L.P.H. van Belle
2019-Jan-24 10:40 UTC
[Samba] `getent passwd` not working with ad backend
Hai,

> Here's how I added new group:
>
> `samba-tool group add lag --gid-number 16000 --nis-domain SAMDOM`
>
> Here's how I added new user:
>
> `samba-tool user create user23 --unix-home=/home/%U --uid-number=14800 --login-shell=/bin/bash --gid-number=16000 --nis-domain SAMDOM`

Yes, that's fine too.

> On the DC, I checked the new user:
>
> root@DC1 # getent passwd user23
> SAMDOM\user23:*:14800:12000::/home/SAMDOM/user23:/bin/bash
>
> But I noticed that although I set the gid of user23 to be 16000, the gid reported by `getent passwd user23` is 12000 (gid of Domain Users). A little digging in the sam.ldb file says that the primaryGroupID is still 513. Could this be causing any problem?

No, that is the RID. Which is not the GID. ;-)

Run: net cache flush

Stop/start samba: systemctl stop smbd winbind nmbd

* change the ranges to your needs. For client only, read the last line in that config part.

    ## map id's outside the domain to tdb files. (BUILTIN)
    idmap config * : backend = tdb
    idmap config * : range = 10000-20000

    ## map ids from the SAMDOM domain and (*) the range may not overlap !
    ## https://wiki.samba.org/index.php/Idmap_config_ad
    idmap config SAMDOM : backend = ad
    idmap config SAMDOM : schema_mode = rfc2307
    idmap config SAMDOM : range = 21000-200000

    # Samba version 4.6.0 and up.
    # https://wiki.samba.org/index.php/Idmap_config_ad#The_RFC2307_and_template_Mode_Options
    idmap config SAMDOM : unix_nss_info = yes
    idmap config SAMDOM : unix_primary_group = yes

systemctl start smbd winbind nmbd

And check again.

> ==========================
> user23 entry from sam.ldb
> =========================
> #record 25
> dn: CN=user23,CN=Users,DC=samdom,DC=example,DC=com
> objectClass: top
> objectClass: person
> objectClass: organizationalPerson
> objectClass: user
> cn: user23
> instanceType: 4
> whenCreated: 20190124131800.0Z
> whenChanged: 20190124131800.0Z
> uSNCreated: 3945
> name: user23
> objectGUID: 0515e770-7844-4442-abc7-4dbe081d66d5
> badPwdCount: 0
> codePage: 0
> countryCode: 0
> badPasswordTime: 0
> lastLogoff: 0
> lastLogon: 0
> primaryGroupID: 513
> objectSid: S-1-5-21-671610647-2237101781-313523630-1131
> accountExpires: 9223372036854775807
> logonCount: 0
> sAMAccountName: user23
> sAMAccountType: 805306368
> userPrincipalName: user23@samdom.example.com
> objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=samdom,DC=example,DC=com
> uidNumber: 14800
> gidNumber: 16000
> loginShell: /bin/bash
> unixHomeDirectory: /home/%U
> msSFU30NisDomain: SAMDOM
> msSFU30Name: user23
> unixUserPassword: ABCD!efgh12345$67890
> pwdLastSet: 131928094807802460
> userAccountControl: 512
> uSNChanged: 3948
> distinguishedName: CN=user23,CN=Users,DC=samdom,DC=example,DC=com
>
> > > And test with
> > > getent passwd username
>
> No output with this command too.
>
> > > You can change these settings to no, for testing it's ok,
> > > but it only slows down your server.
> > > For member and DC, set to no.
>
> I set it only for testing. I'll disable it once I move it to production.
>
> > > =============================
> > > > winbind enum users = yes
> > > > winbind enum groups = yes
> > >
> > > member only
>
> Okay.
>
> > > ===========
> > > If you use :
> > > > kerberos method = secrets and keytab
> > >
> > > Then also set :
> > > dedicated keytab file = /etc/krb5.keytab
> > > renew the kerberos ticket
> > > =========================
> > > winbind refresh tickets = yes
>
> Noted.
>
> > > Besides that the configs look ok.
> > > Can you show /etc/nsswitch.conf
>
> nsswitch.conf
> =============
> #/etc/nsswitch.conf
> #Example configuration of GNU Name Service Switch functionality.
>
> passwd: compat winbind
> group: compat winbind
> shadow: compat
> gshadow: files
> hosts: files dns wins
> networks: files
> protocols: db files
> services: db files
> ethers: db files
> rpc: db files
> netgroup: nis
>
> Thanks for your help!
> Regards,
> Harp
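Two things in the reply above are easy to get wrong when reading an idmap setup: a primaryGroupID of 513 is a RID that belongs on the end of the domain SID, not a Unix GID, and the ad backend only maps uidNumber/gidNumber values that fall inside the range configured for that domain (ids outside the range are ignored), so the `*` range and the domain range must not overlap and the RFC2307 values must actually land in the domain range. The script below is an added example, not code from the thread or from Samba: it reads a constructed smb.conf fragment with the ranges quoted in the reply and a constructed LDIF excerpt with the attribute values from the user23 record (password line omitted), derives the primary-group SID from objectSid and primaryGroupID, checks the ranges for overlap, and flags uid/gid values outside the domain range. All function names are the example's own. Run against the values as posted it reports that uidNumber 14800 and gidNumber 16000 are outside the 21000-200000 range of the sample config, which is the kind of mismatch the "change the ranges to your needs" remark is about.

```python
"""Sanity-check RFC2307 uid/gid values against Samba idmap ranges.

Added example; parsing is deliberately minimal (one attribute per line,
no LDIF line folding) and aimed at the checks discussed in the thread.
"""
import re

# Constructed smb.conf fragment using the ranges quoted in the reply.
SMB_CONF = """
idmap config * : backend = tdb
idmap config * : range = 10000-20000
idmap config SAMDOM : backend = ad
idmap config SAMDOM : schema_mode = rfc2307
idmap config SAMDOM : range = 21000-200000
"""

# Constructed LDIF excerpt with the user23 values from the thread.
USER_LDIF = """
dn: CN=user23,CN=Users,DC=samdom,DC=example,DC=com
primaryGroupID: 513
objectSid: S-1-5-21-671610647-2237101781-313523630-1131
sAMAccountName: user23
uidNumber: 14800
gidNumber: 16000
"""


def parse_idmap_ranges(conf):
    """Return {domain: (low, high)} for every 'idmap config X : range' line."""
    ranges = {}
    for m in re.finditer(r"idmap config (\S+) : range = (\d+)-(\d+)", conf):
        ranges[m.group(1)] = (int(m.group(2)), int(m.group(3)))
    return ranges


def overlapping_ranges(ranges):
    """Return pairs of idmap domains whose ranges overlap (must be empty)."""
    names = sorted(ranges)
    clashes = []
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            lo_a, hi_a = ranges[a]
            lo_b, hi_b = ranges[b]
            if lo_a <= hi_b and lo_b <= hi_a:
                clashes.append((a, b))
    return clashes


def parse_ldif(text):
    """Minimal 'attr: value' parser; later duplicates overwrite earlier ones."""
    attrs = {}
    for line in text.splitlines():
        if ": " in line:
            key, value = line.split(": ", 1)
            attrs[key] = value
    return attrs


def sid_rid(sid):
    """RID is the last sub-authority of the SID (1131 for user23)."""
    return int(sid.rsplit("-", 1)[1])


def primary_group_sid(attrs):
    """primaryGroupID is a RID: append it to the user's domain SID."""
    domain_sid = attrs["objectSid"].rsplit("-", 1)[0]
    return f"{domain_sid}-{attrs['primaryGroupID']}"


def check_user(attrs, ranges, domain):
    """List uid/gid values the ad backend would ignore for this domain."""
    lo, hi = ranges[domain]
    problems = []
    for attr in ("uidNumber", "gidNumber"):
        val = int(attrs[attr])
        if not lo <= val <= hi:
            problems.append(f"{attr}={val} outside idmap range {lo}-{hi} for {domain}")
    return problems


if __name__ == "__main__":
    ranges = parse_idmap_ranges(SMB_CONF)
    user = parse_ldif(USER_LDIF)
    print("user RID:", sid_rid(user["objectSid"]))
    print("primary group SID:", primary_group_sid(user))
    print("overlapping ranges:", overlapping_ranges(ranges))
    for p in check_user(user, ranges, "SAMDOM"):
        print("PROBLEM:", p)
```

Swap the two constants for the output of `testparm -s` and an `ldbsearch` dump of the user to run this against a real setup; the overlap check is the one to keep in any config review, since overlapping `*` and domain ranges produce exactly the silent "getent returns nothing" symptom discussed here.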