Yes, my active domain user is displayed.
The user I'm searching for is also displayed after a few tweaks / restarts.
Couldn't replicate a stable workaround that always works for me - best solution I found was create passwd with mkpasswd -d and then move the file (was also not very stable, the user was found, then it wasn't and I needed to run it again, for now it works).
I'm looking for something that will force getent to query my DC, or maybe delete its cache.
Any idea?

-----Original Message-----
From: Brian Inglis [mailto:Brian.Inglis@SystematicSw.ab.ca]
Sent: Tuesday, May 28, 2019 6:15 PM
To: cygwin@cygwin.com
Subject: Re: getent doesn't show all domain users

On 2019-05-28 02:36, Maayan Apelboim wrote:
>> Systems may have tens to hundreds of local user accounts, and domains
>> may have hundreds to hundreds of thousands of user accounts.
>> The system probably caches only active users, and getent enumerates
>> those if no /etc/passwd file exists, as it was designed to enumerate
>> only a few entries from local files.
>> As it is, getent will not even enumerate hosts from the local hosts
>> files or resolver.
>> It appears that mkpasswd enumerates all local and system accounts in
>> the Security Accounts Manager file at $SYSTEMROOT/System32/config/SAM
>> loaded into /proc/registry/HKEY_LOCAL_MACHINE/SAM/, so it probably
>> does the same for domain accounts from Active Directory Domain Service.

> Ok, I understand why it won't display all users, but even when I query
> for this specific user that exists in the domain - it returns nothing.
> It only works when I have /etc/passwd file in place (generated by
> mkpasswd -d), but I was told in a previous thread that I should not
> use mkpasswd -d anymore, and use getent instead.
> Is there something I need to do with getent to get access for all my
> domain users?
> Should I keep my previous passwd file generated by mkpasswd -d?

Does "getent passwd" display any active domain+accounts on your system?
If someone is logged on to that system from a domain+account?

Check your domain membership:

    $ echo $USERDOMAIN $USERDOMAIN_ROAMINGPROFILE

and any other DOMAIN environment variables you have, and explicitly specify a known account in that domain before the userid using a plus sign "+" separator:

    $ getent passwd domain+account

similar to Trusted Installer:

    $ getent passwd nt\ service+trustedinstaller
    NT SERVICE+TrustedInstaller:*:328384:328384:U-NT SERVICE\TrustedInstaller,S-1-5-80-...:/:/sbin/nologin

If the account doesn't display, check you are using the correct domain membership using AD DS tools or e.g. a PowerShell script.

--
Take care. Thanks, Brian Inglis, Calgary, Alberta, Canada

This email may be disturbing to some readers as it contains
too much technical detail. Reader discretion is advised.