[Samba] `getent passwd` not working with ad backend

Harpoon harp00n at protonmail.com
Thu Jan 24 08:57:21 UTC 2019


Hi all,
I've been reading and it seems like the ad backend has many features that I'd like to use. However, despite browsing many forums and docs, I am still unable to get the domain users list using `getent passwd` while using the `ad backend`. If I change the backend to tdb, then I can get usernames on the clients. Authentication works fine too when using the `tdb backend`. I think the only issue is with the mapping part. Otherwise the domain is working pretty fine.

All boxes are running Debian Stretch.

===================================================
Server's smb.conf
===================================================
# Global parameters
[global]
netbios name = DC1
realm = SAMDOM.EXAMPLE.COM
workgroup = SAMDOM
dns forwarder = 10.0.5.200
server role = active directory domain controller
idmap_ldb:use rfc2307 = yes
winbind enum users = yes
winbind enum groups = yes
template shell = /bin/bash

[netlogon]
path = /var/lib/samba/sysvol/samdom.example.com/scripts
read only = No

[sysvol]
path = /var/lib/samba/sysvol
read only = No

===================================================
Client's smb.conf
===================================================
[global]
netbios name = client1
realm = SAMDOM.EXAMPLE.COM
workgroup = SAMDOM
security = ADS
kerberos method = secrets and keytab
winbind trusted domains only = no
winbind enum users = yes
winbind enum groups = yes
winbind use default domain = yes
winbind nss info = rfc2307
#   FOR Samba-share `getent` testing
#    password server = dc1.samdom.example.com
#    client signing = auto
#    server signing = auto

idmap config * : backend = tdb
idmap config * : range = 10000-20000

idmap config SAMDOM : backend = ad
idmap config SAMDOM : range = 21000-200000
-------------------------------------------------------------------------

**With ad backend:**
1. wbinfo -u lists all domain users
2. `getent passwd` doesn't list domain users

**With tdb backend:**
1. wbinfo -u lists all domain users
2. `getent passwd` also lists all domain users

Just by commenting out the `idmap config SAMDOM` lines in the client's smb.conf, all other things start working such as `getent passwd`, authentication, etc.

I tried adding multiple Unix groups and users following the instructions on the Samba Wiki, but the result is always the same. I've been trying to sort it out for a couple of weeks and it's now driving me insane.
Any help would be appreciated!

Kind regards,
Harp

