> -----Original Message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On Behalf Of
> Rowland Penny via samba
> Sent: Monday, February 28, 2022 8:23 AM
> To: samba at lists.samba.org
> Subject: Re: [Samba] getent not returning users/groups
>
> On Mon, 2022-02-28 at 08:14 -0800, Gregory Sloop via samba wrote:
> > Rowland - I think you didn't read the last para Roy posted in his
OP.
> > (late yesterday, at least in my TZ)
>
> If I did misunderstand the OP's post then I apologise, but my reading
> was that he has to use the 'enum' lines to get any output.
>
> >
> >
> > ---
> > ...the AD users are still *known* to the operating system as will be
> > demonstrated by appending an AD user's name or group to the getent
> > command.
> > For example on my system getent passwd roy produces:
> > roy at pi4b:~$ getent passwd roy
> > roy:*:11601:10513:roy:/home/MICROLYNX/roy:/bin/bash
> > ---
> >
> > So, I don't actually think he was wrong in his initial post.
> > (Though I'd agree it was easy to read the first couple of paras
and
> > think he had it wrong.)
> >
> > ---
> > Can we all agree that without the winbind enum line, you can't
just
> > do a getent group/passwd and get a full listing of all the group/user
> > records in AD, but you CAN get individual records by specifying them?
>
> I would agree with that.
>
> >
> > And as the wiki says (or should/may have said before it was hosed)
> > the enum lines should generally only be used for
> > troubleshooting/debugging since they place more load on the DC's -
> > especially for large AD data-sets.
>
> It used to say this:
>
> For testing purposes only (remove for production), add these lines:
>
> winbind enum users = yes
> winbind enum groups = yes
>
> The above lines just make 'getent passwd' and 'getent
group'
> display all domain users and groups, they are not required for anything
> else and Samba will work correctly and faster without them.
>
> Eventually (when I get the information tidied up and reformatted) it
> will say something similar.
>
> Rowland
>
>
The documentation is not infrequently consulted when troubleshooting issues.
This would be a good place to clarify the intended normal behavior as well
as which other items to check if it is not working as intended.
## getent passwd ; getent group
Under normal operation samba will not enumerate the entire pool of users and
groups for the OS.
getent passwd USERNAME ; getent group GROUPNAME will still confirm
individual users/groups.
If those are broken please check (hyperlinks to other pages of relevant
config) nsswitch.conf, smb.conf, kerb5.conf, hostname / hosts / DNS.
For testing purposes only (remove for production), add these lines:
winbind enum users = yes
winbind enum groups = yes
The above lines just make 'getent passwd' and 'getent group'
display all domain users and groups, they are not required for anything else
and Samba will work correctly and faster (FIXME: what are the performance
impact considerations?) without them.
PS: ad vs RID / etc... What I actually want Samba to do is have AD over-ride
RID but to use both, and be able to manually assign a user / group UID / GID
if required for local compatibility.