[Samba] Getent doesn't show AD users/groups

Rowland Penny rpenny at samba.org
Tue Dec 15 10:01:25 UTC 2020


On 15/12/2020 09:37, Alex Orlov via samba wrote:
> Hello all,
>   
> I have a problem with getent passwd/group. When I do
>   
> $getent passwd administrator
> administrator:*:0:100::/home/MYDOM/administrator:/bin/false
>   
> however, when I do
> $getent passwd
> I don’t get administrator in the command output.  The same I have with groups. Because of this,
> as I understand, I can’t change folder group in mc — groups from AD are not listed there.
> I used samba4 before and I could easily change folder group in mc, but now I can’t. Could anyone help?

You shouldn't be using a DC as a fileserver; it really isn't recommended.

It doesn't matter that 'getent passwd' doesn't show Administrator and 
'getent passwd Administrator' does, because you should not be using 
Administrator on Unix. Administrator is for use on Windows and you use 
'root' on Unix. If you look closely at the output of 'getent passwd 
Administrator', you will see that the Unix ID for Administrator is '0', 
which is the same Unix ID that 'root' uses, i.e. Administrator is mapped 
to the Unix user 'root'.

>
> nsswitch.conf
> passwd:         compat winbind
> group:          compat winbind
> shadow:         compat winbind
You should not add winbind to the shadow line in /etc/nsswitch.conf
> gshadow:        files
>
> smb.conf
> [global]
>      workgroup = ..
>      realm = ...
>      netbios name = ...
>      server role = active directory domain controller
>      dns forwarder = ...
>      idmap_ldb:use rfc2307 = yes
>      bind interfaces only = yes
>      interfaces = eth0
>      hosts allow = ...
>      hosts deny = 0.0.0.0/0
>      winbind enum users = yes
>      winbind enum groups = yes
>      winbind use default domain = yes
I would remove the winbind lines, the 'enum' ones just slow things down 
and are not required, the last one does nothing on a DC.

Rowland
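
A small check for the two changes suggested in the reply above, as an added example that is not part of the original message. The function names and sample files are constructed, and it assumes the plain `key = value` layout quoted in the thread.

```shell
#!/bin/sh
# Added example; function names and sample files are constructed.

# Report 'winbind' on the shadow line of an nsswitch.conf-style file.
audit_nsswitch() {
    awk '/^[ \t]*#/ { next }
         $1 == "shadow:" { for (i = 2; i <= NF; i++) if ($i == "winbind") hit = 1 }
         END { if (hit) print "nsswitch: remove winbind from shadow line" }' "$1"
}

# On a DC, report the winbind lines in [global] that the reply says to remove.
audit_smbconf() {
    awk -F= '
        function trim(s) { gsub(/^[ \t]+|[ \t]+$/, "", s); return s }
        /^[ \t]*[#;]/ { next }
        /^[ \t]*\[/   { section = tolower(trim($0)); next }
        section == "[global]" && NF >= 2 {
            key = tolower(trim($1)); gsub(/[ \t]+/, " ", key)
            val = tolower(trim($2))
            if (key == "server role" && val == "active directory domain controller") dc = 1
            if (key ~ /^winbind (enum users|enum groups|use default domain)$/) found[++n] = key
        }
        END { if (dc) for (i = 1; i <= n; i++) print "smb.conf: remove " found[i] }' "$1"
}

# Constructed sample input mirroring the configuration quoted in the thread.
demo() {
    dir=$(mktemp -d) || return 1
    printf '%s\n' 'passwd: compat winbind' 'group: compat winbind' \
        'shadow: compat winbind' 'gshadow: files' > "$dir/nsswitch.conf"
    printf '%s\n' '[global]' \
        '    server role = active directory domain controller' \
        '    idmap_ldb:use rfc2307 = yes' \
        '    winbind enum users = yes' \
        '    winbind enum groups = yes' \
        '    winbind use default domain = yes' > "$dir/smb.conf"
    audit_nsswitch "$dir/nsswitch.conf"
    audit_smbconf "$dir/smb.conf"
    rm -rf "$dir"
}

demo
```

On a real host, point the two functions at /etc/nsswitch.conf and the smb.conf in use; no output means neither finding applies.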





