On 8/17/20 4:36 AM, Rowland penny via samba wrote:
> On 17/08/2020 10:20, L.P.H. van Belle via samba wrote:
>>
>> But have you tried this :
>> getent passwd "SAMDOM\username"
>
> Unless you have in smb.conf (which is not recommended):
>
> winbind enum users = yes
>
> winbind enum groups = yes
>
> Running 'getent passwd' and 'getent group' will only show local users
> and groups.
>
> you need to specify a username or group, but if you also specify the
> workgroup name, you still will not get output unless it is specified
> correctly, this will not work:
>
> getent passwd SAMDOM\username
>
> But any of these will:
>
> getent passwd SAMDOM\\username
>
> getent passwd 'SAMDOM\username'
>
> getent passwd "SAMDOM\username"
>
> Of course, they all depend on smb.conf, nsswitch.conf and the links
> being setup correctly.
>
> Rowland
>
>
root@mbr04:~# getent passwd SUBDOM\\username
root@mbr04:~# getent passwd SUBDOM\username
root@mbr04:~# getent passwd 'SUBDOM\username'
root@mbr04:~# getent passwd "SUBDOM\username"
root@mbr04:~# cat /etc/samba/smb.conf
# https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member
#
log level = 4
log file = /var/log/samba/%m.log
max log size = 1000
# netbios name = By default this is "hostname -s" but in caps.
realm = SUBDOM.EXAMPLE.COM
workgroup = DOM
security = ADS
# set master browser for the network.
# preferred + domain master = yes = guarantee master browser ( man smb.conf )
# ! There can only be ONE master browser.
preferred master = no
domain master = no
dedicated keytab file = /etc/krb5.keytab
kerberos method = secrets and keytab
## map IDs outside the domain to tdb files.
idmap config * : backend = tdb
idmap config * : range = 3000-7000
## map IDs from the domain. The ranges may not overlap!
idmap config SUBDOM : backend = ad
idmap config SUBDOM : schema_mode = rfc2307
idmap config SUBDOM : range = 10000-999999
idmap config SUBDOM : unix_nss_info = yes
## added per Louis' email 2020-08-13 (note on its own line: smb.conf does not support a comment after a value)
idmap config SUBDOM : unix_primary_group = yes
# Renew the kerberos tickets
winbind refresh tickets = yes
# Enable offline logins
winbind offline logon = yes
# User uid/Gid from AD. (rfc2307)
winbind nss info = rfc2307
# With default domain, wbinfo -u, yes = username, no is SAMBADOM\username
winbind use default domain = yes
##winbind trusted domains only = no
# Keep no in production, set yes when debugging; this slows down your samba.
winbind enum users = yes
winbind enum groups = yes
# Check depth of nested groups. ! Slows down your samba if the group depth is too large.
# Samba default is 0; I suggest a minimum of 2 in this setup, advised is 4.
winbind expand groups = 4
# User Administrator workaround, without it you are unable to set privileges
# !Note: When using the AD ID mapping back end, do not set the uidNumber attribute for the domain administrator account.
# If the account has the attribute set, the value overrides the local UID 0 of the root user and thus the mapping fails.
username map = /etc/samba/samba_usermapping
# disable usershares creating, when set empty no error log messages.
usershare path
# Disable printing completely
load printers = no
printing = bsd
printcap name = /dev/null
disable spoolss = yes
# For Windows ACL support on a member file server, enabled globally, OBLIGATORY
# For a mixed setup of rights, put this per share!
vfs objects = acl_xattr
map acl inherit = yes
store dos attributes = yes
# Share Setting Globally
veto files = /.bash_logout/.bash_profile/.bash_history/.bashrc/
hide unreadable = yes
# Included per Louis' member script
include = /etc/samba/smb-shares.conf
######## SHARE DEFINITIONS ################
##moved to /etc/samba/smb-shares.conf
root@mbr04:~# cat /etc/samba/smb-shares.conf
[samba$]
    # Hidden share for Administrator and "Domain Admins" members/Folder managers
    # By default "Domain Admins" are allowed to read/write
    path = /srv/samba
    browseable = yes
    read only = no
[companydata]
    # main share for all company data.
    path = /srv/samba/companydata
    browseable = yes
    read only = no
[profiles]
    # Windows user profiles, used for/by Windows only share.
    # Add a $ on the end to hide the share-name.
    # By default "Domain users" are allowed to read/write
    # https://www.samba.org/samba/docs/current/man-html/vfs_acl_xattr.8.html
    # Optional, yes and windows; defaults are: no/posix
    # acl_xattr:ignore system acls = [yes|no]
    # acl_xattr:default acl style = [posix|windows|everyone]
    path = /srv/samba/profiles
    #map acl inherit = no
    browseable = yes
    read only = no
[users]
    # Samba/Windows user homedirs.
    # By default the user (and root/Administrator/Domain Admins) are allowed to read/write
    path = /srv/samba/users
    browseable = yes
    read only = no
[public]
    # A public share.
    # By default "Domain users" are allowed to read/write
    path = /srv/samba/public
    browseable = yes
    read only = no
root@mbr04:~# cat /etc/nsswitch.conf
# /etc/nsswitch.conf
#
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.
passwd:         files winbind systemd
group:          files winbind systemd
shadow:         files
gshadow:        files
hosts:          files dns
networks:       files
protocols:      db files
services:       db files
ethers:         db files
rpc:            db files
netgroup:       nis
As you can see, I have tried all variations, but it still returns a blank response.
As a reminder, Debian 10, Samba v4.12.5.
Included all reference config files. Does anyone see anything that needs adjustment?
--
(Sent from home location.)
username Wooden
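A check a practitioner would run over the posted smb.conf before digging further into nsswitch and the winbind links, added here as an example for this thread; it is not Samba's code and not part of the original message. It parses the idmap stanzas of [global], verifies that every range is well formed and that the ranges do not overlap (the config's own comment demands this), flags an idmap domain label that is neither `*` nor the `workgroup` value (the label has to be the domain's NetBIOS name, so any other label is only correct when it names a trusted domain), and flags a boolean option whose value carries trailing text, because smb.conf does not support a comment after a value. Both config strings are constructed from the values shown above: `POSTED_SMB_CONF` mirrors the posted idmap lines, and `CLEAN_SMB_CONF` is the variant the checker accepts, on the assumption that DOM, the workgroup, really is the NetBIOS name of SUBDOM.EXAMPLE.COM. Run on the posted stanza it reports two findings, the SUBDOM label and the trailing comment on `unix_primary_group`; on the clean stanza it reports none.

```python
import re

# Constructed sample mirroring the idmap part of the smb.conf posted above
# (same labels and ranges; nothing here is a real domain).  Parameters before
# any [section] header are global, as Samba itself treats them.
POSTED_SMB_CONF = """\
workgroup = DOM
realm = SUBDOM.EXAMPLE.COM
security = ADS
idmap config * : backend = tdb
idmap config * : range = 3000-7000
## map IDs from the domain. The ranges may not overlap!
idmap config SUBDOM : backend = ad
idmap config SUBDOM : schema_mode = rfc2307
idmap config SUBDOM : range = 10000-999999
idmap config SUBDOM : unix_nss_info = yes
idmap config SUBDOM : unix_primary_group = yes ##added per Louis email
winbind use default domain = yes
"""

# The same stanza as the checker wants to see it.  Assumption: the NetBIOS
# name of SUBDOM.EXAMPLE.COM is DOM, i.e. the workgroup value.
CLEAN_SMB_CONF = """\
[global]
   workgroup = DOM
   realm = SUBDOM.EXAMPLE.COM
   idmap config * : backend = tdb
   idmap config * : range = 3000-7000
   idmap config DOM : backend = ad
   idmap config DOM : schema_mode = rfc2307
   idmap config DOM : range = 10000-999999
   idmap config DOM : unix_nss_info = yes
   ## added per Louis' email 2020-08-13
   idmap config DOM : unix_primary_group = yes
"""

_IDMAP_KEY = re.compile(r"idmap\s+config\s+(\S+)\s*:\s*(\w+)$", re.I)
_RANGE = re.compile(r"(\d+)\s*-\s*(\d+)$")
_BOOL = {"yes", "no", "true", "false", "on", "off", "1", "0"}
_BOOL_OPTS = ("unix_nss_info", "unix_primary_group")


def parse_smb_conf(text):
    """Return (globals, idmap): globals maps a lower-cased parameter name to
    its raw value; idmap maps an upper-cased domain label to {option: value}.
    Values are kept verbatim on purpose, since Samba does not strip '#' either."""
    globs, idmap, section = {}, {}, "global"
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "global" or "=" not in line:
            continue  # share parameters or lines that are not assignments
        key, value = (s.strip() for s in line.split("=", 1))
        m = _IDMAP_KEY.match(key)
        if m:
            idmap.setdefault(m.group(1).upper(), {})[m.group(2).lower()] = value
        else:
            globs[key.lower()] = value
    return globs, idmap


def check_idmap(globs, idmap):
    """Return a list of findings; an empty list means the stanzas look sane."""
    findings = []
    workgroup = globs.get("workgroup", "").upper()
    if "range" not in idmap.get("*", {}):
        findings.append("no 'idmap config * : range' for the default backend")
    ranges = {}
    for dom, opts in idmap.items():
        if dom not in ("*", workgroup):
            findings.append(f"idmap config domain {dom!r} is not the workgroup "
                            f"{workgroup!r}; only valid for a trusted domain")
        for opt in _BOOL_OPTS:
            if opt in opts and opts[opt].lower() not in _BOOL:
                findings.append(f"idmap config {dom} : {opt} = {opts[opt]!r} "
                                "is not a boolean (smb.conf has no trailing comments)")
        m = _RANGE.match(opts.get("range", ""))
        if not m or int(m.group(1)) >= int(m.group(2)):
            findings.append(f"idmap config {dom}: missing or malformed range")
            continue
        ranges[dom] = (int(m.group(1)), int(m.group(2)))
    labels = sorted(ranges)
    for i, a in enumerate(labels):
        for b in labels[i + 1:]:
            lo = max(ranges[a][0], ranges[b][0])
            hi = min(ranges[a][1], ranges[b][1])
            if lo <= hi:
                findings.append(f"ranges of {a} and {b} overlap at {lo}-{hi}")
    return findings


def lint(text):
    """Parse and check one smb.conf text; returns the list of findings."""
    return check_idmap(*parse_smb_conf(text))


if __name__ == "__main__":
    for name, conf in (("posted", POSTED_SMB_CONF), ("clean", CLEAN_SMB_CONF)):
        print(f"{name}: {lint(conf) or ['OK']}")
```

The checker reads the file as Samba does, so `testparm -s` remains the authoritative parse; this only surfaces the idmap mistakes that `testparm` accepts silently, such as a label that winbind will never consult for the joined domain.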