public inbox for cygwin@cygwin.com
* getent doesn't show all domain users
From: Maayan Apelboim @ 2019-05-27  9:15 UTC (permalink / raw)
  To: cygwin

Hello,

I have a server in the domain (duplicated from another domain if it matters).
At first "getent passwd" run I see the user from the different domain, but after a few runs it disappears.
Even after it disappears getent doesn't return all domain users while mkpasswd -d returns all users.
When I try to chown user /home/user I get "invalid user" error - but this user exists in the domain.
After a few restarts to the server or logging with the user the problem is solved.
But I don't have a constant work around that works smoothly.

Is there a way to actively "refresh"/"restart" getent?


Thanks


--
Problem reports:       http://cygwin.com/problems.html
FAQ:                   http://cygwin.com/faq/
Documentation:         http://cygwin.com/docs.html
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple


* Re: getent doesn't show all domain users
From: Brian Inglis @ 2019-05-27 15:59 UTC (permalink / raw)
  To: cygwin

On 2019-05-27 03:15, Maayan Apelboim wrote:
> I have a server in the domain (duplicated from another domain if it matters).
> At first "getent passwd" run I see the user from the different domain, but 
> after a few runs it disappears.
> Even after it disappears getent doesn't return all domain users while
> mkpasswd -d returns all users.
> When I try to chown user /home/user I get "invalid user" error - but this
> user exists in the domain.
> After a few restarts to the server or logging with the user the problem is
> solved.
> But I don't have a constant work around that works smoothly.

Systems may have tens to hundreds of local user accounts, and domains may have
hundreds to hundreds of thousands of user accounts.
The system probably caches only active users, and getent enumerates those if no
/etc/passwd file exists, as it was designed to enumerate only a few entries from
local files.
As it is, getent will not even enumerate hosts from the local hosts files or
resolver.

It appears that mkpasswd enumerates all local and system accounts in the
Security Accounts Manager file at $SYSTEMROOT/System32/config/SAM loaded into
/proc/registry/HKEY_LOCAL_MACHINE/SAM/, so it probably does the same for domain
accounts from Active Directory Domain Service.

-- 
Take care. Thanks, Brian Inglis, Calgary, Alberta, Canada

This email may be disturbing to some readers as it contains
too much technical detail. Reader discretion is advised.


* RE: getent doesn't show all domain users
From: Maayan Apelboim @ 2019-05-28  8:36 UTC (permalink / raw)
  To: cygwin


> Systems may have tens to hundreds of local user accounts, and domains may have hundreds to hundreds of thousands of user accounts.
> The system probably caches only active users, and getent enumerates those if no /etc/passwd file exists, as it was designed to enumerate only a few entries from local files.
> As it is, getent will not even enumerate hosts from the local hosts files or resolver.
>
> It appears that mkpasswd enumerates all local and system accounts in the Security Accounts Manager file at $SYSTEMROOT/System32/config/SAM loaded into /proc/registry/HKEY_LOCAL_MACHINE/SAM/, so it probably does the same for domain accounts from Active Directory Domain Service.
>
> --
> Take care. Thanks, Brian Inglis, Calgary, Alberta, Canada
>
> This email may be disturbing to some readers as it contains too much technical detail. Reader discretion is advised.

Ok, I understand why it won't display all users, but even when I query for this specific user that exists in the domain - it returns nothing.
It only works when I have /etc/passwd file in place (generated by mkpasswd -d), but I was told in a previous thread that I should not use mkpasswd -d anymore, and use getent instead.
Is there something I need to do with getent to get access for all my domain users?
Should I keep my previous passwd file generated by mkpasswd -d?

Thanks

* Re: getent doesn't show all domain users
From: Brian Inglis @ 2019-05-28 15:15 UTC (permalink / raw)
  To: cygwin

On 2019-05-28 02:36, Maayan Apelboim wrote:
>> Systems may have tens to hundreds of local user accounts, and domains may
>> have hundreds to hundreds of thousands of user accounts.
>> The system probably caches only active users, and getent enumerates those 
>> if no /etc/passwd file exists, as it was designed to enumerate only a few
>> entries from local files.
>> As it is, getent will not even enumerate hosts from the local hosts files
>> or resolver.
>> It appears that mkpasswd enumerates all local and system accounts in the 
>> Security Accounts Manager file at $SYSTEMROOT/System32/config/SAM loaded 
>> into /proc/registry/HKEY_LOCAL_MACHINE/SAM/, so it probably does the same
>> for domain accounts from Active Directory Domain Service.

> Ok, I understand why it won't display all users, but even when I query for 
> this specific user that exists in the domain - it returns nothing.
> It only works when I have /etc/passwd file in place (generated by mkpasswd 
> -d), but I was told in a previous thread that I should not use mkpasswd -d 
> anymore, and use getent instead.
> Is there something I need to do with getent to get access for all my domain
> users?
> Should I keep my previous passwd file generated by mkpasswd -d?

Does "getent passwd" display any active domain+accounts on your system?
If someone is logged on to that system from a domain+account?

Check your domain membership:

	$ echo $USERDOMAIN $USERDOMAIN_ROAMINGPROFILE

and any other DOMAIN environment variables you have, and explicitly specify a
known account in that domain before the userid using a plus sign "+" separator:

	$ getent passwd domain+account

similar to Trusted Installer:

	$ getent passwd nt\ service+trustedinstaller
	NT SERVICE+TrustedInstaller:*:328384:328384:U-NT SERVICE\TrustedInstaller,S-1-5-80-...:/:/sbin/nologin

If the account doesn't display, check you are using the correct domain
membership using AD DS tools or e.g. a PowerShell script.

-- 
Take care. Thanks, Brian Inglis, Calgary, Alberta, Canada

This email may be disturbing to some readers as it contains
too much technical detail. Reader discretion is advised.
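
Added example, not part of the original message or of Cygwin: a pre-flight check that resolves each `domain+account` name the way the message above describes and reports the uid and SID it maps to, so an unresolved name is caught before `chown` fails with "invalid user". `LOOKUP`, `parse_entry`, `check_accounts` and the `EXAMPLE` domain are names assumed for this example; the gecos layout (`U-DOMAIN\name,S-1-...`) is taken from the TrustedInstaller output shown above.

```shell
#!/bin/sh
# Added example (not from the thread): confirm that accounts resolve through
# Cygwin's passwd lookup before running chown, and show the uid and SID each
# name maps to.

# LOOKUP is an assumption of this example: the command that resolves one
# account name. Override it to exercise the script without a domain.
LOOKUP=${LOOKUP:-getent passwd}

# parse_entry LINE -> "uid|windows_name|sid"
# Assumes the gecos (5th) field has the form seen in the TrustedInstaller
# output quoted in the thread: U-DOMAIN\name,S-1-...
parse_entry() {
    printf '%s\n' "$1" | awk -F: '{
        win = ""; sid = ""
        n = split($5, parts, ",")
        for (i = 1; i <= n; i++) {
            if (parts[i] ~ /^U-/)   win = substr(parts[i], 3)
            if (parts[i] ~ /^S-1-/) sid = parts[i]
        }
        print $3 "|" win "|" sid
    }'
}

# check_accounts ACCOUNT... -> one report line per account.
# Returns the number of accounts that did not resolve (0 means all resolved).
check_accounts() {
    missing=0
    for acct in "$@"; do
        # $LOOKUP is left unquoted on purpose so "getent passwd" splits
        # into command and argument; the account name stays one word.
        if line=$($LOOKUP "$acct" 2>/dev/null) && [ -n "$line" ]; then
            printf 'OK       %s -> %s\n' "$acct" "$(parse_entry "$line")"
        else
            printf 'MISSING  %s\n' "$acct"
            missing=$((missing + 1))
        fi
    done
    return "$missing"
}

# Usage: sh check-accounts.sh 'DOMAIN+account' 'nt service+trustedinstaller'
if [ "$#" -gt 0 ]; then
    check_accounts "$@"
fi
```

A non-zero exit status is the count of names that did not resolve; saving the report from a run where the account is missing alongside the strace output gives a record of which names failed and when.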


* RE: getent doesn't show all domain users
From: Maayan Apelboim @ 2019-05-29  9:16 UTC (permalink / raw)
  To: cygwin


Yes, my active domain user is displayed.
The user I'm searching for is also displayed after a few tweaks / restarts.
Couldn't replicate a stable workaround that always works for me - best solution I found was to create passwd with mkpasswd -d and then move the file (was also not very stable, the user was found, then it wasn't and I needed to run it again, for now it works).

I'm looking for something that will force getent to query my DC, or maybe delete its cache.
Any idea?

-----Original Message-----
From: Brian Inglis [mailto:Brian.Inglis@SystematicSw.ab.ca] 
Sent: Tuesday, May 28, 2019 6:15 PM
To: cygwin@cygwin.com
Subject: Re: getent doesn't show all domain users

On 2019-05-28 02:36, Maayan Apelboim wrote:
>> Systems may have tens to hundreds of local user accounts, and domains 
>> may have hundreds to hundreds of thousands of user accounts.
>> The system probably caches only active users, and getent enumerates 
>> those if no /etc/passwd file exists, as it was designed to enumerate 
>> only a few entries from local files.
>> As it is, getent will not even enumerate hosts from the local hosts 
>> files or resolver.
>> It appears that mkpasswd enumerates all local and system accounts in 
>> the Security Accounts Manager file at $SYSTEMROOT/System32/config/SAM 
>> loaded into /proc/registry/HKEY_LOCAL_MACHINE/SAM/, so it probably 
>> does the same for domain accounts from Active Directory Domain Service.

> Ok, I understand why it won't display all users, but even when I query 
> for this specific user that exists in the domain - it returns nothing.
> It only works when I have /etc/passwd file in place (generated by 
> mkpasswd -d), but I was told in a previous thread that I should not 
> use mkpasswd -d anymore, and use getent instead.
> Is there something I need to do with getent to get access for all my 
> domain users?
> Should I keep my previous passwd file generated by mkpasswd -d?

Does "getent passwd" display any active domain+accounts on your system?
If someone is logged on to that system from a domain+account?

Check your domain membership:

	$ echo $USERDOMAIN $USERDOMAIN_ROAMINGPROFILE

and any other DOMAIN environment variables you have, and explicitly specify a known account in that domain before the userid using a plus sign "+" separator:

	$ getent passwd domain+account

similar to Trusted Installer:

	$ getent passwd nt\ service+trustedinstaller
	NT SERVICE+TrustedInstaller:*:328384:328384:U-NT SERVICE\TrustedInstaller,S-1-5-80-...:/:/sbin/nologin

If the account doesn't display, check you are using the correct domain membership using AD DS tools or e.g a PowerShell script.

--
Take care. Thanks, Brian Inglis, Calgary, Alberta, Canada

This email may be disturbing to some readers as it contains too much technical detail. Reader discretion is advised.

* Re: getent doesn't show all domain users
From: Brian Inglis @ 2019-05-29 13:25 UTC (permalink / raw)
  To: cygwin

On 2019-05-29 03:16, Maayan Apelboim wrote:
> On Tuesday, May 28, 2019 6:15 PM, Brian Inglis wrote:
>> On 2019-05-28 02:36, Maayan Apelboim wrote:
>>> Brian Inglis wrote:
>>>> Systems may have tens to hundreds of local user accounts, and domains 
>>>> may have hundreds to hundreds of thousands of user accounts.
>>>> The system probably caches only active users, and getent enumerates 
>>>> those if no /etc/passwd file exists, as it was designed to enumerate 
>>>> only a few entries from local files.
>>>> As it is, getent will not even enumerate hosts from the local hosts 
>>>> files or resolver.
>>>> It appears that mkpasswd enumerates all local and system accounts in 
>>>> the Security Accounts Manager file at $SYSTEMROOT/System32/config/SAM 
>>>> loaded into /proc/registry/HKEY_LOCAL_MACHINE/SAM/, so it probably 
>>>> does the same for domain accounts from Active Directory Domain Service.
>>> 
>>> Ok, I understand why it won't display all users, but even when I query 
>>> for this specific user that exists in the domain - it returns nothing.
>>> It only works when I have /etc/passwd file in place (generated by 
>>> mkpasswd -d), but I was told in a previous thread that I should not 
>>> use mkpasswd -d anymore, and use getent instead.
>>> Is there something I need to do with getent to get access for all my 
>>> domain users?
>>> Should I keep my previous passwd file generated by mkpasswd -d?
>> 
>> Does "getent passwd" display any active domain+accounts on your system?
>> If someone is logged on to that system from a domain+account?
>> 
>> Check your domain membership:
>> 
>> 	$ echo $USERDOMAIN $USERDOMAIN_ROAMINGPROFILE
>> 
>> and any other DOMAIN environment variables you have, and explicitly specify a
>> known account in that domain before the userid using a plus sign "+"
>> separator:
>>
>> 	$ getent passwd domain+account
>> 
>> similar to Trusted Installer:
>> 
>> 	$ getent passwd nt\ service+trustedinstaller
>> 	NT SERVICE+TrustedInstaller:*:328384:328384:U-NT SERVICE\TrustedInstaller,S-1-5-80-...:/:/sbin/nologin
>> 
>> If the account doesn't display, check you are using the correct domain 
>> membership using AD DS tools or e.g a PowerShell script.
> 
> Yes, my active domain user is displayed.
> The user I'm searching for is also displayed after a few tweaks / restarts.
> Couldn't replicate a stable workaround that always works for me - best 
> solution I found was create passwd with mkpasswd -d and then move the file 
> (was also not very stable, the user was found, then it wasn't and I needed to
> run it again, for now it works).
>
> I'm looking for something that will force getent to query my DC, or maybe 
> delete its cache.
> Any idea?

From what I've seen, only accounts of active processes seem to be retrieved by
getent, at least under Windows 10: please post the output from your system of
the commands:

	$ uname -srvmo
	CYGWIN_NT-10.0 3.0.7(0.338/5/3) 2019-04-30 18:08 x86_64 Cygwin
	$ cmd /c ver

	Microsoft Windows [Version 10.0.17763.503]

You could try running getent from strace and save the output from both a
successful and a failed run e.g. run:

	$ strace -o getent.strace getent passwd domain+account

then rename getent.strace to getent.good|bad.strace depending on the outcome;
also run cygcheck -hrsv > cygcheck.out; and attach all three files as text
attachments to a post here so that, when they are available, someone with
relevant Cygwin and Windows background can take a look at them.

-- 
Take care. Thanks, Brian Inglis, Calgary, Alberta, Canada

This email may be disturbing to some readers as it contains
too much technical detail. Reader discretion is advised.


* Re: getent doesn't show all domain users
From: Andrey Repin @ 2019-05-30 22:05 UTC (permalink / raw)
  To: Maayan Apelboim, cygwin

Greetings, Maayan Apelboim!

> Yes, my active domain user is displayed.
> The user I'm searching for is also displayed after a few tweaks / restarts.
> Couldn't replicate a stable workaround that always works for me - best
> solution I found was create passwd with mkpasswd -d and then move the file
> (was also not very stable, the user was found, then it wasn't and I needed to run it again, for now it works).

> I'm looking for something that will force getent to query my DC, or maybe delete its cache.
> Any idea?

What's your NSS configuration (/etc/nsswitch.conf)?
Do you run with cygserver?


-- 
With best regards,
Andrey Repin
Friday, May 31, 2019 0:58:15

Sorry for my terrible english...



* Re: getent doesn't show all domain users
From: Corinna Vinschen @ 2019-06-03 11:14 UTC (permalink / raw)
  To: Maayan Apelboim; +Cc: cygwin


On May 27 09:59, Brian Inglis wrote:
> On 2019-05-27 03:15, Maayan Apelboim wrote:
> > I have a server in the domain (duplicated from another domain if it matters).
> > At first "getent passwd" run I see the user from the different domain, but 
> > after a few runs it disappears.
> > Even after it disappears getent doesn't return all domain users while
> > mkpasswd -d returns all users.
> > When I try to chown user /home/user I get "invalid user" error - but this
> > user exists in the domain.
> > After a few restarts to the server or logging with the user the problem is
> > solved.
> > But I don't have a constant work around that works smoothly.
> 
> Systems may have tens to hundreds of local user accounts, and domains
> may have hundreds to hundreds of thousands of user accounts.  The
> system probably caches only active users, and getent enumerates those
> if no /etc/passwd file exists, as it was designed to enumerate only a
> few entries from local files.  As it is, getent will not even
> enumerate hosts from the local hosts files or resolver.

Pointing to the user's guide which actually explains why this happens:

https://cygwin.com/cygwin-ug-net/ntsec.html#ntsec-mapping-nsswitch-enum

The user's guide!  Probably the most unread document of all times... ;)


Corinna

-- 
Corinna Vinschen
Cygwin Maintainer


* Re: getent doesn't show all domain users
From: Jose Isaias Cabrera @ 2019-06-03 14:52 UTC (permalink / raw)
  To: Maayan Apelboim, cygwin


Corinna Vinschen, on Monday, June 3, 2019 07:14 AM, wrote...
>
> The user's guide!  Probably the most unread document of all times... ;)

Indeed. :-)

josé

