Hello all,

I have a problem with getent passwd/group. When I do

$getent passwd administrator
administrator:*:0:100::/home/MYDOM/administrator:/bin/false

however, when I do
$getent passwd
I don't get administrator in the command output. The same I have with groups. Because of this, as I understand, I can't change folder group in mc - groups from AD are not listed there.
I used samba4 before and I could easily change folder group in mc, but now I can't. Could anyone help?

This is what I have:
root at server:/etc# wbinfo -u
administrator
krbtgt
guest

root at server:/etc# wbinfo -g
enterprise read-only domain controllers
domain admins
domain users
domain guests
domain computers
domain controllers
schema admins
enterprise admins
group policy creator owners
read-only domain

nsswitch.conf
passwd: compat winbind
group: compat winbind
shadow: compat winbind
gshadow: files

smb.conf
[global]
    workgroup = ..
    realm = ...
    netbios name = ...
    server role = active directory domain controller
    dns forwarder = ...
    idmap_ldb:use rfc2307 = yes
    bind interfaces only = yes
    interfaces = eth0
    hosts allow = ...
    hosts deny = 0.0.0.0/0
    winbind enum users = yes
    winbind enum groups = yes
    winbind use default domain = yes

pam-auth-update
* Kerberos authentication
* Unix authentication
* Winbind NT/Active Directory authentication
* LDAP Authentication

--
Best regards, Alex Orlov
Check if libs are properly linked (search wiki to find your distro config) and
if winbind service is running without errors.
You may have to reassign privileges as well but do test above before.
Had the same problem for last few days ..
Paku,
From: Alex Orlov via samba<mailto:samba at lists.samba.org>
Sent: Tuesday, 15 December 2020 10:38
To: samba<mailto:samba at lists.samba.org>
Subject: [Samba] Getent doesn't show AD users/groups
Hello all,
I have a problem with getent passwd/group. When I do
$getent passwd administrator
administrator:*:0:100::/home/MYDOM/administrator:/bin/false
however, when I do
$getent passwd
I don't get administrator in the command output. The same I have with groups.
Because of this,
as I understand, I can't change folder group in mc - groups from AD are not
listed there.
I used samba4 before and I could easily change folder group in mc, but now I
can't. Could anyone help?
This is what I have:
root at server:/etc# wbinfo -u
administrator
krbtgt
guest
root at server:/etc# wbinfo -g
enterprise read-only domain controllers
domain admins
domain users
domain guests
domain computers
domain controllers
schema admins
enterprise admins
group policy creator owners
read-only domain
nsswitch.conf
passwd: compat winbind
group: compat winbind
shadow: compat winbind
gshadow: files
smb.conf
[global]
workgroup = ..
realm = ...
netbios name = ...
server role = active directory domain controller
dns forwarder = ...
idmap_ldb:use rfc2307 = yes
bind interfaces only = yes
interfaces = eth0
hosts allow = ...
hosts deny = 0.0.0.0/0
winbind enum users = yes
winbind enum groups = yes
winbind use default domain = yes
pam-auth-update
* Kerberos authentication
* Unix authentication
* Winbind NT/Active Directory authentication
* LDAP Authentication
--
Best regards, Alex Orlov
On 15/12/2020 09:37, Alex Orlov via samba wrote:
> Hello all,
>
> I have a problem with getent passwd/group. When I do
>
> $getent passwd administrator
> administrator:*:0:100::/home/MYDOM/administrator:/bin/false
>
> however, when I do
> $getent passwd
> I don't get administrator in the command output. The same I have with groups. Because of this,
> as I understand, I can't change folder group in mc - groups from AD are not listed there.
> I used samba4 before and I could easily change folder group in mc, but now I can't. Could anyone help?

You shouldn't be using a DC as a fileserver, it really isn't recommended.

It doesn't matter that 'getent passwd' doesn't show Administrator and 'getent passwd Administrator' does, because you should not be using Administrator on Unix. Administrator is for use on Windows and you use 'root' on Unix, if you look closely at the output of 'getent passwd Administrator', you will see that the Unix ID for Administrator is '0', which is the same Unix ID that 'root' uses i.e. Administrator is mapped to the Unix user 'root'.

> nsswitch.conf
> passwd: compat winbind
> group: compat winbind
> shadow: compat winbind

You should not add winbind to the shadow line in /etc/nsswitch.conf

> gshadow: files
>
> smb.conf
> [global]
>     workgroup = ..
>     realm = ...
>     netbios name = ...
>     server role = active directory domain controller
>     dns forwarder = ...
>     idmap_ldb:use rfc2307 = yes
>     bind interfaces only = yes
>     interfaces = eth0
>     hosts allow = ...
>     hosts deny = 0.0.0.0/0
>     winbind enum users = yes
>     winbind enum groups = yes
>     winbind use default domain = yes

I would remove the winbind lines, the 'enum' ones just slow things down and are not required, the last one does nothing on a DC.

Rowland
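
A small audit of the two files against the points raised in the reply above, as an added example that is not part of the thread. The function names and the sample files are constructed for illustration; the script lists the nsswitch.conf databases that use winbind and, when smb.conf declares a DC, the winbind parameters the reply suggests removing.

```shell
#!/bin/sh
# Added example; function names and sample files are constructed, not from the thread.

# Print each nsswitch.conf database whose source list contains winbind.
nss_winbind_dbs() {
    sed 's/#.*//' "$1" | awk -F: 'NF >= 2 {
        db = $1; gsub(/[ \t]/, "", db)
        n = split($2, src, " ")
        for (i = 1; i <= n; i++) if (src[i] == "winbind") { print db; break }
    }'
}

# Print the winbind parameters set in [global] that the reply suggests
# removing, but only if the file declares the AD DC server role.
smb_dc_winbind_params() {
    awk -F= '
        { sub(/^[ \t]+/, "") }
        /^[#;]/ || /^$/ { next }
        /^\[/ { in_global = (tolower($0) ~ /^\[global\]/); next }
        !in_global || NF < 2 { next }
        {
            key = tolower($1); gsub(/[ \t]+/, " ", key); sub(/ $/, "", key)
            val = tolower($2); gsub(/^[ \t]+|[ \t]+$/, "", val)
            if (key == "server role" && val == "active directory domain controller") dc = 1
            if (key ~ /^winbind (enum users|enum groups|use default domain)$/) hits = hits key "\n"
        }
        END { if (dc) printf "%s", hits }' "$1"
}

# Constructed sample files mirroring the settings quoted in the thread.
tmp=$(mktemp -d)
cat > "$tmp/nsswitch.conf" <<'EOF'
passwd:  compat winbind
group:   compat winbind
shadow:  compat winbind
gshadow: files
EOF
cat > "$tmp/smb.conf" <<'EOF'
[global]
    server role = active directory domain controller
    idmap_ldb:use rfc2307 = yes
    winbind enum users = yes
    winbind enum groups = yes
    winbind use default domain = yes
EOF

nss_winbind_dbs "$tmp/nsswitch.conf" | grep -qx shadow &&
    echo "nsswitch.conf: remove winbind from the shadow line"
smb_dc_winbind_params "$tmp/smb.conf" | sed 's/^/smb.conf (DC): consider removing: /'
```
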