[Samba] `getent passwd` not working with ad backend

Rowland Penny rpenny at samba.org
Thu Jan 24 11:28:33 UTC 2019


On Thu, 24 Jan 2019 10:03:19 +0000
Harpoon via samba <samba at lists.samba.org> wrote:

> > Did you assign uid/gid's to the user/groups?
> 
> > https://wiki.samba.org/index.php/Maintaining_Unix_Attributes_in_AD_using_ADU
> 
> > C
> 
> I added uid/gid to the new users and groups. I don't have access to
> ADUC so can't check atm.
> 
> Here's how I added new group:
> 
> `samba-tool group add lag --gid-number 16000 --nis-domain SAMDOM`

If you want to use a group other than Domain Users as the user's Unix
primary group, you will need to use a Samba version >= 4.6.0

See here for latest Debian packages:

http://apt.van-belle.nl/

You MUST give Domain Users a gidNumber attribute containing a number
inside '21000-200000' (this is the range you have set in smb.conf)

> 
> Here's how I added new user:
> 
> `samba-tool user create user23 --unix-home=/home/%U
> --uid-number=14800 --login-shell=/bin/bash --gid-number=16000
> --nis-domain SAMDOM`

They will NEVER be shown by getent because they are outside the range
you have set in smb.conf

> 
> On the DC, I checked the new user:
> 
> root at DC1 # getent passwd user23
> 
> SAMDOM\user23:*:14800:12000::/home/SAMDOM/user23:/bin/bash
> 
> But I noticed that although I set the gid of user23 to be 16000, the
> gid reported by `getent passwd user23` is 12000 (gid of Domain
> Users). 

Ah, so you have set a gidNumber on Domain Users, pity it is outside
the range you have set for the domain in smb.conf


>A little digging in the sam.ldb file says that the
> primaryGroupID is still 513. Could this be causing any problem?

No, because every domain user's primary group is '513' (Domain Users),
as I said, you need Samba >= 4.6.0 to have a Unix primary group that
isn't Domain Users.

> 
> ===========================
> 
> user23 entry from sam.ldb
> 
> ==========================
> 
> #record 25
> dn: CN=user23,CN=Users,DC=samdom,DC=example,DC=com
> objectClass: top
> objectClass: person
> objectClass: organizationalPerson
> objectClass: user
> cn: user23
> instanceType: 4
> whenCreated: 20190124131800.0Z
> whenChanged: 20190124131800.0Z
> uSNCreated: 3945
> name: user23
> objectGUID: 0515e770-7844-4442-abc7-4dbe081d66d5
> badPwdCount: 0
> codePage: 0
> countryCode: 0
> badPasswordTime: 0
> lastLogoff: 0
> lastLogon: 0
> primaryGroupID: 513
> objectSid: S-1-5-21-671610647-2237101781-313523630-1131
> accountExpires: 9223372036854775807
> logonCount: 0
> sAMAccountName: user23
> sAMAccountType: 805306368
> userPrincipalName: user23 at samdom.example.com
> objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=samdom,DC=example,DC=com
> uidNumber: 14800
> gidNumber: 16000
> loginShell: /bin/bash
> unixHomeDirectory: /home/%U
> msSFU30NisDomain: SAMDOM
> msSFU30Name: user23
> unixUserPassword: ABCD!efgh12345$67890
> pwdLastSet: 131928094807802460
> userAccountControl: 512
> uSNChanged: 3948
> distinguishedName: CN=user23,CN=Users,DC=samdom,DC=example,DC=com
> 
> > And test with
> 
> > getent passwd username
> 
> No output with this command too.

Well, you wouldn't. It is fairly simple: with your Samba version
(probably 4.5.12), Domain Users MUST have a gidNumber attribute and your
users MUST have a uidNumber attribute, and ALL these numbers must be
inside the domain range you set in smb.conf (21000-200000 in your case).
If the gidNumber for Domain Users isn't inside the range, ALL your
users will be ignored by Unix.
If any users have a uidNumber outside the range, they will be ignored,
even if the gidNumber attribute for Domain Users is correct.
 
Rowland
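
The range check Rowland spells out above, as an added example that is not
part of this thread and is not Samba's own tooling: a small POSIX shell
script that reads the 'idmap config SAMDOM : range' line from an smb.conf
and flags every uidNumber and gidNumber in an LDIF dump that falls outside
it. Both inputs are constructed inline so the script runs offline: the
smb.conf fragment is built around the 21000-200000 range named in the
thread, the LDIF carries user23 and lag with the values posted, Domain
Users with the 12000 that the getent output revealed, and a made-up
'okuser' whose values are inside the range for contrast. On a real system
the same script would be fed the output of 'testparm -s' and, on a DC,
'ldbsearch -H /var/lib/samba/private/sam.ldb' for the RFC2307 attributes.

```shell
#!/bin/sh
# Added example, not from the thread or from Samba: check every uidNumber and
# gidNumber in an LDIF dump against the winbind idmap range in smb.conf.
# Objects whose values fall outside the range are exactly the ones the
# 'ad' backend ignores, so getent passwd/group will never list them.

# Print "LOW HIGH" from the 'idmap config <DOMAIN> : range' line, or fail.
idmap_range() {
    # $1 = domain as written in smb.conf, $2 = smb.conf (or 'testparm -s' output)
    sed -n "s/^[[:space:]]*idmap config $1[[:space:]]*:[[:space:]]*range[[:space:]]*=[[:space:]]*\([0-9][0-9]*\)-\([0-9][0-9]*\).*/\1 \2/p" "$2" \
        | head -n 1 | grep .
}

# Print one line per uidNumber/gidNumber ("OUT"/"OK" name attribute value).
# Exit 1 if anything is outside the range, 2 if the range cannot be read.
check_unix_ids() {
    # $1 = domain, $2 = smb.conf file, $3 = LDIF file
    range=$(idmap_range "$1" "$2") || { echo "no 'idmap config $1 : range' in $2" >&2; return 2; }
    awk -v lo="${range% *}" -v hi="${range#* }" '
        # LDIF entries are blank-line separated and attribute order is not
        # fixed, so buffer each entry and evaluate it when it ends.
        function flush(   a) {
            for (a in ids) {
                if (ids[a] < lo || ids[a] > hi) { printf "OUT %s %s %d\n", name, a, ids[a]; bad = 1 }
                else                           { printf "OK  %s %s %d\n", name, a, ids[a] }
            }
            split("", ids); name = ""
        }
        /^sAMAccountName: / { name = substr($0, 17) }
        /^uidNumber: /      { ids["uidNumber"] = $2 + 0 }
        /^gidNumber: /      { ids["gidNumber"] = $2 + 0 }
        /^$/                { flush() }
        END                 { flush(); exit bad ? 1 : 0 }
    ' "$3"
}

# --- constructed inputs (values taken from the thread; 'okuser' is made up).
#     In production: testparm -s  and, on a DC,
#     ldbsearch -H /var/lib/samba/private/sam.ldb \
#         '(|(uidNumber=*)(gidNumber=*))' sAMAccountName uidNumber gidNumber
SMB_CONF_FILE=$(mktemp); LDIF_FILE=$(mktemp)
trap 'rm -f "$SMB_CONF_FILE" "$LDIF_FILE"' EXIT
cat >"$SMB_CONF_FILE" <<'EOF'
[global]
   workgroup = SAMDOM
   security = ads
   idmap config * : backend = tdb
   idmap config * : range = 3000-7999
   idmap config SAMDOM : backend = ad
   idmap config SAMDOM : range = 21000-200000
EOF
cat >"$LDIF_FILE" <<'EOF'
dn: CN=user23,CN=Users,DC=samdom,DC=example,DC=com
sAMAccountName: user23
uidNumber: 14800
gidNumber: 16000

dn: CN=Domain Users,CN=Users,DC=samdom,DC=example,DC=com
sAMAccountName: Domain Users
gidNumber: 12000

dn: CN=lag,CN=Users,DC=samdom,DC=example,DC=com
sAMAccountName: lag
gidNumber: 16000

dn: CN=okuser,CN=Users,DC=samdom,DC=example,DC=com
sAMAccountName: okuser
uidNumber: 21500
gidNumber: 21000
EOF

if check_unix_ids SAMDOM "$SMB_CONF_FILE" "$LDIF_FILE"; then
    echo "all uidNumber/gidNumber values are inside the idmap range"
else
    echo "values outside the range: those objects will not appear in getent output" >&2
fi
```

Every line marked OUT is an object winbind will silently drop, so the fix is
either to move the attribute into the range (samba-tool with --uid-number /
--gid-number, or ADUC as linked above) or to widen the range in smb.conf,
and in the latter case the same range must be set on every domain member,
otherwise different hosts will map the same account to different ids.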
