samba - Feb 2022 - getent not returning users/groups

Rowland - I think you didn't read the last para Roy posted in his OP. (late
yesterday, at least in my TZ)
?
?
---
...the AD users are still *known* to the operating system as will be
demonstrated by appending an AD user's name or group to the getent command.
For example on my system getent passwd roy produces:
roy at pi4b:~$ getent passwd roy
roy:*:11601:10513:roy:/home/MICROLYNX/roy:/bin/bash?
--- ?
?
So, I don't actually think he was wrong in his initial post.?
(Though I'd agree it was easy to read the first couple of paras and think he
had it wrong.)
?
---
Can we all agree that without the winbind enum line, you can't just do a
getent group/passwd and get a full listing of all the group/user records in AD,
but you CAN get individual records by specifying them?
?
And as the wiki says (or should/may have said before it was hosed) the enum
lines should generally only be used for troubleshooting/debugging since they
place more load on the DC's - especially for large AD data-sets.
?
:)
???
> On Mon, 2022-02-28 at 15:42 +0000, spindles seven wrote:
>> I must be missing something here. ?If what you say above is true,
>> then why does the WiKi advise adding the "winbind enum" lines
to the
>> smb.conf in order for the getent commands to show all AD users and
>> groups??
> It didn't (it seems to have been removed in the pruning of required
> information), it said to only to use them for testing purposes.
> ?
>> ? ? Also your other answer in this thread seems to contradict this as
>> well. ? I certainly cannot get the list to include AD users and
>> groups without the enum lines.
> I doubt I said that and if you must have the 'enum' lines in
smb.conf
> for your Unix domain member to work, then you have something
> exceedingly strangely wrong with your set up.
>> So what settings "when set up correctly" allow getent to
display all
>> users and groups (without the 'enum' lines)?
> None, because you do not need them:
> rowland at devstation:~$ getent passwd | grep rowland
> rowland at devstation:~$?
> Just running the output of 'getent passwd' through grep with my
name,
> produces no output.
> rowland at devstation:~$ getent passwd rowland
> rowland:*:10000:10000:Rowland Penny:/home/rowland:/bin/bash
> Yet adding my name to the getent command does.
> rowland at devstation:~$ cat /etc/passwd | grep rowland
> rowland at devstation:~$?
> My name is not in /etc/passwd
> rowland at devstation:~$ cat /etc/samba/smb.conf | grep 'enum'
> rowland at devstation:~$?
> I do not have the 'enum' lines in smb.conf, yet everything works.
> Rowland

On Mon, 2022-02-28 at 08:14 -0800, Gregory Sloop via samba
wrote:
> Rowland - I think you didn't read the last para Roy posted in his OP.
> (late yesterday, at least in my TZ)
If I did misunderstand the OP's post then I apologise, but my reading
was that he has to use the 'enum' lines to get any output.
>  
>  
> ---
> ...the AD users are still *known* to the operating system as will be
> demonstrated by appending an AD user's name or group to the getent
> command.
> For example on my system getent passwd roy produces:
> roy at pi4b:~$ getent passwd roy
> roy:*:11601:10513:roy:/home/MICROLYNX/roy:/bin/bash 
> ---  
>  
> So, I don't actually think he was wrong in his initial post. 
> (Though I'd agree it was easy to read the first couple of paras and
> think he had it wrong.)
>  
> ---
> Can we all agree that without the winbind enum line, you can't just
> do a getent group/passwd and get a full listing of all the group/user
> records in AD, but you CAN get individual records by specifying them?
I would agree with that.
>  
> And as the wiki says (or should/may have said before it was hosed)
> the enum lines should generally only be used for
> troubleshooting/debugging since they place more load on the DC's -
> especially for large AD data-sets.
It used to say this:

For testing purposes only (remove for production), add these lines:

   winbind enum users = yes
   winbind enum groups = yes

	The above lines just make 'getent passwd' and 'getent group'
display all domain users and groups, they are not required for anything
else and Samba will work correctly and faster without them.

Eventually (when I get the information tidied up and reformatted) it
will say something similar.

Rowland