samba - Nov 2024 - Very strange: Samba is unable to access one of its own files

On 11/13/24 15:54, Rowland Penny via samba wrote:
>>   ??? log level = 1
>>
>>   ??? # dns update command = /usr/sbin/samba_dnsupdate --use-samba-tool
>>
>>   ??? # Winbindd setup for shares:
>>   ??? # template shell = /bin/bash
>>   ??? # template homedir = /home/%U
>>
>>   ??? # idmap_nss plugin setup:
>>   ??? idmap config * : backend = tdb
>>   ??? idmap config * : range = 1000000-3999999
>>
>>   ??? idmap config SAMBA : backend? = nss
>>   ??? idmap config SAMBA : range = 1000-999999
> You should remove the 'idmap config' lines, they should never be
set on
> a DC.
Thanks again! As soon as the idmap lines were removed--and Samba was 
restarted--sanity was restored. I also uncommented these lines:

  ??? template shell = /bin/bash
  ??? template homedir = /home/%U

I do get an unexpected result from retrieving my domain user's passwd line:

 ? ?? # getent passwd SAMDOM\\jgraham
 ???? SAMDOM\jgraham:*:10000:100::/home/SAMDOM/jgraham:/bin/false

It appears that somehow the defaults from smb.conf are being 
ignored...or is it that the defaults were in place when the domain 
account was created? But, hmm, running

 ???? samba-tool user show -U Administrator jgraham

gets me, among other things:

 ???? loginShell: /bin/bash
 ???? unixHomeDirectory: /home/jgraham

Is the information that getent retrieves sourced somewhere else?

- John

On Thu, 14 Nov 2024 09:52:47 -0500
"John R. Graham via samba" <samba at lists.samba.org> wrote:
> On 11/13/24 15:54, Rowland Penny via samba wrote:
> >>   ??? log level = 1
> >>
> >>   ??? # dns update command = /usr/sbin/samba_dnsupdate
> >> --use-samba-tool
> >>
> >>   ??? # Winbindd setup for shares:
> >>   ??? # template shell = /bin/bash
> >>   ??? # template homedir = /home/%U
> >>
> >>   ??? # idmap_nss plugin setup:
> >>   ??? idmap config * : backend = tdb
> >>   ??? idmap config * : range = 1000000-3999999
> >>
> >>   ??? idmap config SAMBA : backend? = nss
> >>   ??? idmap config SAMBA : range = 1000-999999
> > You should remove the 'idmap config' lines, they should never
be
> > set on a DC.
> 
> Thanks again! As soon as the idmap lines were removed--and Samba was 
> restarted--sanity was restored. I also uncommented these lines:
> 
>   ??? template shell = /bin/bash
>   ??? template homedir = /home/%U
> 
> I do get an unexpected result from retrieving my domain user's passwd
> line:
> 
>  ? ?? # getent passwd SAMDOM\\jgraham
>  ???? SAMDOM\jgraham:*:10000:100::/home/SAMDOM/jgraham:/bin/false
> 
> It appears that somehow the defaults from smb.conf are being 
> ignored...or is it that the defaults were in place when the domain 
> account was created? But, hmm, running
> 
>  ???? samba-tool user show -U Administrator jgraham
> 
> gets me, among other things:
> 
>  ???? loginShell: /bin/bash
>  ???? unixHomeDirectory: /home/jgraham
> 
> Is the information that getent retrieves sourced somewhere else?
Yes and then again no ;-)

Try running 'net cache flush' and try again with getent.
The first time Samba is asked for a users details it gets it from AD,
but it also then caches the details to speed things up, you are probably
reading from the cache.

Rowland