distro packages on Devuan in 
>>> a VM and set it up as I would normally do.
>>> From my testing, 'getent passwd' and 'getent group' work, so the 
>>> question seems to be, how have you set up your domain member?
>>>
>>> The VM I set up uses a fixed IP and this is the list of packages I
>>> installed:
>>>
>>> samba samba-common-bin samba-common samba-libs samba-vfs-modules 
>>> samba-dsdb-modules libwbclient0 libsmbclient winbind acl attr 
>>> krb5-config libnss-winbind libpam-winbind libpam-krb5 krb5-user
>>>
>>> /etc/resolv.conf contains this:
>>>
>>> search samdom.example.com
>>> nameserver 192.168.0.5
>>> nameserver 192.168.0.6
>>>
>>> The nameservers are my two DCs
>>>
>>> /etc/hosts contains this:
>>>
>>> 127.0.0.1       localhost
>>> 192.168.0.8     devtest.samdom.example.com      devtest
>>>
>>> # The following lines are desirable for IPv6 capable hosts
>>> ::1     localhost ip6-localhost ip6-loopback
>>> ff02::1 ip6-allnodes
>>> ff02::2 ip6-allrouters
>>>
>>> If the computer was using dhcp, the '192.168.0.8' line wouldn't be 
>>> there.
>>>
>>> /etc/krb5.conf contains:
>>>
>>> [libdefaults]
>>>         default_realm = SAMDOM.EXAMPLE.COM
>>>         dns_lookup_realm = false
>>>         dns_lookup_kdc = true
>>>
>>> It doesn't need to contain anything else.
>>>
>>> /etc/samba/smb.conf contains this:
>>>
>>> [global]
>>>     workgroup = SAMDOM
>>>     security = ADS
>>>     realm = SAMDOM.EXAMPLE.COM
>>>
>>>     dedicated keytab file = /etc/krb5.keytab
>>>     kerberos method = secrets and keytab
>>>     server string = Samba 4 Client %h
>>>
>>>     winbind enum users = yes
>>>     winbind enum groups = yes
>>>     winbind use default domain = yes
>>>     winbind expand groups = 4
>>>     winbind nss info = rfc2307
>>>     winbind refresh tickets = Yes
>>>     winbind offline logon = yes
>>>     winbind normalize names = Yes
>>>
>>>     ## map ids outside of domain to tdb files.
>>>     idmap config *:backend = tdb
>>>     idmap config *:range = 2000-9999
>>>     ## map ids from the domain  the ranges may not overlap !
>>>     idmap config SAMDOM : backend = ad
>>>     idmap config SAMDOM : schema_mode = rfc2307
>>>     idmap config SAMDOM : range = 10000-999999
>>>
>>>     domain master = no
>>>     local master = no
>>>     preferred master = no
>>>     os level = 20
>>>     map to guest = bad user
>>>     host msdfs = no
>>>
>>>     # user Administrator workaround, without it you are unable to set privileges
>>>     username map = /etc/samba/user.map
>>>
>>>     # For ACL support on domain member
>>>     vfs objects = acl_xattr
>>>     map acl inherit = Yes
>>>     store dos attributes = Yes
>>>
>>>     # Share Setting Globally
>>>     unix extensions = no
>>>     reset on zero vc = yes
>>>     veto files = /.bash_logout/.bash_profile/.bash_history/.bashrc/
>>>     hide unreadable = yes
>>>
>>>     log file = /usr/local/samba/var/log.%m
>>>
>>> [homes]
>>>     path = /home/%U
>>>     read only = no
>>>
>>> /etc/samba/user.map contains this:
>>>
>>> !root = SAMDOM\Administrator SAMDOM\administrator Administrator administrator
>>>
>>> The relevant lines in /etc/nsswitch.conf look like this:
>>>
>>> passwd:         compat winbind
>>> group:          compat winbind
>>>
>>> Which leads to this:
>>>
>>> root at devtest:~# getent passwd
>>> root:x:0:0:root:/root:/bin/bash
>>> .......
>>> .......
>>>
>>> It displays no AD users, but if you run it again
>>>
>>> root at devtest:~# getent passwd
>>> root:x:0:0:root:/root:/bin/bash
>>> .......
>>> .......
>>> albert:*:10004:10000:Albert Tatlock:/home/albert:/bin/false
>>> rowland:*:10000:10000:Rowland Penny:/home/rowland:/bin/bash
>>> ........
>>> ........
>>>
>>> It doesn't really matter if 'getent passwd' doesn't display all your 
>>> users, as long as it will display individual users:
>>>
>>> root at devtest:~# getent passwd rowland
>>> rowland:*:10000:10000:Rowland Penny:/home/rowland:/bin/bash
>>>
>>> Rowland
>>>
>>>
>> Hi Rowland,
>>
>> The OP is running in ADDC mode!
>>
>> achim~
>>
>>
>
> Ah, missed that, I will go and try again and report back, it should work.
>
> Rowland
>
>

OK, I know what is wrong now: the Debian Samba package (version 4.2.10 that is really 4.2.11) is the one that came out after the Badlock patches were released. A few regressions were introduced by the Badlock patches and these have been fixed in later releases. To put it bluntly, Debian needs to release a later version, even more so when you take into account that 4.5.0 is nearing release, at which point the 4.2.x series will go EOL.

Your choices if you need 'getent passwd' to work (if 'getent passwd username' isn't enough) are a bit limited: you could use the Sernet packages (free or paid for), wait until Debian releases a later package, or compile Samba yourself.

Rowland
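
The smb.conf quoted in this thread carries the comment that the idmap ranges may not overlap; overlapping ranges can map two different principals to the same Unix ID. The following is an added example, not part of the original thread and not Samba code: it parses the `idmap config` lines from a constructed copy of that fragment and reports any domains whose ranges intersect. The function names are hypothetical.

```python
import re

# Constructed sample, copied from the idmap lines quoted in the thread.
SAMPLE_SMB_CONF = """\
[global]
    workgroup = SAMDOM
    security = ADS
    ## map ids outside of domain to tdb files.
    idmap config *:backend = tdb
    idmap config *:range = 2000-9999
    ## map ids from the domain  the ranges may not overlap !
    idmap config SAMDOM : backend = ad
    idmap config SAMDOM : schema_mode = rfc2307
    idmap config SAMDOM : range = 10000-999999
"""

# Matches "idmap config <DOMAIN> : <key> = <value>" with optional spacing.
IDMAP_RE = re.compile(
    r"^\s*idmap\s+config\s+(?P<dom>[^:\s]+)\s*:\s*"
    r"(?P<key>[\w ]+?)\s*=\s*(?P<val>.+?)\s*$",
    re.IGNORECASE,
)

def idmap_ranges(conf_text):
    """Return {domain: (low, high)} for every 'idmap config DOM : range' line."""
    ranges = {}
    for line in conf_text.splitlines():
        if line.lstrip().startswith(("#", ";")):
            continue  # smb.conf comment line
        m = IDMAP_RE.match(line)
        if not m or m.group("key").lower() != "range":
            continue
        low, high = (int(x) for x in m.group("val").split("-", 1))
        if low > high:
            raise ValueError(f"inverted range for {m.group('dom')}: {low}-{high}")
        ranges[m.group("dom").upper()] = (low, high)
    return ranges

def overlapping(ranges):
    """Return sorted pairs of domains whose ID ranges intersect."""
    items = sorted(ranges.items(), key=lambda kv: kv[1])
    clashes = []
    for i, (dom_a, (_, high_a)) in enumerate(items):
        for dom_b, (low_b, _) in items[i + 1:]:
            # items are ordered by low bound, so low_b >= low_a here
            if low_b <= high_a:
                clashes.append(tuple(sorted((dom_a, dom_b))))
    return sorted(clashes)
```
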
