# Domain users not listed in getent passwd



## annapoorani (Apr 20, 2010)

Domain users not listed in getent passwd.Only local posix users displayed.

My Configurations:

*smb.conf:*

```
#======================= Global Settings =====================================
[global]
workgroup = EXAMPLESERVER 
realm=EXAMPLESERVER.COM
server string = OUR Server
security = ads
allow trusted domains =Yes
log file = /var/log/samba/log.%m
max log size = 1024 
log level = 10
dns proxy = No
wins server = XXX.XXX.X.X
ldap ssl = no
idmap backend = ad
#idmap uid = 10000-20000
#idmap gid = 10000-20000
idmap uid = 12000
idmap gid = 3000-3500
#idmap uid = 16777216-33554431
#idmap gid = 16777216-33554431
template shell = /bin/bash
winbind use default domain = Yes
remote announce =255.255.255.0/EXAMPLESERVER
#client use spnego = yes
password server =  XXX.XXX.X.X
auth methods = winbind
winbind separator = + 
winbind enum users = yes
winbind enum groups = yes
winbind use default domain = no
#winbind nss info = sfu 
encrypt passwords = yes
#============================ Share Definitions ==============================
[poorani]
  comment = poorani Share
  path=/tank/poorani-share
  valid users = DOMAINSERVER+poorani, DOMAINSERVER+preethi,DOMAINSERVER+annapoorani
  writable = yes
  create mask = 0775	

[B]KRB5.CONF[/B]
[libdefaults]
        default_realm = EXAMPLESERVER.COM
        dns_lookup_realm=false
        dns_lookup_kdc=false
        ticket_lifetime=24h
        forwardable=yes
        krb4_config = /usr/kerberos/lib/krb.conf
        krb4_realms = /usr/kerberos/lib/krb.realms

[realms]
       EXAMPLESERVER.COM= {
       kdc = XXX.XXX.X.XX
 }
[domain_realm]
        .exampleserver.com = EXAMPLESERVER.COM
        .exampleserver=EXAMPLESERVER
        exampleserver=EXAMPLESERVER

*************************************
```
*/etc/pam.d/login*


```
# auth
auth            sufficient      pam_self.so             no_warn
auth            include         system
auth            sufficient      /usr/local/lib/pam_winbind.so
# account
account         requisite       pam_securetty.so
account         required        pam_nologin.so
account         include         system
account         sufficient      /usr/local/lib/pam_winbind.so

# session
session         include         system

# password
password        include         system

***********************
```

`wbinfo -u,wbinfo -g` display domain users and groups
but `getent passwd` wont

what missing here?


----------



## joe2010 (Sep 10, 2010)

*Same problem here*

Hello,

it looks like I have the same problem here.
I am trying to set up Samba as ActiveDirectory Domain Member.
PDC is a Windows 2008 server.

I built Samba34 and Kerberos5 from ports.
Samba + LDAP, ADS, WINBIND, EXP_MODULES, POPT
Krb5 + DNS_FOR_REALM

I can get Kerberos tickets:

```
# kinit Administrator@DOMAIN
# klist
Credentials cache: FILE:/tmp/krb5cc_0
        Principal: Administrator@DOMAIN

  Issued           Expires          Principal
Sep 10 18:51:44  Sep 11 04:51:44  krbtgt/DOMAIN@DOMAIN
```

I can join the Domain:

```
# net ads join -U Administrator
Using short domain name -- DOMAIN
Joined 'DC1' to realm 'domain.*'

# net ads info
LDAP server: *.*.*.*
LDAP server name: DC.domain.*
Realm: DOMAIN.*
Bind Path: dc=DOMAIN,dc=*,dc=*,dc=*
LDAP port: 389
Server time: Fri, 10 Sep 2010 18:59:52 CEST
KDC server: *.*.*.*
Server time offset: -29
```

I can list remote groups and users:

```
# wbinfo -u
administrator
guest
...

# wbinfo -g
domain admins
domain users
domain guests
...
```

But I cannot access the shares:

```
# smbclient -L localhost -U Administrator
session setup failed: NT_STATUS_LOGON_FAILURE
```

Also 'getent passwd' and 'getent group' diplay only the local users.

