[Samba] AD Domain member - getent passwd truncated to only 18 users

Marcio Vogel Merlone dos Santos marcio.merlone at a1.ind.br
Wed Dec 12 18:38:52 UTC 2018


Due to some legacy PHP app I have to integrate an Ubuntu 14.04 server into 
my AD structure. The AD DC is an Ubuntu 18.04 with Canonical packages running 
Samba 4.7 (4.7.6+dfsg~ubuntu-0ubuntu2.5) and the member server runs Samba 
4.3 (4.3.11+dfsg-0ubuntu0.14.04.19).

After installing the 14.04 member server, I installed the Samba packages and 
dependencies according to the wiki, with no errors. I get all users on 'wbinfo 
-u' but 'getent passwd' returns exactly 18 users only.

I ran '/usr/sbin/winbindd -F -S -i --no-process-group -d 4', asked for 
'getent passwd', got only those 18 users, and I have "ads query_user_list 
gave 235 entries" in the winbindd output, which matches 'wbinfo -u | wc -l'. 
Asking 'id someuser' for a user not listed by getent fails; 'id'ing one of 
those 18 users works fine.

I have no idea what to check next and would appreciate any help or hint. I added 
the winbind enum options and password server to smb.conf just for debugging.

root@marte:~# cat /etc/nsswitch.conf
passwd:     compat winbind
group:      compat winbind
shadow:     compat

hosts:      files dns
networks:   files

protocols:  db files
services:   db files
ethers:     db files
rpc:        db files

netgroup:   nis
sudoers     files
root@marte:~#
root@marte:~# cat /etc/krb5.conf
default_realm = AD.TLD

AD.TLD = {
   kdc = eucalipto.ad.TLD

   .TLD      = AD.TLD
   TLD       = AD.TLD
  .kerberos.server = AD.TLD
root@marte:~#
root@marte:~# cat /etc/samba/smb.conf
     security = ADS
     netbios name = Marte
     realm = AD.TLD
     workgroup = A1

     log file = /var/log/samba/%m.log
     log level = 1

     winbind use default domain = yes
     idmap config * : backend = tdb
     idmap config * : range = 70000-70999

     idmap config A1 :backend = ad
     idmap config A1 :schema_mode = rfc2307
     idmap config A1 :range = 500-65300
     idmap config A1 :unix_nss_info = yes
     idmap config A1 :unix_primary_group = yes

     username map = /etc/samba/user.map

     local master = no
     domain master = no
     preferred master = no
     dns proxy = no
     encrypt passwords = yes
     winbind use default domain = yes
     winbind offline logon = false
     winbind separator = +
     winbind enum users = Yes
     winbind enum groups = Yes
     password server = eucalipto.ad.TLD
root@marte:~#

Thank you, best regards.

*Marcio Merlone*
