
[Samba] getent only displays local users & groups


Henry via samba
Nov 23, 2016, 10:20:03 PM

I have read numerous posts regarding this issue without finding a
resolution. I have a fresh Samba AD DC & a Samba member server. The
member server has been set up using idmap config ad.

wbinfo -u & wbinfo -g both work and list the domain users & groups.
getent passwd & getent group both only display the local member server
users and groups.

From what I have read I understand getent passwd & getent group should
display the domain users & groups. "getent passwd administrator"
returns nothing.

Any help would be greatly appreciated...

root@ares:/# cat /etc/samba/smb.conf
# Global parameters
[global]
workgroup = SAMDOM
realm = INT.SAMDOM.COM.AU
netbios name = ARES
server role = active directory domain controller
dns forwarder = 192.168.1.254
idmap_ldb:use rfc2307 = yes

[netlogon]
path = /var/lib/samba/sysvol/int.samdom.com.au/scripts
read only = No

[sysvol]
path = /var/lib/samba/sysvol
read only = No

root@aphrodite:/# cat /etc/samba/smb.conf
[global]
security = ADS
workgroup = SAMDOM
realm = INT.SAMDOM.COM.AU

log file = /var/log/samba/%m.log
log level = 1

# Default idmap config used for BUILTIN and local windows accounts/groups
idmap config *:backend = tdb
idmap config *:range = 2000-9999

# idmap config for domain SAMDOM
idmap config SAMDOM:backend = ad
idmap config SAMDOM:schema_mode = rfc2307
idmap config SAMDOM:range = 10000-99999

# Use settings from AD for login shell and home directory
winbind nss info = rfc2307

root@aphrodite:/# cat /etc/nsswitch.conf
# /etc/nsswitch.conf
#
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.

#passwd: compat
passwd: files winbind
#group: compat
group: files winbind
shadow: compat
gshadow: files

hosts: files dns
networks: files

protocols: db files
services: db files
ethers: db files
rpc: db files

netgroup: nis

--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba

Alex Crow via samba
Nov 24, 2016, 2:00:03 AM

Getent will only show accounts with a uidNumber and gidNumber. Administrator in a new install does not have these.

Sent from my android device.



Rowland Penny via samba
Nov 24, 2016, 3:30:03 AM

It sounds likely you have made the same assumption that a lot of
people make: you assume that by adding the 'idmap config' lines to
smb.conf, you will get users & groups shown by 'getent'.
It's not that simple, you need to give your users a 'uidNumber'
attribute containing a unique number inside the range '10000-99999'.
You will also need to give 'Domain Users' a 'gidNumber' containing a
number inside the same range.
Do not give Administrator a 'uidNumber'; use a user.map instead, add
this to smb.conf on the domain member:

username map = /etc/samba/user.map

Then create /etc/samba/user.map containing this:

!root = SAMDOM\Administrator SAMDOM\administrator Administrator administrator

Restart Samba and Administrator will now be mapped to the Unix user
'root'.

Rowland
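As an added illustration of how a 'username map' file is applied (example code written for this page, not Samba's own code or anything the poster ran), the script below resolves a Windows name to the Unix account it ends up as, following the rules in smb.conf(5): each line has the form "unixname = winname1 winname2 ...", lines are tried in order against the current name, and a leading '!' stops processing after a line that mapped something. The user.map contents are constructed for the example, and case-insensitive comparison of the Windows names is an assumption made here. The name is passed through the environment rather than 'awk -v', because -v expands backslash escapes and would mangle DOMAIN\user names, the same class of backslash problem that shows up later in this thread with 'getent passwd SAMDOM\\henry'.

```shell
#!/bin/sh
# Added example, not code from the thread or from Samba: resolve which Unix
# account a Windows name maps to under a Samba 'username map' file.
# Case-insensitive matching of the Windows names is an assumption here.

USERMAP=$(mktemp)
# Constructed user.map modelled on the one in the reply (not the poster's file)
cat > "$USERMAP" <<'EOF'
# Windows Administrator becomes root on this member server
!root = SAMDOM\Administrator SAMDOM\administrator Administrator administrator
svc-backup = SAMDOM\backupsvc
EOF

# map_user NAME FILE -> prints the Unix name NAME maps to, or NAME itself if
# no line matches (smbd leaves unmapped names alone). NAME goes in via the
# environment: 'awk -v' would interpret the backslash in DOMAIN\user.
map_user() {
    MAP_WANT="$1" awk '
        BEGIN { cur = ENVIRON["MAP_WANT"] }
        /^[ \t]*$/ { next }                      # blank line
        /^[ \t]*[#;]/ { next }                   # comment line
        {
            line = $0
            stop = (line ~ /^[ \t]*!/)           # "!" prefix: stop after a hit
            sub(/^[ \t]*!?[ \t]*/, "", line)
            eq = index(line, "=")
            if (eq == 0) next                    # malformed line, ignore it
            uname = substr(line, 1, eq - 1); gsub(/[ \t]/, "", uname)
            n = split(substr(line, eq + 1), names, /[ \t]+/)
            hit = 0
            for (i = 1; i <= n; i++)
                if (names[i] != "" && tolower(names[i]) == tolower(cur)) {
                    cur = uname; hit = 1; break  # later lines see the new name
                }
            if (hit && stop) exit
        }
        END { print cur }' "$2"
}

# maps_to_root NAME FILE -> true when NAME resolves to the Unix user root
maps_to_root() {
    [ "$(map_user "$1" "$2")" = "root" ]
}

map_user 'SAMDOM\Administrator' "$USERMAP"   # root
map_user 'administrator' "$USERMAP"          # root
map_user 'SAMDOM\henry' "$USERMAP"           # SAMDOM\henry, unmapped
```

Run it as plain sh; the three calls at the bottom show the two spellings of Administrator collapsing to root while an ordinary domain user passes through untouched, which is why the reply says not to give Administrator a uidNumber at all.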

Micha Ballmann via samba
Nov 24, 2016, 11:20:04 AM

Did you install libnss-ldap ?

Best regards

Rowland Penny via samba
Nov 24, 2016, 4:10:03 PM

On Fri, 25 Nov 2016 07:45:06 +1100
Henry <der...@gmail.com> wrote:

> Hi Rowland.
>
> Have included the usermap for administrator and given domain users an
> ID in ADUC
>
> getent passwd & group still only displays the local accounts ?
>
> getent passwd administrator => nothing
>

Firstly 'getent passwd administrator' on a domain member shouldn't show
anything (it does on a Samba AD DC), remember it is now mapped to root.

If you run 'getent passwd <a username>' does this produce any output ?

By default, 'getent passwd' without a username will show nothing; you
will need to add these lines to smb.conf:

winbind enum users = yes
winbind enum groups = yes

I don't think you mentioned what OS you are using, but you will also
need a few extra packages installed; on Debian-based distros these are:

libnss-winbind and libpam-winbind

I also install libpam-krb5

Rowland Penny via samba
Nov 25, 2016, 3:30:03 AM

On Fri, 25 Nov 2016 12:34:57 +1100
Henry <der...@gmail.com> wrote:

> Thanks Rowland.
>
> getent passwd => lists all local users
>
> getent passwd administrator => returns nothing on DC or member.
>
> I have created an AD user called "henry" and assigned a uid
> getent passwd henry => returns nothing

'getent' will only display domain users provided that:

Each user has a uidNumber attribute containing a unique number inside
the DOMAIN range set in smb.conf, in your case '10000-99999'

The group 'Domain Users' has a gidNumber attribute containing a number
inside the same range

The necessary PAM glue is installed i.e. PAM can talk to winbind.

'winbind' is added to the 'passwd' & 'group' lines
in /etc/nsswitch.conf


>
> root@aphrodite:~# wbinfo -u
> SAMDOM\henry
> SAMDOM\administrator
> SAMDOM\krbtgt
> SAMDOM\guest
>
> I am using Ubuntu 16.04
>
> Are these three extra packages installed on DC or member?
>

You can install them on both if you need to; if you only use the DC for
authentication, then don't install them on the DC. They are the
'missing' bits that turn a DC into a 'fileserver' as well.

If everything is correct, you should get results like this:

rowland@devstation:~$ getent passwd rowland
rowland:*:10000:10000:Rowland Penny:/home/rowland:/bin/bash

Rowland Penny via samba
Nov 26, 2016, 4:40:03 AM

On Sat, 26 Nov 2016 12:25:23 +1100
Henry <der...@gmail.com> wrote:

> thanks again Rowland however I must have something wrong as I have
> double checked everything...
>
> Group: Domain Users has GID of 10000
> User: henry has UID of 10000
> can the user and group have the same number?

Yes, this is me on my Unix domain member:

rowland@devstation:~$ getent passwd rowland
rowland:*:10000:10000:Rowland Penny:/home/rowland:/bin/bash

> henry is a member of "Domain Users"
> /etc/nsswitch.conf has winbind in the passwd & group lines
> I have installed libnss-winbind and libpam-winbind on the member
> server.


>
> getent passwd henry => returns nothing

Ah, do you have this line in smb.conf:

winbind use default domain = yes

If not, try like this:

getent passwd SAMDOM\\henry

>
> I note when I click the "UNIX Attributes" tab for the group I
> initially receive a popup message of "Unwilling to Perform" and once I
> click OK it goes away and displays the attributes. I do not get this on
> the user properties.
>

ADUC does funny things like that.

> Above you made the following comment:


> "Firstly 'getent passwd administrator' on a domain member shouldn't
> show anything (it does on a Samba AD DC), remember it is now mapped to
> root."
>

> I note on my DC getent passwd administrator => returns nothing, could
> this indicate the problem cause?

Unlikely. As I said, you need the PAM glue to get 'getent' to work;
without libnss-winbind & PAM, 'getent' will only show local users.

> As I have the user.map on the member server how would the DC know
> administrator is mapped to root?

It is mapped in idmap.ldb on the DC. If you open this in ldbedit,
i.e. ldbedit -e nano -H /usr/local/samba/private/idmap.ldb

You should find something like this:

dn: CN=S-1-5-21-1768301897-3342589593-1064908849-500
cn: S-1-5-21-1768301897-3342589593-1064908849-500
objectClass: sidMap
objectSid: S-1-5-21-1768301897-3342589593-1064908849-500
type: ID_TYPE_UID
xidNumber: 0
distinguishedName: CN=S-1-5-21-1768301897-3342589593-1064908849-500

Administrator has the Windows RID '500' and is mapped to the Unix ID
'0', and this is always 'root'.
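The checklist in the Nov 25 reply (uidNumber inside the domain idmap range, a gidNumber on 'Domain Users' in the same range, winbind on the passwd and group lines of nsswitch.conf, the enum settings for bare listings) and the point made above about 'winbind use default domain' deciding whether you ask for 'henry' or 'SAMDOM\henry' can be turned into an offline check. The script below is an added example written for this page, not Samba's own tooling or anything from the thread: it parses a constructed smb.conf and nsswitch.conf, takes the uidNumber/gidNumber values that would otherwise come from AD as arguments, and reports each prerequisite. Package presence (libnss-winbind, libpam-winbind) is not checked.

```shell
#!/bin/sh
# Added example, not code from the thread or from Samba: offline checker for
# the prerequisites listed in the replies before 'getent' shows domain accounts
# on a Samba domain member. uidNumber/gidNumber are passed in as arguments.

CONF=$(mktemp -d)
# Constructed member-server smb.conf and nsswitch.conf (not the poster's files).
# 'winbind use default domain' is deliberately left unset.
cat > "$CONF/smb.conf" <<'EOF'
[global]
   security = ADS
   workgroup = SAMDOM
   realm = INT.SAMDOM.COM.AU
   idmap config *:backend = tdb
   idmap config *:range = 2000-9999
   idmap config SAMDOM:backend = ad
   idmap config SAMDOM:schema_mode = rfc2307
   idmap config SAMDOM:range = 10000-99999
   winbind nss info = rfc2307
   winbind enum users = yes
   winbind enum groups = yes
EOF
cat > "$CONF/nsswitch.conf" <<'EOF'
passwd:         files winbind
group:          files winbind
shadow:         compat
EOF

# smb_param NAME FILE -> value of global parameter NAME, empty if unset
smb_param() {
    awk -v name="$1" -F'=' '
        { key = $1; gsub(/^[ \t]+|[ \t]+$/, "", key) }
        key == name { val = $2; gsub(/^[ \t]+|[ \t]+$/, "", val); print val; exit }' "$2"
}

# idmap_range DOMAIN FILE -> "LOW HIGH" from 'idmap config DOMAIN:range'
idmap_range() {
    smb_param "idmap config $1:range" "$2" | tr '-' ' '
}

# id_in_range ID LOW HIGH -> true when LOW <= ID <= HIGH
id_in_range() {
    [ "$1" -ge "$2" ] && [ "$1" -le "$3" ]
}

# nss_has_winbind DB FILE -> true when the "DB:" line of nsswitch.conf lists winbind
nss_has_winbind() {
    awk -v db="$1" '
        $1 == (db ":") { for (i = 2; i <= NF; i++) if ($i == "winbind") ok = 1 }
        END { exit (ok ? 0 : 1) }' "$2"
}

# getent_name DOMAIN USER FILE -> the name 'getent passwd' must be given:
# bare USER only when 'winbind use default domain = yes', otherwise DOMAIN\USER
getent_name() {
    if [ "$(smb_param 'winbind use default domain' "$3")" = "yes" ]; then
        printf '%s\n' "$2"
    else
        printf '%s\\%s\n' "$1" "$2"
    fi
}

# check_member DOMAIN UID GID SMBCONF NSSCONF -> one line per check; returns 0
# only when every hard prerequisite holds (enum settings are advisory)
check_member() {
    dom=$1; uid=$2; gid=$3; smb=$4; nss=$5; rc=0
    set -- $(idmap_range "$dom" "$smb")          # word-split into LOW HIGH
    lo=$1; hi=$2
    if [ -z "$lo" ] || [ -z "$hi" ]; then
        echo "FAIL: no 'idmap config $dom:range' in $smb"
        return 1
    fi
    if id_in_range "$uid" "$lo" "$hi"; then
        echo "ok:   uidNumber $uid is inside the $dom range $lo-$hi"
    else
        echo "FAIL: uidNumber $uid is outside the $dom range $lo-$hi"; rc=1
    fi
    if id_in_range "$gid" "$lo" "$hi"; then
        echo "ok:   'Domain Users' gidNumber $gid is inside $lo-$hi"
    else
        echo "FAIL: 'Domain Users' gidNumber $gid is outside $lo-$hi"; rc=1
    fi
    for db in passwd group; do
        if nss_has_winbind "$db" "$nss"; then
            echo "ok:   '$db:' line in $nss includes winbind"
        else
            echo "FAIL: add winbind to the '$db:' line in $nss"; rc=1
        fi
    done
    for p in "winbind enum users" "winbind enum groups"; do
        [ "$(smb_param "$p" "$smb")" = "yes" ] ||
            echo "note: '$p = yes' not set; a bare 'getent' listing shows local accounts only"
    done
    echo "note: query the account as: getent passwd $(getent_name "$dom" henry "$smb")"
    return $rc
}

check_member SAMDOM 10000 10000 "$CONF/smb.conf" "$CONF/nsswitch.conf"
```

With the constructed files the run passes every hard check and, because 'winbind use default domain' is unset, tells you to query 'SAMDOM\henry' rather than 'henry', which is exactly the situation that turned out to be the cause in this thread. Passing a uidNumber such as 5000 (inside the '*' range but outside the SAMDOM range) makes the first check fail, which is the other common misconfiguration the replies describe.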

Rowland Penny via samba
Nov 27, 2016, 3:30:02 AM

On Sun, 27 Nov 2016 10:33:04 +1100
Henry <der...@gmail.com> wrote:

> On Sat, Nov 26, 2016 at 8:30 PM, Rowland Penny via samba
> <sa...@lists.samba.org> wrote:
> > On Sat, 26 Nov 2016 12:25:23 +1100
> > Henry <der...@gmail.com> wrote:
> >
> >> thanks again Rowland however I must have something wrong as I have
> >> double checked everything...
> >>
> >> Group: Domain Users has GID of 10000
> >> User: henry has UID of 10000
> >> can the user and group have the same number?
> >
> > Yes, this is me on my Unix domain member:
> >
> > rowland@devstation:~$ getent passwd rowland
> > rowland:*:10000:10000:Rowland Penny:/home/rowland:/bin/bash
> >
> >> henry is a member of "Domain Users"
> >> /etc/nsswitch.conf has winbind in the passwd & group lines
> >> I have installed libnss-winbind and libpam-winbind on the member
> >> server.
> >>
> >> getent passwd henry => returns nothing
> >
> > Ah, do you have this line in smb.conf:
> >
> > winbind use default domain = yes
> >
> > If not, try like this:
> >
> > getent passwd SAMDOM\\henry
>

> It works !!!!
>
> root@aphrodite:~# getent passwd SAMDOM\\henry
> SAMDOM\henry:*:10000:10000:Henry:/home/henry:/bin/sh
> root@aphrodite:~# vi /etc/samba/smb.conf
> ** REBOOT **
> root@aphrodite:~# getent passwd henry
> henry:*:10000:10000:Henry McLaughlin:/home/henry:/bin/sh
> root@aphrodite:~# getent group Domain\ Users
> domain users:x:10000:


>
> >
> >>
> >> I note when I click the "UNIX Attributes" tab for the group I
> >> initially receive a popup message of "Unwilling to Perform" and
> >> once I click OK it goes away and displays the attributes. I do not
> >> get this on the user properties.
> >>
> >
> > ADUC does funny things like that.
>

> OK


>
> >
> >> Above you made the following comment:
> >> "Firstly 'getent passwd administrator' on a domain member shouldn't
> >> show anything (it does on a Samba AD DC), remember it is now
> >> mapped to root."
> >>
> >> I note on my DC getent passwd administrator => returns nothing,
> >> could this indicate the problem cause?
> >
> > Unlikely, as I said, you need the PAM glue to get 'getent' to work,
> > without libnss-winbind & PAM, 'getent' will only show local users.
> >
> >> As I have the user.map on the member server how would the DC know
> >> administrator is mapped to root?
> >
> > It is mapped in idmap.ldb on the DC, if you open this in ldbedit,
> > i.e. ldbedit -e nano -H /usr/local/samba/private/idmap.ldb
> >
> > You should find something like this:
> >
> > dn: CN=S-1-5-21-1768301897-3342589593-1064908849-500
> > cn: S-1-5-21-1768301897-3342589593-1064908849-500
> > objectClass: sidMap
> > objectSid: S-1-5-21-1768301897-3342589593-1064908849-500
> > type: ID_TYPE_UID
> > xidNumber: 0
> > distinguishedName: CN=S-1-5-21-1768301897-3342589593-1064908849-500
> >
> > Administrator has the windows RID '500' and is mapped to the Unix ID
> > '0' and this is always 'root'
>

> Does this mean that on the DC "administrator" is auto mapped to "root"
> however not on the member so we need the usermap on the member to tell
> it what the mapping is?

That is a very good way of putting it.

>
> >
> > Rowland
> >
>

> Once again Rowland thanks for all your help here. Could not have got
> this far without your help :)

No problem, glad to help.
