Hi,
I just want to add a Linux machine to my Samba 4 AD. It's a Debian stretch and I
installed the following packages: apt-get install winbind libpam-winbind
libnss-winbind libpam-krb5 krb5-config krb5-user samba attr ... My
machine-configs:
nsswitch.conf:
passwd: files winbind
group: files winbind
shadow: compat
gshadow:files
hosts: files mdns4_minimal [NOTFOUND=return] dns myhostname
network:files
protocols:db files
services: db files
ethers:db files
rpc: db files
netgroup: nis
krb5.conf:
[libdefaults]
default_realm = EXAMPLE.COM
dns_lookup_realm = false
dns_lookup_kdc = true
smb.conf:
[global]
security = ADS
workgroup = EXAMPLE
realm = EXAMPLE.COM
log file = /var/log/samba/%m.log
log level = 1
template shell = /bin/bash
template homedir = /home/%U
winbind nss info = rfc2307
winbind use default domain = yes
winbind offline logon = yes
winbind normalize names = yes
winbind refresh tickets = yes
winbind enum users = yes
winbind enum groups = yes
winbind cache time = 60
winbind nss info = rfc2307
idmap config * : backend = tdb
idmap config * : range = 3000-7999
idmap config EXAMPLE : backend = ad
idmap config EXAMPLE : schema_mode = rfc2307
idmap config EXAMPLE : range = 10000-999999
resolv.conf:
search example.com
nameserver 192.168.2.2
my ad smb.conf:
[global]
netbios name = PDC
realm = EXAMPLE.COM
workgroup = EXAMPLE
server role = active directory domain controller
bind interfaces only = yes
interfaces = br0
idmap_ldb:use rfc2307 = yes
template shell = /bin/bash
template homedir= /home/%U
dns forwarder = 8.8.8.8
ldap server require strong auth = no
winbind enum users = yes
winbind enum groups = yes
winbind cache time = 10
winbind offline logon = yes
allow dns updates = nonsecure and secure
log file = /var/log/samba/%m.log
max log size = 10000
log level = 1
"wbinfo --ping" shows: checking the NETLOGON for domain[EXAMPLE] dc
connection to "pdc.example.com" succeeded.
"wbinfo -u" shows me all domain users
"wbinfo -g" shows me all domain groups
"getent group" shows me all local AND domain groups...
BUT "getent passwd" only shows my local users... not my domain users..
What could be the reason for that?
On Sat, 6 Oct 2018 17:15:01 +0200 basti mueller via samba <samba at lists.samba.org> wrote:

> Hi,
>
> I just want to add a Linux machine to my Samba 4 AD. It's a Debian
> stretch and I installed the following packages: apt-get install
> winbind libpam-winbind libnss-winbind libpam-krb5 krb5-config
> krb5-user samba attr ... My machine-configs:
>
> nsswitch.conf:
> hosts: files mdns4_minimal [NOTFOUND=return] dns myhostname

Only change I would make to nsswitch.conf would be the above line:

hosts: files dns

> smb.conf:
> [global]
> winbind nss info = rfc2307
> winbind nss info = rfc2307
> idmap config * : backend = tdb
> idmap config * : range = 3000-7999
> idmap config EXAMPLE : backend = ad
> idmap config EXAMPLE : schema_mode = rfc2307
> idmap config EXAMPLE : range = 10000-999999

What version of Samba?
If it is >= 4.6.0 then the above lines are wrong:
Remove the 'winbind nss info' lines (you shouldn't have two, even if you are using the default 4.5.12)
Add:
idmap config EXAMPLE : unix_nss_info = yes

> BUT "getent passwd" only shows my local users... not my domain users..
>
> What could be the reason for that?

Finally, does 'Domain Users' have a gidNumber?

Rowland
>> Hi,
>>
>> I just want to add a Linux machine to my Samba 4 AD. It's a Debian
>> stretch and I installed the following packages: apt-get install
>> winbind libpam-winbind libnss-winbind libpam-krb5 krb5-config
>> krb5-user samba attr ... My machine-configs:
>>
>> nsswitch.conf:
>> hosts: files mdns4_minimal [NOTFOUND=return] dns myhostname
> Only change I would make to nsswitch.conf would be the above line:
> hosts: files dns

Just added it :)

>> smb.conf:
>> [global]
>> winbind nss info = rfc2307
>> winbind nss info = rfc2307
>> idmap config * : backend = tdb
>> idmap config * : range = 3000-7999
>> idmap config EXAMPLE : backend = ad
>> idmap config EXAMPLE : schema_mode = rfc2307
>> idmap config EXAMPLE : range = 10000-999999
> What version of Samba?
> If it is >= 4.6.0 then the above lines are wrong:
> Remove the 'winbind nss info' lines (you shouldn't have two, even
> if you are using the default 4.5.12)
> Add:
> idmap config EXAMPLE : unix_nss_info = yes

I use the Debian package of samba so the version is 2.4.5 ... should I leave these settings in my conf?

>> BUT "getent passwd" only shows my local users... not my domain users..
>>
>> What could be the reason for that?
> Finally, does 'Domain Users' have a gidNumber?

Yes.
On Mon, 8 Oct 2018 15:56:59 +0200 basti.mueller31 at web.de wrote:

> Hi Rowland,
>
> yesterday night I found out the problem.. The migrated samba server
> was like 10 years old. There are 2 problems with the id-range of my
> users/groups.
>
> The first id of a domain group is "512" (EXAMPLE\domain admins)
> and the last one is: "3000040" (EXAMPLE\dnsupdateproxy)

That doesn't look like a gidNumber, it looks like an xidNumber.
If it is an xidNumber, then I am surprised setting the upper range to '4000000' works; xidNumbers are NOT used on a Unix domain member.

>
> I didn't add them by myself.. the migration-process created the
> dnsupdateproxy for example.
>
> so I just set the range on my client to:
> idmap config EXAMPLE : backend = ad
> idmap config EXAMPLE : schema_mode = rfc2307
> idmap config EXAMPLE : range = 0-4000000
>
> now it works.
>
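An added diagnostic in POSIX sh, not code from the thread or from the Samba project, covering both of Rowland's points (the doubled 'winbind nss info' line and the ID range) and the poster's finding that IDs from 512 to 3000040 lay outside 10000-999999: it reads the domain's idmap range from a constructed copy of the member server's smb.conf, lists parameters set twice, and reports which ID numbers (a constructed sample here; in practice the uidNumber/gidNumber values you pull from the DC with ldbsearch) the range cannot map, which is exactly why such users never appear in getent passwd.

```shell
#!/bin/sh
# Constructed sample: the member server's smb.conf from the thread (trimmed),
# including the doubled "winbind nss info" line Rowland pointed out.
SMB_CONF_SAMPLE='[global]
security = ADS
workgroup = EXAMPLE
realm = EXAMPLE.COM
winbind nss info = rfc2307
winbind nss info = rfc2307
idmap config * : backend = tdb
idmap config * : range = 3000-7999
idmap config EXAMPLE : backend = ad
idmap config EXAMPLE : schema_mode = rfc2307
idmap config EXAMPLE : range = 10000-999999'
# Constructed sample of ID numbers (one per line) as you would pull them from
# the DC with ldbsearch; 512 and 3000040 are the bounds the poster reported.
ID_SAMPLE='512
3000040
10001
250000'

# idmap_range CONF DOMAIN -> prints "LOW HIGH" from "idmap config DOMAIN : range"
# (DOMAIN is inserted into a sed pattern, so pass a plain name like EXAMPLE)
idmap_range() {
    printf '%s\n' "$1" | sed -n \
        "s/^[[:space:]]*idmap config $2[[:space:]]*:[[:space:]]*range[[:space:]]*=[[:space:]]*\([0-9]*\)-\([0-9]*\).*/\1 \2/p" |
        head -n 1
}

# out_of_range CONF DOMAIN IDS -> prints each ID in IDS that the domain's idmap
# range will not map (winbind then silently drops that user or group);
# exit status 1 if any were found, 2 if the range is missing from CONF.
out_of_range() {
    set -- "$1" "$2" "$3" $(idmap_range "$1" "$2")   # $4=LOW $5=HIGH
    [ -n "$4" ] && [ -n "$5" ] || { echo "no idmap range for $2" >&2; return 2; }
    printf '%s\n' "$3" | awk -v lo="$4" -v hi="$5" '
        $1 ~ /^[0-9]+$/ && ($1+0 < lo+0 || $1+0 > hi+0) { print; bad = 1 }
        END { exit (bad ? 1 : 0) }'
}

# duplicate_keys CONF -> prints every parameter name that is set more than once
duplicate_keys() {
    printf '%s\n' "$1" | awk -F'=' '
        NF >= 2 && $1 !~ /^[[:space:]]*[;#]/ {
            k = $1; gsub(/^[[:space:]]+|[[:space:]]+$/, "", k); gsub(/[[:space:]]+/, " ", k)
            if (++seen[k] == 2) print k
        }'
}

# Stand-alone run: report what the constructed sample gets wrong
duplicate_keys "$SMB_CONF_SAMPLE" | sed 's/^/duplicate parameter: /'
out_of_range "$SMB_CONF_SAMPLE" EXAMPLE "$ID_SAMPLE" | sed 's/^/outside idmap range: /'
```

As Rowland notes, the 3000040-style values on the DC are xidNumbers, not gidNumbers, so feed this the rfc2307 uidNumber/gidNumber attributes, which are what the ad backend actually maps.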