[Samba] `getent passwd` not working with ad backend

Harpoon harp00n at protonmail.com
Thu Jan 24 10:03:19 UTC 2019

> Did you assign uid/gid's to the user/groups?

> https://wiki.samba.org/index.php/Maintaining_Unix_Attributes_in_AD_using_ADU

> C

I added uid/gid to the new users and groups. I don't have access to ADUC so can't check atm.

Here's how I added the new group:

`samba-tool group add lag --gid-number 16000 --nis-domain SAMDOM`

Here's how I added the new user:

`samba-tool user create user23 --unix-home=/home/%U --uid-number=14800 --login-shell=/bin/bash --gid-number=16000 --nis-domain SAMDOM`

On the DC, I checked the new user:

root@DC1 # getent passwd user23

But I noticed that although I set the gid of user23 to be 16000, the gid reported by `getent passwd user23` is 12000 (gid of Domain Users). A little digging in the sam.ldb file says that the primaryGroupID is still 513. Could this be causing any problem?


user23 entry from sam.ldb:

#record 25
dn: CN=user23,CN=Users,DC=samdom,DC=example,DC=com
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: user23
instanceType: 4
whenCreated: 20190124131800.0Z
whenChanged: 20190124131800.0Z
uSNCreated: 3945
name: user23
objectGUID: 0515e770-7844-4442-abc7-4dbe081d66d5
badPwdCount: 0
codePage: 0
countryCode: 0
badPasswordTime: 0
lastLogoff: 0
lastLogon: 0
primaryGroupID: 513
objectSid: S-1-5-21-671610647-2237101781-313523630-1131
accountExpires: 9223372036854775807
logonCount: 0
sAMAccountName: user23
sAMAccountType: 805306368
userPrincipalName: user23@samdom.example.com
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=samdom,DC=example,DC=c
uidNumber: 14800
gidNumber: 16000
loginShell: /bin/bash
unixHomeDirectory: /home/%U
msSFU30NisDomain: SAMDOM
msSFU30Name: user23
unixUserPassword: ABCD!efgh12345$67890
pwdLastSet: 131928094807802460
userAccountControl: 512
uSNChanged: 3948
distinguishedName: CN=user23,CN=Users,DC=samdom,DC=example,DC=com

> And test with

> getent passwd username

No output with this command too.

> You can change these settings to no, for testing it's ok,

> but it only slows down your server.

> For member and DC, set to no.

I set it only for testing. I'll disable it once I move it to production.

> ==============================
> > winbind enum users = yes
> > winbind enum groups = yes
> member only
> ============
> If you use :
> > kerberos method = secrets and keytab
> Then also set :
> dedicated keytab file = /etc/krb5.keytab
> renew the kerberos ticket
> ==========================
> winbind refresh tickets = yes
>
> Besides that the configs look ok.
> Can you show /etc/nsswitch.conf

#Example configuration of GNU Name Service Switch functionality.

passwd: compat winbind
group: compat winbind
shadow: compat
gshadow: files
hosts: files dns wins
networks: files
protocols: db files
services: db files
ethers: db files
rpc: db files
netgroup: nis

Thanks for your help!
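Added example (not part of this thread and not Samba's own tooling): a small Python checker that reads an LDIF dump of the kind shown above and lists users whose gidNumber differs from the gidNumber of the group their primaryGroupID resolves to, which is the user23 / Domain Users situation described in the post. It assumes the dump covers both user and group objects (e.g. an `ldbsearch` export of sam.ldb); the sample records are constructed from the values in this thread.

```python
# Constructed sample (not real directory data): the user from this thread plus
# its primary group, RID 513 (Domain Users), with the gid values from the post.
SAMPLE_LDIF = """\
#record 25
dn: CN=user23,CN=Users,DC=samdom,DC=example,DC=com
objectClass: user
sAMAccountName: user23
primaryGroupID: 513
objectSid: S-1-5-21-671610647-2237101781-313523630-1131
gidNumber: 16000

dn: CN=Domain Users,CN=Users,DC=samdom,DC=example,DC=com
objectClass: group
sAMAccountName: Domain Users
objectSid: S-1-5-21-671610647-2237101781-313523630-513
gidNumber: 12000
"""

def parse_ldif(text):
    """LDIF -> list of {attribute: [values]}; skips '#' comments, joins folded lines."""
    records, rec, last = [], {}, None
    for line in text.splitlines() + [""]:
        if line.startswith("#"):
            continue
        if line.startswith(" ") and last:      # continuation of the previous value
            rec[last][-1] += line[1:]
        elif line:
            last, _, value = line.partition(": ")
            rec.setdefault(last, []).append(value)
        elif rec:                              # blank line terminates a record
            records.append(rec)
            rec, last = {}, None
    return records

def primary_group_mismatches(records):
    """(user, user gidNumber, primary group, group gidNumber) for each user whose
    gidNumber differs from that of the group its primaryGroupID resolves to."""
    groups = {g["objectSid"][0]: g for g in records if "group" in g.get("objectClass", [])}
    found = []
    for u in records:
        if "user" not in u.get("objectClass", []) or "primaryGroupID" not in u:
            continue
        domain_sid = u["objectSid"][0].rsplit("-", 1)[0]          # drop the user's RID
        grp = groups.get(f"{domain_sid}-{u['primaryGroupID'][0]}", {})
        ugid, ggid = u.get("gidNumber", [None])[0], grp.get("gidNumber", [None])[0]
        if ugid != ggid:
            found.append((u["sAMAccountName"][0], ugid, grp.get("sAMAccountName", ["?"])[0], ggid))
    return found
```

Run against a full export of the domain's users and groups, every tuple returned is a user whose `getent passwd` gid will not be the gidNumber set on the user object but the one on the group named by primaryGroupID.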
