[Samba] getent not returning users/groups
gregs at sloop.net
Mon Feb 28 00:11:45 UTC 2022
> Right, the wiki describes how to have Samba assign unix IDs for use within __just samba__. There are segregated pages that describe each different storage backend.
RID and AD both provide ID's inside a *nix domain member.
> The AD backend is the only way to ensure you have the same exact Unix UIDs and GIDs in use on all domain.
> The other two methods are both ways of having samba automatically assign those IDs and store them locally.
> However, that's not the current topic.
> What is the _correct_ way of exposing the users defined in the AD to unix systems? I'm confused on that, and others are too.
> Someone I expect knows much more about samba than I do has stated that winbind enum is incorrect for exposing that user and group list to NSS services (so that they're shown with getent passwd and getent group; as well as any programs that want to validate usernames / etc): So what should I and others do instead?
I'm not going to get into the weeds here.
RID and AD *BOTH* *expose* all the users to *nix.
RID does so automagically, and as long as in the samba config, the ID ranges are defined identically, then the ID's will be the same across all unix member servers.
[quoting: User and group IDs are only the same on other domain members using the rid back end, if the same ID ranges are configured for the domain.]
(Again, there's detail in the Wiki that's important, and I'm afraid I'll forget some detail and get excoriated as "wrong.")
AD does this *IF* you manually assign unique ID's to all users and groups. (and if I understand it correctly, by suppressing/not-providing an ID for a particular user/group, you can suppress it from appearing as a user/group on Unix domain members. This is something you can not do with RID.)
All I care about is a mainly Windows environment, so would be unsurprised if there's some detail about *nix I've got wrong.
But RID absolutely DOES enumerate the AD ID's inside, for example, Ubuntu, just fine - without needing to manually assign ID's using the AD back end.
And those are consistent across multiple members, as the wiki notes "if the same ID ranges are configured for the domain."
But the gist here is that your warning that I had to assign ID's when I'm using the RID back-end to get the users/groups to show up using getent is simply incorrect.
If I'd been using AD, then I _would_ have to assign them in the AD records.
I'm not going to go further - as I'm getting outside of what I'm fairly confident I know.
If you want to debate this more, it will have to be with someone else.
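
An added example, not part of the original post: a Python check that two domain members' smb.conf files configure the same rid range, using the mapping documented in idmap_rid(8) (ID = RID - BASE_RID + LOW_RANGE_ID). The domain name SAMDOM, the ranges and RID 1105 are constructed sample values.

```python
import configparser
import re

# Constructed smb.conf fragments for two domain members; SAMDOM and the
# ranges are placeholder values, not taken from the thread.
MEMBER_A = """
[global]
security = ads
workgroup = SAMDOM
idmap config * : backend = tdb
idmap config * : range = 3000-7999
idmap config SAMDOM : backend = rid
idmap config SAMDOM : range = 10000-999999
"""
MEMBER_B = MEMBER_A.replace("10000-999999", "20000-999999")  # drifted range

def idmap_settings(conf_text):
    """Return {DOMAIN: {'backend': str, 'range': (low, high)}} from [global]."""
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None)
    cp.read_string(conf_text)
    settings = {}
    for key, value in cp["global"].items():
        m = re.fullmatch(r"idmap config\s+(\S+)\s*:\s*(backend|range)", key)
        if not m:
            continue
        domain, option = m.group(1).upper(), m.group(2)
        if option == "range":
            low, high = value.split("-")
            value = (int(low), int(high))
        settings.setdefault(domain, {})[option] = value
    return settings

def rid_to_unix_id(rid, id_range, base_rid=0):
    """idmap_rid(8): ID = RID - BASE_RID + LOW_RANGE_ID, or None if out of range."""
    low, high = id_range
    unix_id = rid - base_rid + low
    return unix_id if low <= unix_id <= high else None

def rid_range_mismatches(conf_a, conf_b):
    """Domains using the rid backend whose ranges differ between two members."""
    a, b = idmap_settings(conf_a), idmap_settings(conf_b)
    return sorted(d for d in a.keys() & b.keys()
                  if "rid" in (a[d].get("backend"), b[d].get("backend"))
                  and a[d].get("range") != b[d].get("range"))

if __name__ == "__main__":
    for name, conf in (("A", MEMBER_A), ("B", MEMBER_B)):
        rng = idmap_settings(conf)["SAMDOM"]["range"]
        print(name, rid_to_unix_id(1105, rng))  # RID 1105 is a constructed sample
    print("mismatched:", rid_range_mismatches(MEMBER_A, MEMBER_B))
```

With mismatched ranges the same AD account maps to different Unix IDs on each member, so file ownership on shared storage no longer lines up between them.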