[Samba] getent passwd user no output, addc + dm
rpenny at samba.org
Fri Feb 17 18:35:01 UTC 2017
On Fri, 17 Feb 2017 12:04:43 -0600
Lin Pro <linforpros at gmail.com> wrote:
> >>> You are using the winbind 'ad' backend, do your users have a
> 'uidNumber' attribute containing a unique number inside the range
> '10000-999999' ?
> Does 'Domain Users' have a 'gidNumber' attribute inside the same
> range ? <<<
> I do not know. "samba-tool user help" does not reveal a "view"
> argument to have a look.
ldbsearch does though, or ADUC on a Windows version less than 10.
The sheer fact that you do not know tells me that you don't have
'uidNumber' or 'gidNumber' attributes in AD. You personally have to add
them! They are not created automatically.
> But remember - on the Ubuntu AD DC the getent passwd <user> works. Let
> me list it for you:
> root@dc1:~# getent passwd justin
> SF\justin:*:3000020:100:Justin Falon:/home/SF/justin:/bin/false
Well it would work on the DC, these numbers are coming from idmap.ldb
> Is the big number "3000020" a uidNumber attribute?
No, it is an 'xidNumber' that is mapped to the user's SID in idmap.ldb
> Removal of the lines that you mentioned (they were added in
> desperation to look for a solution anyway) did not produce expected
It won't have made it worse either ;-)
> So at this moment the following is the result:
> root@ubuntu-dm1:~# getent group "Domain Users"
> root@ubuntu-dm1:~# getent group "Admin Users"
> root@ubuntu-dm1:~# getent passwd justin
> root@ubuntu-dm1:~#
Have you read the Samba wiki ?
> Let me show you the /etc/smb.conf on both machines, AD DC and the
> Member Domain
> AD DC smb.conf
> # Global parameters
> workgroup = SF
> realm = SF.TEST.ORG
> netbios name = DC1
> server role = active directory domain controller
> # dns forwarder just for testing
What do you mean 'just for testing' ? If you use the internal DNS
server, you need the forwarder.
> And member Domain server
> root@ubuntu-dm1:~# cat /etc/krb5.conf
> default_realm = SF.TEST.ORG
> dns_lookup_realm = false
> dns_lookup_kdc = true
That is correct for the Unix domain member, it is also all you need on
the DC as well.
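
A check for the attributes discussed in this message, as an added example that is not part of the original post: it parses ldbsearch-style LDIF and reports users without a 'uidNumber', or groups without a 'gidNumber', inside the 10000-999999 range. The LDIF sample, the sam.ldb path in the comment and the function names are constructed for illustration.

```python
# Constructed ldbsearch-style LDIF (not from the thread). On the DC it could come from
# e.g.  ldbsearch -H /var/lib/samba/private/sam.ldb '(sAMAccountName=justin)' \
#           objectClass uidNumber gidNumber     (sam.ldb path is an assumption)
SAMPLE_LDIF = """\
# record 1
dn: CN=Justin Falon,CN=Users,DC=sf,DC=test,DC=org
objectClass: user
sAMAccountName: justin

dn: CN=Domain Users,CN=Users,DC=sf,DC=test,DC=org
objectClass: group
sAMAccountName: Domain Users
gidNumber: 10000

dn: CN=Old User,CN=Users,DC=sf,DC=test,DC=org
objectClass: user
sAMAccountName: olduser
uidNumber: 3000021
"""

ID_RANGE = (10000, 999999)  # range quoted in the thread
REQUIRED = {"user": "uidNumber", "group": "gidNumber"}  # objectClass -> needed attribute

def parse_ldif(text):
    """Split simple (unfolded, non-base64) LDIF into {attribute: [values]} dicts."""
    records, current = [], {}
    for line in text.splitlines() + [""]:
        if not line.strip():          # blank line ends a record
            if current:
                records.append(current)
            current = {}
        elif not line.startswith("#") and ": " in line:
            key, value = line.split(": ", 1)
            current.setdefault(key, []).append(value)
    return records

def check_ids(records, id_range=ID_RANGE):
    """Return {sAMAccountName: problem} for entries lacking an in-range ID attribute."""
    low, high = id_range
    problems = {}
    for rec in records:
        name = rec.get("sAMAccountName", rec.get("dn", ["?"]))[0]
        for attr in (a for c, a in REQUIRED.items() if c in rec.get("objectClass", [])):
            if attr not in rec:
                problems[name] = f"{attr} missing"
            elif not low <= int(rec[attr][0]) <= high:
                problems[name] = f"{attr} {rec[attr][0]} outside {low}-{high}"
    return problems
```

Calling `check_ids(parse_ldif(SAMPLE_LDIF))` flags `justin` (no 'uidNumber') and `olduser` (a value outside the range), while 'Domain Users' passes.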