[Samba] `getent passwd` not working with ad backend

L. van Belle belle at samba.org
Thu Jan 24 09:10:22 UTC 2019


Did you assign uid/gids to the users/groups? 
https://wiki.samba.org/index.php/Maintaining_Unix_Attributes_in_AD_using_ADUC

And test with 
getent passwd username 

You can change these settings to no; for testing it's ok, 
but it only slows down your server. 
# For member and DC, set to no. 
> winbind enum users = yes
> winbind enum groups = yes 


# member only 
If you use: 
> kerberos method = secrets and keytab 
Then also set: 
    dedicated keytab file = /etc/krb5.keytab
    # renew the kerberos ticket
    winbind refresh tickets = yes


Besides that the configs look ok. 

Can you show /etc/nsswitch.conf 
I expect it to be good, just to be sure. 


Greetz, 

Louis

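The practical difference between the two backends in this thread is where the uid comes from: with `idmap config SAMDOM : backend = tdb` winbind allocates ids itself, so `wbinfo -u` and `getent passwd` agree; with `backend = ad` winbind only returns a passwd entry for accounts whose RFC2307 `uidNumber` exists in AD and lies inside the configured `idmap config SAMDOM : range`, while `wbinfo -u` still lists every name. The script below is an added example, not code from the thread or from the Samba project. It audits an LDIF-style dump of user objects against the poster's range `21000-200000`; the LDIF is constructed sample data, not a real export (in practice you would feed it the output of `ldbsearch`/`ldapsearch` against the DC). It assumes that a user without its own `gidNumber` is mapped through the primary group's `gidNumber`, which this script does not check, so it only flags that case for review.

```shell
#!/bin/bash
# Added example (not from the thread): audit AD user objects for the RFC2307
# attributes that the idmap "ad" backend needs, against the range configured
# in the client's smb.conf. Accounts that fail here are exactly the ones that
# "wbinfo -u" lists but "getent passwd" silently drops.

IDMAP_RANGE="21000-200000"   # from the poster's "idmap config SAMDOM : range"

# Constructed sample dump shaped like ldbsearch/ldapsearch output; not real data.
SAMPLE_LDIF='dn: CN=harp,CN=Users,DC=samdom,DC=example,DC=com
sAMAccountName: harp
uidNumber: 21001
gidNumber: 21000

dn: CN=bob,CN=Users,DC=samdom,DC=example,DC=com
sAMAccountName: bob

dn: CN=carol,CN=Users,DC=samdom,DC=example,DC=com
sAMAccountName: carol
uidNumber: 10500
gidNumber: 21000

dn: CN=dave,CN=Users,DC=samdom,DC=example,DC=com
sAMAccountName: dave
uidNumber: 21002
'

# in_range ID LOW-HIGH : succeeds when LOW <= ID <= HIGH
in_range() {
    local id="$1" low="${2%-*}" high="${2#*-}"
    [ "$id" -ge "$low" ] && [ "$id" -le "$high" ]
}

# classify_user UID GID LOW-HIGH : prints one verdict word.
# Assumption (see lead-in): a missing gidNumber on the user is not fatal by
# itself, because the primary group's gidNumber may be used instead, so it is
# reported for review rather than as an error.
classify_user() {
    local uid="$1" gid="$2" range="$3"
    if [ -z "$uid" ]; then echo "missing-uidNumber"; return 0; fi
    if ! in_range "$uid" "$range"; then echo "uid-out-of-range"; return 0; fi
    if [ -z "$gid" ]; then echo "no-gidNumber-on-user"; return 0; fi
    if ! in_range "$gid" "$range"; then echo "gid-out-of-range"; return 0; fi
    echo "ok"
}

# audit_ldif LOW-HIGH < ldif : prints "<sAMAccountName> <verdict>" per entry.
# Entries are separated by blank lines, as in LDIF.
audit_ldif() {
    local range="$1" name="" uid="" gid="" line
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in
            "")
                [ -n "$name" ] && printf '%s %s\n' "$name" "$(classify_user "$uid" "$gid" "$range")"
                name=""; uid=""; gid="" ;;
            sAMAccountName:*) name="${line#sAMAccountName: }" ;;
            uidNumber:*)      uid="${line#uidNumber: }" ;;
            gidNumber:*)      gid="${line#gidNumber: }" ;;
        esac
    done
    # flush the last entry if the dump did not end with a blank line
    [ -n "$name" ] && printf '%s %s\n' "$name" "$(classify_user "$uid" "$gid" "$range")"
    return 0
}

# flagged_users LOW-HIGH < ldif : names whose verdict is anything but "ok"
flagged_users() {
    audit_ldif "$1" | awk '$2 != "ok" { print $1 }'
}

# Stand-alone run against the constructed sample.
printf '%s' "$SAMPLE_LDIF" | audit_ldif "$IDMAP_RANGE"
```

Run it after `ldbsearch -H ldap://dc1.samdom.example.com -U administrator '(objectClass=user)' sAMAccountName uidNumber gidNumber` (or the equivalent `ldapsearch`) and pipe the result into `audit_ldif "$IDMAP_RANGE"`; every name in `flagged_users` is one to fix in ADUC before expecting `getent passwd username` to return it. Note that the `*` default range (`10000-20000` in the poster's config) must not overlap the `SAMDOM` range, which is why `carol` with `uidNumber: 10500` is reported as out of range rather than accepted.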


> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of 
> Harpoon via samba
> Sent: Thursday, 24 January 2019 9:57
> To: samba at lists.samba.org
> Subject: [Samba] `getent passwd` not working with ad backend
> 
> Hi all,
> I've been reading and it seems like ad backend has many 
> features that I'd like to use. However, despite browsing many 
> forums and docs, I am still unable to get domain users list 
> using `getent passwd` while using `ad backend`. If I change 
> backend to tdb, then I can get usernames on the clients. 
> Authentication works fine too when using `tdb backend`. I 
> think the only issue is with the mapping part. Otherwise the 
> domain is working pretty fine.
> 
> All boxes are running Debian Stretch.
> 
> ===================================================
> Server's smb.conf
> ===================================================
> # Global parameters
> [global]
> netbios name = DC1
> realm = SAMDOM.EXAMPLE.COM
> workgroup = SAMDOM
> dns forwarder = 10.0.5.200
> server role = active directory domain controller
> idmap_ldb:use rfc2307 = yes
> winbind enum users = yes
> winbind enum groups = yes
> template shell = /bin/bash
> 
> [netlogon]
> path = /var/lib/samba/sysvol/samdom.example.com/scripts
> read only = No
> 
> [sysvol]
> path = /var/lib/samba/sysvol
> read only = No
> 
> ===================================================
> Client's smb.conf
> ===================================================
> [global]
> netbios name = client1
> realm = SAMDOM.EXAMPLE.COM
> workgroup = SAMDOM
> security = ADS
> kerberos method = secrets and keytab
> winbind trusted domains only = no
> winbind enum users = yes
> winbind enum groups = yes
> winbind use default domain = yes
> winbind nss info = rfc2307
> #   FOR Samba-share `getent` testing
> #    password server = dc1.samdom.example.com
> #    client signing = auto
> #    server signing = auto
> 
> idmap config * : backend = tdb
> idmap config * : range = 10000-20000
> 
> idmap config SAMDOM : backend = ad
> idmap config SAMDOM : range = 21000-200000
> -------------------------------------------------------------------------
> 
> **With ad backend:**
> 1. wbinfo -u lists all domain users
> 2. `getent passwd` doesn't list domain users
> 
> **With tdb backend:**
> 1. wbinfo -u lists all domain users
> 2. `getent passwd` also lists all domain users
> 
> Just by commenting out the `idmap config SAMDOM` lines in the 
> client's smb.conf, all other things start working such as 
> `getent passwd`, authentication, etc.
> 
> I tried adding multiple Unix groups and users following 
> instructions on Samba Wiki, but the result is always the 
> same. I've been trying to sort it out for a couple of weeks 
> and it's now driving me insane.
> Any help would be appreciated!
> 
> Kind regards,
> Harp
> 



