samba - Dec 2018 - AD Domain member - getent passwd truncated to only 18 users

Em 12/12/2018 17:39, Rowland Penny via samba escreveu:
> The above lines are only applicable for Samba >= 4.6.0
> Add: winbind nss info = rfc2307
> remove the last two lines, see here for more info:
>
> https://wiki.samba.org/index.php/Idmap_config_ad
Oh, God! Vacation is coming... Thank you for such obvious correction.

BUT

I edited smb.conf the right way, removed winbindd_idmap.tdb and 
winbindd_cache.tdb and restarted daemons. Now I get rfc2307 info from AD 
and not from template. And still, 'getent passwd' returns only 18 
accounts from AD.

root at marte:~# cat /etc/samba/smb.conf
[global]
     security = ADS
     netbios name = Marte
     realm = AD.TLD

     workgroup = A1

     log file = /var/log/samba/%m.log
     log level = 1

     winbind use default domain = yes
     idmap config * : backend = tdb
     idmap config * : range = 70000-70999

     idmap config A1 :backend = ad
     idmap config A1 :schema_mode = rfc2307
     idmap config A1 :range = 500-65300
     # idmap config A1 :unix_nss_info = yes
     # idmap config A1 :unix_primary_group = yes

     username map = /etc/samba/user.map

     local master = no
     domain master = no
     preferred master = no
     dns proxy = no
     encrypt passwords = yes
     winbind use default domain = yes
     winbind offline logon = false
     winbind nss info = rfc2307
     winbind separator = +
     winbind enum users = Yes
     winbind enum groups = Yes
     password server = eucalipto.ad.TLD
root at marte:~#


-- 
*Marcio Merlone*

On Thu, 13 Dec 2018 10:32:04 -0200
Marcio Vogel Merlone dos Santos via samba <samba at lists.samba.org>
wrote:
> Em 12/12/2018 17:39, Rowland Penny via samba escreveu:
> > The above lines are only applicable for Samba >= 4.6.0
> > Add: winbind nss info = rfc2307
> > remove the last two lines, see here for more info:
> >
> > https://wiki.samba.org/index.php/Idmap_config_ad
> 
> Oh, God! Vacation is coming... Thank you for such obvious correction.
> 
> BUT
> 
> I edited smb.conf the right way, removed winbindd_idmap.tdb and 
> winbindd_cache.tdb and restarted daemons. Now I get rfc2307 info from
> AD and not from template. And still, 'getent passwd' returns only
18
> accounts from AD.
> 
> root at marte:~# cat /etc/samba/smb.conf
> [global]
>      security = ADS
>      netbios name = Marte
>      realm = AD.TLD
> 
>      workgroup = A1
> 
>      log file = /var/log/samba/%m.log
>      log level = 1
> 
>      winbind use default domain = yes
>      idmap config * : backend = tdb
>      idmap config * : range = 70000-70999
> 
>      idmap config A1 :backend = ad
>      idmap config A1 :schema_mode = rfc2307
>      idmap config A1 :range = 500-65300
>      # idmap config A1 :unix_nss_info = yes
>      # idmap config A1 :unix_primary_group = yes
> 
>      username map = /etc/samba/user.map
> 
>      local master = no
>      domain master = no
>      preferred master = no
>      dns proxy = no
>      encrypt passwords = yes
>      winbind use default domain = yes
>      winbind offline logon = false
>      winbind nss info = rfc2307
>      winbind separator = +
>      winbind enum users = Yes
>      winbind enum groups = Yes
>      password server = eucalipto.ad.TLD
> root at marte:~#
> 
> 
Do all your users have a uidNumber attribute ?
Have you done anything strange, such as changing the users primary
group ID ?

It should work (well it does for me)

Rowland

Em 13/12/2018 11:05, Rowland Penny via samba escreveu:
> Do all your users have a uidNumber attribute ?
Yes, works fine on other servers.

> Have you done anything strange, such as changing the users primary
> group ID ?
Primary group is not domain members, but it does not make any diff on 
others services and servers. Other than that, plain vanilla, nothing strange

> It should work (well it does for me)
Will try pam_ldap to see how it goes if no other idea.

