[Samba] NSS interface lists all domain users but gives error on single user

Giuseppe Sacco giuseppe at eppesuigoccas.homedns.org
Wed Oct 17 16:46:35 UTC 2018


Hello Rowland,

On Wed, 17/10/2018 at 14.32 +0100, Rowland Penny via samba wrote:
> On Wed, 17 Oct 2018 15:03:41 +0200
> Giuseppe Sacco via samba <samba at lists.samba.org> wrote:
> [...]
> > # Global parameters
> > [global]
> > 	dns proxy = No
> > 	log file = /var/log/samba/log.%m
> > 	map to guest = Bad User
> > 	max log size = 1000
> > 	panic action = /usr/share/samba/panic-action %d
> > 	realm = AGENZIA.LOCAL
> > 	security = ADS
> > 	server role = member server
> > 	server string = %h server (Samba, Ubuntu)
> > 	template homedir = /home/%U
> > 	template shell = /bin/bash
> > 	usershare allow guests = Yes
> > 	winbind cache time = 5
> > 	winbind enum groups = Yes
> > 	winbind enum users = Yes
> > 	winbind offline logon = Yes
> > 	winbind refresh tickets = Yes
> > 	winbind separator = +
> > 	workgroup = AGENZIA
> > 	idmap config * : range = 5000-5100
> > 	idmap config * : backend = tdb
> 
> You haven't set up idmap correctly, see here:
> https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member
> and here:
> https://wiki.samba.org/index.php/Idmap_config_ad
> or here:
> https://wiki.samba.org/index.php/Idmap_config_rid

If I understand the documentation, I need to set up two idmap configs,
one allocating ids for the BUILTIN users (using the tdb backend) and a
separate one for my domain users. I thought that using "*" would have
covered all domains, but I now think this is not true. Moreover, using
the rid backend, I found that not all users were listed until its range
was large enough.

So, I changed the idmap config this way:

	idmap config * : range = 3000-7999
	idmap config * : backend = tdb
	idmap config AGENZIA : range = 8000-20000
	idmap config AGENZIA : backend = rid

I stopped the samba daemons, deleted the relevant tdb files, restarted
all daemons. I did not leave/join the domain again.

But I still have the same problem: "getent passwd" lists all users,
while "getent passwd 'AGENZIA+manuelb'" does not give any results.

Thank you very much,
Giuseppe
