[Samba] AD Domain member - getent passwd truncated to only 18 users

Rowland Penny rpenny at samba.org
Wed Dec 12 19:39:32 UTC 2018 

On Wed, 12 Dec 2018 16:38:52 -0200
Marcio Vogel Merlone dos Santos via samba <samba at lists.samba.org> wrote:

> Hi,
> 
> Due to some legacy php app I have to integrate an Ubuntu 14.04 server
> on my AD structure. AD DC is a Ubuntu 18.04 with canonical packages
> running Samba 4.7 (4.7.6+dfsg~ubuntu-0ubuntu2.5) and member server
> runs Samba 4.3 (4.3.11+dfsg-0ubuntu0.14.04.19).
> 
> After installing the 14.04 member server, installed samba packages
> and dependencies according to wiki and no errors. I get all users on
> 'wbinfo -u' but 'getent passwd' returns exactly 18 users only.
> 
> I run '/usr/sbin/winbindd -F -S -i --no-process-group -d 4', asked
> for 'getent passwd', got only those 18 users and I have "ads
> query_user_list gave 235 entries" on winbindd output, which matches
> 'wbinfo -u | wc -l'. Asking 'id someuser' not listed on getent fails,
> 'id'ing one of those 18 users works fine.
> 
> I have no idea what to check next, appreciate any help or hint. I
> added winbind enum options and password server to smb.conf just for
> debug.
> 
> root at marte:~# cat /etc/nsswitch.conf
> passwd:     compat winbind
> group:      compat winbind
> shadow:     compat
> 
> hosts:      files dns
> networks:   files
> 
> protocols:  db files
> services:   db files
> ethers:     db files
> rpc:        db files
> 
> netgroup:   nis
> sudoers     files
> root at marte:~#
> root at marte:~# cat /etc/krb5.conf
> [libdefaults]
> default_realm = AD.TLD
> 
> [realms]
> AD.TLD = {
>    kdc = eucalipto.ad.TLD
> }
> 
> [domain_realm]
>    .TLD      = AD.TLD
>    TLD       = AD.TLD
>   .kerberos.server = AD.TLD
> root at marte:~#
> root at marte:~# cat /etc/samba/smb.conf
> [global]
>      security = ADS
>      netbios name = Marte
>      realm = AD.TLD
>      workgroup = A1
> 
>      log file = /var/log/samba/%m.log
>      log level = 1
> 
>      winbind use default domain = yes
>      idmap config * : backend = tdb
>      idmap config * : range = 70000-70999
> 
>      idmap config A1 :backend = ad
>      idmap config A1 :schema_mode = rfc2307
>      idmap config A1 :range = 500-65300
>      idmap config A1 :unix_nss_info = yes
>      idmap config A1 :unix_primary_group = yes

The above lines are only applicable for Samba >= 4.6.0
Add: winbind nss info = rfc2307
remove the last two lines, see here for more info:

https://wiki.samba.org/index.php/Idmap_config_ad

Rowland

More information about the samba mailing list