Marcio Vogel Merlone dos Santos
2018-Dec-12 18:38 UTC
[Samba] AD Domain member - getent passwd truncated to only 18 users
Hi,

Due to some legacy php app I have to integrate an Ubuntu 14.04 server on my AD structure. AD DC is a Ubuntu 18.04 with canonical packages running Samba 4.7 (4.7.6+dfsg~ubuntu-0ubuntu2.5) and member server runs Samba 4.3 (4.3.11+dfsg-0ubuntu0.14.04.19).

After installing the 14.04 member server, installed samba packages and dependencies according to wiki and no errors. I get all users on 'wbinfo -u' but 'getent passwd' returns exactly 18 users only.

I run '/usr/sbin/winbindd -F -S -i --no-process-group -d 4', asked for 'getent passwd', got only those 18 users and I have "ads query_user_list gave 235 entries" on winbindd output, which matches 'wbinfo -u | wc -l'. Asking 'id someuser' not listed on getent fails, 'id'ing one of those 18 users works fine.

I have no idea what to check next, appreciate any help or hint. I added winbind enum options and password server to smb.conf just for debug.

root@marte:~# cat /etc/nsswitch.conf
passwd: compat winbind
group: compat winbind
shadow: compat

hosts: files dns
networks: files

protocols: db files
services: db files
ethers: db files
rpc: db files

netgroup: nis
sudoers files
root@marte:~#
root@marte:~# cat /etc/krb5.conf
[libdefaults]
default_realm = AD.TLD

[realms]
AD.TLD = {
kdc = eucalipto.ad.TLD
}

[domain_realm]
.TLD = AD.TLD
TLD = AD.TLD
.kerberos.server = AD.TLD
root@marte:~#
root@marte:~# cat /etc/samba/smb.conf
[global]
security = ADS
netbios name = Marte
realm = AD.TLD
workgroup = A1

log file = /var/log/samba/%m.log
log level = 1

winbind use default domain = yes
idmap config * : backend = tdb
idmap config * : range = 70000-70999

idmap config A1 :backend = ad
idmap config A1 :schema_mode = rfc2307
idmap config A1 :range = 500-65300
idmap config A1 :unix_nss_info = yes
idmap config A1 :unix_primary_group = yes

username map = /etc/samba/user.map
local master = no
domain master = no
preferred master = no
dns proxy = no
encrypt passwords = yes
winbind use default domain = yes
winbind offline logon = false
winbind separator = +
winbind enum users = Yes
winbind enum groups = Yes
password server = eucalipto.ad.TLD
root@marte:~#

Thank you, best regards.

--
*Marcio Merlone*
Rowland Penny
2018-Dec-12 19:39 UTC
[Samba] AD Domain member - getent passwd truncated to only 18 users
On Wed, 12 Dec 2018 16:38:52 -0200
Marcio Vogel Merlone dos Santos via samba <samba at lists.samba.org> wrote:

> Hi,
>
> Due to some legacy php app I have to integrate an Ubuntu 14.04 server
> on my AD structure. AD DC is a Ubuntu 18.04 with canonical packages
> running Samba 4.7 (4.7.6+dfsg~ubuntu-0ubuntu2.5) and member server
> runs Samba 4.3 (4.3.11+dfsg-0ubuntu0.14.04.19).
>
> After installing the 14.04 member server, installed samba packages
> and dependencies according to wiki and no errors. I get all users on
> 'wbinfo -u' but 'getent passwd' returns exactly 18 users only.
>
> I run '/usr/sbin/winbindd -F -S -i --no-process-group -d 4', asked
> for 'getent passwd', got only those 18 users and I have "ads
> query_user_list gave 235 entries" on winbindd output, which matches
> 'wbinfo -u | wc -l'. Asking 'id someuser' not listed on getent fails,
> 'id'ing one of those 18 users works fine.
>
> I have no idea what to check next, appreciate any help or hint. I
> added winbind enum options and password server to smb.conf just for
> debug.
>
> root@marte:~# cat /etc/nsswitch.conf
> passwd: compat winbind
> group: compat winbind
> shadow: compat
>
> hosts: files dns
> networks: files
>
> protocols: db files
> services: db files
> ethers: db files
> rpc: db files
>
> netgroup: nis
> sudoers files
> root@marte:~#
> root@marte:~# cat /etc/krb5.conf
> [libdefaults]
> default_realm = AD.TLD
>
> [realms]
> AD.TLD = {
> kdc = eucalipto.ad.TLD
> }
>
> [domain_realm]
> .TLD = AD.TLD
> TLD = AD.TLD
> .kerberos.server = AD.TLD
> root@marte:~#
> root@marte:~# cat /etc/samba/smb.conf
> [global]
> security = ADS
> netbios name = Marte
> realm = AD.TLD
> workgroup = A1
>
> log file = /var/log/samba/%m.log
> log level = 1
>
> winbind use default domain = yes
> idmap config * : backend = tdb
> idmap config * : range = 70000-70999
>
> idmap config A1 :backend = ad
> idmap config A1 :schema_mode = rfc2307
> idmap config A1 :range = 500-65300
> idmap config A1 :unix_nss_info = yes
> idmap config A1 :unix_primary_group = yes

The above lines are only applicable for Samba >= 4.6.0
Add: winbind nss info = rfc2307
remove the last two lines, see here for more info:

https://wiki.samba.org/index.php/Idmap_config_ad

Rowland
Marcio Vogel Merlone dos Santos
2018-Dec-13 12:32 UTC
[Samba] AD Domain member - getent passwd truncated to only 18 users
On 12/12/2018 17:39, Rowland Penny via samba wrote:
> The above lines are only applicable for Samba >= 4.6.0
> Add: winbind nss info = rfc2307
> remove the last two lines, see here for more info:
>
> https://wiki.samba.org/index.php/Idmap_config_ad

Oh, God! Vacation is coming... Thank you for such obvious correction.

BUT I edited smb.conf the right way, removed winbindd_idmap.tdb and winbindd_cache.tdb and restarted daemons. Now I get rfc2307 info from AD and not from template. And still, 'getent passwd' returns only 18 accounts from AD.

root@marte:~# cat /etc/samba/smb.conf
[global]
security = ADS
netbios name = Marte
realm = AD.TLD
workgroup = A1

log file = /var/log/samba/%m.log
log level = 1

winbind use default domain = yes
idmap config * : backend = tdb
idmap config * : range = 70000-70999

idmap config A1 :backend = ad
idmap config A1 :schema_mode = rfc2307
idmap config A1 :range = 500-65300
# idmap config A1 :unix_nss_info = yes
# idmap config A1 :unix_primary_group = yes

username map = /etc/samba/user.map
local master = no
domain master = no
preferred master = no
dns proxy = no
encrypt passwords = yes
winbind use default domain = yes
winbind offline logon = false
winbind nss info = rfc2307
winbind separator = +
winbind enum users = Yes
winbind enum groups = Yes
password server = eucalipto.ad.TLD
root@marte:~#

--
*Marcio Merlone*