On 27 February 2022 23:48 Michael Evans wrote:
> Someone I expect knows much more about samba than I do has stated that winbind enum is incorrect
> for exposing that user and group list to NSS services (so that they're shown with getent passwd and
> getent group; as well as any programs that want to validate usernames / etc): So what should I and
> others do instead?

The winbind enum line in smb.conf is purely to "enumerate" the list of users so that you can use "getent passwd" or "getent group" to get a list of users and groups, including AD users and groups.
Remove that line from smb.conf and all you will get are local users and groups when you use the getent commands.

However as Gregory says, the AD users are still *known* to the operating system as will be demonstrated by appending an AD user's name or group to the getent command. For example on my system getent passwd roy produces:

roy@pi4b:~$ getent passwd roy
roy:*:11601:10513:roy:/home/MICROLYNX/roy:/bin/bash

HTH,
Roy

On Mon, 2022-02-28 at 08:10 +0000, spindles seven via samba wrote:
> On 27 February 2022 23:48 Michael Evans wrote:
> > Someone I expect knows much more about samba than I do has stated
> > that winbind enum is incorrect
> > for exposing that user and group list to NSS services (so that
> > they're shown with getent passwd and
> > getent group; as well as any programs that want to validate
> > usernames / etc): So what should I and
> > others do instead?
>
> The winbind enum line in smb.conf is purely to "enumerate" the list
> of users so that you can use "getent passwd" or "getent group" to get
> a list of users and groups, including AD users and groups.
> Remove that line from smb.conf and all you will get are local users
> and groups when you use the getent commands.

Wrong, totally wrong. Provided that everything else is set up correctly, getent will display all individual users & groups without the 'enum' lines.

Rowland
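
Added example, not part of either message above: a Python sketch that separates the two NSS operations the thread is about, lookup by name (what "getent passwd NAME" does) and enumeration (what a bare "getent passwd" does), and reads the "winbind enum" settings from an smb.conf text. The smb.conf fragment, the function names and the simplified parser are assumptions made for illustration.

```python
import pwd

# Constructed smb.conf fragment (sample input, not taken from the thread).
SAMPLE_SMB_CONF = """\
[global]
    security = ADS
    workgroup = EXAMPLE
    ; winbind enum users = yes
    winbind enum groups = yes
"""

def winbind_enum_settings(conf_text):
    """Return the 'winbind enum users/groups' values set in [global].

    Simplified reader: both parameters default to off when absent, and
    lines starting with '#' or ';' are comments.
    """
    settings = {"winbind enum users": False, "winbind enum groups": False}
    section = None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "global" or "=" not in line:
            continue
        key, value = line.split("=", 1)
        key = " ".join(key.lower().split())  # normalise case and spacing
        if key in settings:
            settings[key] = value.strip().lower() in ("yes", "true", "on", "1")
    return settings

def nss_visibility(username):
    """Report how a user name is visible through NSS.

    resolvable: a direct lookup by name succeeds (getpwnam).
    enumerated: the name appears when the whole database is walked (getpwall).
    """
    try:
        pwd.getpwnam(username)
        resolvable = True
    except KeyError:
        resolvable = False
    enumerated = any(p.pw_name == username for p in pwd.getpwall())
    return {"resolvable": resolvable, "enumerated": enumerated}

if __name__ == "__main__":
    print(winbind_enum_settings(SAMPLE_SMB_CONF))
    print(nss_visibility("root"))
```

On a domain member, a user that comes back resolvable but not enumerated is one that the system knows by name while the full listing omits it.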