[Samba] AD Domain member - getent passwd truncated to only 18 users
Rowland Penny
rpenny at samba.org
Wed Dec 12 19:39:32 UTC 2018
On Wed, 12 Dec 2018 16:38:52 -0200
Marcio Vogel Merlone dos Santos via samba <samba at lists.samba.org> wrote:
> Hi,
>
> Due to some legacy php app I have to integrate an Ubuntu 14.04 server
> on my AD structure. AD DC is a Ubuntu 18.04 with canonical packages
> running Samba 4.7 (4.7.6+dfsg~ubuntu-0ubuntu2.5) and member server
> runs Samba 4.3 (4.3.11+dfsg-0ubuntu0.14.04.19).
>
> After installing the 14.04 member server, installed samba packages
> and dependencies according to wiki and no errors. I get all users on
> 'wbinfo -u' but 'getent passwd' returns exactly 18 users only.
>
> I run '/usr/sbin/winbindd -F -S -i --no-process-group -d 4', asked
> for 'getent passwd', got only those 18 users and I have "ads
> query_user_list gave 235 entries" on winbindd output, which matches
> 'wbinfo -u | wc -l'. Asking 'id someuser' not listed on getent fails,
> 'id'ing one of those 18 users works fine.
>
> I have no idea what to check next, appreciate any help or hint. I
> added winbind enum options and password server to smb.conf just for
> debug.
>
> root at marte:~# cat /etc/nsswitch.conf
> passwd: compat winbind
> group: compat winbind
> shadow: compat
>
> hosts: files dns
> networks: files
>
> protocols: db files
> services: db files
> ethers: db files
> rpc: db files
>
> netgroup: nis
> sudoers files
> root at marte:~#
> root at marte:~# cat /etc/krb5.conf
> [libdefaults]
> default_realm = AD.TLD
>
> [realms]
> AD.TLD = {
> kdc = eucalipto.ad.TLD
> }
>
> [domain_realm]
> .TLD = AD.TLD
> TLD = AD.TLD
> .kerberos.server = AD.TLD
> root at marte:~#
> root at marte:~# cat /etc/samba/smb.conf
> [global]
> security = ADS
> netbios name = Marte
> realm = AD.TLD
> workgroup = A1
>
> log file = /var/log/samba/%m.log
> log level = 1
>
> winbind use default domain = yes
> idmap config * : backend = tdb
> idmap config * : range = 70000-70999
>
> idmap config A1 :backend = ad
> idmap config A1 :schema_mode = rfc2307
> idmap config A1 :range = 500-65300
> idmap config A1 :unix_nss_info = yes
> idmap config A1 :unix_primary_group = yes

The above lines are only applicable for Samba >= 4.6.0

Add: winbind nss info = rfc2307

Remove the last two lines, see here for more info:

https://wiki.samba.org/index.php/Idmap_config_ad

Rowland
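
The following is an added example, not part of the original thread and not Samba project code: a small Python check that applies the reply's advice to a member server's smb.conf. The function names and the sample configuration are constructed here, and the 4.6.0 cut-off is taken from the reply above.

```python
import re

# Constructed sample: the idmap part of the smb.conf quoted in the thread.
SAMPLE_CONF = """\
[global]
security = ADS
idmap config * : backend = tdb
idmap config * : range = 70000-70999
idmap config A1 :backend = ad
idmap config A1 :schema_mode = rfc2307
idmap config A1 :range = 500-65300
idmap config A1 :unix_nss_info = yes
idmap config A1 :unix_primary_group = yes
"""

# Per the reply above, these idmap_ad options need Samba >= 4.6.0.
NEEDS_4_6 = {"unix_nss_info", "unix_primary_group"}
IDMAP_RE = re.compile(r"^idmap config\s+(\S+?)\s*:\s*(\S+)$", re.I)


def parse_version(text):
    """Turn '4.3.11+dfsg-0ubuntu0.14.04.19' into (4, 3, 11)."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"unrecognised Samba version: {text!r}")
    return tuple(int(g) for g in m.groups())


def check_idmap_ad(conf_text, samba_version):
    """List the changes the reply asks for when the member runs Samba < 4.6.0."""
    if parse_version(samba_version) >= (4, 6, 0):
        return []
    findings, plain, ad_domains = [], {}, set()
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;[" or "=" not in line:
            continue  # skip blanks, comments and section headers
        key, value = (part.strip() for part in line.split("=", 1))
        key = " ".join(key.split())  # collapse runs of whitespace in the key
        m = IDMAP_RE.match(key)
        if not m:
            plain[key.lower()] = value.lower()
            continue
        domain, option = m.group(1), m.group(2).lower()
        if option == "backend" and value.lower() == "ad":
            ad_domains.add(domain)
        elif option in NEEDS_4_6:
            findings.append(f"remove: idmap config {domain} : {option}")
    if ad_domains and plain.get("winbind nss info") != "rfc2307":
        findings.append("add: winbind nss info = rfc2307")
    return findings
```

Calling `check_idmap_ad(SAMPLE_CONF, "4.3.11+dfsg-0ubuntu0.14.04.19")` returns the two lines to remove and the one to add; with the DC's 4.7.6 version string it returns an empty list.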