[Samba] finger command with winbind / Linux

Rowland penny rpenny at samba.org
Fri Apr 16 19:13:10 UTC 2021


On 16/04/2021 19:57, Jason Keltz via samba wrote:
>
> On 4/16/2021 2:27 PM, Rowland penny via samba wrote:
>> On 16/04/2021 17:54, Jason Keltz via samba wrote:
>>> Hi.
>>>
>>> A question about using the "finger" command under Linux when using 
>>> winbind nss backend.
>>>
>>> When users were in /etc/passwd, and I would do:
>>>
>>> finger <first name of user> or
>>>
>>> finger <last name of user>
>>>
>>> I would get back all entries from /etc/passwd with that first name 
>>> or last name matching my spec.
>>>
>>> With winbind in place, finger works, but only if I specify a full 
>>> username.  It doesn't find users based on their name field.
>>>
>>> The truth is, I only set "displayname" to the full name, and that 
>>> may be the issue because if I do finger "jas", the "Name:" field 
>>> from finger is blank.
>>>
>>> However, if I edit my user record under AD and set "gecos: Jason 
>>> Keltz", then finger "jas" now shows my full name under "Name:" 
>>> field, but I still can't search by "Jason" or "Keltz".
>>>
>>> Any thoughts?
>>>
>>> Jason.
>>>
>>>
>>
>> Yes, that's the way 'finger' works against AD, but you can get 
>> virtually the same info with getent, the only things missing are the 
>> uptime and last login.
>>
>> The question has to be, why are you using 'finger' ?
>
>
> Hi Rowland,
>
> I rarely use the finger command, but many users do use it, and I just 
> received a question about that today, so I was investigating.
>
> To my knowledge, getent doesn't allow a user to do a lookup based on a 
> first or last name... Does it?
>
> I wonder why finger behaves this way with AD.
>
> Jason.
>
>

No, getent only uses the login name to search, but it probably uses the 
same backend code (glibc ?). The problem is that 'gecos' isn't standard 
in AD (as you have found) and you cannot rely on the cn in AD being in 
the form 'Fred Bloggs', it could just be 'fred'.

Unless you are prepared to add the gecos to all users in AD, my best 
advice would be to tell your users to stop using 'finger'. Find out why 
your users are using 'finger', what information do they need ? Then 
write your own script to search in AD to supply this (hint: use 
ldbsearch with the machine password '-P')

Rowland
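
A sketch of the kind of script suggested above, as an added example that is not part of the original message: it searches AD by any part of a name using ldbsearch with the machine password (-P). The function names, the AD_DC and AD_BASE placeholder values, and the choice of attributes to match are assumptions; the search term is escaped per RFC 4515 so that user input cannot alter the filter that runs with the machine account's credentials.

```shell
#!/bin/sh
# Added example: name search against AD in place of 'finger <name>'.
# AD_DC and AD_BASE are placeholders; set them for your own domain.

# Escape LDAP filter metacharacters (RFC 4515). Backslash must go first.
ldap_escape() {
    printf '%s' "$1" | sed -e 's/\\/\\5c/g' -e 's/\*/\\2a/g' \
                           -e 's/(/\\28/g'  -e 's/)/\\29/g'
}

# Build a substring filter over the name-like attributes of user objects.
ad_name_filter() {
    v=$(ldap_escape "$1")
    printf '(&(objectClass=user)(|(displayName=*%s*)(gecos=*%s*)(cn=*%s*)(givenName=*%s*)(sn=*%s*)))' \
        "$v" "$v" "$v" "$v" "$v"
}

# Run the search on a domain-joined host that can read the machine secret.
ad_finger() {
    # Refuse an empty term: it would turn every clause into a match-all.
    [ -n "$1" ] || { echo "usage: ad_finger NAME" >&2; return 2; }
    ldbsearch -H "ldap://${AD_DC:-dc1.example.com}" -P \
        -b "${AD_BASE:-dc=example,dc=com}" \
        "$(ad_name_filter "$1")" sAMAccountName displayName gecos
}
```

Source the file and call, for example, ad_finger Keltz; the result lists the login name, displayName and gecos of every matching user.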