RE: getent doesn't show all domain users
- Date: Wed, 29 May 2019 09:16:35 +0000
- From: Maayan Apelboim <Maayan.Apelboim@xxxxxxxxxxxx>
- Subject: RE: getent doesn't show all domain users
Yes, my active domain user is displayed.
The user I'm searching for is also displayed after a few tweaks / restarts.
Couldn't replicate a stable workaround that always works for me. The best solution I found was to create passwd with mkpasswd -d and then move the file (that was also not very stable: the user was found, then it wasn't, and I needed to run it again; for now it works).
I'm looking for something that will force getent to query my DC, or maybe delete its cache.
From: Brian Inglis [mailto:Brian.Inglis@xxxxxxxxxxxxxxxxxx]
Sent: Tuesday, May 28, 2019 6:15 PM
Subject: Re: getent doesn't show all domain users
On 2019-05-28 02:36, Maayan Apelboim wrote:
>> Systems may have tens to hundreds of local user accounts, and domains
>> may have hundreds to hundreds of thousands of user accounts.
>> The system probably caches only active users, and getent enumerates
>> those if no /etc/passwd file exists, as it was designed to enumerate
>> only a few entries from local files.
>> As it is, getent will not even enumerate hosts from the local hosts
>> files or resolver.
>> It appears that mkpasswd enumerates all local and system accounts in
>> the Security Accounts Manager file at $SYSTEMROOT/System32/config/SAM
>> loaded into /proc/registry/HKEY_LOCAL_MACHINE/SAM/, so it probably
>> does the same for domain accounts from Active Directory Domain Service.
> Ok, I understand why it won't display all users, but even when I query
> for this specific user that exists in the domain - it returns nothing.
> It only works when I have /etc/passwd file in place (generated by
> mkpasswd -d), but I was told in a previous thread that I should not
> use mkpasswd -d anymore, and use getent instead.
> Is there something I need to do with getent to get access for all my
> domain users?
> Should I keep my previous passwd file generated by mkpasswd -d?
Does "getent passwd" display any active domain+accounts on your system?
If someone is logged on to that system from a domain+account?
Check your domain membership:
$ echo $USERDOMAIN $USERDOMAIN_ROAMINGPROFILE
and any other DOMAIN environment variables you have, and explicitly specify a known account in that domain before the userid using a plus sign "+" separator:
$ getent passwd domain+account
similar to Trusted Installer:
$ getent passwd nt\ service+trustedinstaller
If the account doesn't display, check you are using the correct domain membership using AD DS tools or e.g. a PowerShell script.
Take care. Thanks, Brian Inglis, Calgary, Alberta, Canada
This email may be disturbing to some readers as it contains too much technical detail. Reader discretion is advised.
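The checks Brian describes (print the DOMAIN variables, query getent for DOMAIN+account, and distinguish a live answer from one served by a stale /etc/passwd written by mkpasswd -d) can be scripted. The following is an added example, not code from the thread or from Cygwin: the EXAMPLE domain, the account names and the passwd lines in SAMPLE_DB are constructed, and check_domain_account assumes a Cygwin shell where getent and the USERDOMAIN variables exist.

```shell
#!/bin/sh
# Constructed sample of "getent passwd" / "mkpasswd -d" output (hypothetical
# EXAMPLE domain, not taken from the original thread).
SAMPLE_DB='root:*:0:0:root:/root:/bin/bash
EXAMPLE+alice:*:1049601:1049089:U-EXAMPLE\alice,S-1-5-21-1-2-3-1105:/home/alice:/bin/bash
EXAMPLE+svc-build:*:1049602:1049089:U-EXAMPLE\svc-build,S-1-5-21-1-2-3-1106:/home/svc-build:/bin/bash'

# Exact match on the first passwd field. A plain grep would report "alice" as
# present when only "EXAMPLE+alice" exists, which hides a wrong-domain mistake.
passwd_has_account() {
    db="$1"
    name="$2"
    printf '%s\n' "$db" | awk -F: -v want="$name" \
        '$1 == want { found = 1 } END { exit found ? 0 : 1 }'
}

# Count entries that carry the "+" separator Cygwin uses for DOMAIN+user,
# i.e. how many domain accounts the database currently exposes.
count_domain_entries() {
    printf '%s\n' "$1" | awk -F: 'index($1, "+") > 0 { n++ } END { print n + 0 }'
}

# Live diagnostic following the steps in the reply: show the domain variables,
# query getent for DOMAIN+account, then fall back to a cached /etc/passwd so the
# output says which source actually answered. Only meaningful on Cygwin.
check_domain_account() {
    account="$1"
    domain="${2:-$USERDOMAIN}"
    echo "USERDOMAIN=$USERDOMAIN USERDOMAIN_ROAMINGPROFILE=$USERDOMAIN_ROAMINGPROFILE"
    if getent passwd "$domain+$account" 2>/dev/null; then
        echo "found via getent (live account database query)"
        return 0
    fi
    if [ -f /etc/passwd ] && passwd_has_account "$(cat /etc/passwd)" "$domain+$account"; then
        echo "found only in the static /etc/passwd (mkpasswd -d output), not via getent"
        return 0
    fi
    echo "not found: check domain membership and the spelling of $domain+$account"
    return 1
}

# Usage: sh check_domain_account.sh ACCOUNT [DOMAIN]
if [ -n "${1:-}" ]; then
    check_domain_account "$1" "${2:-}"
fi
```

Running it with a user name reports whether the entry came from getent or only from the static file, which is the distinction the thread is trying to make; when only the static file answers, that file is what needs regenerating.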