Marc-Henri Pamiseux
2023-Jan-18 16:28 UTC
[Samba] Surprising behavior with getent on AD service
Hello,

On the local network, we have installed two separate GNU/Linux servers.

One runs a 4.14.14-Debian version Samba-AD DC service while the other runs a 4.14.14-Debian version Samba service for file sharing.

The second is a member of the AD domain.

On the second one, when I want to show all the accounts defined in AD using the "getent passwd" command, the system returns the identifiers and groups to me.

On the AD server, I had to rename a user's account but kept their SID and Linux uid (10004 in my case). I used the Windows RSAT tools for this. Let's say I simply renamed the user1 account to user2.

On the domain member server, when I invoke the "getent passwd" command, it is indeed the user2 account that is displayed with the identifier 10004.

On the other hand, on the AD domain controller, the same command "getent passwd" returns me the user1 account with the identifier 10004. I invoke the command "net cache flush" on both servers, but nothing changes.

Could you please give me a lead on how to restore consistency on these users accounts?

Best regards

--
Marc-Henri Pamiseux - SARL Libricks - www.libricks.fr
On 18/01/2023 16:28, Marc-Henri Pamiseux via samba wrote:
> Hello,
>
> On the local network, we have installed two separate GNU/Linux servers.
>
> One runs a 4.14.14-Debian version Samba-AD DC service while the other
> runs a 4.14.14-Debian version Samba service for file sharing.
>
> The second is a member of the AD domain.
>
> On the second one, when I want to show all the accounts defined in AD
> using the "getent passwd" command, the system returns the identifiers
> and groups to me.
>
> On the AD server, I had to rename a user's account but kept their SID
> and Linux uid (10004 in my case).
> I used the Windows RSAT tools for this.
> Let's say I simply renamed the user1 account to user2.
>
> On the domain member server, when I invoke the "getent passwd" command,
> it is indeed the user2 account that is displayed with the identifier 10004.
>
> On the other hand, on the AD domain controller, the same command "getent
> passwd" returns me the user1 account with the identifier 10004. I invoke
> the command "net cache flush" on both servers, but nothing changes.
>
> Could you please give me a lead on how to restore consistency on these
> users accounts?
>
> Best regards

If you are just running 'getent passwd' and getting a list of users, then it sounds like you have set the not recommended 'winbind enum users = yes' line in your smb.conf, if you have, I suggest you remove it (along with the 'group' one), you do not need it.

Does 'getent passwd user2' produce the correct info?

I suggest you have a look in idmap.ldb on the DC, you might possibly find something in there.

By the way 4.14.x is EOL from the Samba point of view.

Rowland
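A way to spot the inconsistency discussed above (uid 10004 resolving to user1 on the DC but user2 on the member) across any number of accounts; this is an added example, not code from the thread or from Samba, and it assumes you have saved the `getent passwd` output of each host into a file (the sample snapshots below are constructed):

```shell
#!/bin/sh
# Compare passwd snapshots from a Samba AD DC and a domain member and
# report every uid that resolves to a different account name on each host.
# Collecting the snapshots on real hosts (assumed commands, not from the thread):
#   ssh dc 'getent passwd' > dc.passwd
#   ssh member 'getent passwd' > member.passwd

# find_uid_mismatches DC_FILE MEMBER_FILE
# Prints "uid name_on_dc name_on_member" for each uid present in both files
# whose account name differs. Returns 0 when consistent, 1 when not.
find_uid_mismatches() {
    dc_file=$1
    member_file=$2
    out=$(awk -F: '
        NR == FNR { dc[$3] = $1; next }                 # first file: uid -> name
        ($3 in dc) && dc[$3] != $1 { print $3, dc[$3], $1 }  # second file: compare
    ' "$dc_file" "$member_file")
    [ -n "$out" ] || return 0
    printf '%s\n' "$out"
    return 1
}

# Constructed sample snapshots reproducing the thread's situation:
# the DC still maps uid 10004 to user1, the member maps it to user2.
cat > /tmp/dc.passwd.sample <<'EOF'
root:x:0:0:root:/root:/bin/bash
user1:*:10004:10000::/home/SAMDOM/user1:/bin/false
alice:*:10005:10000::/home/SAMDOM/alice:/bin/false
EOF
cat > /tmp/member.passwd.sample <<'EOF'
root:x:0:0:root:/root:/bin/bash
user2:*:10004:10000::/home/SAMDOM/user2:/bin/false
alice:*:10005:10000::/home/SAMDOM/alice:/bin/false
EOF

if find_uid_mismatches /tmp/dc.passwd.sample /tmp/member.passwd.sample; then
    echo "uid/name mapping is consistent between DC and member"
else
    echo "inconsistent uid/name mapping found (uid dc_name member_name above)"
fi
```

A non-zero exit makes the function usable from a cron job or monitoring check so a rename that left stale mappings on one host is noticed rather than discovered through a permission problem.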