Rowland penny
2021-Mar-11 09:02 UTC
[Samba] List of users seems truncated or incomplete in file server member of an Active Directory Domain
On 11/03/2021 08:29, David PAUGAM via samba wrote:
> Hello Rowland,
>
> sorry, I tried - and failed :-) - to mask the domain from the conf.
>
> So, IFR is the name, and MYDOM a try to hide it...

Sort of thought that was what was going on.

> What do you mean by "Also, how are the usernames truncated ?"

Sorry, I read it one way and you meant it another ?

You meant that you get a shortened list of users, I read it as you get shortened usernames ?

You are using the winbind 'rid' backend, so the IDs are calculated with this formula:

ID = RID + LOW_RANGE_ID

Which in your case, would be:

ID = RID + 30000

This means that any RIDs larger than 969999 would be ignored, but this is such a large number that I don't think this is your problem.

As you are using Debian buster, I take it you are using Samba 4.9.5, but what is the DC ? Not that this should matter.

If 'user1' is shown by getent, but 'user2' isn't, then I would suggest comparing the two user objects in AD.

Rowland
David PAUGAM
2021-Mar-12 12:25 UTC
[Samba] List of users seems truncated or incomplete in file server member of an Active Directory Domain
[I am correcting by "sending to the list" instead of my previous mail - sorry for that]

Thank you Rowland for your new reply!

I checked several things:
* created a new user in Active Directory, as the exact copy (but the names) of an account which I can find through "getent passwd myNewUser"
  o it is not retrieved in "getent"
* Samba is 4.9.5
* Active Directory servers are W2012 and 2016

Then I tried a few things and checked each modification of the conf with the 2 commands
* wbinfo -u |wc -l
* getent passwd |wc -l

They give the number of lines, so the number of accounts. When I get problems, the first one returns around 3400, the second one around 1140. When everything seems fine the 2 numbers are very close. The difference should be the local accounts.

Then, I unwillingly made a mistake in smb.conf and it worked!! The 2 previous commands returned the good numbers! Surprisingly, the conf seemed to work when the idmap Domain name is wrong...

Here is the "working" smb.conf, which must be wrong. And this time, the mistake is done intentionally ;-)

    [global]
        workgroup=MYDOM
        security=ads
        realm=MYDOM.FR
        winbind enum users=yes
        winbind enum groups=yes
        winbind use default domain=yes
        idmap config * : backend = tdb
        idmap config * : range = 3000-7999

    #Here are the "bad" lines / bad domain, which actually solved the "getent passwd"
        idmap config WRONGDOM : backend = rid
        idmap config WRONGDOM : range = 10000-999999

        template homedir = /home/%U
        template shell = /bin/bash
        dedicated keytab file = /etc/krb5.keytab
        kerberos method = secrets and keytab
        winbind refresh tickets = Yes

Is there an explanation to this behaviour? Is there a way to check the way rid works?

Thanks,
David
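As an added example (not code posted in this thread), a small Python linter that applies Rowland's rid formula and checks an smb.conf for the mistake David stumbled on: an `idmap config` block keyed to a domain name that is not the workgroup. The config text is constructed after the one posted above, and the parser is deliberately simplified (it only reads `workgroup` and `idmap config` lines).

```python
import re

# Constructed sample, modelled on the smb.conf posted in the thread:
# the rid block is keyed to WRONGDOM although the workgroup is MYDOM.
SMB_CONF = """[global]
        workgroup = MYDOM
        idmap config * : backend = tdb
        idmap config * : range = 3000-7999
        idmap config WRONGDOM : backend = rid
        idmap config WRONGDOM : range = 10000-999999
"""
IDMAP_RE = re.compile(r"^\s*idmap config\s+(\S+)\s*:\s*(\w+)\s*=\s*(.+?)\s*$", re.I)

def parse_idmap(conf):
    """Return (workgroup, {domain: {'backend': str, 'range': (low, high)}})."""
    workgroup, domains = None, {}
    for line in conf.splitlines():
        m = IDMAP_RE.match(line)
        if m:
            dom, key, val = m.group(1).upper(), m.group(2).lower(), m.group(3)
            if key == "range":
                low, high = (int(x) for x in re.split(r"\s*-\s*", val))
                domains.setdefault(dom, {})["range"] = (low, high)
            else:
                domains.setdefault(dom, {})[key] = val.lower()
        elif "=" in line and line.split("=", 1)[0].strip().lower() == "workgroup":
            workgroup = line.split("=", 1)[1].strip().upper()
    return workgroup, domains

def check_idmap(conf):
    """Flag a missing '*' block, a workgroup without its own block, and overlapping ranges."""
    workgroup, domains = parse_idmap(conf)
    problems = []
    if "*" not in domains:
        problems.append("no 'idmap config *' default block")
    if workgroup and workgroup not in domains:  # the domain would fall back to '*'
        others = ", ".join(sorted(d for d in domains if d != "*"))
        problems.append(f"no idmap config block for workgroup {workgroup} (found: {others})")
    ranges = [(d, e["range"]) for d, e in domains.items() if "range" in e]
    for i, (d1, (l1, h1)) in enumerate(ranges):
        for d2, (l2, h2) in ranges[i + 1:]:
            if l1 <= h2 and l2 <= h1:  # intervals intersect
                problems.append(f"ranges for {d1} and {d2} overlap")
    return problems

def rid_to_id(rid, low, high):
    """Rowland's rid formula ID = RID + LOW_RANGE_ID; above the range's high end nothing is mapped (None)."""
    uid = low + rid
    return uid if uid <= high else None
```

Running `check_idmap` on the posted config reports the WRONGDOM/MYDOM mismatch; with the block renamed to MYDOM it reports nothing, and `rid_to_id` shows why, with a low end of 30000, RIDs above 969999 get no ID.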