[Samba] Surprising behavior with getent on AD service

Rowland Penny rpenny at samba.org
Wed Jan 18 17:10:55 UTC 2023



On 18/01/2023 16:28, Marc-Henri Pamiseux via samba wrote:
> Hello,
> 
> On the local network, we have installed two separate GNU/Linux servers.
> 
> One runs a 4.14.14-Debian version Samba-AD DC service while the other 
> runs a 4.14.14-Debian version Samba service for file sharing.
> 
> The second is a member of the AD domain.
> 
> On the second one, when I want to show all the accounts defined in AD 
> using the "getent passwd" command, the system returns the identifiers 
> and groups to me.
> 
> On the AD server, I had to rename a user's account but kept their SID 
> and Linux uid (10004 in my case).
> I used the Windows RSAT tools for this.
> Let's say I simply renamed the user1 account to user2.
> 
> On the domain member server, when I invoke the "getent passwd" command, 
> it is indeed the user2 account that is displayed with the identifier 10004.
> 
> On the other hand, on the AD domain controller, the same command "getent 
> passwd" returns me the user1 account with the identifier 10004. I invoke 
> the command "net cache flush" on both servers, but nothing changes.
> 
> Could you please give me a lead on how to restore consistency on these 
> users' accounts?
> 
> Best regards

If you are just running 'getent passwd' and getting a list of users, 
then it sounds like you have set the not recommended 'winbind enum users 
= yes' line in your smb.conf. If you have, I suggest you remove it 
(along with the 'group' one); you do not need it.
Does 'getent passwd user2' produce the correct info?

I suggest you have a look in idmap.ldb on the DC, you might possibly 
find something in there.

By the way 4.14.x is EOL from the Samba point of view.

Rowland
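A small shell diagnostic, added to this archive page and not code from the thread or from Samba, that does the two checks Rowland points at: it looks one account up by name and by uid (targeted lookups, so no 'winbind enum users' is needed) and reports whether both lookups agree, and on the DC it shows the idmap.ldb record for that xidNumber. The idmap.ldb path is assumed to be the Debian default and can be overridden with IDMAP_LDB.

```shell
#!/bin/sh
# Added diagnostic (not from the thread). Assumes the default Debian/Samba
# location of idmap.ldb; override with IDMAP_LDB=/path if yours differs.

# Pure check: given the 'getent passwd <name>' line and the
# 'getent passwd <uid>' line, succeed only when both resolve to the
# same name and the same uid (the name<->uid mapping is consistent).
check_mapping() {
    by_name="$1"
    by_uid="$2"
    [ -n "$by_name" ] && [ -n "$by_uid" ] || return 1
    [ "$(printf '%s' "$by_name" | cut -d: -f1)" = "$(printf '%s' "$by_uid" | cut -d: -f1)" ] &&
    [ "$(printf '%s' "$by_name" | cut -d: -f3)" = "$(printf '%s' "$by_uid" | cut -d: -f3)" ]
}

# Live check on this host: two targeted lookups instead of enumerating everything.
live_check() {
    name="$1"; uid="$2"
    if check_mapping "$(getent passwd "$name")" "$(getent passwd "$uid")"; then
        echo "OK: $name <-> uid $uid agree on $(hostname)"
    else
        echo "MISMATCH on $(hostname):"
        echo "  by name: $(getent passwd "$name")"
        echo "  by uid : $(getent passwd "$uid")"
        return 1
    fi
}

# On the DC only: show what idmap.ldb stores for that xidNumber (run as root).
idmap_lookup() {
    db="${IDMAP_LDB:-/var/lib/samba/private/idmap.ldb}"
    [ -r "$db" ] || { echo "cannot read $db (run on the DC as root)" >&2; return 2; }
    ldbsearch -H "$db" "(xidNumber=$1)" cn objectSid xidNumber type
}

# Usage: sh check_mapping.sh user2 10004   (run on each server and compare)
[ $# -eq 2 ] && { live_check "$1" "$2"; idmap_lookup "$2"; }
```

On the domain member the lookup is answered by winbind's own idmap backend, not the DC's idmap.ldb, so idmap_lookup is only meaningful on the DC; a MISMATCH on the DC alongside an OK on the member is the inconsistency described in the question.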