[Samba] wbinfo work getent passwd does

basti mailinglist at unix-solution.de
Wed Apr 21 14:30:28 UTC 2021



On 21.04.21 16:14, Rowland penny via samba wrote:
> On 21/04/2021 14:10, basti via samba wrote:
>>
>>
>> On 14.04.21 15:24, Rowland penny via samba wrote:
>>> On 14/04/2021 14:05, basti via samba wrote:
>>>>
>>>>
>>>> Yes, the uid=100 is seen on the AD DC.
>>>> On a DC in another domain, upgraded from NT4, it looks like:
>>>> gid=30000(BUILTIN\users) groups=30000(BUILTIN\users)
>>>
>>>
>>> I would suggest you remove that gidNumber from 'dn: 
>>> CN=Users,CN=Builtin,.......'
>>>
>>>>
>>>> Sorry, my greylister delayed your message.
>>>> Yes, all users have:
>>>>
>>>> - uidNumber
>>>> - gidNumber
>>>
>>>
>>> Yes, but are they in the range you set in smb.conf for the DOMAIN ?
>>>
>>>>
>>>>>
>>>>> You could try changing these lines:
>>>>>
>>>>>    idmap config SAMDOM:backend = ad
>>>>>    idmap config SAMDOM:schema_mode = rfc2307
>>>>>    idmap config SAMDOM:range = 7000-20000
>>>>> For these:
>>>>>
>>>>>    idmap config SAMDOM:backend = rid
>>>>>    idmap config SAMDOM:range = 7000-20000
>>>>>
>>>>> Restart Samba and see if 'getent passwd A_USERNAME' works, replace 
>>>>> A_USERNAME with a valid AD user.
>>>>
>>>> For now it works; I do not understand what the problem was before.
>>>
>>>
>>> If it works with the 'rid' backend, then your range for the 'ad' 
>>> backend does not match the uidNumber & gidNumber attributes in AD.
>>>
>>> Rowland
>>>
>>>
>>>
>>>
>>
>> getent passwd does not work anymore;
>> wbinfo shows domain users.
>>
>> On the DC:
>>
>> dc1:~# getent passwd user1
>> NET\user1:*:7101:100::/home/NET/user1:/bin/false
> 
> 
> Let's start by trying to find out where that '100' is coming from, a
> similar command on my DC produces:
> 
> SAMDOM\rowland:*:10000:10000::/home/SAMDOM/rowland:/bin/false
> 
> The second '10000' is the uidNumber for Domain Users.
> 
> Can you run the following two commands on your DC and post the output 
> (sanitised if required).
> 
> ldbsearch -H ldap://$(hostname -s) '(&(objectCategory=person)(objectClass=user)(sAMAccountName=user1))' -P
> 
> ldbsearch -H ldap://$(hostname -s) '(&(objectCategory=group)(cn=Domain Users))' -P
> 
> Rowland
> 
> 
> 

In an earlier post I also asked where the 100 comes from.
On another DC in another domain I get gid=30000.

I guess the 100 comes from /etc/group, but I don't know why.


dc1:~# ldbsearch -H ldap://$(hostname -s) '(&(objectCategory=person)(objectClass=user)(sAMAccountName=user1))' -P
# record 1
dn: CN=user1,CN=Users,DC=samdom,DC=example,DC=com
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: user1
sn: test
givenName: ius
instanceType: 4
whenCreated: 20210414090625.0Z
displayName: user1
uSNCreated: 2377054
name: user1
objectGUID: 76a31f75-e895-4a43-a98c-5d7e57004fc3
badPwdCount: 0
codePage: 0
countryCode: 0
badPasswordTime: 0
lastLogoff: 0
primaryGroupID: 513
objectSid: S-1-5-21-1732978637-3172972945-805327809-1219
accountExpires: 9223372036854775807
sAMAccountName: user1
sAMAccountType: 805306368
userPrincipalName: user1 at samdom.example.de
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=samdom,DC=example
  ,DC=com
pwdLastSet: 132628647852952750
userAccountControl: 66048
lastLogonTimestamp: 132628648073330090
uidNumber: 7099
whenChanged: 20210414095625.0Z
uSNChanged: 2379089
msSFU30Name: samdom
lastLogon: 132634869922418970
logonCount: 13
distinguishedName: CN=user1,CN=Users,DC=samdom,DC=example,DC=com

# Referral
ref: ldap://samdom.example.de/CN=Configuration,DC=samdom,DC=example,DC=com

# Referral
ref: ldap://samdom.example.de/DC=DomainDnsZones,DC=samdom,DC=example,DC=com

# Referral
ref: ldap://samdom.example.de/DC=ForestDnsZones,DC=samdom,DC=example,DC=com

# returned 4 records
# 1 entries
# 3 referrals



dc1:~# ldbsearch -H ldap://$(hostname -s) '(&(objectCategory=group)(cn=Domain Users))' -P
# record 1
dn: CN=Domain Users,CN=Users,DC=samdom,DC=example,DC=com
objectClass: top
objectClass: group
cn: Domain Users
description: All domain users
instanceType: 4
whenCreated: 20200116093420.0Z
whenChanged: 20200116093420.0Z
uSNCreated: 3622
uSNChanged: 3622
name: Domain Users
objectGUID: a37f673e-fe36-4a84-a748-9de66aba51ff
objectSid: S-1-5-21-1732978637-3172972945-805327809-513
sAMAccountName: Domain Users
sAMAccountType: 268435456
groupType: -2147483646
objectCategory: CN=Group,CN=Schema,CN=Configuration,DC=samdom,DC=example,
  DC=com
isCriticalSystemObject: TRUE
memberOf: CN=Users,CN=Builtin,DC=samdom,DC=example,DC=com
distinguishedName: CN=Domain Users,CN=Users,DC=samdom,DC=example,DC=com

# Referral
ref: ldap://samdom.example.com/CN=Configuration,DC=samdom,DC=example,DC=com

# Referral
ref: ldap://samdom.example.com/DC=DomainDnsZones,DC=samdom,DC=example,DC=com

# Referral
ref: ldap://samdom.example.com/DC=ForestDnsZones,DC=samdom,DC=example,DC=com

# returned 4 records
# 1 entries
# 3 referrals
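
An added example, not part of the original message or of Samba itself: a shell function that reads `ldbsearch` output like the two dumps above and reports, per record, whether the ID attribute is present and inside the idmap range discussed in the thread (7000-20000). It assumes the rfc2307 convention that users are mapped from uidNumber and groups from gidNumber; the function names `check_idmap_range` and `sample_records` are hypothetical, and the sample input is trimmed from the output posted above.

```shell
#!/bin/sh
# Usage: ldbsearch ... | check_idmap_range LOW HIGH
# Prints "<sAMAccountName> <attr>=<value or -> <OK|MISSING|OUT_OF_RANGE>" per record
# and returns non-zero if any record is not OK.
check_idmap_range() {
    awk -v low="$1" -v high="$2" '
    function emit(   attr, val) {
        if (name == "") return                # referral block or empty block
        attr = is_group ? "gidNumber" : "uidNumber"
        val  = is_group ? gid : uid
        if (val == "") status = "MISSING"
        else if (val + 0 < low + 0 || val + 0 > high + 0) status = "OUT_OF_RANGE"
        else status = "OK"
        printf "%s %s=%s %s\n", name, attr, (val == "" ? "-" : val), status
        if (status != "OK") bad = 1
    }
    function clear() { name = ""; uid = ""; gid = ""; is_group = 0 }
    /^[ #]/ { next }                          # folded continuation lines and comments
    /^$/    { emit(); clear(); next }         # a blank line ends a record
    /^sAMAccountName: /    { name = substr($0, 17) }
    /^objectClass: group$/ { is_group = 1 }
    /^uidNumber: /         { uid = $2 }
    /^gidNumber: /         { gid = $2 }
    END { emit(); exit bad + 0 }
    '
}

# Sample input: the two records from the message above, trimmed to the
# attributes the check reads (plus one folded line to show it is skipped).
sample_records() {
    cat <<'EOF'
# record 1
dn: CN=user1,CN=Users,DC=samdom,DC=example,DC=com
objectClass: user
sAMAccountName: user1
uidNumber: 7099

# record 1
dn: CN=Domain Users,CN=Users,DC=samdom,DC=example,DC=com
objectClass: group
sAMAccountName: Domain Users
objectCategory: CN=Group,CN=Schema,CN=Configuration,DC=samdom,DC=example,
  DC=com
EOF
}
```

Run as `sample_records | check_idmap_range 7000 20000`, or pipe the real `ldbsearch` output into it.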




