[Samba] getent not displaying builtin groups or users

niya levi niyalevi at gmail.com
Thu Nov 3 18:18:56 UTC 2016

> OK, let's start with a DC. If you run getent straight after the
> provision of the DC, you will only get the local Unix users. To
> get anything in AD, you will need to ensure that the libnss_winbind
> links exist, see here:
> https://wiki.samba.org/index.php/Libnss_winbind_Links
> Once the links exist and 'winbind' is added to the 'passwd' & 'group'
> lines in /etc/nsswitch.conf, if you then run 'getent passwd
> Administrator', you should get something like this:
> EXAMPLE\administrator:*:0:100::/home/EXAMPLE/administrator:/bin/false
> NOTE: you should only get an output like the above on a DC, never on a
> domain member.
> The relevant part to look at is the numbers ':0:100:'; the first
> ensures that Administrator is mapped to 'root' and '100' is the local
> Unix group 'users', and 'Domain Users' is mapped to this. Both of these
> mappings are done via 'idmap.ldb'.
> If you then add a user and run 'getent passwd <username>', you will
> find that the user will have a UID in the '3000000' range and their
> GID will be '100'.
> If you then go to a domain member and set up smb.conf to use the winbind
> 'ad' backend, it will not matter what range you set at this point, you
> will not get any output from getent for AD users. If you use the 'rid'
> backend you should.
> If you want to use the 'ad' backend, you will need to give any users,
> that you want to be visible to Unix, a uidNumber and you must then give
> Domain Users a gidNumber. You must then set the 'idmap config DOMAIN'
> range in smb.conf based on these numbers i.e. if the lowest number is
> 10000 and the highest possible will be 20000, the range would be
> '10000-20000'. The uidNumber & gidNumber attributes are not added
> automatically.
> If you go back to the DC and run 'getent passwd Administrator', you
> should find that the group ID is now '10000' (provided you gave
> Domain Users the gidNumber 10000). At this point, if you run 'getent
> passwd <username>' you should get back the uidNumber you set in AD
> and the gidNumber should be what you set for Domain Users; you
> should also get the same result on the DC.
> You do not have to use the '3000000' numbers, you can use any range
> you like.
> If, after adding the uid/gidNumber attributes, you still get the old
> numbers, try running 'net cache flush'.
> If you have followed the above, you should be able to work out how to
> make 'Domain Admins' visible to Unix.
> See here for more info on setting up a domain member:
> https://wiki.samba.org/index.php/Setup_Samba_as_an_AD_Domain_Member
> Finally, you should never add the 'idmap config' lines to a DC smb.conf.
> Rowland

Still not quite there.

On the DCs I can use getent and id on the domain users.

I am not able to list all the domain users or groups, only individual
users or groups that I request.

Is this how getent normally works on a domain controller?

I only see examples of getting the full list from a member server,

e.g. testing winbindd user/group retrieval on the
https://wiki.samba.org/index.php/Setup_Samba_as_an_AD_Domain_Member page?

This is as far as I got to,

using s4bind from the Linux Costa Blanca website.
All commands executed on the DC:

[root at ashanti dc]# s4bind upgradegroup "Domain Users" 20513
### s4bind ###
Default principal: Administrator at AD.TISSISAT.CO.UK
dn: cn=Domain Users,cn=Users,DC=ad,DC=tissisat,DC=co,DC=uk
changetype: modify
add: objectClass
objectClass: posixGroup
add: gidNumber
gidNumber: 20513
Modified 1 records successfully

[root at ashanti dc]# getent group "Domain Users"
TISSISAT\domain users:x:20513:

[root at ashanti dc]# getent group

[root at ashanti dc]# samba-tool group listmembers "Domain Users"

[root at ashanti dc]# id administrator
uid=0(root) gid=0(root)
[root at ashanti dc]# getent passwd administrator

[root at ashanti dc]# id dns-KHAFU
uid=3000020(TISSISAT\dns-khafu) gid=20513(TISSISAT\domain users)

[root at ashanti dc]# id dns-ashanti
uid=3000021(TISSISAT\dns-ashanti) gid=20513(TISSISAT\domain users)

wbinfo --name-to-sid nfs-mgr
S-1-5-21-3413519446-332335380-2400789411-1105 SID_USER (1)

[root at ashanti dc]# ldbedit -e nano -H /var/lib/samba/private/idmap.ldb
# 0 adds  1 modifies  0 deletes

[root at ashanti dc]# getent passwd nfs-mgr

[root at ashanti dc]# id nfs-mgr
uid=10005(TISSISAT\nfs-mgr) gid=20513(TISSISAT\domain users)

On the member server I changed the range:
                idmap config *:backend = tdb
                idmap config *:range = 2000-9999
                idmap config TISSISAT:backend = ad
                idmap config TISSISAT:schema_mode = rfc2307
                idmap config TISSISAT:range = 10000-99999
and restarted the Samba daemons.

getent passwd returns only local users and
getent passwd nfs-mgr returns nothing.

I expected to see at least nfs-mgr in the output.
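An added consistency check for the settings discussed in this thread (example code written for this page, not Samba's own tooling): it parses the idmap config lines from an smb.conf fragment, flags a domain range that overlaps the '*' range, reports AD accounts whose uidNumber/gidNumber is missing or outside the domain's range (the 'ad' backend will not map those), and refuses idmap config lines on a DC. The smb.conf fragment and the uidNumber/gidNumber values are constructed from the numbers quoted above; treating dns-khafu as having no uidNumber is an assumption.

```python
import re
# Constructed smb.conf fragment mirroring the member-server idmap settings quoted in the thread.
SAMPLE_SMB_CONF = """
        idmap config *:backend = tdb
        idmap config *:range = 2000-9999
        idmap config TISSISAT:backend = ad
        idmap config TISSISAT:schema_mode = rfc2307
        idmap config TISSISAT:range = 10000-99999
"""
# Constructed uidNumber/gidNumber values as read from AD; None means the attribute is not set.
SAMPLE_AD_IDS = {"nfs-mgr": 10005, "Domain Users": 20513, "dns-khafu": None}

IDMAP_RE = re.compile(r"^\s*idmap\s+config\s+([^:]+?)\s*:\s*(\w+)\s*=\s*(.+?)\s*$", re.I)

def parse_idmap_config(text):
    """Collect 'idmap config DOMAIN:option = value' lines into {domain: {option: value}}."""
    cfg = {}
    for line in text.splitlines():
        m = IDMAP_RE.match(line)
        if m:
            domain, option, value = m.groups()
            cfg.setdefault(domain, {})[option.lower()] = value
    return cfg

def parse_range(value):
    """Turn 'LOW-HIGH' into (low, high), rejecting inverted ranges."""
    low, high = (int(part) for part in value.split("-", 1))
    if low > high:
        raise ValueError(f"inverted idmap range: {value}")
    return low, high

def check_idmap(cfg, domain, ad_ids, is_dc=False):
    """Return a list of findings; an empty list means the settings are consistent."""
    if is_dc:  # a DC allocates IDs from idmap.ldb and must not carry idmap config lines
        return ["idmap config lines found on a DC; remove them"] if cfg else []
    findings = [f"missing 'idmap config {d}:range'" for d in ("*", domain) if "range" not in cfg.get(d, {})]
    if findings:
        return findings
    d_low, d_high = parse_range(cfg["*"]["range"])
    low, high = parse_range(cfg[domain]["range"])
    if low <= d_high and d_low <= high:  # the two intervals intersect
        findings.append(f"{domain} range {low}-{high} overlaps '*' range {d_low}-{d_high}")
    if cfg[domain].get("backend", "").lower() == "ad":  # 'ad' needs RFC2307 attributes inside the range
        for name, number in ad_ids.items():
            if number is None:
                findings.append(f"{name}: no uidNumber/gidNumber in AD, so the 'ad' backend cannot map it")
            elif not low <= number <= high:
                findings.append(f"{name}: {number} is outside the {domain} range {low}-{high}")
    return findings
```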