-- 
*Marcio Merlone*

I think its good to know the OS first since the range  500-65300 might overlap
the system id's

Greetz, 

Louis

> -----Oorspronkelijk bericht-----
> Van: samba [mailto:samba-bounces at lists.samba.org] Namens 
> Rowland Penny via samba
> Verzonden: donderdag 13 december 2018 14:05
> Aan: samba at lists.samba.org
> Onderwerp: Re: [Samba] AD Domain member - getent passwd 
> truncated to only 18 users
> 
> On Thu, 13 Dec 2018 10:32:04 -0200
> Marcio Vogel Merlone dos Santos via samba 
> <samba at lists.samba.org> wrote:
> 
> > Em 12/12/2018 17:39, Rowland Penny via samba escreveu:
> > > The above lines are only applicable for Samba >= 4.6.0
> > > Add: winbind nss info = rfc2307
> > > remove the last two lines, see here for more info:
> > >
> > > https://wiki.samba.org/index.php/Idmap_config_ad
> > 
> > Oh, God! Vacation is coming... Thank you for such obvious 
> correction.
> > 
> > BUT
> > 
> > I edited smb.conf the right way, removed winbindd_idmap.tdb and 
> > winbindd_cache.tdb and restarted daemons. Now I get rfc2307 
> info from
> > AD and not from template. And still, 'getent passwd' 
> returns only 18 
> > accounts from AD.
> > 
> > root at marte:~# cat /etc/samba/smb.conf
> > [global]
> >      security = ADS
> >      netbios name = Marte
> >      realm = AD.TLD
> > 
> >      workgroup = A1
> > 
> >      log file = /var/log/samba/%m.log
> >      log level = 1
> > 
> >      winbind use default domain = yes
> >      idmap config * : backend = tdb
> >      idmap config * : range = 70000-70999
> > 
> >      idmap config A1 :backend = ad
> >      idmap config A1 :schema_mode = rfc2307
> >      idmap config A1 :range = 500-65300
> >      # idmap config A1 :unix_nss_info = yes
> >      # idmap config A1 :unix_primary_group = yes
> > 
> >      username map = /etc/samba/user.map
> > 
> >      local master = no
> >      domain master = no
> >      preferred master = no
> >      dns proxy = no
> >      encrypt passwords = yes
> >      winbind use default domain = yes
> >      winbind offline logon = false
> >      winbind nss info = rfc2307
> >      winbind separator = +
> >      winbind enum users = Yes
> >      winbind enum groups = Yes
> >      password server = eucalipto.ad.TLD
> > root at marte:~#
> > 
> > 
> 
> Do all your users have a uidNumber attribute ?
> Have you done anything strange, such as changing the users primary
> group ID ?
> 
> It should work (well it does for me)
> 
> Rowland
> 
> -- 
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba
>

Em 13/12/2018 11:35, L.P.H. van Belle via samba
escreveu:
> I think its good to know the OS first since the range  500-65300 might
overlap the system id's
Ubuntu server 18.04, fresh install and no other domains. That range 
comes from a legacy openldap user base.

-- 
*Marcio Merlone*

Where the range is coming from is not important. ( for me then ) 

But it does overlap you system id range. 
Debian/ubuntu 0-999 system user id's by default 

You need to change your id's because these may not overlap. 
Check the current id's and if still possible lower the ids in the file :
/etc/adduser.conf
If you dont want to change the samba id's. 


Greetz, 

Louis
 
> -----Oorspronkelijk bericht-----
> Van: samba [mailto:samba-bounces at lists.samba.org] Namens 
> Marcio Vogel Merlone dos Santos via samba
> Verzonden: donderdag 13 december 2018 14:39
> Aan: samba at lists.samba.org
> Onderwerp: Re: [Samba] AD Domain member - getent passwd 
> truncated to only 18 users
> 
> Em 13/12/2018 11:35, L.P.H. van Belle via samba escreveu:
> > I think its good to know the OS first since the range  
> 500-65300 might overlap the system id's
> Ubuntu server 18.04, fresh install and no other domains. That range 
> comes from a legacy openldap user base.
> 
> -- 
> *Marcio Merlone*
> -- 
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba
>