*/usr/local/etc/smb.conf*

```
[global]
security = ADS
workgroup = DOMAIN
realm = domain.*
wins server = dc.domain.*
password server = dc.domain.*

winbind uid = 1000 - 20000
winbind gid = 1000 - 20000
winbind enum users = Yes
winbind enum groups = Yes
winbind use default domain = Yes
winbind refresh tickets = Yes
winbind nested groups = No
#winbind separator = +

idmap uid = 1000 - 20000
idmap gid = 1000 - 20000
idmap config DOMAIN : backend  = rid
idmap config DOMAIN : base_rid = 1000
idmap config DOMAIN : range    = 1000 - 20000
```

*/etc/nsswitch.conf*

```
group: files winbind
group_compat: nis
hosts: files dns wins
networks: files
passwd: files winbind
passwd_compat: nis
shells: files
services: compat
services_compat: nis
protocols: files
rpc: files
```

This is now my third day searching samba doc, forums, mailinglists and internet... -.-

It looks like winbind is properly set up (wbinfo is working), but when samba tries to authenticate a request through nsswitch it fails.

I am very thankful for every kind of help.


----------



## joe2010 (Sep 10, 2010)

*Getting better, but still...*

Hello,

I made a step forward.

My idmap config was incorrect:
- Winbind uid/gid is an alias for idmap uid/gid, so it is redundant.
- Idmap rid backend isn't writable, therefore it can't cache the mappings. See man idmap_rid. So we need to enable for example TDB.
- The entry base_rid is deprecated and unneeded.

The resulting */usr/local/etc/smb.conf*


```
[global]
security = ADS
workgroup = DOMAIN
realm = domain.*
wins server = dc.domain.*
password server = dc.domain.*

winbind enum users = Yes
winbind enum groups = Yes
winbind use default domain = Yes
winbind refresh tickets = Yes
winbind nested groups = No
#winbind separator = +

idmap backend = tdb
idmap uid = 10000 - 20000
idmap gid = 10000 - 20000
idmap config DOMAIN : backend = rid
idmap config DOMAIN : range   = 10000 - 20000

passdb backend = tdbsam  # should be default
```

Now 'getent passwd' and 'getent group' display both local and remote users/groups.

But still my remote users can't use the samba shares...

*/var/log/samba34/log.smbd*

```
auth/auth.c:222(check_ntlm_password)
  check_ntlm_password:  Checking password for unmapped user [WORKGROUP]\[Administrator]@[HOST] with the new password interface
auth/auth.c:225(check_ntlm_password)
  check_ntlm_password:  mapped user is: [DC1]\[Administrator]@[HOST]
auth/auth_sam.c:350(check_sam_security)
  check_sam_security: Couldn't find user 'Administrator' in passdb.
auth/auth_winbind.c:54(check_winbind_security)
  check_winbind_security: Not using winbind, requested domain [DC1] was for this SAM.
auth/auth.c:320(check_ntlm_password)
  check_ntlm_password:  Authentication for user [Administrator] -> [Administrator] FAILED with error NT_STATUS_NO_SUCH_USER
```

The log snippet shows an attempt to access the shares.

Again my call: Please help.
Thanks


----------



## joe2010 (Sep 11, 2010)

Hello,

it's solved now.

I needed a supplementary entry in smb.conf:

```
map untrusted to domain = Yes
```

For further explanation see the Samba 3.4.0 changelog under section "Authentication Changes" and the Samba doc.

Cya... hoping for more answers the next time.


----------



## jyavenard (Feb 5, 2011)

I've been running into the exact same problem; unfortunately I'm getting nowhere 

I've copied the exact same configuration above (and the one from hundred of web sites)


```
[global]
security = ADS
workgroup = MEL
realm = mel.domain.com
wins server = ad.domain.com
password server = ad.domain.com

winbind uid = 1000 - 20000
winbind gid = 1000 - 20000
winbind enum users = Yes
winbind enum groups = Yes
winbind use default domain = Yes
winbind refresh tickets = Yes
winbind nested groups = No
#winbind separator = +

idmap uid = 1000 - 20000
idmap gid = 1000 - 20000
idmap config MEL : backend  = rid
idmap config MEL : base_rid = 1000
idmap config MEL : range    = 1000 - 20000
map untrusted to domain = Yes
```

I also compiled samba with -DDEBUG_NSS in order to determine what was going on.

*wbinfo -u* and *wbinfo -g* properly shows all the username and groups defined on the AD.

