[Samba] getent passwd blank response

Bob Wooden bob at donelsontrophy.com
Mon Aug 17 11:19:13 UTC 2020

On 8/17/20 4:36 AM, Rowland penny via samba wrote:
> On 17/08/2020 10:20, L.P.H. van Belle via samba wrote:
>> But have you tried this :
>> getent passwd "SAMDOM\username"
> Unless you have in smb.conf (which are not recommended):
> winbind enum users = yes
> winbind enum groups = yes
> Running 'getent passwd' and 'getent group' will only show local users 
> and groups.
> You need to specify a username or group, but if you also specify the 
> workgroup name, you still will not get output unless it is specified 
> correctly, this will not work:
> getent passwd SAMDOM\username
> But any of these will:
> getent passwd SAMDOM\\username
> getent passwd 'SAMDOM\username'
> getent passwd "SAMDOM\username"
> Of course, they all depend on smb.conf, nsswitch.conf and the links 
> being set up correctly.
> Rowland
root@mbr04:~# getent passwd SUBDOM\\username
root@mbr04:~# getent passwd SUBDOM\username
root@mbr04:~# getent passwd 'SUBDOM\username'
root@mbr04:~# getent passwd "SUBDOM\username"
root@mbr04:~# cat /etc/samba/smb.conf
# https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member
log level = 4
log file = /var/log/samba/%m.log
max log size = 1000

# netbios name = By default this is "hostname -s" but in caps.
workgroup = DOM
security = ADS

# set master browser for the network.
# preferred + domain master = yes = guarantee master browser ( man smb.conf )
# ! There can only be ONE master browser.
preferred master = no
domain master = no

dedicated keytab file = /etc/krb5.keytab
kerberos method = secrets and keytab

## map id's outside to domain to tdb files.
idmap config * : backend = tdb
idmap config * : range = 3000-7000

## map ids from the domain  the range may not overlap !
idmap config SUBDOM : backend = ad
idmap config SUBDOM : schema_mode = rfc2307
idmap config SUBDOM : range = 10000-999999
idmap config SUBDOM : unix_nss_info = yes
idmap config SUBDOM : unix_primary_group = yes    ##added per Louis email 2020-08-13

# Renew the kerberos tickets
winbind refresh tickets = yes

# Enable offline logins
winbind offline logon = yes

# User uid/Gid from AD. (rfc2307)
winbind nss info = rfc2307

# With default domain, wbinfo -u, yes = username, no is SAMBADOM\username
winbind use default domain = yes
##winbind trusted domains only = no

# Keep no in production, set yes when debugging, this slows down your 
winbind enum users  = yes
winbind enum groups = yes

# Check depth of nested groups, ! slows down your samba, if too much groups depth
# Samba default is 0, I suggest a minimum of 2 in this setup, advice is 4.
winbind expand groups = 4

# User Administrator workaround, without it you are unable to set privileges
# !Note: When using the AD ID mapping back end, do not set the uidNumber attribute for the domain administrator account.
# If the account has the attribute set, the value overrides the local UID 0 of the root user and thus the mapping fails.
username map = /etc/samba/samba_usermapping

# disable usershares creating, when set empty no error log messages.
usershare path =

# Disable printing completely
load printers = no
printing = bsd
printcap name = /dev/null
disable spoolss = yes

# For Windows ACL support on member file server, enabled globally, OBLIGATED
# For a mixed setup of rights, put this per share!
vfs objects = acl_xattr
map acl inherit = yes
store dos attributes = yes

# Share Setting Globally
veto files = /.bash_logout/.bash_profile/.bash_history/.bashrc/
hide unreadable = yes

# Included per Louis' member script
include = /etc/samba/smb-shares.conf

######## SHARE DEFINITIONS ################
##moved to /etc/samba/smb-shares.conf

root@mbr04:~# cat /etc/samba/smb-shares.conf
     # Hidden share for Administrator and "Domain Admins" members/Folder 
     # By default "Domain Admins" are allowed to read/write
     path = /srv/samba
     browseable = yes
     read only = no

     # main share for all company data.
     path = /srv/samba/companydata
     browseable = yes
     read only = no

     # Windows user profiles, Used for/by windows only share.
     # Add a $ on the end to hide the share-name.
     # By default "Domain users" are allowed to read/write
     # Optional, yes and windows  defaults are: no/posix
     # acl_xattr:ignore system acls = [yes|no]
     # acl_xattr:default acl style = [posix|windows|everyone]
     path = /srv/samba/profiles
     #map acl inherit = no
     browseable = yes
     read only = no

     # Samba/Windows User homedirs.
     # By default the User (And root/Administrator/Domain Admins) are allowed to read/write
     path = /srv/samba/users
     browseable = yes
     read only = no

     # A public share.
     # By default "Domain users" are allowed to read/write
     path = /srv/samba/public
     browseable = yes
     read only = no

root@mbr04:~# cat /etc/nsswitch.conf
# /etc/nsswitch.conf
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.

passwd:         files winbind systemd
group:          files winbind systemd
shadow:         files
gshadow:        files

hosts:          files dns
networks:       files

protocols:      db files
services:       db files
ethers:         db files
rpc:            db files

netgroup:       nis

As you can see, I have tried all variations but it still returns a blank response.

As a reminder, Debian 10, Samba v4.12.5.

Included all reference config files. Does anyone see anything that needs 

(Sent from home location.)

username Wooden
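
The quoting rule and the smb.conf/nsswitch.conf dependencies named in the quoted reply, as an added example that is not part of the original post or of Samba: it shows which key each spelling hands to getent and reads the relevant settings from the two files. The function names and the sample files are constructed here.

```shell
#!/bin/sh
# Added example (not from the thread); function names are hypothetical.
# The key getent would receive: print the single argument exactly as passed.
key_seen() { printf '%s' "$1"; }

# Succeed if database $2 (passwd or group) in nsswitch file $1 lists winbind.
nss_has_winbind() {
    awk -v db="$2:" '
        $1 == db { for (i = 2; i <= NF; i++) if ($i == "winbind") found = 1 }
        END { exit !found }' "$1"
}

# Print the last value of parameter $2 in smb.conf-style file $1 (sections are
# not tracked). smb.conf ignores case and whitespace in parameter names.
smb_param() {
    awk -v want="$2" '
        function norm(s) { gsub(/[ \t]/, "", s); return tolower(s) }
        /^[ \t]*[#;]/ { next }
        {
            eq = index($0, "="); if (eq == 0) next
            if (norm(substr($0, 1, eq - 1)) != norm(want)) next
            val = substr($0, eq + 1)
            sub(/^[ \t]+/, "", val); sub(/[ \t]+$/, "", val)
            last = val
        }
        END { if (last != "") print last }' "$1"
}

# Report the NSS and smb.conf settings for smb.conf $1 and nsswitch.conf $2.
winbind_precheck() {
    for db in passwd group; do
        if nss_has_winbind "$2" "$db"; then printf '%s: winbind listed\n' "$db"
        else printf '%s: winbind MISSING\n' "$db"; fi
    done
    printf 'use default domain: %s\n' "$(smb_param "$1" 'winbind use default domain')"
    printf 'enum users: %s\n' "$(smb_param "$1" 'winbind enum users')"
}

# The four spellings from the thread: only the unquoted single backslash is lost.
for k in "$(key_seen SAMDOM\username)" "$(key_seen SAMDOM\\username)" \
         "$(key_seen 'SAMDOM\username')" "$(key_seen "SAMDOM\username")"; do
    printf 'getent key: %s\n' "$k"
done
# Constructed sample files, using lines quoted in the post.
t=$(mktemp -d)
printf 'passwd: files winbind systemd\ngroup: files winbind systemd\n' > "$t/nss"
printf 'winbind use default domain = yes\nwinbind enum users  = yes\n' > "$t/smb"
winbind_precheck "$t/smb" "$t/nss"
rm -rf "$t"
```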
