[Samba] Surprising behavior with getent on AD service

Marc-Henri Pamiseux marc-henri.pamiseux at libricks.org
Wed Jan 18 21:12:00 UTC 2023


Hi Rowland,

I'm really happy to talk to you again (the last time was a long time ago).

For production issues, I can't change these settings at the moment, but 
I will soon.

On the file server, the command "getent passwd user2" gives me the 
correct information about user2.
But on the AD server, the command "getent passwd user2" still gives me 
information about user1.

I know 4.14 is outdated, but I can't afford to update. In this network, 
we still have 2 Apple computers (MacOS 10.5) that authenticate via the 
NT1 scheme.

Best regards,
-- 
Marc-Henri Pamiseux - SARL Libricks - www.libricks.fr


Le 18/01/2023 à 18:10, Rowland Penny via samba a écrit :
> 
> 
> On 18/01/2023 16:28, Marc-Henri Pamiseux via samba wrote:
>> Hello,
>>
>> On the local network, we have installed two separate GNU/Linux servers.
>>
>> One runs a 4.14.14-Debian version Samba-AD DC service while the other 
>> runs a 4.14.14-Debian version Samba service for file sharing.
>>
>> The second is a member of the AD domain.
>>
>> On the second one, when I want to show all the accounts defined in AD 
>> using the "getent passwd" command, the system returns the identifiers 
>> and groups to me.
>>
>> On the AD server, I had to rename a user's account but kept their SID 
>> and Linux uid (10004 in my case).
>> I used the Windows RSAT tools for this.
>> Let's say I simply renamed the user1 account to user2.
>>
>> On the domain member server, when I invoke the "getent passwd" 
>> command, it is indeed the user2 account that is displayed with the 
>> identifier 10004.
>>
>> On the other hand, on the AD domain controller, the same command 
>> "getent passwd" returns me the user1 account with the identifier 
>> 10004. I invoke the command "net cache flush" on both servers, but 
>> nothing changes.
>>
>> Could you please give me a lead on how to restore consistency on 
>> these user accounts?
>>
>> Best regards
> 
> If you are just running 'getent passwd' and getting a list of users, 
> then it sounds like you have set the not recommended 'winbind enum users 
> = yes' line in your smb.conf, if you have, I suggest you remove it 
> (along with the 'group' one), you do not need it.
> Does 'getent passwd user2' produce the correct info ?
> 
> I suggest you have a look in idmap.ldb on the DC, you might possibly 
> find something in there.
> 
> By the way 4.14.x is EOL from the Samba point of view.
> 
> Rowland
> 
> 
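Added example, not from any of the posters in this thread: a small POSIX shell check for the inconsistency described above, where the same uid resolves to different account names on the DC and on the domain member. It works on the text of `getent passwd`, so captured output from each host can be compared offline. The sample lines are constructed to mirror the thread (uid 10004 renamed from user1 to user2); the realm name EXAMPLE, the home paths, the DC hostname and the Debian idmap.ldb path in the comments are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): detect a uid that resolves to
# different account names on the DC and on the domain member, using the
# text of 'getent passwd' from each host.

# getent_name_for_uid LINES UID
# Prints the account name whose third (uid) field equals UID, or nothing.
getent_name_for_uid() {
    printf '%s\n' "$1" | awk -F: -v uid="$2" '$3 == uid { print $1; exit }'
}

# compare_uid_owner DC_LINES MEMBER_LINES UID
# Returns 0 when both hosts map UID to the same name, 1 otherwise.
compare_uid_owner() {
    dc_name=$(getent_name_for_uid "$1" "$3")
    member_name=$(getent_name_for_uid "$2" "$3")
    if [ -n "$dc_name" ] && [ "$dc_name" = "$member_name" ]; then
        echo "uid $3: consistent ($dc_name)"
        return 0
    fi
    echo "uid $3: DC resolves to '${dc_name:-<none>}', member resolves to '${member_name:-<none>}'" >&2
    return 1
}

# Constructed sample output, one line per host (realm and paths assumed).
DC_SAMPLE='user1:*:10004:10000:User One:/home/EXAMPLE/user1:/bin/false'
MEMBER_SAMPLE='user2:*:10004:10000:User Two:/home/EXAMPLE/user2:/bin/false'

# Stand-alone demonstration: reports the mismatch on stderr.
compare_uid_owner "$DC_SAMPLE" "$MEMBER_SAMPLE" 10004 || :

# On the real hosts the same check would be (dc.example.test is assumed):
#   compare_uid_owner "$(ssh dc.example.test getent passwd user2 user1)" \
#                     "$(getent passwd user2 user1)" 10004
# To see what the DC's idmap.ldb holds for that xid, as suggested above
# (path as on Debian, assumed):
#   ldbsearch -H /var/lib/samba/private/idmap.ldb '(xidNumber=10004)'
```

Run it on the member with `getent passwd` output captured from the DC in the first argument; a non-zero exit means the two hosts disagree about who owns the uid.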