Johan Hattne
2020-Feb-13 23:07 UTC
[Samba] winbindd: getent passwd yields empty GECOS field
Dear all;

I'm trying to use winbindd to resolve names in an AD setup. I can authenticate just fine, but I've noticed that for some users "getent passwd" returns a GECOS field populated with displayName from the LDAP servers and for others it does not. For example:

  $ getent passwd user1
  user1:*:1111111111:2222222222:John Doe:/home/user1:/bin/bash
  $ getent passwd user2
  user2:*:3333333333:2222222222::/home/user2:/bin/bash

I don't see any systematic differences between users for which this works and for those where it doesn't, but I would like to see the GECOS populated for all users. I've seen this issue discussed in various places in the past but nowhere solved, so I'm hoping there's a simple fix. Can anyone provide insight?

Full smb.conf below (the Time Machine stuff is probably irrelevant, but included for completeness); this is using the buster-samba410 packages from https://apt.van-belle.nl/debian.

[global]
        client signing = required
        load printers = No
        local master = No
        log file = /var/log/samba/log.%m
        max log size = 1000
        mdns name = mdns
        realm = AD.EXAMPLE.COM
        security = ADS
        server min protocol = SMB2
        server signing = required
        server string = Samba %v (%h)
        template homedir = /home/%U
        template shell = /bin/bash
        winbind use default domain = Yes
        workgroup = AD
        fruit:copyfile = yes
        idmap config * : rangesize = 1000000
        idmap config * : range = 1734200000 - 1999999999
        idmap config * : backend = autorid
        use sendfile = Yes
        vfs objects = catia fruit streams_xattr


[time_machine]
        comment = Time Machine (%h)
        path = /var/time_machine/%U
        read only = No
        valid users = "@AD.EXAMPLE.COM\mygroup"
        fruit:model = RackMac
        fruit:encoding = native
        fruit:time machine max size = 1024G
        fruit:time machine = yes

// Best wishes; Johan
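The following is an added example and not code from the thread or from Samba: a small parser for passwd(5)-format records such as the `getent passwd` output quoted above. It flags entries whose GECOS field is empty and shows the fallback a consumer of that data should apply (use the login name when no full name is available), so that an unpopulated GECOS is handled rather than treated as an error. The sample lines are constructed to mirror the shape of the output in the post; the third user is invented.

```python
"""Parse getent-passwd-style output and audit entries with an empty GECOS field.

Added example, not part of the mailing-list thread. The sample text below is
constructed to resemble the `getent passwd` output quoted in the post.
"""
from dataclasses import dataclass
from typing import Iterable

# Constructed sample input: two users shaped like the post's output, plus an
# invented third entry so the audit has more than one populated record.
SAMPLE_GETENT_OUTPUT = """\
user1:*:1111111111:2222222222:John Doe:/home/user1:/bin/bash
user2:*:3333333333:2222222222::/home/user2:/bin/bash
svc_backup:*:1734200042:1734200001:Backup Service,Room 12:/home/svc_backup:/bin/bash
"""


@dataclass(frozen=True)
class PasswdEntry:
    """One record in passwd(5) format: name:passwd:uid:gid:gecos:home:shell."""
    name: str
    passwd: str
    uid: int
    gid: int
    gecos: str
    home: str
    shell: str

    @property
    def display_name(self) -> str:
        """Full name for display, falling back to the login name when GECOS is empty.

        GECOS may carry comma-separated subfields (full name, room, phone, ...);
        only the first subfield is the full name.
        """
        full = self.gecos.split(",", 1)[0].strip()
        return full or self.name


def parse_passwd_line(line: str) -> PasswdEntry:
    """Parse one passwd(5) record; raise ValueError on a malformed field count."""
    fields = line.rstrip("\n").split(":")
    if len(fields) != 7:
        raise ValueError(
            f"expected 7 colon-separated fields, got {len(fields)}: {line!r}"
        )
    name, passwd, uid, gid, gecos, home, shell = fields
    return PasswdEntry(name, passwd, int(uid), int(gid), gecos, home, shell)


def parse_passwd(text: str) -> list[PasswdEntry]:
    """Parse a block of passwd-format lines, skipping blank lines."""
    return [parse_passwd_line(ln) for ln in text.splitlines() if ln.strip()]


def users_missing_gecos(entries: Iterable[PasswdEntry]) -> list[str]:
    """Login names of entries whose GECOS field is empty or whitespace."""
    return [e.name for e in entries if not e.gecos.strip()]


if __name__ == "__main__":
    records = parse_passwd(SAMPLE_GETENT_OUTPUT)
    for rec in records:
        print(f"{rec.name:12} uid={rec.uid:<11} display={rec.display_name!r}")
    print("users with empty GECOS:", users_missing_gecos(records))
```

Run against a real system by piping `getent passwd` into `parse_passwd`; the empty-GECOS list is the set of accounts for which winbindd has not supplied a full name, which is the symptom described in the post.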
Christopher Cox
2020-Feb-13 23:33 UTC
[Samba] winbindd: getent passwd yields empty GECOS field
On 2/13/20 5:07 PM, Johan Hattne via samba wrote:
> Dear all;
>
> I'm trying to use winbindd to resolve names in an AD setup. I can
> authenticate just fine, but I've noticed that for some users "getent
> passwd" returns a GECOS field populated with displayName from the LDAP
> servers and for others it does not. For example:
>
>   $ getent passwd user1
>   user1:*:1111111111:2222222222:John Doe:/home/user1:/bin/bash
>   $ getent passwd user2
>   user2:*:3333333333:2222222222::/home/user2:/bin/bash

I also see this problem. Haven't figured out what's in common to make or not make the displayname show up. There for some and not for others.

>
> I don't see any systematic differences between users for which this
> works and for those where it doesn't, but I would like to see the GECOS
> populated for all users. I've seen this issue discussed in various
> places in the past but nowhere solved, so I'm hoping there's a simple fix.
> Can anyone provide insight?
>
> Full smb.conf below (the Time Machine stuff is probably irrelevant, but
> included for completeness); this is using the buster-samba410 packages
> from https://apt.van-belle.nl/debian.
>
> [global]
>         client signing = required
>         load printers = No
>         local master = No
>         log file = /var/log/samba/log.%m
>         max log size = 1000
>         mdns name = mdns
>         realm = AD.EXAMPLE.COM
>         security = ADS
>         server min protocol = SMB2
>         server signing = required
>         server string = Samba %v (%h)
>         template homedir = /home/%U
>         template shell = /bin/bash
>         winbind use default domain = Yes
>         workgroup = AD
>         fruit:copyfile = yes
>         idmap config * : rangesize = 1000000
>         idmap config * : range = 1734200000 - 1999999999
>         idmap config * : backend = autorid
>         use sendfile = Yes
>         vfs objects = catia fruit streams_xattr
>
>
> [time_machine]
>         comment = Time Machine (%h)
>         path = /var/time_machine/%U
>         read only = No
>         valid users = "@AD.EXAMPLE.COM\mygroup"
>         fruit:model = RackMac
>         fruit:encoding = native
>         fruit:time machine max size = 1024G
>         fruit:time machine = yes
>
> // Best wishes; Johan
>
Rowland penny
2020-Feb-14 08:11 UTC
[Samba] winbindd: getent passwd yields empty GECOS field
On 13/02/2020 23:07, Johan Hattne via samba wrote:
> Dear all;
>
> I'm trying to use winbindd to resolve names in an AD setup. I can
> authenticate just fine, but I've noticed that for some users "getent
> passwd" returns a GECOS field populated with displayName from the LDAP
> servers and for others it does not. For example:
>
>   $ getent passwd user1
>   user1:*:1111111111:2222222222:John Doe:/home/user1:/bin/bash
>   $ getent passwd user2
>   user2:*:3333333333:2222222222::/home/user2:/bin/bash
>
> I don't see any systematic differences between users for which this
> works and for those where it doesn't, but I would like to see the
> GECOS populated for all users. I've seen this issue discussed in
> various places in the past but nowhere solved, so I'm hoping there's a
> simple fix. Can anyone provide insight?
>
> Full smb.conf below (the Time Machine stuff is probably irrelevant,
> but included for completeness); this is using the buster-samba410
> packages from https://apt.van-belle.nl/debian.
>
> [global]
>         client signing = required
>         load printers = No
>         local master = No
>         log file = /var/log/samba/log.%m
>         max log size = 1000
>         mdns name = mdns
>         realm = AD.EXAMPLE.COM
>         security = ADS
>         server min protocol = SMB2
>         server signing = required
>         server string = Samba %v (%h)
>         template homedir = /home/%U
>         template shell = /bin/bash
>         winbind use default domain = Yes
>         workgroup = AD
>         fruit:copyfile = yes
>         idmap config * : rangesize = 1000000
>         idmap config * : range = 1734200000 - 1999999999
>         idmap config * : backend = autorid
>         use sendfile = Yes
>         vfs objects = catia fruit streams_xattr
>
>
> [time_machine]
>         comment = Time Machine (%h)
>         path = /var/time_machine/%U
>         read only = No
>         valid users = "@AD.EXAMPLE.COM\mygroup"
>         fruit:model = RackMac
>         fruit:encoding = native
>         fruit:time machine max size = 1024G
>         fruit:time machine = yes
>
> // Best wishes; Johan
>

Have you actually populated all the users' 'gecos' attributes?

Rowland
Andrew Bartlett
2020-Feb-14 09:05 UTC
[Samba] winbindd: getent passwd yields empty GECOS field
On Thu, 2020-02-13 at 15:07 -0800, Johan Hattne via samba wrote:
> Dear all;
>
> I'm trying to use winbindd to resolve names in an AD setup. I can
> authenticate just fine, but I've noticed that for some users "getent
> passwd" returns a GECOS field populated with displayName from the LDAP
> servers and for others it does not. For example:
>
> $ getent passwd user1
> user1:*:1111111111:2222222222:John Doe:/home/user1:/bin/bash
> $ getent passwd user2
> user2:*:3333333333:2222222222::/home/user2:/bin/bash
>
> I don't see any systematic differences between users for which this
> works and for those where it doesn't, but I would like to see the GECOS
> populated for all users. I've seen this issue discussed in various
> places in the past but nowhere solved, so I'm hoping there's a simple fix.
> Can anyone provide insight?

Users who we have seen a login for (and so have cached the full name) will get it; others we omit it for due to the cost to obtain those for a full domain.

Use 'samlogon cache' as a keyword to understand this more.

Andrew Bartlett

-- 
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba
Johan Hattne
2020-Feb-14 17:14 UTC
[Samba] winbindd: getent passwd yields empty GECOS field
On 2020-02-14 01:05, Andrew Bartlett wrote:
> On Thu, 2020-02-13 at 15:07 -0800, Johan Hattne via samba wrote:
>> Dear all;
>>
>> I'm trying to use winbindd to resolve names in an AD setup. I can
>> authenticate just fine, but I've noticed that for some users "getent
>> passwd" returns a GECOS field populated with displayName from the LDAP
>> servers and for others it does not. For example:
>>
>> $ getent passwd user1
>> user1:*:1111111111:2222222222:John Doe:/home/user1:/bin/bash
>> $ getent passwd user2
>> user2:*:3333333333:2222222222::/home/user2:/bin/bash
>>
>> I don't see any systematic differences between users for which this
>> works and for those where it doesn't, but I would like to see the GECOS
>> populated for all users. I've seen this issue discussed in various
>> places in the past but nowhere solved, so I'm hoping there's a simple fix.
>> Can anyone provide insight?
>
> Users who we have seen a login for (and so have cached the full name)
> will get it; others we omit it for due to the cost to obtain those for a
> full domain.
>
> Use 'samlogon cache' as a keyword to understand this more.

Ah, great! That explains it. I'm still wondering why that cache wasn't refreshed, but that is an entirely different problem.

// Cheers; Johan