[Samba] getent only displays local users & groups

Rowland Penny rpenny at samba.org
Thu Nov 24 08:17:02 UTC 2016


On Thu, 24 Nov 2016 14:08:18 +1100
Henry via samba <samba at lists.samba.org> wrote:

> I have read numerous posts regarding this issue without finding a
> resolution. I have a fresh Samba AD DC & a Samba Member server. the
> member server has been setup using idmap config ad
> 
> wbinfo -u & wbinfo -g both work and list the domain users & groups
> getent passwd & getent group both only display the local member server
> users and groups
> 
> From what I have read I understand getent passwd & getent group should
> display the domain users & groups. "getent passwd administrator"
> returns nothing
> 
> Any help would be greatly appreciated...
> 
> 
> 
> root at ares:/# cat /etc/samba/smb.conf
> # Global parameters
> [global]
>     workgroup = SAMDOM
>     realm = INT.SAMDOM.COM.AU
>     netbios name = ARES
>     server role = active directory domain controller
>     dns forwarder = 192.168.1.254
>     idmap_ldb:use rfc2307 = yes
> 
> [netlogon]
>     path = /var/lib/samba/sysvol/int.samdom.com.au/scripts
>     read only = No
> 
> [sysvol]
>     path = /var/lib/samba/sysvol
>     read only = No
> 
> 
> 
> root at aphrodite:/# cat /etc/samba/smb.conf
> [global]
>        security = ADS
>        workgroup = SAMDOM
>        realm = INT.SAMDOM.COM.AU
> 
>        log file = /var/log/samba/%m.log
>        log level = 1
> 
>        # Default idmap config used for BUILTIN and local windows accounts/groups
>        idmap config *:backend = tdb
>        idmap config *:range = 2000-9999
> 
>        # idmap config for domain SAMDOM
>        idmap config SAMDOM:backend = ad
>        idmap config SAMDOM:schema_mode = rfc2307
>        idmap config SAMDOM:range = 10000-99999
> 
>        # Use settings from AD for login shell and home directory
>        winbind nss info = rfc2307
> 
> 
> 
> root at aphrodite:/# cat /etc/nsswitch.conf
> # /etc/nsswitch.conf
> #
> # Example configuration of GNU Name Service Switch functionality.
> # If you have the `glibc-doc-reference' and `info' packages installed, try:
> # `info libc "Name Service Switch"' for information about this file.
> 
> #passwd:         compat
> passwd:         files winbind
> #group:          compat
> group:          files winbind
> shadow:         compat
> gshadow:        files
> 
> hosts:          files dns
> networks:       files
> 
> protocols:      db files
> services:       db files
> ethers:         db files
> rpc:            db files
> 
> netgroup:       nis
> 

It sounds likely you have made the same assumption that a lot of
people make, you assume that by adding the 'idmap config' lines to
smb.conf, you will get users & groups shown by 'getent'.
It's not that simple, you need to give your users a 'uidNumber'
attribute containing a unique number inside the range '10000-99999'.
You will also need to give 'Domain Users' a 'gidNumber' containing a
number inside the same range.
Do not give Administrator a 'uidNumber', use a user.map instead, add
this to smb.conf on the domain member:

username map = /etc/samba/user.map

Then create /etc/samba/user.map containing this:

!root = SAMDOM\Administrator SAMDOM\administrator Administrator administrator

Restart Samba and Administrator will now be mapped to the Unix user
'root'

Rowland
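An added check (not from the thread or from Samba itself) that follows from the answer above: it reads the 'idmap config DOMAIN:range' line from the member server's smb.conf and compares it with the uidNumber (or gidNumber) values of the domain accounts, reporting any account that has no value or a value outside the range, which is exactly what makes 'getent' skip it. Both inputs are constructed samples; the account data is in the attribute: value shape that 'samba-tool user show' prints, and the account names and numbers are made up.

```python
import re

# Constructed sample: the idmap lines of the member server's smb.conf.
SMB_CONF = """
[global]
   idmap config *:backend = tdb
   idmap config *:range = 2000-9999
   idmap config SAMDOM:backend = ad
   idmap config SAMDOM:schema_mode = rfc2307
   idmap config SAMDOM:range = 10000-99999
"""

# Constructed sample in the LDIF-style shape 'samba-tool user show' prints.
# Names and numbers are invented for the example.
LDIF = """dn: CN=Henry,CN=Users,DC=int,DC=samdom,DC=com,DC=au
sAMAccountName: henry
uidNumber: 10001

dn: CN=Bob,CN=Users,DC=int,DC=samdom,DC=com,DC=au
sAMAccountName: bob

dn: CN=Eve,CN=Users,DC=int,DC=samdom,DC=com,DC=au
sAMAccountName: eve
uidNumber: 5000
"""

def idmap_range(conf, domain):
    """Return (low, high) from the 'idmap config DOMAIN:range = low-high' line."""
    pat = re.compile(r"^\s*idmap config\s+%s\s*:\s*range\s*=\s*(\d+)\s*-\s*(\d+)"
                     % re.escape(domain), re.I | re.M)
    m = pat.search(conf)
    if not m:
        raise ValueError("no idmap range configured for %s" % domain)
    return int(m.group(1)), int(m.group(2))

def parse_ldif(text):
    """Split blank-line separated entries into dicts (single-valued attrs only)."""
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        entry = {}
        for line in block.splitlines():
            if ":" in line:
                key, value = line.split(":", 1)
                entry[key.strip()] = value.strip()
        entries.append(entry)
    return entries

def check_accounts(conf, ldif, domain="SAMDOM", attr="uidNumber"):
    """Map account name -> problem for accounts winbind will not resolve."""
    low, high = idmap_range(conf, domain)
    problems = {}
    for entry in parse_ldif(ldif):
        name = entry.get("sAMAccountName", entry.get("dn", "?"))
        if attr not in entry:
            problems[name] = "missing %s" % attr
        elif not low <= int(entry[attr]) <= high:
            problems[name] = "%s %s outside %d-%d" % (attr, entry[attr], low, high)
    return problems
```

Run the same function with attr="gidNumber" over the output for 'Domain Users' to confirm the group side of the advice.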


