[Samba] getent only displays local users & groups
Rowland Penny
rpenny at samba.org
Thu Nov 24 08:17:02 UTC 2016
On Thu, 24 Nov 2016 14:08:18 +1100
Henry via samba <samba at lists.samba.org> wrote:
> I have read numerous posts regarding this issue without finding a
> resolution. I have a fresh Samba AD DC & a Samba Member server. the
> member server has been setup using idmap config ad
>
> wbinfo -u & wbinfo -g both work and list the domain users & groups
> getent passwd & getent group both only display the local member server
> users and groups
>
> From what I have read I understand getent passwd & getent group should
> display the domain users & groups. "getent passwd administrator"
> returns nothing
>
> Any help would be greatly appreciated...
>
>
>
> root at ares:/# cat /etc/samba/smb.conf
> # Global parameters
> [global]
> workgroup = SAMDOM
> realm = INT.SAMDOM.COM.AU
> netbios name = ARES
> server role = active directory domain controller
> dns forwarder = 192.168.1.254
> idmap_ldb:use rfc2307 = yes
>
> [netlogon]
> path = /var/lib/samba/sysvol/int.samdom.com.au/scripts
> read only = No
>
> [sysvol]
> path = /var/lib/samba/sysvol
> read only = No
>
>
>
> root at aphrodite:/# cat /etc/samba/smb.conf
> [global]
> security = ADS
> workgroup = SAMDOM
> realm = INT.SAMDOM.COM.AU
>
> log file = /var/log/samba/%m.log
> log level = 1
>
> # Default idmap config used for BUILTIN and local windows accounts/groups
> idmap config *:backend = tdb
> idmap config *:range = 2000-9999
>
> # idmap config for domain SAMDOM
> idmap config SAMDOM:backend = ad
> idmap config SAMDOM:schema_mode = rfc2307
> idmap config SAMDOM:range = 10000-99999
>
> # Use settings from AD for login shell and home directory
> winbind nss info = rfc2307
>
>
>
> root at aphrodite:/# cat /etc/nsswitch.conf
> # /etc/nsswitch.conf
> #
> # Example configuration of GNU Name Service Switch functionality.
> # If you have the `glibc-doc-reference' and `info' packages installed, try:
> # `info libc "Name Service Switch"' for information about this file.
>
> #passwd: compat
> passwd: files winbind
> #group: compat
> group: files winbind
> shadow: compat
> gshadow: files
>
> hosts: files dns
> networks: files
>
> protocols: db files
> services: db files
> ethers: db files
> rpc: db files
>
> netgroup: nis
>
It sounds likely you have made the same assumption that a lot of
people make: you assume that by adding the 'idmap config' lines to
smb.conf, you will get users & groups shown by 'getent'.
It's not that simple, you need to give your users a 'uidNumber'
attribute containing a unique number inside the range '10000-99999'.
You will also need to give 'Domain Users' a 'gidNumber' containing a
number inside the same range.
Do not give Administrator a 'uidNumber', use a user.map instead. Add
this to smb.conf on the domain member:
username map = /etc/samba/user.map
Then create /etc/samba/user.map containing this:
!root = SAMDOM\Administrator SAMDOM\administrator Administrator administrator
Restart Samba and Administrator will now be mapped to the Unix user
'root'.
Rowland
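As an added example, not part of the post above and not Samba's own code: a POSIX shell check for the condition Rowland describes. It audits an LDIF-style export of users and groups for uidNumber/gidNumber values inside the member server's 'idmap config SAMDOM:range', treats a missing uidNumber on Administrator as the expected case covered by the username map, and flags everything else as missing or out of range. The sample LDIF is constructed; the attribute names sAMAccountName, uidNumber and gidNumber are the standard AD and rfc2307 ones, and the range 10000-99999 is the one in the smb.conf quoted above. On a real domain the audit function is meant to read the LDIF output of an ldbsearch or ldapsearch query instead of the sample.

```shell
#!/bin/sh
# Added example (not from the list post): audit an LDIF dump of AD users and
# groups for the rfc2307 attributes that 'idmap config SAMDOM:backend = ad'
# needs before getent can show them. The range matches the smb.conf above.
RANGE_LOW=10000
RANGE_HIGH=99999

# Constructed sample, shaped like an ldbsearch/LDIF export of a few objects.
# Assumed attribute names: sAMAccountName, uidNumber, gidNumber.
SAMPLE_LDIF='dn: CN=alice,CN=Users,DC=int,DC=samdom,DC=com,DC=au
sAMAccountName: alice
uidNumber: 10001

dn: CN=bob,CN=Users,DC=int,DC=samdom,DC=com,DC=au
sAMAccountName: bob

dn: CN=carol,CN=Users,DC=int,DC=samdom,DC=com,DC=au
sAMAccountName: carol
uidNumber: 5000

dn: CN=Administrator,CN=Users,DC=int,DC=samdom,DC=com,DC=au
sAMAccountName: Administrator

dn: CN=Domain Users,CN=Users,DC=int,DC=samdom,DC=com,DC=au
sAMAccountName: Domain Users
gidNumber: 10000
'

# audit_ids: read LDIF on stdin, print "<STATUS> <sAMAccountName>" per object.
#   OK            uidNumber/gidNumber present and inside the idmap range
#   MISSING       no uidNumber/gidNumber, so winbind will not map it
#   OUT_OF_RANGE  number present but outside RANGE_LOW-RANGE_HIGH
#   USERNAME_MAP  Administrator without uidNumber: expected, map it to root
audit_ids() {
    awk -v lo="$RANGE_LOW" -v hi="$RANGE_HIGH" '
        function flush() {
            if (name != "") {
                if (id == "" && name == "Administrator") status = "USERNAME_MAP"
                else if (id == "") status = "MISSING"
                else if (id + 0 < lo + 0 || id + 0 > hi + 0) status = "OUT_OF_RANGE"
                else status = "OK"
                print status, name
            }
            name = ""; id = ""
        }
        # one object per blank-line-separated LDIF record
        /^sAMAccountName: / { name = $0; sub(/^sAMAccountName: /, "", name) }
        /^(uidNumber|gidNumber): / { id = $2 }
        /^$/ { flush() }
        END { flush() }
    '
}

# audit_sample: run the audit over the constructed sample export.
audit_sample() {
    printf '%s\n' "$SAMPLE_LDIF" | audit_ids
}

audit_sample
```

Run stand-alone it prints one line per object; only alice and Domain Users come back OK, bob is reported as missing, carol as outside the range, and Administrator as the account the username map is expected to cover. Any MISSING or OUT_OF_RANGE line is a user or group that 'getent' on the member server will not show no matter how smb.conf is written.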