Getent Group or Passwd is showing only local users.

The getent group or getent passwd command does not return domain users. The wbinfo command works perfectly and brings the users over from the domain. Can someone point me in the direction of why this would not be working?

Responses

Hi,

What does /etc/nsswitch.conf look like for:

passwd:
shadow:
group:

Regards,

Dusan Baljevic (amateur radio VK2COT)

Dear Dusan,

I had the same exact problem. Initially, I had the following configuration for my /etc/nsswitch.conf file:

passwd:         compat winbind
group:          compat winbind
shadow:         compat

But I could not retrieve users from AD by using getent passwd <user>. Then, I found your comment and added the following:

passwd:         compat winbind sss
group:          compat winbind sss
shadow:         compat

Now I am able to use getent passwd <user> properly. I hope this is correct. Thank you for your support.

The compat is ancient. It is similar to files, but you can use extra codes for access to the old NIS service that almost no one uses anymore.

You probably just need "files sss" for the three entries. Files to look in the local files (/etc/passwd etc), and sss to use the SSS Daemon to look up AD.

This is probably because by default only local users are shown, for performance reasons I suppose. Unless your environment is huge, it probably should be ok to change this. I don't know what you are using, but here is an example.

E.g.: We use sssd to connect to an LDAP, as can be seen from /etc/nsswitch.conf:

passwd:     files sss
shadow:     files sss
(...)

In order to get getent to show all users/groups, I can add "enumerate = true" to the relevant section:

[domain/OURDOMAIN]
ldap_uri = ldap://ldapserver.example.com/
(...)
enumerate = true

Then restart the daemon:

systemctl restart sssd
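
A way to check both settings discussed in this thread, as an added example that is not part of any post above: the functions report which sources NSS consults for a database and whether enumerate is set for an SSSD domain. The function names are made up for this example, and the default paths are assumed to be the standard /etc/nsswitch.conf and /etc/sssd/sssd.conf.

```shell
#!/bin/sh
# Added example (not from the thread). Function names are hypothetical;
# default paths are the usual locations and can be overridden per call.

# Print the source list for one NSS database (passwd, group, shadow),
# dropping comments and bracketed action items such as [NOTFOUND=return].
nss_sources() {  # usage: nss_sources <database> [nsswitch.conf path]
    awk -v db="$1:" '
        { sub(/#.*/, ""); gsub(/\[[^]]*\]/, "") }
        $1 == db {
            out = ""
            for (i = 2; i <= NF; i++) out = out (out ? " " : "") $i
            print out
            exit
        }' "${2:-/etc/nsswitch.conf}"
}

# Succeed only if the database consults a domain-backed source (sss or winbind).
nss_has_domain_source() {  # usage: nss_has_domain_source <database> [path]
    for src in $(nss_sources "$@"); do
        case "$src" in sss|winbind) return 0 ;; esac
    done
    return 1
}

# Print the value of "enumerate" inside [domain/<name>] of an sssd.conf,
# or "false" when the option is not set (the SSSD default).
sssd_enumerate() {  # usage: sssd_enumerate <domain> [sssd.conf path]
    awk -v want="[domain/$1]" '
        /^[ \t]*\[/ { gsub(/[ \t]/, ""); in_sec = ($0 == want); next }
        in_sec && /^[ \t]*enumerate[ \t]*=/ {
            sub(/^[^=]*=[ \t]*/, ""); sub(/[ \t]+$/, ""); val = tolower($0)
        }
        END { print (val == "" ? "false" : val) }' "${2:-/etc/sssd/sssd.conf}"
}
```

With enumerate left at false, getent passwd <user> still resolves a named domain user through sss; only the unkeyed listing omits domain accounts. Reading /etc/sssd/sssd.conf normally requires root.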