Mario Pio Russo
2015-May-19 14:22 UTC
[Samba] getent passwd and getent group reporting only local users
Good day all
I am working with samba4.2.1 DC, created after upgrading from samba3
the DC works fine, however the commands :
"getent passwd" and "getent group"
reports only local users.
however I am able to see all the id from the ccdc domain with the command
"id"
root@ccdc-samba4:~# id rocheian
uid=3439(rocheian) gid=513(domain users) groups=513(domain users),871(smbconnectionssupport),759(domainusers),3000004(BUILTIN\users)
furthermore the command "wbinfo -u -g" is able to show all the users and groups from the domain
my smb.conf is the following
# Global parameters
[global]
workgroup = CCDC
realm = CCDC.LAN
netbios name = CCDC-SAMBA4
server role = active directory domain controller
idmap_ldb:use rfc2307 = yes
dns forwarder = 9.0.138.50
#server services = -winbindd +winbind
##For debugging
#dcerpc endpoint servers = epmapper, wkssvc, rpcecho, samr, netlogon, lsarpc, spoolss, drsuapi, dssetup, unixinfo, browser, eventlog6, backupkey, dnsserver, remote, winreg, srvsvc
#auth methods = sam, winbind, ntdomain, ntdomain:winbind
idmap config CCDC:backend = ad
idmap config CCDC:schema_mode = rfc2307
idmap config CCDC:range = 10-4000000
# Store UIDs/GIDs for all other domains (including local
# accounts/groups of this server) in a tdb file
idmap config *:backend = tdb
idmap config *:range = 2000000000-9999999
# Use home directory and shell information from AD
winbind nss info = rfc2307
[netlogon]
path = /var/lib/samba/sysvol/ccdc.lan/scripts
read only = No
[sysvol]
path = /var/lib/samba/sysvol
read only = No
and my nsswitch.conf is the following:
# /etc/nsswitch.conf
#
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.
passwd: compat winbind
group: compat winbind
shadow: compat winbind
hosts: files dns
networks: files
protocols: db files
services: db files
ethers: db files
rpc: db files
netgroup: nis
Note that if I uncomment the following line from the smb.conf:
#server services = -winbindd +winbind
and reboot samba service, then getent works perfectly fine, however I need
that config line as without it my linux machines are not able to join the
domain.
any help is welcome
thanks!
___________________________________________________________________________________________
Mario Pio Russo, System Admin SWG IT Services Dublin, Phone & FAX: +353 1
815 2236, eMail: mariopiorusso at ie.ibm.com
IBM Ireland Product Distribution Limited registered in Ireland with number
92815. Registered Office: IBM House, Shelbourne Road, Ballsbridge, Dublin 4
Denis Cardon
2015-May-19 14:49 UTC
[Samba] getent passwd and getent group reporting only local users
Hi Mario,
> Good day all
> I am working with samba4.2.1 DC, created after upgrading from samba3
> the DC works fine, however the commands :
> "getent passwd" and "getent group"
> reports only local users.
from https://wiki.samba.org/index.php/Samba_4.2_Features_added/changed
"""
winbindd does not list group memberships for display purposes (e.g. getent group <domain\<group>) anymore by default. The new default is "winbind expand groups = 0" now, the reason for this is the same as for "winbind enum users = no" and "winbind enum groups = no". Providing this information is not always reliably possible, e.g. if there are trusted domains.
"""
Cheers,
Denis
> however I am able to see all the id from the ccdc domain with the command
> "id"
> root@ccdc-samba4:~# id rocheian
> uid=3439(rocheian) gid=513(domain users) groups=513(domain users),871(smbconnectionssupport),759(domainusers),3000004(BUILTIN\users)
> furthermore the command "wbinfo -u -g" is able to show all the users and groups from the domain
> my smb.conf is the following
> # Global parameters
> [global]
> workgroup = CCDC
> realm = CCDC.LAN
> netbios name = CCDC-SAMBA4
> server role = active directory domain controller
> idmap_ldb:use rfc2307 = yes
> dns forwarder = 9.0.138.50
> #server services = -winbindd +winbind
> ##For debugging
> #dcerpc endpoint servers = epmapper, wkssvc, rpcecho, samr, netlogon, lsarpc, spoolss, drsuapi, dssetup, unixinfo, browser, eventlog6, backupkey, dnsserver, remote, winreg, srvsvc
> #auth methods = sam, winbind, ntdomain, ntdomain:winbind
> idmap config CCDC:backend = ad
> idmap config CCDC:schema_mode = rfc2307
> idmap config CCDC:range = 10-4000000
> # Store UIDs/GIDs for all other domains (including local
> # accounts/groups of this server) in a tdb file
> idmap config *:backend = tdb
> idmap config *:range = 2000000000-9999999
> # Use home directory and shell information from AD
> winbind nss info = rfc2307
> [netlogon]
> path = /var/lib/samba/sysvol/ccdc.lan/scripts
> read only = No
> [sysvol]
> path = /var/lib/samba/sysvol
> read only = No
> and my nsswitch.conf is the following:
> # /etc/nsswitch.conf
> #
> # Example configuration of GNU Name Service Switch functionality.
> # If you have the `glibc-doc-reference' and `info' packages installed, try:
> # `info libc "Name Service Switch"' for information about this file.
> passwd: compat winbind
> group: compat winbind
> shadow: compat winbind
> hosts: files dns
> networks: files
> protocols: db files
> services: db files
> ethers: db files
> rpc: db files
> netgroup: nis
> Note that if I uncomment the following line from the smb.conf:
> #server services = -winbindd +winbind
> and reboot samba service, then getent works perfectly fine, however I need
> that config line as without it my linux machines are not able to join the
> domain.
> any help is welcome
> thanks!
> ___________________________________________________________________________________________
> Mario Pio Russo, System Admin SWG IT Services Dublin, Phone & FAX: +353 1
> 815 2236, eMail: mariopiorusso at ie.ibm.com
> IBM Ireland Product Distribution Limited registered in Ireland with number
> 92815. Registered Office: IBM House, Shelbourne Road, Ballsbridge, Dublin 4
--
Denis Cardon
Tranquil IT Systems
Les Espaces Jules Verne, bâtiment A
12 avenue Jules Verne
44230 Saint Sébastien sur Loire
tel : +33 (0) 2.40.97.57.55
http://www.tranquil-it-systems.fr
Luca Olivetti
2015-May-19 15:33 UTC
[Samba] getent passwd and getent group reporting only local users
On 19/05/15 at 16:22, Mario Pio Russo wrote:
> Good day all
> I am working with samba4.2.1 DC, created after upgrading from samba3
> the DC works fine, however the commands :
> "getent passwd" and "getent group"
> reports only local users.
This is by design I think :-/
> however I am able to see all the id from the ccdc domain with the command
> "id"
> root@ccdc-samba4:~# id rocheian
> uid=3439(rocheian) gid=513(domain users) groups=513(domain users),871(smbconnectionssupport),759(domainusers),3000004(BUILTIN\users)
> furthermore the command "wbinfo -u -g" is able to show all the users and groups from the domain
> my smb.conf is the following
> # Global parameters
> [global]
> workgroup = CCDC
> realm = CCDC.LAN
> netbios name = CCDC-SAMBA4
> server role = active directory domain controller
> idmap_ldb:use rfc2307 = yes
On the DC the above is the only line that is used. Everything else
winbind related is ignored.
On a member server you can add
winbind enum users = yes
winbind enum groups = yes
then "getent passwd" will show all users (getent groups still doesn't
work). But, again, those lines are ignored on the dc.
Bye
--
Luca Olivetti
Wetron Automation Technology http://www.wetron.es
Tel. +34 935883004 Fax +34 935883007
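The distinction behind the symptom in this thread, as an added example that is not part of any poster's message: `id NAME` resolves one account by name (getpwnam), while a bare `getent passwd` enumerates the database (getpwent), which winbind suppresses unless user enumeration is enabled. The function names and the constructed model of the DC (root local, rocheian with uid 3439 resolvable by name only) are assumptions for illustration.

```python
import pwd
import sys


def classify_account(name, lookup=pwd.getpwnam, enumerate_all=pwd.getpwall):
    """Return 'enumerable', 'lookup-only' or 'unknown' for one account name."""
    try:
        entry = lookup(name)  # same NSS call path as `id NAME` / `getent passwd NAME`
    except KeyError:
        return "unknown"
    listed = {e.pw_name for e in enumerate_all()}  # same path as bare `getent passwd`
    return "enumerable" if entry.pw_name in listed else "lookup-only"


def audit(names, **nss):
    """Classify several names; pass lookup=/enumerate_all= to swap the NSS source."""
    return {n: classify_account(n, **nss) for n in names}


# --- Constructed model of the DC described in the thread (not real data) ---
def _entry(name, uid, gid):
    return pwd.struct_passwd((name, "*", uid, gid, "", "/home/" + name, "/bin/sh"))


MODEL_LOCAL = [_entry("root", 0, 0)]                        # /etc/passwd
MODEL_DOMAIN = {"rocheian": _entry("rocheian", 3439, 513)}  # answered by winbind


def model_lookup(name):
    for e in MODEL_LOCAL:
        if e.pw_name == name:
            return e
    return MODEL_DOMAIN[name]  # raises KeyError for unknown names, like getpwnam


def model_enumerate():
    return list(MODEL_LOCAL)  # enumeration off: domain accounts are not listed


if __name__ == "__main__":
    names = sys.argv[1:]
    if names:  # query the live NSS configuration of this host
        result = audit(names)
    else:      # fall back to the constructed model
        result = audit(["root", "rocheian", "nosuchuser"],
                       lookup=model_lookup, enumerate_all=model_enumerate)
    for name, state in result.items():
        print(f"{name}: {state}")
```

An account reported as lookup-only can still own files and log in, so scripts that build user inventories from `getent passwd` output alone will miss it.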
Mario Pio Russo
2015-May-19 15:50 UTC
[Samba] getent passwd and getent group reporting only local users
cool thanks
I have tested from another linux member and both getent passwd and getent
group works fine for me
thanks!
___________________________________________________________________________________________
Mario Pio Russo, System Admin SWG IT Services Dublin, Phone & FAX: +353 1
815 2236, eMail: mariopiorusso at ie.ibm.com
IBM Ireland Product Distribution Limited registered in Ireland with number
92815. Registered Office: IBM House, Shelbourne Road, Ballsbridge, Dublin 4
From: Luca Olivetti <luca at wetron.es>
To: samba at lists.samba.org
Date: 19/05/2015 16:36
Subject: Re: [Samba] getent passwd and getent group reporting only local
users
Sent by: samba-bounces at lists.samba.org
On 19/05/15 at 16:22, Mario Pio Russo wrote:
> Good day all
>
> I am working with samba4.2.1 DC, created after upgrading from samba3
>
> the DC works fine, however the commands :
>
> "getent passwd" and "getent group"
>
> reports only local users.
This is by design I think :-/
>
> however I am able to see all the id from the ccdc domain with the command
> "id"
>
> root@ccdc-samba4:~# id rocheian
> uid=3439(rocheian) gid=513(domain users) groups=513(domain users),871(smbconnectionssupport),759(domainusers),3000004(BUILTIN\users)
>
>
> furthermore the command "wbinfo -u -g" is able to show all the users and groups from the domain
>
> my smb.conf is the following
>
> # Global parameters
> [global]
> workgroup = CCDC
> realm = CCDC.LAN
> netbios name = CCDC-SAMBA4
> server role = active directory domain controller
> idmap_ldb:use rfc2307 = yes
On the DC the above is the only line that is used. Everything else
winbind related is ignored.
On a member server you can add
winbind enum users = yes
winbind enum groups = yes
then "getent passwd" will show all users (getent groups still doesn't
work). But, again, those lines are ignored on the dc.
Bye
--
Luca Olivetti
Wetron Automation Technology http://www.wetron.es
Tel. +34 935883004 Fax +34 935883007