While getent passwd and getent group work well for basic user and group resolution on domain-joined Linux systems, they expose only the POSIX fields that NSS (via SSSD or Winbind) maps from Active Directory: login name, UID, GID, GECOS, home directory and shell. The remaining AD attributes (mail, memberOf, pwdLastSet and so on) are never returned through getent; to read them you have to query the directory itself.
Here are the most effective methods to retrieve complete AD user attributes:
# Install required packages on Debian/Ubuntu
sudo apt-get install ldap-utils krb5-user samba-common-bin
This is the most robust approach for modern AD environments, because Kerberos authenticates you as the ticket holder and SASL/GSSAPI negotiates signing and sealing, so no password crosses the wire:
# First obtain a Kerberos ticket (klist shows whether you already hold one)
kinit username@DOMAIN.COM
# Then query AD using ldapsearch; quote "*" and "+" so the shell does not glob them
ldapsearch -H ldap://domaincontroller.example.com \
-Y GSSAPI -N -b "dc=example,dc=com" \
"(&(objectClass=user)(sAMAccountName=username))" \
"*" "+"
"*" requests all user attributes and "+" asks for operational attributes as well. -N stops ldapsearch from reverse-resolving the server name before building the GSSAPI target; keep it if the DC's PTR record does not match its Kerberos principal.
For systems running Samba, the same filter works with ldbsearch. The file-backed form below reads the local database directly and therefore only works on a Samba AD domain controller; on an ordinary domain member sam.ldb holds the machine's own SAM, not the domain's users, so point ldbsearch at a DC over LDAP instead (-H ldap://dc.example.com with your Kerberos credentials):
ldbsearch -H /var/lib/samba/private/sam.ldb \
-b "cn=users,dc=example,dc=com" \
"(&(objectClass=user)(sAMAccountName=username))"
The cn=Users base only finds accounts in the default container; use the domain root as the base if your users live in OUs.
A more user-friendly alternative, available in recent adcli releases, is adcli show-user, which prints the account's attributes in LDIF-like form using an existing Kerberos ticket:
adcli show-user username --domain-controller=dc.example.com \
--login-ccache=/tmp/krb5cc_$(id -u)
The path given to --login-ccache assumes a FILE: credential cache; on hosts where Kerberos uses KEYRING or KCM caches (common with SSSD), pass --login-ccache without a value so adcli uses the default cache.
When you get the full attribute list, these are some of the most useful ones:
- userPrincipalName: UPN (user@domain)
- sAMAccountName: Legacy (pre-Windows 2000) login name
- givenName/sn: First/last name
- memberOf: Group memberships, as the DNs of the groups
- pwdLastSet: Password change timestamp, stored as a Windows FILETIME (100-nanosecond ticks since 1601-01-01 UTC); 0 means the user must change the password at next logon
To make the output more manageable, pipe it through grep, or disable LDIF line wrapping and drop the comment and version lines with -o ldif-wrap=no -LLL before post-processing:
ldapsearch ... | grep -i "mail:\|memberOf:"
# OR
ldapsearch -o ldif-wrap=no -LLL ... | jq -Rs 'split("\n")'
The jq form only turns each LDIF line into a JSON string; it does not parse attribute names or values, and binary attributes such as objectSid still arrive base64-encoded on "attr::" lines.
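Parsing the LDIF that ldapsearch emits properly takes a little more than grep or jq. The following is an added example, not code from the original page: it parses ldapsearch output into per-entry dictionaries, joins continuation lines, decodes base64 ("attr::") values, converts pwdLastSet from a Windows FILETIME to a UTC datetime and renders objectSid as an S-1-5-... string. The sample LDIF embedded in it is constructed for illustration; every value in it is made up.

```python
import base64
import struct
from datetime import datetime, timedelta, timezone

# Constructed sample in the shape of ldapsearch output; all values are made up.
# It deliberately contains a wrapped line (ldapsearch wraps at 76 columns unless
# -o ldif-wrap=no is given), a base64 attribute, a multi-valued attribute and a
# referral comment of the kind printed when -LLL is not used.
SAMPLE_LDIF = """\
dn: CN=John Doe,CN=Users,DC=example,DC=com
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: John Doe
sAMAccountName: jdoe
userPrincipalName: jdoe@example.com
mail: jdoe@example.com
memberOf: CN=Domain Users,CN=Users,DC=example,DC=com
memberOf: CN=VPN Users,OU=Groups,DC=example,DC=com
pwdLastSet: 133500000000000000
description: a long description that ldapsearch wraps at 76 columns and con
 tinues on the next line with a leading space
objectSid:: AQUAAAAAAAUVAAAAAQIDBAUGBwgJCgsMUAQAAA==

# refldap://ForestDnsZones.example.com/DC=ForestDnsZones,DC=example,DC=com
"""

# Windows FILETIME counts 100-nanosecond ticks from 1601-01-01 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ticks):
    """Convert an AD FILETIME (pwdLastSet, lastLogonTimestamp, ...) to a UTC datetime.
    AD uses 0 for 'never set', e.g. a user who must change their password at next logon."""
    ticks = int(ticks)
    if ticks == 0:
        return None
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


def sid_to_string(blob):
    """Render a binary objectSid: revision, sub-authority count, 6-byte big-endian
    identifier authority, then little-endian 32-bit sub-authorities."""
    revision, count = blob[0], blob[1]
    authority = int.from_bytes(blob[2:8], "big")
    subs = struct.unpack_from("<%dI" % count, blob, 8)
    return "S-%d-%d-%s" % (revision, authority, "-".join(str(s) for s in subs))


def parse_ldif(text):
    """Return a list of entries; each entry maps attribute name -> list of values.
    Base64 values ('attr:: ...') are decoded to bytes; everything else is str."""
    logical_lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and logical_lines:
            logical_lines[-1] += raw[1:]          # RFC 2849 continuation line
        else:
            logical_lines.append(raw)
    entries, current = [], {}
    for line in logical_lines + [""]:             # trailing "" flushes the last entry
        if line.startswith("#"):                  # comments, including referral lines
            continue
        if not line:                              # blank line terminates an entry
            if current:
                entries.append(current)
                current = {}
            continue
        name, sep, value = line.partition(":")
        if not sep:
            continue                              # not an attribute line, e.g. "version: 1" is fine, junk is not
        if value.startswith(":"):                 # "attr:: <base64>"
            decoded = base64.b64decode(value[1:].strip())
        else:
            decoded = value.strip()
        current.setdefault(name, []).append(decoded)
    return entries


def summarize(entry):
    """Pick out the attributes the text above calls most useful and make them readable."""
    def first(attr):
        values = entry.get(attr)
        return values[0] if values else None
    return {
        "sAMAccountName": first("sAMAccountName"),
        "userPrincipalName": first("userPrincipalName"),
        "mail": first("mail"),
        # memberOf holds group DNs; keep just the CN of each group
        "groups": [dn.split(",")[0].split("=", 1)[1] for dn in entry.get("memberOf", [])],
        "pwdLastSet": filetime_to_datetime(first("pwdLastSet") or 0),
        "objectSid": sid_to_string(first("objectSid")) if first("objectSid") else None,
    }


if __name__ == "__main__":
    for entry in parse_ldif(SAMPLE_LDIF):
        print(summarize(entry))
```

In practice you would feed it `ldapsearch -LLL -o ldif-wrap=no ...` output read from stdin; the parser tolerates wrapped lines and comments anyway so that output produced without those flags still parses.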
Error: SASL/GSSAPI authentication failure
Solution: Check that you hold a valid ticket (klist), that the client clock is within the 5-minute Kerberos skew tolerance of the DC, and that the host name passed to -H resolves and matches a registered SPN; if reverse DNS for the DC is wrong, add -N.
Error: Insufficient access rights
Solution: Authenticated domain users can read most user attributes by default; a denial on specific attributes means they are marked confidential or protected by an ACL, so use an account that has been granted read permission on them.
When working with Active Directory (AD) from a Linux machine, the getent passwd command only provides the basic POSIX fields such as UID, GID and home directory. For full AD attribute access, we need to query the directory itself over LDAP.
- Linux machine already joined to the AD domain
- Proper DNS configuration pointing to the AD domain controllers
- Installed LDAP utilities: sudo apt-get install ldap-utils (Debian/Ubuntu) or sudo yum install openldap-clients (RHEL/CentOS)
Here's the fundamental command structure to query AD attributes with a simple bind (-x) as a dedicated query account:
ldapsearch -x -ZZ -H ldap://your.domain.controller \
-D "cn=queryuser,cn=Users,dc=domain,dc=com" \
-W -b "dc=domain,dc=com" \
"(sAMAccountName=targetuser)"
A simple bind sends the password in cleartext, so always pair it with -ZZ (StartTLS, failing if it cannot be negotiated) or an ldaps:// URL; domain controllers configured to require LDAP signing reject cleartext simple binds anyway. The DC's certificate must chain to a CA listed under TLS_CACERT in /etc/ldap/ldap.conf (Debian/Ubuntu) or /etc/openldap/ldap.conf (RHEL/CentOS).
To get all attributes for a specific user:
ldapsearch -x -H ldap://dc01.example.com \
-D "queryuser@example.com" -W \
-b "dc=example,dc=com" \
"(sAMAccountName=jdoe)"
To query specific attributes (mail, telephone, title):
ldapsearch -x -H ldap://dc01.example.com \
-D "queryuser@example.com" -W \
-b "dc=example,dc=com" \
"(sAMAccountName=jdoe)" mail telephoneNumber title
Some AD configurations permit anonymous binds for read operations. This is not the default: out of the box a DC answers anonymous queries only against the rootDSE, and allowing more requires an administrator to change the forest's dsHeuristics attribute, so expect this to return nothing in most domains:
ldapsearch -x -H ldap://dc01.example.com \
-b "dc=example,dc=com" \
"(sAMAccountName=jdoe)"
For frequent use, create a bash script (e.g., ad-query.sh). The version below quotes its arguments, so a "*" attribute list is not expanded by the shell, and escapes the RFC 4515 filter metacharacters in the username so that a value such as jdoe)(objectClass=* cannot turn the lookup into a wildcard search:
#!/bin/bash
# Usage: ad-query.sh <sAMAccountName> [attribute ...]   (default: all attributes)
set -euo pipefail
target=$1
shift
[ $# -eq 0 ] && set -- '*'
# Escape \ * ( ) as \5c \2a \28 \29 (RFC 4515) before embedding the value in the filter
escaped=$(printf '%s' "$target" | sed -e 's/\\/\\5c/g' -e 's/\*/\\2a/g' -e 's/(/\\28/g' -e 's/)/\\29/g')
ldapsearch -x -ZZ -LLL -o ldif-wrap=no -H ldap://dc01.example.com \
-D "queryuser@example.com" -W \
-b "dc=example,dc=com" \
"(sAMAccountName=$escaped)" "$@"
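A wrapper that splices a caller-supplied username straight into "(sAMAccountName=...)" is an LDAP filter injection point: the input jdoe)(objectClass=* would match every object in the base. The following is an added example, not code from the original page, showing how to escape the assertion value per RFC 4515 and hand ldapsearch an argv list (no shell, so "*" is never globbed). The host, bind DN and base DN are placeholders taken from the commands above.

```python
import subprocess

# RFC 4515 requires these characters inside an assertion value to be hex-escaped.
_FILTER_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}


def ldap_filter_escape(value):
    """Escape one assertion value so it cannot alter the structure of a search filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def build_argv(username, attributes=("*",), host="ldap://dc01.example.com",
               bind_dn="queryuser@example.com", base="dc=example,dc=com"):
    """Return the ldapsearch argv for looking up one account by sAMAccountName.
    Hostname, bind DN and base are illustrative placeholders. Because the list is
    passed to subprocess without a shell, "*" reaches ldapsearch literally."""
    search_filter = "(sAMAccountName=%s)" % ldap_filter_escape(username)
    return ["ldapsearch", "-x", "-ZZ", "-LLL", "-o", "ldif-wrap=no",
            "-H", host, "-D", bind_dn, "-W", "-b", base,
            search_filter, *attributes]


def run_query(username, attributes=("*",)):
    """Run ldapsearch and return its LDIF output; needs a reachable DC and prompts for
    the bind password because of -W."""
    result = subprocess.run(build_argv(username, attributes), check=True,
                            capture_output=True, text=True)
    return result.stdout


if __name__ == "__main__":
    # Hostile input stays inside the filter value instead of closing the clause.
    print(" ".join(build_argv("jdoe)(objectClass=*", ["mail", "memberOf"])))
```

Escaping is the only correct fix here; rejecting input that contains parentheses would also break legitimate lookups of display names or descriptions that contain them.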
Attribute | Description |
---|---|
sAMAccountName | AD username (pre-Windows 2000 logon name) |
userPrincipalName | User principal name (UPN) |
mail | Email address |
displayName | Full display name |
memberOf | Group memberships |
pwdLastSet | Password last changed timestamp (Windows FILETIME) |