[Samba] List of users seems truncated or incomplete in file server member of an Active Directory Domain

David PAUGAM David.Paugam at genavir.fr
Fri Mar 12 08:12:41 UTC 2021


Sorry, I first replied to your personal address...

> Thank you Rowland for your new reply!
>
> I checked several things:
>
>   * created a new user in Active Directory, as the exact copy (but the
>     names) of an account which I can find through "getent passwd
>     myNewUser"
>       o it is not retrieved in "getent"
>   * Samba is 4.9.5
>   * Active Directory servers are W2012 and 2016
>
>
> Then I tried a few things and checked each modification of the conf 
> with the 2 commands
>
>   * wbinfo -u |wc -l
>   * getent passwd |wc -l
>
> They give the number of lines, so the number of accounts.
> When I get problems, the first one returns around 3400, the second one 
> around 1140.
> When everything seems fine the 2 numbers are very close. The 
> difference should be the local accounts.
>
>
> Then, I unwillingly made a mistake in smb.conf and it worked!! The 2 
> previous commands returned the good numbers!
>
> Surprisingly, the conf seemed to work when the idmap Domain name is 
> wrong...
>
> Here is the "working" smb.conf, which must be wrong. And this time, 
> the mistake is done intentionally ;-)
>
> [global]
>         workgroup=MYDOM
>         security=ads
>         realm=MYDOM.FR
>         winbind enum users=yes
>         winbind enum groups=yes
>         winbind use default domain=yes
>    idmap config * : backend = tdb
>    idmap config * : range = 3000-7999
>
> #Here are the "bad" lines / bad domain, which actually solved the "getent passwd"
>
>    idmap config WRONGDOM : backend = rid
>    idmap config WRONGDOM : range = 10000-999999
>
> template homedir = /home/%U
> template shell = /bin/bash
> dedicated keytab file = /etc/krb5.keytab
> kerberos method = secrets and keytab
> winbind refresh tickets = Yes
>
> Is there an explanation to this behaviour?
>
> Is there a way to check the way rid works?
>
> Thanks,
>
> David
>
>
>
> Le 11/03/2021 à 10:02, Rowland penny via samba a écrit :
>> On 11/03/2021 08:29, David PAUGAM via samba wrote:
>>> Hello Rowland,
>>>
>>> sorry, I tried - and failed :-) - to mask the domain from the conf.
>>>
>>> So, IFR is the name, and MYDOM a try to hide it...
>>
>>
>> Sort of thought that was what was going on.
>>
>>>
>>> What do you mean by "Also, how are the usernames truncated ?"
>>
>>
>> Sorry, I read it one way and you meant it another 😁
>>
>> You meant that you get a shortened list of users, I read it as you 
>> get shortened usernames 😅
>>
>> You are using the winbind 'rid' backend, so the ID's are calculated 
>> with this formula:
>>
>> ID = RID + LOW_RANGE_ID
>>
>> Which in your case, would be:
>>
>> ID = RID + 30000
>>
>> This means that any RID's larger than 969999 would be ignored, but 
>> this is such a large number that I don't think this is your problem.
>>
>> As you are using Debian buster, I take it you are using Samba 4.9.5 
>> but what is the DC ? not that this should matter.
>>
>> If 'user1' is shown by getent, but 'user2' isn't, then I would 
>> suggest comparing the two user objects in AD.
>>
>> Rowland
>>
>>
>>
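
The formula quoted above (ID = RID + LOW_RANGE_ID) and the per-domain "idmap config" selection, as an added example that is not part of the original thread and is not Samba's own code. The function names are hypothetical, and the MYDOM range 30000-999999 is an assumption derived from the figures in Rowland's reply (low end 30000, largest usable RID 969999).

```python
import re

# Constructed smb.conf fragment; the MYDOM range is an assumption (see lead-in).
SAMPLE_CONF = """
[global]
    idmap config * : backend = tdb
    idmap config * : range = 3000-7999
    idmap config MYDOM : backend = rid
    idmap config MYDOM : range = 30000-999999
"""

IDMAP_RE = re.compile(
    r"^\s*idmap config\s+(\S+)\s*:\s*(backend|range)\s*=\s*(\S+)\s*$", re.I)

def parse_idmap(conf_text):
    """Return {domain: {"backend": str, "range": (low, high)}} from smb.conf text."""
    domains = {}
    for line in conf_text.splitlines():
        m = IDMAP_RE.match(line)
        if not m:
            continue
        domain, key, value = m.group(1).upper(), m.group(2).lower(), m.group(3)
        entry = domains.setdefault(domain, {})
        if key == "range":
            low, high = value.split("-")
            entry["range"] = (int(low), int(high))
        else:
            entry["backend"] = value
    return domains

def effective_config(domains, domain):
    """A domain with no 'idmap config' lines of its own uses the '*' default."""
    name = domain.upper()
    return (name, domains[name]) if name in domains else ("*", domains["*"])

def rid_to_id(rid, id_range):
    """ID = RID + LOW_RANGE_ID; None when the result exceeds the top of the range."""
    low, high = id_range
    mapped = rid + low
    return mapped if mapped <= high else None

def max_mappable_rid(id_range):
    """Largest RID that still lands inside the configured range."""
    low, high = id_range
    return high - low
```

Feeding the smb.conf text of a member server to parse_idmap and calling effective_config with the workgroup name shows which backend and range that domain name actually selects.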

