David PAUGAM
2021-Mar-12 08:12 UTC
[Samba] List of users seems truncated or incomplete in file server member of an Active Directory Domain
Sorry, I first replied to your personal address...

> Thank you Rowland for your new reply!
>
> I checked several things:
>
>   * created a new user in Active Directory, as the exact copy (but the
>     names) of an account which I can find through "getent passwd
>     myNewUser"
>       o it is not retrieved in "getent"
>   * Samba is 4.9.5
>   * Active Directory servers are W2012 and 2016
>
> Then I tried a few things and checked each modification of the conf
> with the 2 commands
>
>   * wbinfo -u |wc -l
>   * getent passwd |wc -l
>
> They give the number of lines, so the number of accounts.
> When I get problems, the first one returns around 3400, the second one
> around 1140.
> When everything seems fine the 2 numbers are very close. The
> difference should be the local accounts.
>
> Then, I unwillingly made a mistake in smb.conf and it worked!! The 2
> previous commands returned the good numbers!
>
> Surprisingly, the conf seemed to work when the idmap Domain name is
> wrong...
>
> Here is the "working" smb.conf, which must be wrong. And this time,
> the mistake is done intentionally ;-)
>
> [global]
>         workgroup=MYDOM
>         security=ads
>         realm=MYDOM.FR
>         winbind enum users=yes
>         winbind enum groups=yes
>         winbind use default domain=yes
>    idmap config * : backend = tdb
>    idmap config * : range = 3000-7999
>
> #Here are the "bad" lines / bad domain, which actually solved the "getent passwd"
>
>    idmap config WRONGDOM : backend = rid
>    idmap config WRONGDOM : range = 10000-999999
>
> template homedir = /home/%U
> template shell = /bin/bash
> dedicated keytab file = /etc/krb5.keytab
> kerberos method = secrets and keytab
> winbind refresh tickets = Yes
>
> Is there an explanation to this behaviour?
>
> Is there a way to check the way rid works?
>
> Thanks,
>
> David
>
> On 11/03/2021 at 10:02, Rowland penny via samba wrote:
>> On 11/03/2021 08:29, David PAUGAM via samba wrote:
>>> Hello Rowland,
>>>
>>> sorry, I tried - and failed :-) - to mask the domain from the conf.
>>>
>>> So, IFR is the name, and MYDOM a try to hide it...
>>
>> Sort of thought that was what was going on.
>>
>>> What do you mean by "Also, how are the usernames truncated ?"
>>
>> Sorry, I read it one way and you meant it another?
>>
>> You meant that you get a shortened list of users, I read it as you
>> get shortened usernames?
>>
>> You are using the winbind 'rid' backend, so the IDs are calculated
>> with this formula:
>>
>> ID = RID + LOW_RANGE_ID
>>
>> Which in your case, would be:
>>
>> ID = RID + 30000
>>
>> This means that any RIDs larger than 969999 would be ignored, but
>> this is such a large number that I don't think this is your problem.
>>
>> As you are using Debian buster, I take it you are using Samba 4.9.5
>> but what is the DC? Not that this should matter.
>>
>> If 'user1' is shown by getent, but 'user2' isn't, then I would
>> suggest comparing the two user objects in AD.
>>
>> Rowland
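
To check by hand which idmap section and range apply to a domain, and which Unix ID the rid formula quoted above yields, here is an added example (not part of the thread and not Samba's own code) that parses the idmap lines of the smb.conf shown above. The function names are made up for illustration; it assumes the default base_rid of 0 and that a domain with no matching `idmap config` section uses the `*` default.

```python
import re

# Constructed sample: the idmap-related lines of the smb.conf quoted in the thread.
SMB_CONF = """
[global]
    workgroup = MYDOM
    idmap config * : backend = tdb
    idmap config * : range = 3000-7999
    idmap config WRONGDOM : backend = rid
    idmap config WRONGDOM : range = 10000-999999
"""

IDMAP_RE = re.compile(r"^\s*idmap config\s+(\S+)\s*:\s*(\w[\w ]*?)\s*=\s*(.+?)\s*$", re.I)


def parse_idmap(conf_text):
    """Return {DOMAIN: {"backend": str, "range": (low, high)}} from smb.conf text."""
    domains = {}
    for line in conf_text.splitlines():
        m = IDMAP_RE.match(line)
        if not m:
            continue
        domain, option, value = m.group(1).upper(), m.group(2).lower(), m.group(3)
        entry = domains.setdefault(domain, {})
        if option == "range":
            low, high = (int(x) for x in value.split("-"))
            entry["range"] = (low, high)
        else:
            entry[option] = value
    return domains


def effective_idmap(domains, workgroup):
    """Section used for a domain; assumption: unmatched names use the '*' default."""
    name = workgroup.upper()
    return (name, domains[name]) if name in domains else ("*", domains["*"])


def rid_to_id(rid, id_range):
    """Formula from the thread: ID = RID + LOW_RANGE_ID; None if above the range."""
    low, high = id_range
    unix_id = rid + low
    return unix_id if unix_id <= high else None


def max_mappable_rid(id_range):
    """Largest RID whose computed ID still falls inside the range."""
    return id_range[1] - id_range[0]
```

On a domain member, `wbinfo -n <user>` prints the SID (its last component is the RID) and `wbinfo -S <sid>` prints the UID winbind actually assigned, which can be compared with `rid_to_id`.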