Hai,

> I have an issue that "getent passwd SAMDOM\usrname" returns a blank response.

And

> Running "getent passwd" returns all the local users.

Both results "are" correct.

But have you tried this :
getent passwd "SAMDOM\username"
And does id username still work ;-)

Greetz,

Louis

> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Bob Wooden via samba
> Sent: Saturday 15 August 2020 14:34
> To: samba at lists.samba.org
> Subject: Re: [Samba] getent passwd blank response
>
> On 8/15/20 6:55 AM, Rowland penny via samba wrote:
> > what OS are you using ?
> Debian 10
> > I assume that your users have a uidNumber attribute and the Domain
> > Users group has a gidNumber attribute.
> You are correct.
>
> I always prefer to double check that I have not confused myself on
> issues/differences with source built (the way I use to run Samba 4.11)
> and Louis/distro packages (my current setup.)
>
> Point is, I thought I was correct that the Louis/distro packages should
> know where to find "libnss_winbind.so.2".
>
> As I do not see Louis on the list on the weekends and I am going away
> for the weekend myself, I'll wait to see if Louis comments when we all
> get back online on Monday.
>
> Thanks for your help on this. I really appreciate it.
>
> Stay safe!
>
> --
> (Sent from home location.)
>
> Bob Wooden

On 17/08/2020 10:20, L.P.H. van Belle via samba wrote:
> Hai,
>
>> I have an issue that "getent passwd SAMDOM\usrname" returns a blank response.
> And
>> Running "getent passwd" returns all the local users.
> Both results "are" correct.
>
> But have you tried this :
> getent passwd "SAMDOM\username"
> And does id username still work
>

Have you ever heard of this statement 'Cannot see the wood for the trees' ?

Totally missed that :-(

Unless you have in smb.conf (which are not recommended):

winbind enum users = yes

winbind enum groups = yes

Running 'getent passwd' and 'getent group' will only show local users and groups.

you need to specify a username or group, but if you also specify the workgroup name, you still will not get output unless it is specified correctly, this will not work:

getent passwd SAMDOM\username

But any of these will:

getent passwd SAMDOM\\username

getent passwd 'SAMDOM\username'

getent passwd "SAMDOM\username"

Of course, they all depend on smb.conf, nsswitch.conf and the links being setup correctly.

Rowland

On 8/17/20 4:36 AM, Rowland penny via samba wrote:
> On 17/08/2020 10:20, L.P.H. van Belle via samba wrote:
>>
>> But have you tried this :
>> getent passwd "SAMDOM\username"
>
> Unless you have in smb.conf (which are not recommended):
>
> winbind enum users = yes
>
> winbind enum groups = yes
>
> Running 'getent passwd' and 'getent group' will only show local users
> and groups.
>
> you need to specify a username or group, but if you also specify the
> workgroup name, you still will not get output unless it is specified
> correctly, this will not work:
>
> getent passwd SAMDOM\username
>
> But any of these will:
>
> getent passwd SAMDOM\\username
>
> getent passwd 'SAMDOM\username'
>
> getent passwd "SAMDOM\username"
>
> Of course, they all depend on smb.conf, nsswitch.conf and the links
> being setup correctly.
>
> Rowland
>

root@mbr04:~# getent passwd SUBDOM\\username
root@mbr04:~# getent passwd SUBDOM\username
root@mbr04:~# getent passwd 'SUBDOM\username'
root@mbr04:~# getent passwd "SUBDOM\username"
root@mbr04:~# cat /etc/samba/smb.conf
# https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member
#
log level = 4
log file = /var/log/samba/%m.log
max log size = 1000

# netbios name = By default this is "hostname -s" but in caps.
realm = SUBDOM.EXAMPLE.COM
workgroup = DOM
security = ADS

# set master browser for the network.
# preffered + domain master = yes = guarantee master browser ( man smb.conf )
# ! There can only be ONE master browser.
preferred master = no
domain master = no

dedicated keytab file = /etc/krb5.keytab
kerberos method = secrets and keytab

## map id's outside to domain to tdb files.
idmap config * : backend = tdb
idmap config * : range = 3000-7000

## map ids from the domain? the range may not overlap !
idmap config SUBDOM : backend = ad
idmap config SUBDOM : schema_mode = rfc2307
idmap config SUBDOM : range = 10000-999999
idmap config SUBDOM : unix_nss_info = yes
idmap config SUBDOM : unix_primary_group = yes    ##added per Louis email 2020-08-13

# Renew the kerberos tickets
winbind refresh tickets = yes

# Enable offline logins
winbind offline logon = yes

# User uid/Gid from AD. (rfc2307)
winbind nss info = rfc2307

# With default domain, wbinfo -u, yes = username, no is SAMBADOM\username
winbind use default domain = yes
##winbind trusted domains only = no

# Keep no in production, set yes when debugging, this slows down your samba.
winbind enum users = yes
winbind enum groups = yes

# Check depth of nested groups, ! slows down you samba, if to much groups depth
# Samba default is 0, i suggest a minimal of 2 in this setup, advices is 4.
winbind expand groups = 4

# User Administrator workaround, without it you are unable to set privileges
# !Note: When using the AD ID mapping back end, do not set the uidNumber attribute for the domain administrator account.
# If the account has the attribute set, the value overrides the local UID 0 of the root user and thus the mapping fails.
username map = /etc/samba/samba_usermapping

# disable usershares creating, when set empty no error log messages.
usershare path

# Disable printing completely
load printers = no
printing = bsd
printcap name = /dev/null
disable spoolss = yes

# For Windows ACL support on member file server, enabled globaly, OBLIGATED
# For a mixed setup of rights, put this per share!
vfs objects = acl_xattr
map acl inherit = yes
store dos attributes = yes

# Share Setting Globally
veto files = /.bash_logout/.bash_profile/.bash_history/.bashrc/
hide unreadable = yes

# Included per Louis' member sacript
include = /etc/samba/smb-shares.conf

######## SHARE DEFINITIONS ################
##moved to /etc/samba/smb-shares.conf

root@mbr04:~# cat /etc/samba/smb-shares.conf
[samba$]
    # Hidden share for Adminstrator and "Domain Admins" members/Folder managers
    # By default "Domain Admins" are allowed to read/write
    path = /srv/samba
    browseable = yes
    read only = no

[companydata]
    # main share for all company data.
    path = /srv/samba/companydata
    browseable = yes
    read only = no

[profiles]
    # Windows user profiles, Used for/by windows only share.
    # Add a $ on the end to hide the share-name.
    # By default "Domain users" are allowed to read/write
    # https://www.samba.org/samba/docs/current/man-html/vfs_acl_xattr.8.html
    # Optional, yes and windows? defaults are: no/posix
    # acl_xattr:ignore system acls = [yes|no]
    # acl_xattr:default acl style = [posix|windows|everyone]
    path = /srv/samba/profiles
    #map acl inherit = no
    browseable = yes
    read only = no

[users]
    # Samba/Windows User homedirs.
    # By default the User (And root/Administrator/Domain Admins) are allowed to read/write
    path = /srv/samba/users
    browseable = yes
    read only = no

[public]
    # A public share.
    # By default "Domain users" are allowed to read/write
    path = /srv/samba/public
    browseable = yes
    read only = no

root@mbr04:~# cat /etc/nsswitch.conf
# /etc/nsswitch.conf
#
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.

passwd:         files winbind systemd
group:          files winbind systemd
shadow:         files
gshadow:        files

hosts:          files dns
networks:       files

protocols:      db files
services:       db files
ethers:         db files
rpc:            db files

netgroup:       nis

As you can see I have tried all variations but still returns blank response.

As a reminder, Debian 10, Samba v4.12.5.

Included all reference config files. Does anyone see anything that needs adjustment?

--
(Sent from home location.)

username Wooden

Hai Bob,

Try this.
First flush cache.
net cache flush

getent passwd username
id username

And run this one again for me:
https://raw.githubusercontent.com/thctlo/samba4/master/samba-collect-debug-info.sh

Reply might be bit later on, im running around here.

Greetz,

Louis

> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Bob Wooden via samba
> Sent: Monday 17 August 2020 13:19
> To: samba at lists.samba.org
> Subject: Re: [Samba] getent passwd blank response
>
> On 8/17/20 4:36 AM, Rowland penny via samba wrote:
> > On 17/08/2020 10:20, L.P.H. van Belle via samba wrote:
> >>
> >> But have you tried this :
> >> getent passwd "SAMDOM\username"
> >
> > Unless you have in smb.conf (which are not recommended):
> >
> > winbind enum users = yes
> >
> > winbind enum groups = yes
> >
> > Running 'getent passwd' and 'getent group' will only show local users
> > and groups.
> >
> > you need to specify a username or group, but if you also specify the
> > workgroup name, you still will not get output unless it is specified
> > correctly, this will not work:
> >
> > getent passwd SAMDOM\username
> >
> > But any of these will:
> >
> > getent passwd SAMDOM\\username
> >
> > getent passwd 'SAMDOM\username'
> >
> > getent passwd "SAMDOM\username"
> >
> > Of course, they all depend on smb.conf, nsswitch.conf and the links
> > being setup correctly.
> >
> > Rowland
> >
>
> root@mbr04:~# getent passwd SUBDOM\\username
> root@mbr04:~# getent passwd SUBDOM\username
> root@mbr04:~# getent passwd 'SUBDOM\username'
> root@mbr04:~# getent passwd "SUBDOM\username"
> root@mbr04:~# cat /etc/samba/smb.conf
> # https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member
> #
> log level = 4
> log file = /var/log/samba/%m.log
> max log size = 1000
>
> # netbios name = By default this is "hostname -s" but in caps.
> realm = SUBDOM.EXAMPLE.COM
> workgroup = DOM
> security = ADS
>
> # set master browser for the network.
> # preffered + domain master = yes = guarantee master browser ( man smb.conf )
> # ! There can only be ONE master browser.
> preferred master = no
> domain master = no
>
> dedicated keytab file = /etc/krb5.keytab
> kerberos method = secrets and keytab
>
> ## map id's outside to domain to tdb files.
> idmap config * : backend = tdb
> idmap config * : range = 3000-7000
>
> ## map ids from the domain? the range may not overlap !
> idmap config SUBDOM : backend = ad
> idmap config SUBDOM : schema_mode = rfc2307
> idmap config SUBDOM : range = 10000-999999
> idmap config SUBDOM : unix_nss_info = yes
> idmap config SUBDOM : unix_primary_group = yes    ##added per Louis email 2020-08-13
>
> # Renew the kerberos tickets
> winbind refresh tickets = yes
>
> # Enable offline logins
> winbind offline logon = yes
>
> # User uid/Gid from AD. (rfc2307)
> winbind nss info = rfc2307
## REMOVE THIS ONE its replace and set above. (unix_nss_info = yes)
##################### ^^^^^^^^^^^^^^^
>
> # With default domain, wbinfo -u, yes = username, no is SAMBADOM\username
> winbind use default domain = yes
> #winbind trusted domains only = no
>
> # Keep no in production, set yes when debugging, this slows down your samba.
> winbind enum users = yes
> winbind enum groups = yes
>
> # Check depth of nested groups, ! slows down you samba, if to much groups depth
> # Samba default is 0, i suggest a minimal of 2 in this setup, advices is 4.
> winbind expand groups = 4
>
> # User Administrator workaround, without it you are unable to set privileges
> # !Note: When using the AD ID mapping back end, do not set the uidNumber attribute for the domain administrator account.
> # If the account has the attribute set, the value overrides the local UID 0 of the root user and thus the mapping fails.
> username map = /etc/samba/samba_usermapping
>
> # disable usershares creating, when set empty no error log messages.
> usershare path
>
> # Disable printing completely
> load printers = no
> printing = bsd
> printcap name = /dev/null
> disable spoolss = yes
>
> # For Windows ACL support on member file server, enabled globaly, OBLIGATED
> # For a mixed setup of rights, put this per share!
> vfs objects = acl_xattr
> map acl inherit = yes
> store dos attributes = yes
>
> # Share Setting Globally
> veto files = /.bash_logout/.bash_profile/.bash_history/.bashrc/
> hide unreadable = yes
>
> # Included per Louis' member sacript
> include = /etc/samba/smb-shares.conf
>
> ######## SHARE DEFINITIONS ################
> ##moved to /etc/samba/smb-shares.conf
>
> root@mbr04:~# cat /etc/samba/smb-shares.conf
> [samba$]
>     # Hidden share for Adminstrator and "Domain Admins" members/Folder managers
>     # By default "Domain Admins" are allowed to read/write
>     path = /srv/samba
>     browseable = yes
>     read only = no
>
> [companydata]
>     # main share for all company data.
>     path = /srv/samba/companydata
>     browseable = yes
>     read only = no
>
> [profiles]
>     # Windows user profiles, Used for/by windows only share.
>     # Add a $ on the end to hide the share-name.
>     # By default "Domain users" are allowed to read/write
>     # https://www.samba.org/samba/docs/current/man-html/vfs_acl_xattr.8.html
>     # Optional, yes and windows? defaults are: no/posix
>     # acl_xattr:ignore system acls = [yes|no]
>     # acl_xattr:default acl style = [posix|windows|everyone]
>     path = /srv/samba/profiles
>     #map acl inherit = no
>     browseable = yes
>     read only = no
>
> [users]
>     # Samba/Windows User homedirs.
>     # By default the User (And root/Administrator/Domain Admins) are allowed to read/write
>     path = /srv/samba/users
>     browseable = yes
>     read only = no
>
> [public]
>     # A public share.
>     # By default "Domain users" are allowed to read/write
>     path = /srv/samba/public
>     browseable = yes
>     read only = no
>
> root@mbr04:~# cat /etc/nsswitch.conf
> # /etc/nsswitch.conf
> #
> # Example configuration of GNU Name Service Switch functionality.
> # If you have the `glibc-doc-reference' and `info' packages installed, try:
> # `info libc "Name Service Switch"' for information about this file.
>
> passwd:         files winbind systemd
> group:          files winbind systemd
> shadow:         files
> gshadow:        files
>
> hosts:          files dns
> networks:       files
>
> protocols:      db files
> services:       db files
> ethers:         db files
> rpc:            db files
>
> netgroup:       nis
>
> As you can see I have tried all variations but still returns blank response.
>
> As a reminder, Debian 10, Samba v4.12.5.
>
> Included all reference config files. Does anyone see anything that needs adjustment?
>
> --
> (Sent from home location.)
>
> username Wooden
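
Added example, not part of any message in the thread: a small shell lint for the two files the replies keep pointing at (smb.conf and nsswitch.conf), run on samples constructed from the settings Bob posted. The function names lint_smb_conf and nss_has_winbind and the finding labels are made up for this example; the checks are that the workgroup has its own idmap config section, that idmap ranges do not overlap, that winbind nss info is not set alongside unix_nss_info, and that nsswitch.conf lists winbind.

```shell
#!/bin/sh
# Added example: static checks on the two files this thread depends on.
# Both samples are constructed from the settings quoted in the thread.
SMB_CONF='workgroup = DOM
idmap config * : backend = tdb
idmap config * : range = 3000-7000
idmap config SUBDOM : backend = ad
idmap config SUBDOM : range = 10000-999999
idmap config SUBDOM : unix_nss_info = yes
winbind nss info = rfc2307'
NSSWITCH='passwd: files winbind systemd
group: files winbind systemd
shadow: files'

# lint_smb_conf TEXT: print one finding per line; no output means nothing flagged.
lint_smb_conf() {
  printf '%s\n' "$1" | awk -F= '
    /^[ \t]*[#;]/ || /^[ \t]*$/ { next }           # skip comments and blank lines
    { key = tolower($1); val = $2
      gsub(/^[ \t]+|[ \t]+$/, "", key); gsub(/^[ \t]+|[ \t]+$/, "", val) }
    key == "workgroup"        { wg = toupper(val) }
    key == "winbind nss info" { legacy = 1 }
    key ~ /^idmap config / {
      split(substr(key, 14), p, /[ \t]*:[ \t]*/)   # p[1]=domain, p[2]=option
      dom = toupper(p[1]); seen[dom] = 1
      if (p[2] == "unix_nss_info") modern = 1
      if (p[2] == "range") { split(val, r, "-"); lo[dom] = r[1] + 0; hi[dom] = r[2] + 0 }
    }
    END {
      if (wg != "" && !(wg in seen))
        print "no-idmap-for-workgroup: " wg " falls under the * default backend"
      if (legacy && modern)
        print "legacy-nss-info: winbind nss info set together with unix_nss_info"
      for (a in lo) for (b in lo)                  # each unordered pair once
        if (a < b && lo[a] <= hi[b] && lo[b] <= hi[a])
          print "range-overlap: " a " and " b
    }'
}

# nss_has_winbind DB TEXT: succeed if database DB (passwd, group, ...) lists winbind.
nss_has_winbind() {
  printf '%s\n' "$2" | awk -v db="$1:" '
    $1 == db { for (i = 2; i <= NF; i++) if ($i == "winbind") ok = 1 }
    END { exit !ok }'
}

lint_smb_conf "$SMB_CONF"
nss_has_winbind passwd "$NSSWITCH" && echo "passwd: winbind listed"
nss_has_winbind shadow "$NSSWITCH" || echo "shadow: winbind not listed"
```

On the posted settings it reports that workgroup DOM has no idmap config section of its own (the sections name SUBDOM) and the leftover winbind nss info line; the thread does not say whether the DOM/SUBDOM difference is in the real file or only in the anonymised post.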