[Samba] NSS interface lists all domain users but gives error on single user
Rowland Penny
rpenny at samba.org
Wed Oct 17 17:25:52 UTC 2018
On Wed, 17 Oct 2018 18:46:35 +0200
Giuseppe Sacco via samba <samba at lists.samba.org> wrote:
> Hello Rowland,
>
> Il giorno mer, 17/10/2018 alle 14.32 +0100, Rowland Penny via samba ha
> scritto:
> > On Wed, 17 Oct 2018 15:03:41 +0200
> > Giuseppe Sacco via samba <samba at lists.samba.org> wrote:
> > [...]
> > > # Global parameters
> > > [global]
> > > dns proxy = No
> > > log file = /var/log/samba/log.%m
> > > map to guest = Bad User
> > > max log size = 1000
> > > panic action = /usr/share/samba/panic-action %d
> > > realm = AGENZIA.LOCAL
> > > security = ADS
> > > server role = member server
> > > server string = %h server (Samba, Ubuntu)
> > > template homedir = /home/%U
> > > template shell = /bin/bash
> > > usershare allow guests = Yes
> > > winbind cache time = 5
> > > winbind enum groups = Yes
> > > winbind enum users = Yes
> > > winbind offline logon = Yes
> > > winbind refresh tickets = Yes
> > > winbind separator = +
> > > workgroup = AGENZIA
> > > idmap config * : range = 5000-5100
> > > idmap config * : backend = tdb
> >
> > You haven't set up idmap correctly, see here:
> > https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member
> > and here:
> > https://wiki.samba.org/index.php/Idmap_config_ad
> > or here:
> > https://wiki.samba.org/index.php/Idmap_config_rid
>
> If I understand the documentation, I need to setup two idmap config,
> one allocating ids for the BUILTIN users (using the tdb backend) and a
> separate one for my domain users. I thought that using "*" would have
> covered all domains, but I now think this is not true. Moreover, using
> the rid backend, I found that not all users were listed until its
> range was large enough.
>
> So, I changed the idmap config this way:
>
> idmap config * : range = 3000-7999
> idmap config * : backend = tdb
> idmap config AGENZIA : range = 8000-20000
> idmap config AGENZIA : backend = rid
>
> I stopped the samba daemons, deleted the relevant tdb files, restarted
> all daemons. I did not leave/join the domain again.
>
> But I still have the same problem: "getent passwd" lists all users,
> while "getent passwd 'AGENZIA+manuelb'" does not give any results.
>
okay, try changing this in /etc/nsswitch.conf:
passwd: files winbind systemd
group: files winbind systemd
shadow: files winbind
To this:
NSS configuration is simple:
passwd: files winbind
group: files winbind
shadow: files
make sure that 'smbd' & 'winbind' are running.
Providing that there is a user called 'manuelb' in AD, winbind should
show the user with 'getent passwd AGENZIA+manuelb'
Rowland
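Added example, not code from this thread or from Samba: a small Python checker that parses idmap config lines like the ones quoted above, flags a missing '*' or domain block and overlapping ranges, and computes the Unix ID the rid backend derives for a RID (LOW_RANGE_ID + RID - BASE_RID). A RID whose result falls outside the configured range cannot be mapped, which is the "range not large enough" situation mentioned in the quoted reply; the two config fragments and the RIDs are constructed for the example.

```python
import re

# Constructed smb.conf fragments: the idmap settings as first posted in the
# thread and the revised ones from the quoted reply.
CONF_ORIGINAL = """
idmap config * : range = 5000-5100
idmap config * : backend = tdb
"""
CONF_REVISED = """
idmap config * : range = 3000-7999
idmap config * : backend = tdb
idmap config AGENZIA : range = 8000-20000
idmap config AGENZIA : backend = rid
"""

IDMAP_RE = re.compile(r"^\s*idmap config\s+(\S+)\s*:\s*(\w+)\s*=\s*(.+?)\s*$", re.I)

def parse_idmap(conf):
    """Collect 'idmap config DOMAIN : option = value' lines into a dict."""
    domains = {}
    for line in conf.splitlines():
        m = IDMAP_RE.match(line)
        if m:
            domains.setdefault(m.group(1), {})[m.group(2).lower()] = m.group(3)
    return domains

def id_range(opts):
    lo, hi = opts["range"].split("-")
    return int(lo), int(hi)

def check_idmap(conf, workgroup):
    """Return findings about the idmap layout; an empty list means nothing found."""
    doms = parse_idmap(conf)
    findings = []
    if "*" not in doms:
        findings.append("no 'idmap config *' block for BUILTIN and other well-known SIDs")
    if workgroup not in doms:
        findings.append(f"no 'idmap config {workgroup}' block: domain SIDs fall back to the '*' range")
    names = list(doms)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            (alo, ahi), (blo, bhi) = id_range(doms[a]), id_range(doms[b])
            if alo <= bhi and blo <= ahi:  # the two intervals intersect
                findings.append(f"ranges for '{a}' and '{b}' overlap")
    return findings

def rid_to_id(conf, domain, rid):
    """ID the rid backend derives for a RID, or None when it lies outside the range
    (then the account is unmappable and a single-user getent returns nothing)."""
    opts = parse_idmap(conf)[domain]
    lo, hi = id_range(opts)
    uid = lo + rid - int(opts.get("base_rid", "0"))
    return uid if lo <= uid <= hi else None
```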