[Samba] Winbind problems

Rowland Penny rpenny at samba.org
Mon Feb 3 19:26:23 UTC 2020


On 03/02/2020 18:03, Marcio Demetrio Bacci via samba wrote:
> Hi,
>
> I have a problem in my Samba 4 file server.
>
> I tried to change a directory's permission, but domain groups are not
> recognized:
>
> chown root:"Domain Admins" /home/Empresa
> chown: invalid group: “root:Domain Admins”
>
>
> When I run the "getent passwd" command, only local users are listed.
>
> wbinfo commands (wbinfo -g, wbinfo -u, wbinfo -a <user>) are working
> properly.

Yes, but does 'getent passwd username' produce output ?

And does 'getent group Domain\ Admins' produce output ?

> cat /usr/local/samba/etc/smb.conf
> [global]
>      netbios name = FILESERVER
>      workgroup = EMPRESA
>      security = ADS
>      realm = EMPRESA.COM.BR
>      encrypt passwords = yes
>      username map = /usr/local/samba/etc/user.map
>      log file = /var/log/samba/%m.log
>      log level = 1
>      idmap config * : backend = tdb
>      idmap config * : range = 3000-7999
>      idmap config EMPRESA:backend = ad
>      idmap config EMPRESA:schema_mode = rfc2307
>      idmap config EMPRESA:range = 10000-999999
>      idmap config EMPRESA:unix_nss_info = yes
>      idmap config EMPRESA:unix_primary_group = yes

Have you given your users a gidNumber attribute containing a number
inside '10000-999999'?

Have you given the groups that you want to be the users' primary groups a
gidNumber attribute containing a number inside '10000-999999' and then
given your users a gidNumber attribute containing the gidNumber of a
relevant group?

Have you given 'Domain Users' a gidNumber attribute containing a number
inside '10000-999999'?

>      winbind nss info = rfc2307
This is not used any more
>      winbind refresh tickets = Yes
>      winbind separator = +
>      winbind use default domain = yes
>      vfs objects = acl_xattr
>      map acl inherit = Yes
>      store dos attributes = Yes
>      template shell = /bin/bash
>      template homedir = /home/%U
>      dedicated keytab file = /etc/krb5.keytab
>      kerberos method = secrets and keytab
>      load printers = no
>      printing = bsd
>      printcap name = /dev/null
>      disable spoolss = yes
>
>      [Empresa]
>      comment = Compartilhamentos
>      path =  /home/Empresa
>      valid users = +EMPRESA\"Domain Users"
>      guest ok = no
>      writable = yes
>      browsable = yes
>      create mask = 0777
>      directory mask = 0777

You should set the share permissions following one of these pages:

https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs

https://wiki.samba.org/index.php/Setting_up_a_Share_Using_POSIX_ACLs

Rowland
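
The range checks asked about in the reply above, as an added example that is not part of the original message or of Samba: it reads the `idmap config EMPRESA:range` line and flags entries whose RFC2307 attributes the `ad` backend would not map. The directory entries, names and numbers are constructed for illustration, and the uidNumber check is added here because the `ad` backend needs that attribute in range as well.

```python
import re

# Constructed sample: idmap lines as they appear in the quoted smb.conf.
SMB_CONF = """
[global]
    idmap config * : backend = tdb
    idmap config * : range = 3000-7999
    idmap config EMPRESA:backend = ad
    idmap config EMPRESA:range = 10000-999999
"""

# Constructed AD entries (hypothetical names and numbers, not from the thread).
ENTRIES = [
    {"name": "Domain Users", "kind": "group", "gidNumber": 10000},
    {"name": "Domain Admins", "kind": "group"},  # gidNumber never set
    {"name": "alice", "kind": "user", "uidNumber": 10500, "gidNumber": 10000},
    {"name": "bob", "kind": "user", "uidNumber": 5000, "gidNumber": 10000},
    {"name": "carol", "kind": "user", "uidNumber": 10501, "gidNumber": 20000},
]

def idmap_range(conf, domain):
    """Return (low, high) from 'idmap config <domain> : range = low-high'."""
    pattern = r"^\s*idmap config\s+%s\s*:\s*range\s*=\s*(\d+)\s*-\s*(\d+)\s*$" % re.escape(domain)
    match = re.search(pattern, conf, re.IGNORECASE | re.MULTILINE)
    if match is None:
        raise ValueError("no idmap range configured for %r" % domain)
    return int(match.group(1)), int(match.group(2))

def check_entries(entries, low, high):
    """Map entry name -> reason it fails the checks asked about in the reply."""
    def in_range(value):
        return value is not None and low <= value <= high
    # gidNumbers that belong to a group the backend can actually map
    group_gids = {e["gidNumber"] for e in entries
                  if e["kind"] == "group" and in_range(e.get("gidNumber"))}
    problems = {}
    for e in entries:
        if e["kind"] == "group":
            if not in_range(e.get("gidNumber")):
                problems[e["name"]] = "gidNumber missing or outside range"
        elif not in_range(e.get("uidNumber")):
            problems[e["name"]] = "uidNumber missing or outside range"
        elif e.get("gidNumber") not in group_gids:
            problems[e["name"]] = "gidNumber is not that of an in-range group"
    return problems

if __name__ == "__main__":
    low, high = idmap_range(SMB_CONF, "EMPRESA")
    for name, reason in check_entries(ENTRIES, low, high).items():
        print("%s: %s" % (name, reason))
```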