Web lists-archives.com

RE: getent doesn't show all domain users




Yes, my active domain user is displayed.
The user I'm searching for is also displayed after a few teaks / restarts.
Couldn't replicate a stable workaround that always works for me - best solution I found was create passwd with mkpasswd -d and then move the file (was also not very stable, the user was found, then it wasn't and I needed to run it again, for now it works).

I'm looking for something that will force getent to query my DC, or maybe delete its cache.
Any idea?

-----Original Message-----
From: Brian Inglis [mailto:Brian.Inglis@xxxxxxxxxxxxxxxxxx] 
Sent: Tuesday, May 28, 2019 6:15 PM
To: cygwin@xxxxxxxxxx
Subject: Re: getent doesn't show all domain users

On 2019-05-28 02:36, Maayan Apelboim wrote:
>> Systems may have tens to hundreds of local user accounts, and domains 
>> may have hundreds to hundreds of thousands of user accounts.
>> The system probably caches only active users, and getent enumerates 
>> those if no /etc/passwd file exists, as it was designed to enumerate 
>> only a few entries from local files.
>> As it is, getent will not even enumerate hosts from the local hosts 
>> files or resolver.
>> It appears that mkpasswd enumerates all local and system accounts in 
>> the Security Accounts Manager file at $SYSTEMROOT/System32/config/SAM 
>> loaded into /proc/registry/HKEY_LOCAL_MACHINE/SAM/, so it probably 
>> does the same for domain accounts from Active Directory Domain Service.

> Ok, I understand why it won't display all users, but even when I query 
> for this specific user that exists in the domain - it returns nothing.
> It only works when I have /etc/passwd file in place (generated by 
> mkpasswd -d), but I was told in a previous thread that I should not 
> use mkpasswd -d anymore, and use getent instead.
> Is there something I need to do with getent to get access for all my 
> domain users?
> Should I keep my previous passwd file generated by mkpasswd -d?

Does "getent passwd" display any active domain+accounts on your system?
If someone is logged on to that system from a domain+account?

Check your domain membership:

	$ echo $USERDOMAIN $USERDOMAIN_ROAMINGPROFILE

and any other DOMAIN environment variables you have, and explicitly specify a known account in that domain before the userid using a plus sign "+" separator:

	$ getent passwd domain+account

similar to Trusted Installer:

	$ getent passwd nt\ service+trustedinstaller
	NT SERVICE+TrustedInstaller:*:328384:328384:U-NT
 	SERVICE\TrustedInstaller,S-1-5-80-...:/:/sbin/nologin

If the account doesn't display, check you are using the correct domain membership using AD DS tools or e.g a PowerShell script.

--
Take care. Thanks, Brian Inglis, Calgary, Alberta, Canada

This email may be disturbing to some readers as it contains too much technical detail. Reader discretion is advised.