[Samba] getent passwd blank response
Bob Wooden
bob at donelsontrophy.com
Mon Aug 17 11:19:13 UTC 2020
On 8/17/20 4:36 AM, Rowland penny via samba wrote:
> On 17/08/2020 10:20, L.P.H. van Belle via samba wrote:
>>
>> But have you tried this :
>> getent passwd "SAMDOM\username"
>
> Unless you have in smb.conf (which is not recommended):
>
> winbind enum users = yes
>
> winbind enum groups = yes
>
> Running 'getent passwd' and 'getent group' will only show local users
> and groups.
>
> You need to specify a username or group, but if you also specify the
> workgroup name, you still will not get output unless it is specified
> correctly, this will not work:
>
> getent passwd SAMDOM\username
>
> But any of these will:
>
> getent passwd SAMDOM\\username
>
> getent passwd 'SAMDOM\username'
>
> getent passwd "SAMDOM\username"
>
> Of course, they all depend on smb.conf, nsswitch.conf and the links
> being set up correctly.
>
> Rowland
>
>
root@mbr04:~# getent passwd SUBDOM\\username
root@mbr04:~# getent passwd SUBDOM\username
root@mbr04:~# getent passwd 'SUBDOM\username'
root@mbr04:~# getent passwd "SUBDOM\username"
root@mbr04:~# cat /etc/samba/smb.conf
# https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member
#
log level = 4
log file = /var/log/samba/%m.log
max log size = 1000
# netbios name = By default this is "hostname -s" but in caps.
realm = SUBDOM.EXAMPLE.COM
workgroup = DOM
security = ADS
# set master browser for the network.
# preferred + domain master = yes = guarantee master browser ( man smb.conf )
# ! There can only be ONE master browser.
preferred master = no
domain master = no
dedicated keytab file = /etc/krb5.keytab
kerberos method = secrets and keytab
## map id's outside to domain to tdb files.
idmap config * : backend = tdb
idmap config * : range = 3000-7000
## map ids from the domain the range may not overlap !
idmap config SUBDOM : backend = ad
idmap config SUBDOM : schema_mode = rfc2307
idmap config SUBDOM : range = 10000-999999
idmap config SUBDOM : unix_nss_info = yes
idmap config SUBDOM : unix_primary_group = yes ##added per Louis email 2020-08-13
# Renew the kerberos tickets
winbind refresh tickets = yes
# Enable offline logins
winbind offline logon = yes
# User uid/Gid from AD. (rfc2307)
winbind nss info = rfc2307
# With default domain, wbinfo -u, yes = username, no is SAMBADOM\username
winbind use default domain = yes
##winbind trusted domains only = no
# Keep no in production, set yes when debugging, this slows down your samba.
winbind enum users = yes
winbind enum groups = yes
# Check depth of nested groups, ! slows down your samba, if too much groups depth
# Samba default is 0, I suggest a minimum of 2 in this setup, advised is 4.
winbind expand groups = 4
# User Administrator workaround, without it you are unable to set privileges
# !Note: When using the AD ID mapping back end, do not set the uidNumber attribute for the domain administrator account.
# If the account has the attribute set, the value overrides the local UID 0 of the root user and thus the mapping fails.
username map = /etc/samba/samba_usermapping
# disable usershares creating, when set empty no error log messages.
usershare path =
# Disable printing completely
load printers = no
printing = bsd
printcap name = /dev/null
disable spoolss = yes
# For Windows ACL support on member file server, enabled globally, OBLIGATED
# For a mixed setup of rights, put this per share!
vfs objects = acl_xattr
map acl inherit = yes
store dos attributes = yes
# Share Setting Globally
veto files = /.bash_logout/.bash_profile/.bash_history/.bashrc/
hide unreadable = yes
# Included per Louis' member script
include = /etc/samba/smb-shares.conf
######## SHARE DEFINITIONS ################
##moved to /etc/samba/smb-shares.conf
root@mbr04:~# cat /etc/samba/smb-shares.conf
[samba$]
# Hidden share for Administrator and "Domain Admins" members/Folder managers
# By default "Domain Admins" are allowed to read/write
path = /srv/samba
browseable = yes
read only = no
[companydata]
# main share for all company data.
path = /srv/samba/companydata
browseable = yes
read only = no
[profiles]
# Windows user profiles, Used for/by windows only share.
# Add a $ on the end to hide the share-name.
# By default "Domain users" are allowed to read/write
# https://www.samba.org/samba/docs/current/man-html/vfs_acl_xattr.8.html
# Optional, yes and windows defaults are: no/posix
# acl_xattr:ignore system acls = [yes|no]
# acl_xattr:default acl style = [posix|windows|everyone]
path = /srv/samba/profiles
#map acl inherit = no
browseable = yes
read only = no
[users]
# Samba/Windows User homedirs.
# By default the User (And root/Administrator/Domain Admins) are allowed to read/write
path = /srv/samba/users
browseable = yes
read only = no
[public]
# A public share.
# By default "Domain users" are allowed to read/write
path = /srv/samba/public
browseable = yes
read only = no
root@mbr04:~# cat /etc/nsswitch.conf
# /etc/nsswitch.conf
#
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.
passwd: files winbind systemd
group: files winbind systemd
shadow: files
gshadow: files
hosts: files dns
networks: files
protocols: db files
services: db files
ethers: db files
rpc: db files
netgroup: nis
As you can see, I have tried all variations but it still returns a blank response.
As a reminder, Debian 10, Samba v4.12.5.
Included all reference config files. Does anyone see anything that needs
adjustment?
--
(Sent from home location.)
username Wooden
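
The checks below are an added example, not part of the original thread: `received` shows what `getent` is handed for the quoting forms Rowland lists, and `check_member` reads constructed copies of smb.conf and nsswitch.conf and reports whether winbind is an NSS source and whether `idmap config` lines exist for the `workgroup` value. The function names and the sample file contents are assumptions made here.

```shell
# Added example: offline checks for a winbind domain member.
# Sample file contents are constructed from values quoted in the thread.

# Print one argument exactly as the called program (e.g. getent) receives it.
received() { printf '%s\n' "$1"; }

# Print the value of an smb.conf parameter (last occurrence wins).
smb_param() {  # usage: smb_param FILE 'parameter name'
    sed -n "s/^[[:space:]]*${2}[[:space:]]*=[[:space:]]*//p" "$1" | tail -n 1
}

# List domains named in 'idmap config DOMAIN : ...' lines, excluding '*'.
idmap_domains() {
    sed -n 's/^[[:space:]]*idmap config[[:space:]]*\([^[:space:]:]*\)[[:space:]]*:.*/\1/p' "$1" |
        grep -v '^\*$' | sort -u
}

# Succeed if the nsswitch.conf database ($2) lists winbind as a source.
nss_has_winbind() {
    grep -Eq "^$2:.*[[:space:]]winbind([[:space:]]|\$)" "$1"
}

# Print one finding per line for SMB_CONF ($1) and NSSWITCH_CONF ($2).
check_member() {
    wg=$(smb_param "$1" workgroup)
    doms=$(idmap_domains "$1")
    for db in passwd group; do
        nss_has_winbind "$2" "$db" || echo "nsswitch.conf: $db lacks winbind"
    done
    if [ -n "$doms" ] && ! printf '%s\n' "$doms" | grep -qixF "$wg"; then
        echo "smb.conf: no 'idmap config $wg' lines for the workgroup; found:" $doms
    fi
    [ "$(smb_param "$1" 'winbind enum users')" = yes ] ||
        echo "note: bare 'getent passwd' shows local users only"
}

tmp=$(mktemp -d)
cat > "$tmp/smb.conf" <<'EOF'
    workgroup = DOM
    idmap config * : backend = tdb
    idmap config SUBDOM : backend = ad
    idmap config SUBDOM : range = 10000-999999
    winbind enum users = yes
EOF
printf 'passwd: files winbind systemd\ngroup: files winbind systemd\n' > "$tmp/nsswitch.conf"
received SAMDOM\username      # the shell removes the unquoted backslash
received 'SAMDOM\username'    # single quotes keep it
check_member "$tmp/smb.conf" "$tmp/nsswitch.conf"
```
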