However, *getent passwd* only returns the local users:


```
group: files winbind
#group_compat: ldap
hosts: files dns
networks: files
passwd: files winbind
#passwd: compat
#passwd_compat: winbind
shells: files
services: files
protocols: files
rpc: files
```

*getend passwd* returns:

```
# getent passwd
[22522]: endpwent
[22522]: endpwent returns NSS_STATUS_SUCCESS (1)
... list of local users
[22522]: getpwent
[22522]: getpwent returns NSS_STATUS_NOTFOUND (0)
[22522]: setpwent
[22522]: setpwent returns NSS_STATUS_SUCCESS (1)
```

That is shows the debug information leads me to believe that nss_winbind is properly called.


```
# net ads info
LDAP server: 192.168.0.3
LDAP server name: ad.domain.com
Realm: MEL.DOMAIN.COM
Bind Path: dc=MEL,dc=DOMAIN,dc=COM
LDAP port: 389
Server time: Sat, 05 Feb 2011 20:13:24 EST
KDC server: 192.168.0.3
Server time offset: 9
```

So what am i missing? 

Thank you for your help
Jean-Yves


----------



## von_Gaden (Apr 4, 2011)

*Same problem*

I have exactly the same problem with almost the same configurations. I have been trying to solve this for about two years (FreeBSD 7) with no significant success... You may take a look at this old thread: http://lists-archives.org/samba/49286-freebsd-7-2-domain-member-problem-partially-solved.html

Well, the solution is not exactly a solution and it does not work with FreeBSD 8.2 and last samba 3.5 from ports. I need a very simple setup, without LDAP for nsswitch, no PAM. I just want fileserver functionality - to set permissions for AD domain users / groups on FreeBSD Samba files or shares.

If someone is interested I'll post my configuration files.

Best wishes,
Ivo


----------



## jyavenard (Apr 5, 2011)

Use Samba 3.4 then.

You have to choose between:
Getting the ACL to work properly from Windows: use 3.5
Getting winbind to work: you must use samba 3.4

take your pick


----------



## von_Gaden (Apr 5, 2011)

*idmap in 3.4 really works!*

Thank you for your quick reply!
I must admit I was little shocked reading it. I would not imagine working code in Samba 3.4 abandoned in 3.5...
But you were right! 3.4 works fine with the same configuration that 3.5 fails to show users/groups with getent, but shows them with wbinfo, id, pw.

Common for both versions is non-working RID IDmap backend. I tried a lot of variations in its configuration including this thread with no success at all. But still TDB does enough for me.
I am using FreeBSD as server OS since 2003 and I doubt that annoying Samba malfunctions like these are OS dependent. That is my not-proved conviction since I did no tests with other OS yet.
I'd ask if you can tell me in short what is the problem with ACLs in 3.4?


----------



## jyavenard (Apr 6, 2011)

von_Gaden said:
			
		

> Thank you for your quick reply!
> 
> But you were right! 3.4 works fine with the same configuration that 3.5 fails to show users/groups with getent, but shows them with wbinfo, id, pw.



It is something I learned the hard way unfortunately.



> I'd ask if you can tell me in short what is the problem with ACLs in 3.4?



Support for sunacl (FreeBSD version of ZFS/NFS4 ACL) was only added in Samba 3.5. When checking the permissions from Windows: things do not always appear properly, nor can you set them from Windows.

No such problem with 3.5; but then I can't use winbind.. I chose winbind over ACLs so I went with Samba 3.4.

I did find a way to get winbind to work with 3.5. But it's dirty as, and not really working 

I installed Samba 3.4; called getent; samba/winbind then create a cache of all the username and groups. Then if you uninstall 3.4 and install 3.5 on top; then you can use winbind as it uses the old cache create by 3.4.

Obviously, it's not something you would want to use... But it just shows that the problem is within samba.


----------



## von_Gaden (Apr 7, 2011)

*where is the problem?*

If it's Samba 3.5 we probably should notify the Samba team. Or it may be something in ports? Some debugging may help and I have an experimental system, but how can I do it? Is there any clue - howto or something?


----------



## tms3 (Nov 11, 2011)

*Samba 3.6*

Thanks for the info.


----------



## von_Gaden (Nov 11, 2011)

I've forgotten to notify that suddenly since Samba 3.5.6 everything works OK with the same configuration.


----------



## tms3 (Nov 12, 2011)

*Aye*

3.6 works like a champ. That's what I should have said.


----------



## jyavenard (Dec 11, 2011)

von_Gaden said:
			
		

> I've forgotten to notify that suddenly since Samba 3.5.6 everything works OK with the same configuration.



I've just upgraded to samba 3.5.11 and it does exactly the same as before. *wbinfo -u* or *wbinfo -g* list all the users, no problem. But *getent passwd* show no user whatsoever  And 3.6 doesn't compile for me 

Back to 3.4.


----------

