samba - Nov 2024 - Very strange: Samba is unable to access one of its own files

On Thu, 14 Nov 2024 09:52:47 -0500
"John R. Graham via samba" <samba at lists.samba.org> wrote:
> On 11/13/24 15:54, Rowland Penny via samba wrote:
> >>   ??? log level = 1
> >>
> >>   ??? # dns update command = /usr/sbin/samba_dnsupdate
> >> --use-samba-tool
> >>
> >>   ??? # Winbindd setup for shares:
> >>   ??? # template shell = /bin/bash
> >>   ??? # template homedir = /home/%U
> >>
> >>   ??? # idmap_nss plugin setup:
> >>   ??? idmap config * : backend = tdb
> >>   ??? idmap config * : range = 1000000-3999999
> >>
> >>   ??? idmap config SAMBA : backend? = nss
> >>   ??? idmap config SAMBA : range = 1000-999999
> > You should remove the 'idmap config' lines, they should never
be
> > set on a DC.
> 
> Thanks again! As soon as the idmap lines were removed--and Samba was 
> restarted--sanity was restored. I also uncommented these lines:
> 
>   ??? template shell = /bin/bash
>   ??? template homedir = /home/%U
> 
> I do get an unexpected result from retrieving my domain user's passwd
> line:
> 
>  ? ?? # getent passwd SAMDOM\\jgraham
>  ???? SAMDOM\jgraham:*:10000:100::/home/SAMDOM/jgraham:/bin/false
> 
> It appears that somehow the defaults from smb.conf are being 
> ignored...or is it that the defaults were in place when the domain 
> account was created? But, hmm, running
> 
>  ???? samba-tool user show -U Administrator jgraham
> 
> gets me, among other things:
> 
>  ???? loginShell: /bin/bash
>  ???? unixHomeDirectory: /home/jgraham
> 
> Is the information that getent retrieves sourced somewhere else?
Yes and then again no ;-)

Try running 'net cache flush' and try again with getent.
The first time Samba is asked for a users details it gets it from AD,
but it also then caches the details to speed things up, you are probably
reading from the cache.

Rowland

On 11/14/24 10:04, Rowland Penny via samba wrote:
> Try running 'net cache flush' and try again with getent.
> The first time Samba is asked for a users details it gets it from AD,
> but it also then caches the details to speed things up, you are probably
> reading from the cache.
>
> Rowland
>
Alas, 'net cache flush' had no effect. getent is still returning 
information inconsistent with what's stored in AD.

- John