> -----Original Message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On Behalf Of
> Rowland Penny via samba
> Sent: Saturday, February 26, 2022 12:19 AM
> To: samba at lists.samba.org
> Subject: Re: [Samba] getent not returning users/groups
>
> On Fri, 2022-02-25 at 17:01 -0800, Michael Evans via samba wrote:
> > All groups and all users must have GID and UID entries if they show
> > up in the passwd / groups nss list.
>
> Only if you are using the winbind 'ad' idmap backend, which Gregory
> isn't.
>
> > Please ensure that at least the user's unix UID and primary group
> > unix Group ID are set via some method.
>
> Why ?

It was my belief this was required for the users and groups to show up; but that one method for IDs being assigned were the other, non-AD storage, local ID storage configurations.

> > There probably should be a wiki page dedicated to just this issue.
>
> There is.
>
> Also, the 'enum' lines are only required for troubleshooting purposes
> (such as this) and shouldn't be in a production smb.conf.

How _should_ the unix IDs for users and groups that are part of the domain be exposed to the host system outside of Samba? My understanding is that this was the only way; so I've clearly misunderstood the documentation.

I could retype what's in the Wiki, but really it says it best. (Even though I don't likely understand all the implications.)

I think the biggest points are that:

The AD backend allows you to have individualized *nix login shells and home dirs, but requires you to keep track and ensure the IDs _manually_ assigned are unique. RID doesn't require manually assigning IDs (essentially Samba does it all for you), but you can't have individualized *nix home-dirs or login-shells.

If you're mostly using Samba in a Windows environment, RID likely is good enough.

But reading the wiki is obviously far better at covering things in a non-TLDR (in detail) format.

https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member#Choosing_an_idmap_backend

And the three main back-ends.

https://wiki.samba.org/index.php/Idmap_config_ad
https://wiki.samba.org/index.php/Idmap_config_rid
https://wiki.samba.org/index.php/Idmap_config_autorid

---

I'm not sure what you're concerned about - though this may be what you're referencing.

From the *AD* back-end wiki:

---
If you use the winbind 'ad' backend, you must add a gidNumber attribute to the Domain Users group in AD. You must also give any users, that you want to be visible to Unix, a uidNumber attribute.
---

But that *ONLY* applies to the AD back-end. If you use RID, the ID assignment happens automagically. (And thus all users/groups are visible automatically.)

On Sun, 2022-02-27 at 13:48 -0800, Michael Evans wrote:
> > -----Original Message-----
> > From: samba [mailto:samba-bounces at lists.samba.org] On Behalf Of
> > Rowland Penny via samba
> > Sent: Saturday, February 26, 2022 12:19 AM
> > To: samba at lists.samba.org
> > Subject: Re: [Samba] getent not returning users/groups
> >
> > On Fri, 2022-02-25 at 17:01 -0800, Michael Evans via samba wrote:
> > > All groups and all users must have GID and UID entries if they
> > > show up in the passwd / groups nss list.
> >
> > Only if you are using the winbind 'ad' idmap backend, which Gregory
> > isn't.
> >
> > > Please ensure that at least the user's unix UID and primary group
> > > unix Group ID are set via some method.
> >
> > Why ?
>
> It was my belief this was required for the users and groups to show
> up; but that one method for IDs being assigned were the other, non-AD
> storage, local ID storage configurations.

You only need to add RFC2307 attributes if you are going to use the winbind 'ad' idmap backend on Unix domain members; the 'autorid' and 'rid' idmap backends calculate Unix IDs from the RID.

> > > There probably should be a wiki page dedicated to just this
> > > issue.
> >
> > There is.
> >
> > Also, the 'enum' lines are only required for troubleshooting
> > purposes (such as this) and shouldn't be in a production smb.conf.
>
> How _should_ the unix IDs for users and groups that are part of the
> domain be exposed to the host system outside of Samba? My
> understanding is that this was the only way; so I've clearly
> misunderstood the documentation.

It was explained in the wiki, but someone removed it. I am working on putting it back (when I have the time) and trying to make it clearer.

Rowland
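
The backend distinction discussed in this thread, as an added example that is not part of any poster's message or of Samba itself: a small checker that reads an smb.conf fragment, reports which idmap backend each domain uses and whether it needs RFC2307 attributes, flags the troubleshooting-only 'enum' lines, and applies the idmap_rid formula (ID = RID - BASE_RID + LOW_RANGE_ID). The domain name SAMDOM, the ranges and the function names are constructed for illustration.

```python
import re

# Constructed smb.conf fragment; SAMDOM and the ranges are sample values.
SAMPLE_SMB_CONF = """
[global]
    security = ads
    workgroup = SAMDOM
    idmap config * : backend = tdb
    idmap config * : range = 3000-7999
    idmap config SAMDOM : backend = rid
    idmap config SAMDOM : range = 10000-999999
    winbind enum users = yes
    winbind enum groups = yes
"""

IDMAP_RE = re.compile(r"^idmap config\s+(\S+)\s*:\s*(\w+)\s*=\s*(.+)$", re.I)
ENUM_RE = re.compile(r"^winbind enum (users|groups)\s*=\s*(yes|true|1)$", re.I)

def parse_idmap(conf_text):
    """Return ({domain: {option: value}}, [enabled 'winbind enum' options])."""
    domains, enum_on = {}, []
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":      # skip blanks and comments
            continue
        m = IDMAP_RE.match(line)
        if m:
            domains.setdefault(m.group(1), {})[m.group(2).lower()] = m.group(3).strip()
        elif ENUM_RE.match(line):            # troubleshooting-only settings
            enum_on.append(line.split("=")[0].strip().lower())
    return domains, enum_on

def needs_rfc2307(backend):
    """Only the 'ad' backend reads uidNumber/gidNumber from AD."""
    return backend.lower() == "ad"

def rid_to_unix_id(rid, id_range, base_rid=0):
    """idmap_rid mapping; returns None when the result falls outside the range."""
    low, high = (int(x) for x in id_range.split("-"))
    unix_id = rid - base_rid + low
    return unix_id if low <= unix_id <= high else None

if __name__ == "__main__":
    domains, enum_on = parse_idmap(SAMPLE_SMB_CONF)
    for name, opts in domains.items():
        print(name, opts.get("backend"), "RFC2307 needed:", needs_rfc2307(opts.get("backend", "")))
    print("Domain Users (RID 513) ->", rid_to_unix_id(513, domains["SAMDOM"]["range"]))
    print("enum lines to remove before production:", enum_on)
```

A RID that maps above the top of the configured range gets no Unix ID, so with the 'rid' backend a user missing from `getent` can be a range problem rather than a missing attribute.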