[Samba] `getent passwd` not working with ad backend
Harpoon
harp00n at protonmail.com
Thu Jan 24 10:03:19 UTC 2019
> Did you assing uid/gid's to the user/groups?
> https://wiki.samba.org/index.php/Maintaining_Unix_Attributes_in_AD_using_ADU
> C
I added uid/gid to the new users and groups. I don't have access to ADUC so can't check atm.
Here's how I added a new group:
`samba-tool group add lag --gid-number 16000 --nis-domain SAMDOM`
Here's how I added a new user:
`samba-tool user create user23 --unix-home=/home/%U --uid-number=14800 --login-shell=/bin/bash --gid-number=16000 --nis-domain SAMDOM`
On the DC, I checked the new user:
root@DC1 # getent passwd user23
SAMDOM\user23:*:14800:12000::/home/SAMDOM/user23:/bin/bash
But I noticed that although I set the gid of user23 to be 16000, the gid reported by `getent passwd user23` is 12000 (gid of Domain Users). A little digging in the sam.ldb file says that the primaryGroupID is still 513. Could this be causing any problem?
===========================
user23 entry from sam.ldb
==========================
#record 25
dn: CN=user23,CN=Users,DC=samdom,DC=example,DC=com
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: user23
instanceType: 4
whenCreated: 20190124131800.0Z
whenChanged: 20190124131800.0Z
uSNCreated: 3945
name: user23
objectGUID: 0515e770-7844-4442-abc7-4dbe081d66d5
badPwdCount: 0
codePage: 0
countryCode: 0
badPasswordTime: 0
lastLogoff: 0
lastLogon: 0
primaryGroupID: 513
objectSid: S-1-5-21-671610647-2237101781-313523630-1131
accountExpires: 9223372036854775807
logonCount: 0
sAMAccountName: user23
sAMAccountType: 805306368
userPrincipalName: user23@samdom.example.com
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=samdom,DC=example,DC=com
uidNumber: 14800
gidNumber: 16000
loginShell: /bin/bash
unixHomeDirectory: /home/%U
msSFU30NisDomain: SAMDOM
msSFU30Name: user23
unixUserPassword: ABCD!efgh12345$67890
pwdLastSet: 131928094807802460
userAccountControl: 512
uSNChanged: 3948
distinguishedName: CN=user23,CN=Users,DC=samdom,DC=example,DC=com
> And test with
> getent passwd username
No output with this command either.
> You can change these settings to no, for testing its ok,
> but it only slows down you server.
> For member and DC, set to no.
I set it only for testing. I'll disable it once I move it to production.
> ==============================
>
> > winbind enum users = yes
> > winbind enum groups = yes
>
> member only
Okay.
> ============
> If you use :
>
> > kerberos method = secrets and keytab
>
> Then also set :
> dedicated keytab file = /etc/krb5.keytab
> renew the kerberos ticket
> ==========================
> winbind refresh tickets = yes
Noted.
> Besides that the configs look ok.
> Can you show /etc/nsswitch.conf
==============
nsswitch.conf
==============
#/etc/nsswitch.conf
#Example configuration of GNU Name Service Switch functionality.
passwd: compat winbind
group: compat winbind
shadow: compat
gshadow: files
hosts: files dns wins
networks: files
protocols: db files
services: db files
ethers: db files
rpc: db files
netgroup: nis
Thanks for your help!
Regards,
Harp
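Added example, not part of the thread and not Samba's own code: a small Python diagnostic that reads an LDIF dump like the one posted above and makes explicit why the GID in the `getent passwd` line (12000) can differ from the user's own `gidNumber` (16000). It resolves the user's `primaryGroupID` (513) to the group object whose SID ends in that RID and compares that group's `gidNumber` with the user's. This is the documented behaviour of the idmap_ad backend: the primary group is derived from `primaryGroupID` unless `unix_primary_group = yes` is set. The sample LDIF is constructed: the user record is trimmed from the post, and the two group records (Domain Users with gidNumber 12000, the value getent printed, and `lag` with gidNumber 16000 and an assumed RID of 1132) are assumptions, as is the `explain_primary_gid` / `classify_getent_line` naming.

```python
"""Explain which GID a passwd lookup will report for an AD user.

Added example for the Samba list thread above; not Samba project code.
Parses an LDIF dump (ldbsearch / sam.ldb style), resolves primaryGroupID
to the matching group object and compares its gidNumber with the user's.
"""

# Constructed sample: user23 trimmed from the post, plus two ASSUMED group
# records (Domain Users = RID 513 with gidNumber 12000, lag with RID 1132).
SAMPLE_LDIF = """\
#record 25
dn: CN=user23,CN=Users,DC=samdom,DC=example,DC=com
objectClass: top
objectClass: user
primaryGroupID: 513
objectSid: S-1-5-21-671610647-2237101781-313523630-1131
sAMAccountName: user23
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=samdom,DC=example,DC=c
 om
uidNumber: 14800
gidNumber: 16000
loginShell: /bin/bash
unixHomeDirectory: /home/%U

dn: CN=Domain Users,CN=Users,DC=samdom,DC=example,DC=com
objectClass: group
objectSid: S-1-5-21-671610647-2237101781-313523630-513
sAMAccountName: Domain Users
gidNumber: 12000

dn: CN=lag,CN=Users,DC=samdom,DC=example,DC=com
objectClass: group
objectSid: S-1-5-21-671610647-2237101781-313523630-1132
sAMAccountName: lag
gidNumber: 16000
"""


def parse_ldif(text):
    """Parse LDIF into a list of records (dict: attribute -> [values]).

    Folded lines (continuation lines start with one space, as the
    objectCategory line in the post) are re-joined; '#' comments and blank
    separator lines are handled; base64 values ('::') are kept undecoded
    because none of the attributes used here are base64-encoded.
    """
    unfolded = []
    for raw in text.splitlines():
        if raw.startswith(" ") and unfolded:
            unfolded[-1] += raw[1:]          # drop the folding space
        else:
            unfolded.append(raw)
    records, current = [], {}
    for line in unfolded + [""]:             # trailing "" flushes last record
        if line.startswith("#"):
            continue
        if not line.strip():
            if current:
                records.append(current)
                current = {}
            continue
        attr, _, value = line.partition(":")
        if value.startswith(":"):
            value = value[1:]                # base64 marker, value left raw
        current.setdefault(attr.strip(), []).append(value.strip())
    return records


def first(rec, attr):
    """First value of an attribute, or None when the record lacks it."""
    vals = rec.get(attr) if rec else None
    return vals[0] if vals else None


def explain_primary_gid(records, account):
    """Resolve primaryGroupID to a group object and compare gidNumbers.

    'mismatch' is True when a lookup that follows primaryGroupID (idmap_ad
    default, unix_primary_group = no) reports a different GID than the
    gidNumber written by samba-tool --gid-number.
    """
    user = next(r for r in records if first(r, "sAMAccountName") == account)
    pgid = int(first(user, "primaryGroupID"))
    domain_sid = first(user, "objectSid").rsplit("-", 1)[0]
    primary = next((r for r in records
                    if first(r, "objectSid") == f"{domain_sid}-{pgid}"), None)
    user_gid = int(first(user, "gidNumber")) if first(user, "gidNumber") else None
    primary_gid = int(first(primary, "gidNumber")) if first(primary, "gidNumber") else None
    return {
        "uidNumber": int(first(user, "uidNumber")),
        "gidNumber": user_gid,
        "primaryGroupID": pgid,
        "primary_group": first(primary, "sAMAccountName"),
        "primary_gidNumber": primary_gid,
        "mismatch": primary_gid is not None and primary_gid != user_gid,
    }


def classify_getent_line(line, diag):
    """Parse one `getent passwd` line and say where its UID/GID came from."""
    fields = line.split(":")
    uid, gid = int(fields[2]), int(fields[3])
    if gid == diag["primary_gidNumber"]:
        source = "primaryGroupID"            # group that RID 513 points to
    elif gid == diag["gidNumber"]:
        source = "gidNumber"                 # user's own RFC2307 attribute
    else:
        source = "unknown"
    return {"uid_ok": uid == diag["uidNumber"], "gid_source": source}


if __name__ == "__main__":
    diag = explain_primary_gid(parse_ldif(SAMPLE_LDIF), "user23")
    print(diag)
    print(classify_getent_line(
        r"SAMDOM\user23:*:14800:12000::/home/SAMDOM/user23:/bin/bash", diag))
```

Run it against a real dump with `ldbsearch -H /path/to/sam.ldb '(sAMAccountName=user23)'` plus the group objects, or `samba-tool user show` and `samba-tool group show`; a `mismatch` of True with `gid_source == "primaryGroupID"` is exactly the situation in the post, and is not a broken idmap but the primary group coming from Domain Users' gidNumber.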