[Samba] getent only displays local users & groups
rpenny at samba.org
Sun Nov 27 08:17:40 UTC 2016
On Sun, 27 Nov 2016 10:33:04 +1100
Henry <dercni at gmail.com> wrote:
> On Sat, Nov 26, 2016 at 8:30 PM, Rowland Penny via samba
> <samba at lists.samba.org> wrote:
> > On Sat, 26 Nov 2016 12:25:23 +1100
> > Henry <dercni at gmail.com> wrote:
> >> thanks again Rowland however I must have something wrong as I have
> >> double checked everything...
> >> Group: Domains Users has GID of 10000
> >> User: henry has UID of 10000
> >> can the user and group have the same number?
> > Yes, this is me on my Unix domain member:
> > rowland at devstation:~$ getent passwd rowland
> > rowland:*:10000:10000:Rowland Penny:/home/rowland:/bin/bash
> >> henry is a member of "Domain Users"
> >> /etc/nnswitch.conf has winbind the the passwd & group lines
> >> I have installed libnss-winbind and libpam-winbind on the member
> >> server.
> >> getent passwd henry => returns nothing
> > Ah, do you have this line in smb.conf:
> > winbind use default domain = yes
> > If not, try like this:
> > getent passwd SAMDOM\\henry
> It works !!!!
> root at aphrodite:~# getent passwd SAMDOM\\henry
> root at aphrodite:~# vi /etc/samba/smb.conf
> ** REBOOT **
> root at aphrodite:~# getent passwd henry
> henry:*:10000:10000:Henry McLaughlin:/home/henry:/bin/sh
> root at aphrodite:~# getent group Domain\ Users
> domain users:x:10000:
> >> I note when I click the "UNIX Attributes" tab for the group I
> >> initially receive a popup message of "Unwilling to Perform" and
> >> once I click OK it goes away and display the attributes. I do not
> >> get this on the user properties.
> > ADUC does funny things like that.
> >> Above you made the following comment:
> >> "Firstly 'getent passwd administrator' on a domain member shouldn't
> >> show anything (it does on a Samba AD DC), remember it is now
> >> mapped to root."
> >> I note on my DC getent passwd administrator => returns nothing,
> >> could this indicate the problem cause?
> > Unlikely, as I said, you need the PAM glue to get 'getent' to work,
> > without libnss-winbind & PAM, 'getent' will only show local users.
> >> As I have the user.map on the member server how would the DC know
> >> administrator is mapped to root?
> > It is mapped in idmap.ldb on the DC, if you open this in ldbedit,
> > i.e. ldbedit -e nano -H /usr/local/samba/private/idmap.ldb
> > You should find something like this:
> > dn: CN=S-1-5-21-1768301897-3342589593-1064908849-500
> > cn: S-1-5-21-1768301897-3342589593-1064908849-500
> > objectClass: sidMap
> > objectSid: S-1-5-21-1768301897-3342589593-1064908849-500
> > type: ID_TYPE_UID
> > xidNumber: 0
> > distinguishedName: CN=S-1-5-21-1768301897-3342589593-1064908849-500
> > Administrator has the windows RID '500' and is mapped to the Unix ID
> > '0' and this is always 'root'
> Does this mean that on the DC "administrator" is auto mapped to "root"
> however not on the member so we need the usermap on the member to tell
> it what the mapping is?
That is a very good way of putting it.
> > Rowland
> > --
> > To unsubscribe from this list go to the following URL and read the
> > instructions: https://lists.samba.org/mailman/options/samba
> Once again Rowland thanks for all your help here. Could not have got
> this far without your help :)
Np problem. glad to help.
More information about the samba