[Samba] `getent passwd` not working with ad backend
L.P.H. van Belle
belle at bazuin.nl
Thu Jan 24 10:40:09 UTC 2019
Hai,
> Here's how I added new group:
>
> `samba-tool group add lag --gid-number 16000 --nis-domain SAMDOM`
>
> Here's how I added new user:
>
> `samba-tool user create user23 --unix-home=/home/%U --uid-number=14800 --login-shell=/bin/bash --gid-number=16000 --nis-domain SAMDOM`
Yes, that's fine too.
>
> On the DC, I checked the new user:
>
> root@DC1 # getent passwd user23
>
> SAMDOM\user23:*:14800:12000::/home/SAMDOM/user23:/bin/bash
>
> But I noticed that although I set the gid of user23 to be
> 16000, the gid reported by `getent passwd user23` is 12000
> (gid of Domain Users). A little digging in the sam.ldb file
> says that the primaryGroupID is still 513. Could this be
> causing any problem?
No, that is the RID, which is not the GID. ;-)

Run : net cache flush
Stop/start samba : systemctl stop smbd winbind nmbd

* change the ranges to your needs.
For client only, read the last line in that config part.

## map ids outside the domain to tdb files. (BUILTIN)
idmap config * : backend = tdb
idmap config * : range = 10000-20000
## map ids from the SAMDOM domain and (*) the range may not overlap !
## https://wiki.samba.org/index.php/Idmap_config_ad
idmap config SAMDOM : backend = ad
idmap config SAMDOM : schema_mode = rfc2307
idmap config SAMDOM : range = 21000-200000
# Samba version 4.6.0 and up.
# https://wiki.samba.org/index.php/Idmap_config_ad#The_RFC2307_and_template_Mode_Options
idmap config SAMDOM : unix_nss_info = yes
idmap config SAMDOM : unix_primary_group = yes

systemctl start smbd winbind nmbd
And check again.
>
> ===========================
>
> user23 entry from sam.ldb
>
> ==========================
>
> #record 25
> dn: CN=user23,CN=Users,DC=samdom,DC=example,DC=com
> objectClass: top
> objectClass: person
> objectClass: organizationalPerson
> objectClass: user
> cn: user23
> instanceType: 4
> whenCreated: 20190124131800.0Z
> whenChanged: 20190124131800.0Z
> uSNCreated: 3945
> name: user23
> objectGUID: 0515e770-7844-4442-abc7-4dbe081d66d5
> badPwdCount: 0
> codePage: 0
> countryCode: 0
> badPasswordTime: 0
> lastLogoff: 0
> lastLogon: 0
> primaryGroupID: 513
> objectSid: S-1-5-21-671610647-2237101781-313523630-1131
> accountExpires: 9223372036854775807
> logonCount: 0
> sAMAccountName: user23
> sAMAccountType: 805306368
> userPrincipalName: user23@samdom.example.com
> objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=samdom,DC=example,DC=com
> uidNumber: 14800
> gidNumber: 16000
> loginShell: /bin/bash
> unixHomeDirectory: /home/%U
> msSFU30NisDomain: SAMDOM
> msSFU30Name: user23
> unixUserPassword: ABCD!efgh12345$67890
> pwdLastSet: 131928094807802460
> userAccountControl: 512
> uSNChanged: 3948
> distinguishedName: CN=user23,CN=Users,DC=samdom,DC=example,DC=com
>
> > And test with
> > getent passwd username
>
> No output with this command too.
>
> > You can change these settings to no, for testing it's ok,
> > but it only slows down your server.
> > For member and DC, set to no.
>
> I set it only for testing. I'll disable it once I move it to
> production.
>
> > ==============================
> > > winbind enum users = yes
> > > winbind enum groups = yes
> > member only
>
> Okay.
>
> > ============
> > If you use :
> > > kerberos method = secrets and keytab
> > Then also set :
> > dedicated keytab file = /etc/krb5.keytab
> > renew the kerberos ticket
> > ==========================
> > winbind refresh tickets = yes
>
> Noted.
>
> > Besides that the configs look ok.
> > Can you show /etc/nsswitch.conf
>
> ==
> nsswitch.conf
> ==============
> #/etc/nsswitch.conf
> ==
> #Example configuration of GNU Name Service Switch functionality.
>
> passwd: compat winbind
> group: compat winbind
> shadow: compat
> gshadow: files
> hosts: files dns wins
> networks: files
> protocols: db files
> services: db files
> ethers: db files
> rpc: db files
> netgroup: nis
>
> Thanks for your help!
> Regards,
> Harp
>
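An added example, not part of this thread or of Samba's own code: a small Python check for the two constraints in the idmap block above, using the ranges exactly as given there and the uidNumber/gidNumber from the quoted sam.ldb dump. Ranges of different domains must not overlap, and with backend = ad winbind only maps IDs that fall inside that domain's range, so with the ranges as written user23's 14800/16000 would be ignored, which is the kind of adjustment the "change the ranges to your needs" footnote refers to.

```python
import configparser
import re
from typing import Dict, List, Tuple

# Constructed smb.conf fragment using the idmap ranges from the reply above.
SMB_CONF = """[global]
idmap config * : backend = tdb
idmap config * : range = 10000-20000
idmap config SAMDOM : backend = ad
idmap config SAMDOM : schema_mode = rfc2307
idmap config SAMDOM : range = 21000-200000
"""

# Constructed from the uidNumber/gidNumber shown in the quoted sam.ldb dump.
USER23 = {"uidNumber": 14800, "gidNumber": 16000}

IDMAP_KEY = re.compile(r"^idmap config (?P<dom>\S+)\s*:\s*(?P<opt>\w+)$", re.IGNORECASE)

def parse_idmap(conf_text: str) -> Dict[str, Dict[str, str]]:
    """Return {domain: {option: value}} for every idmap config line in [global]."""
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None)
    cp.optionxform = str  # keep the domain name's case (SAMDOM, not samdom)
    cp.read_string(conf_text)
    domains: Dict[str, Dict[str, str]] = {}
    for key, value in cp["global"].items():
        m = IDMAP_KEY.match(key.strip())
        if m:
            domains.setdefault(m["dom"], {})[m["opt"].lower()] = value.strip()
    return domains

def parse_range(spec: str) -> Tuple[int, int]:
    low, high = (int(x) for x in spec.split("-", 1))
    if low > high:
        raise ValueError(f"invalid idmap range {spec!r}")
    return low, high

def overlapping_ranges(domains: Dict[str, Dict[str, str]]) -> List[Tuple[str, str]]:
    """Pairs of domains whose ranges overlap; Samba requires them to be disjoint."""
    ranges = {d: parse_range(o["range"]) for d, o in domains.items() if "range" in o}
    names = sorted(ranges)
    return [(a, b) for i, a in enumerate(names) for b in names[i + 1:]
            if ranges[a][0] <= ranges[b][1] and ranges[b][0] <= ranges[a][1]]

def ids_outside_range(domains, domain: str, user: Dict[str, int]) -> List[str]:
    """Attributes of `user` outside `domain`'s range. With backend = ad, winbind
    ignores IDs outside the range, so such an account gets no passwd entry."""
    low, high = parse_range(domains[domain]["range"])
    return [attr for attr, val in user.items() if not low <= val <= high]
```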