[Samba] getent not displaying builtin groups or users

niya levi niyalevi at gmail.com
Thu Nov 3 18:18:56 UTC 2016 

>
> OK, lets start with a DC, if you run getent straight after the
> provision of the DC, you will only get the local Unix users. To
> get anything in AD, you will need to ensure that the libnss_winbind
> links exist, see here:
>
> https://wiki.samba.org/index.php/Libnss_winbind_Links
>
> Once the links exist and 'winbind' is added to 'passwd' & 'group'
> lines in /etc/nsswitch.conf , if you then run 'getent passwd
> Administrator', you should get something like this:
>
> EXAMPLE\administrator:*:0:100::/home/EXAMPLE/administrator:/bin/false
>
> NOTE: you should only get an output like the above on a DC, never on a
> domain member.
>
> The relevant part to look at is the numbers ':0:100:' , the first
> ensures that Administrator is mapped to 'root' and '100' is the local
> Unix group 'users' and 'Domain Users' is mapped to this. Both of these
> mappings are done via 'idmap.ldb'
>
> If you then add a user and run 'getent passwd <username>' , you will
> find that the user will have an UID in the '3000000' range and their
> GID will be '100'
>
> If you then go to a domain member and setup smb.conf to use the winbind
> 'ad' backend, it will not matter what range you set at this point, you
> will not get any output from getent for AD users. If you use the 'rid'
> backend you should.
>
> If you want to use the 'ad' backend, you will need to give any users,
> that you want to be visible to Unix, a uidNumber and you must then give
> Domain Users a gidNumber. You must then set the 'idmap config DOMAIN'
> range in smb.conf based on these numbers i.e. if the lowest number is
> 10000 and the highest possible will be 20000, the range would be
> '10000-20000'. The uidNumber & gidNumber attributes are not added
> automatically.
>
> If you go back to the DC and run 'getent passwd Administrator', you
> should find that the group ID is now '10000' (provided you gave
> Domain Users the gidNumber 10000). At this point, if run 'getent
> passwd <username>' you should get back the uidNumber you set in AD
> and the gidNumber should be what you set for Domain Users, you
> should also get the same result on the DC.
>
> You do not have to use the '3000000' numbers, you can use any range
> you like.
>
> If, after adding the uid/gidNumber attributes, you still get the old
> numbers, try running 'net cache flush'.
>
> If you have followed the above, you should be able to work out how to
> make 'Domain Admins' visible to Unix.
>
> See here for more info on setting up a domain member:
>
> https://wiki.samba.org/index.php/Setup_Samba_as_an_AD_Domain_Member
>
> Finally, you should never add the 'idmap config' lines to a DC smb.conf.
>
> Rowland
>
>

still not quite there,

on the dc's i can use getent and id on the domain users

i am not able to list all the domain users or group only individual
users or groups that i request,

is this how it getent normally works on a domain controller,

i only see examples of getting the full list from a member server

e.g. testing winbindd user/group retrieval on the
https://wiki.samba.org/index.php/Setup_Samba_as_an_AD_Domain_Member page ?

this as far as i got to,

using s4bind from the linux costa blanca website
all commands executed on the dc

[root at ashanti dc]# s4bind upgradegroup "Domain Users" 20513
### s4bind ###
Default principal: Administrator at AD.TISSISAT.CO.UK
dn: cn=Domain Users,cn=Users,DC=ad,DC=tissisat,DC=co,DC=uk
changetype: modify
add: objectClass
objectClass: posixGroup
-
add: gidNumber
gidNumber: 20513
Modified 1 records successfully
Done


[root at ashanti dc]# getent group "Domain Users"
TISSISAT\domain users:x:20513:

[root at ashanti dc]# getent group
root:x:0:root
bin:x:1:root,bin,daemon
~
~
named:x:40:
ntp:x:87:
ldap:x:439:
avahi:x:84:

[root at ashanti dc]# samba-tool group listmembers "Domain Users"
Administrator
nfs-mgr
dns-KHAFU
dns-ashanti
krbtgt
dhcpd-mgr
 

[root at ashanti dc]# id administrator
uid=0(root) gid=0(root)
groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel),19(log)
[root at ashanti dc]# getent passwd administrator
TISSISAT\administrator:*:0:20513::/home/TISSISAT/administrator:/bin/false

[root at ashanti dc]# id dns-KHAFU
uid=3000020(TISSISAT\dns-khafu) gid=20513(TISSISAT\domain users)
groups=20513(TISSISAT\domain
users),3000020(TISSISAT\dns-khafu),3000009(BUILTIN\users)

[root at ashanti dc]# id dns-ashanti
uid=3000021(TISSISAT\dns-ashanti) gid=20513(TISSISAT\domain users)
groups=20513(TISSISAT\domain
users),3000021(TISSISAT\dns-ashanti),3000009(BUILTIN\users)

wbinfo --name-to-sid nfs-mgr
S-1-5-21-3413519446-332335380-2400789411-1105 SID_USER (1)

[root at ashanti dc]# ldbedit -e nano -H /var/lib/samba/private/idmap.ldb
objectsid=S-1-5-21-3413519446-332335380-2400789411-1105
# 0 adds  1 modifies  0 deletes

[root at ashanti dc]# getent passwd nfs-mgr
TISSISAT\nfs-mgr:*:10005:20513::/home/TISSISAT/nfs-mgr:/bin/false

[root at ashanti dc]# id nfs-mgr
uid=10005(TISSISAT\nfs-mgr) gid=20513(TISSISAT\domain users)
groups=20513(TISSISAT\domain
users),10005(TISSISAT\nfs-mgr),3000009(BUILTIN\users)

on the member server i changed the range
                idmap config *:backend = tdb
                idmap config *:range = 2000-9999
                idmap config TISSISAT:backend = ad
                idmap config TISSISAT:schema_mode = rfc2307
                idmap config TISSISAT:range = 10000-99999
restarted samba daemons

getent passwd returns only local users and
getent passwd nfs-mgr returns nothing.

i expected to see at least nfs-mgr in the output

shadrock

More information about the samba mailing list