I could retype what's in the Wiki, but really it says it best. (Even though
I don't likely understand all the implications.)

I think the biggest points are that:
The AD backend allows you to have individualized *nix login shells and home
dirs, but requires you to keep track and ensure the IDs _manually_ assigned
are unique.
RID doesn't require manually assigning IDs (essentially Samba does it
all for you), but you can't have individualized *nix home-dirs or
login-shells.

If you're mostly using Samba in a Windows environment, RID likely is good
enough.

But reading the wiki is obviously far better at covering things in a non-TLDR
(in detail) format.

https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member#Choosing_an_idmap_backend

And the three main back-ends.

https://wiki.samba.org/index.php/Idmap_config_ad
https://wiki.samba.org/index.php/Idmap_config_rid
https://wiki.samba.org/index.php/Idmap_config_autorid

---
I'm not sure what you're concerned about - though this may be what
you're referencing.

From the *AD* back-end wiki:
---
If you use the winbind 'ad' backend, you must add a gidNumber attribute
to the Domain Users group in AD. You must also give any users, that you want to
be visible to Unix, a uidNumber attribute.
---

But that *ONLY* applies to the AD back-end.
If you use RID, the ID assignment happens automagically. (And thus all
users/groups are visible automatically.)

>> -----Original Message-----
>> From: samba [mailto:samba-bounces at lists.samba.org] On Behalf Of
>> Rowland Penny via samba
>> Sent: Saturday, February 26, 2022 12:19 AM
>> To: samba at lists.samba.org
>> Subject: Re: [Samba] getent not returning users/groups
>> On Fri, 2022-02-25 at 17:01 -0800, Michael Evans via samba wrote:
>>> All groups and all users must have GID and UID entries if they show
>>> up in the passwd / groups nss list.
>> Only if you are using the winbind 'ad' idmap backend, which Gregory
>> isn't.
>>> Please ensure that at least the user's unix UID and primary group
>>> unix Group ID are set via some method.
>> Why ?
> It was my belief this was required for the users and groups to show up; but
> that one method for IDs being assigned were the other, non-AD storage, local
> ID storage configurations.
>>> There probably should be a wiki page dedicated to just this issue.
>> There is.
>> Also, the 'enum' lines are only required for troubleshooting purposes
>> (such as this) and shouldn't be in a production smb.conf.
> How _should_ the unix IDs for users and groups that are part of the domain
> be exposed to the host system outside of Samba? My understanding is that
> this was the only way; so I've clearly misunderstood the documentation.
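
An added example, not part of the original thread and not Samba's own code: it contrasts the two backends discussed above by computing the 'rid' mapping with the formula from the idmap_rid documentation (ID = RID - BASE_RID + LOW_RANGE_ID) and by auditing the attributes the 'ad' backend leaves to the administrator. The function names, the range 10000-999999 and the sample records are assumptions constructed for illustration.

```python
from collections import defaultdict

def rid_to_unix_id(sid, low=10000, high=999999, base_rid=0):
    """idmap_rid formula: ID = RID - BASE_RID + LOW_RANGE_ID.
    Returns None when the result falls outside the configured range."""
    rid = int(sid.rsplit("-", 1)[1])          # RID is the last SID component
    unix_id = rid - base_rid + low
    return unix_id if low <= unix_id <= high else None

def rid_ids(users):
    """IDs the 'rid' backend would derive; no per-user AD attributes needed."""
    return {u["sAMAccountName"]: rid_to_unix_id(u["objectSid"]) for u in users}

def audit_ad_backend(users, domain_users_gid):
    """Problems the 'ad' backend leaves to the admin: missing or duplicate IDs."""
    problems = []
    if domain_users_gid is None:
        problems.append("Domain Users has no gidNumber")
    seen = defaultdict(list)
    for u in users:
        uid = u.get("uidNumber")
        if uid is None:
            problems.append(f"{u['sAMAccountName']}: no uidNumber, not visible to Unix")
        else:
            seen[uid].append(u["sAMAccountName"])
    for uid, names in sorted(seen.items()):
        if len(names) > 1:                     # uniqueness is the admin's job
            problems.append(f"uidNumber {uid} assigned to: {', '.join(names)}")
    return problems

# Constructed sample records (hypothetical domain SID and accounts)
SAMPLE_USERS = [
    {"sAMAccountName": "alice", "objectSid": "S-1-5-21-1111-2222-3333-1104",
     "uidNumber": 10001},
    {"sAMAccountName": "bob", "objectSid": "S-1-5-21-1111-2222-3333-1105",
     "uidNumber": 10001},                      # duplicate of alice's ID
    {"sAMAccountName": "carol", "objectSid": "S-1-5-21-1111-2222-3333-1106"},
]

if __name__ == "__main__":
    print("rid backend:", rid_ids(SAMPLE_USERS))
    for line in audit_ad_backend(SAMPLE_USERS, domain_users_gid=None):
        print("ad backend :", line)
```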