
Re: [Samba] getent passwd user no output, addc + dm

On Fri, 17 Feb 2017 12:04:43 -0600
Lin Pro <linforpros@xxxxxxxxx> wrote:

> >>> You are using the winbind 'ad' backend, do your users have a
> 'uidNumber' attribute containing a unique number inside the range
> '10000-999999' ?
> Does 'Domain Users' have a 'gidNumber' attribute inside the same
> range ? <<<
> I do not know. "samba-tool user help" does not reveal a "view"
> argument to have a look.

ldbsearch does though, or ADUC on a Windows version less than 10.

The sheer fact that you do not know tells me that you don't have
'uidNumber' or 'gidNumber' attributes in AD. You personally have to add
them! They are not created automatically.

> But remember - on the Ubuntu AD DC the getent passwd <user> works. Let
> me list it for you:
> root@dc1:~# getent passwd justin
> SF\justin:*:3000020:100:Justin Falon:/home/SF/justin:/bin/false

Well, it would work on the DC; these numbers are coming from idmap.ldb.

> Is the big number "3000020" a uidNumber attribute?

No, it is an 'xidNumber' that is mapped to the user's SID in idmap.ldb.

> Removal of the lines that you mentioned (they were added in
> desperation to look for a solution anyway) did not produce expected
> results.

It won't have made it worse either ;-)

> So at this moment the following is the result:
> root@ubuntu-dm1:~# getent group "Domain Users"
> root@ubuntu-dm1:~# getent group "Admin Users"
> root@ubuntu-dm1:~# getent passwd justin
> root@ubuntu-dm1:~#

Have you read the Samba wiki?

> Let me show you the /etc/smb.conf on both machines, AD DC and the
> Member Domain
> AD DC smb.conf
> # Global parameters
> [global]
> workgroup = SF
> realm = SF.TEST.ORG
> netbios name = DC1
> server role = active directory domain controller
> # dns forwarder just for testing

What do you mean 'just for testing'? If you use the internal DNS
server, you need the forwarder.

> And member Domain server
> root@ubuntu-dm1:~# cat /etc/krb5.conf
> [libdefaults]
> default_realm = SF.TEST.ORG
> dns_lookup_realm = false
> dns_lookup_kdc = true

That is correct for the Unix domain member, it is also all you need on
the DC as well.

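The attribute check discussed in this message, as an added example that is not part of the original thread: a shell function that reads ldbsearch-style LDIF and reports, per account, whether the 'uidNumber' (users) or 'gidNumber' (groups) the winbind 'ad' backend needs is present and inside the '10000-999999' range. The function names, the sam.ldb path in the comment and the sample records (alice and bob included) are assumptions made for illustration.

```shell
# Real input would come from ldbsearch on the DC, for example
# (the sam.ldb path is an assumption and depends on how Samba was installed):
#   ldbsearch -H /var/lib/samba/private/sam.ldb \
#     '(|(objectClass=user)(objectClass=group))' objectClass sAMAccountName uidNumber gidNumber
LOW=10000; HIGH=999999   # range quoted in the thread

# audit_ids: LDIF on stdin -> "name<TAB>attribute<TAB>status", one line per record
audit_ids() {
    awk -v low="$LOW" -v high="$HIGH" '
    function val() { return substr($0, index($0, ": ") + 2) }
    function emit(   attr, id, st) {
        if (name != "") {
            attr = is_group ? "gidNumber" : "uidNumber"
            id   = is_group ? gid : uid
            if (id == "")                           st = "MISSING"
            else if (id !~ /^[0-9]+$/)              st = "INVALID"
            else if (id + 0 < low || id + 0 > high) st = "OUT_OF_RANGE"
            else                                    st = "OK"
            printf "%s\t%s\t%s\n", name, attr, st
        }
        name = uid = gid = ""; is_group = 0      # reset for the next record
    }
    /^#/                       { next }           # ldbsearch comment lines
    /^$/                       { emit(); next }   # blank line ends a record
    /^sAMAccountName: /        { name = val() }
    /^uidNumber: /             { uid = val() }
    /^gidNumber: /             { gid = val() }
    $0 == "objectClass: group" { is_group = 1 }
    END                        { emit() }         # last record may lack a blank line
    '
}

# Constructed sample, trimmed to the attributes the function reads.
sample_ldif() {
cat <<'EOF'
sAMAccountName: justin

sAMAccountName: alice
uidNumber: 10001

sAMAccountName: bob
uidNumber: 3000020

objectClass: group
sAMAccountName: Domain Users
# returned 4 records
EOF
}

sample_ldif | audit_ids
```

Any account reported as MISSING or OUT_OF_RANGE is one the 'ad' backend on the domain member will not resolve, which matches the empty `getent` output shown in the thread.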