[Samba] getent only displays local users & groups

Rowland Penny rpenny at samba.org
Sat Nov 26 09:30:51 UTC 2016

On Sat, 26 Nov 2016 12:25:23 +1100
Henry <dercni at gmail.com> wrote:

> thanks again Rowland however I must have something wrong as I have
> double checked everything...
> Group: Domains Users has GID of 10000
> User: henry has UID of 10000
> can the user and group have the same number?

Yes, this is me on my Unix domain member:

rowland at devstation:~$ getent passwd rowland
rowland:*:10000:10000:Rowland Penny:/home/rowland:/bin/bash

> henry is a member of "Domain Users"
> /etc/nnswitch.conf has winbind the the passwd & group lines
> I have installed libnss-winbind and libpam-winbind on the member
> server.
> getent passwd henry => returns nothing

Ah, do you have this line in smb.conf:

    winbind use default domain = yes

If not, try like this:

getent passwd SAMDOM\\henry

> I note when I click the "UNIX Attributes" tab for the group I
> initially receive a popup message of "Unwilling to Perform" and once I
> click OK it goes away and display the attributes. I do not get this on
> the user properties.

ADUC does funny things like that.

> Above you made the following comment:
> "Firstly 'getent passwd administrator' on a domain member shouldn't
> show anything (it does on a Samba AD DC), remember it is now mapped to
> root."
> I note on my DC getent passwd administrator => returns nothing, could
> this indicate the problem cause?

Unlikely, as I said, you need the PAM glue to get 'getent' to work,
without libnss-winbind & PAM, 'getent' will only show local users.

> As I have the user.map on the member server how would the DC know
> administrator is mapped to root?

It is mapped in idmap.ldb on the DC, if you open this in ldbedit,
i.e. ldbedit -e nano -H /usr/local/samba/private/idmap.ldb

You should find something like this:

dn: CN=S-1-5-21-1768301897-3342589593-1064908849-500
cn: S-1-5-21-1768301897-3342589593-1064908849-500
objectClass: sidMap
objectSid: S-1-5-21-1768301897-3342589593-1064908849-500
xidNumber: 0
distinguishedName: CN=S-1-5-21-1768301897-3342589593-1064908849-500

Administrator has the windows RID '500' and is mapped to the Unix ID
'0' and this is always 'root'


More information about the samba mailing list