Alessandro Giorgio Togna a.togna at unimarconi.it
Mon Feb 25 11:05:23 MST 2013

Hello everybody,
we're trying to set-up Samba to share directories with Win users from 
some Linux servers.
We've set up kerberos, gotten a ticket, joined the server to the domain, 
we get correct users/groups from "wbinfo" and "getent".
The problem lies in "id": it does not update its user<->group mappings 
when they change on AD, even if "wbinfo" and "getent" get the changes.
If we erase the /var/lib/samba/*.tdb cache the mappings get updated, but 
I guess this should not be the case, they should update automagically.
A thing we've noticed is that "net rpc info" on all our DCs always 
returns "1" as the "sequence number".
We've tried this configuration with centos original rpms and with 
EnterpriseSamba rpms for centos.


          default = FILE:/var/log/krb5libs.log
          kdc = FILE:/var/log/krb5kdc.log
          admin_server = FILE:/var/log/kadmind.log

          default_realm = AAA.LOC
          dns_lookup_realm = false
          dns_lookup_kdc = false
          ticket_lifetime = 24h
          renew_lifetime = 7d
          forwardable = true
        # default_tkt_enctypes = des3-hmac-sha1 des-cbc-crc
        # default_tgs_enctypes = des3-hmac-sha1 des-cbc-crc

          AAA.LOC = {
           kdc = addc01pl.aaa.loc
           kdc = addc02pl.aaa.loc
           admin_server = addc01pl.aaa.loc
           default_domain = AAA.LOC

          .aaa.loc = AAA.LOC
          aaa.loc = AAA.LOC

lmhosts:    localhost    AAA


        workgroup = AAA
        realm = AAA.LOC
        netbios name = BBB
        dns proxy = no
        log file = /var/log/samba/log.%m
        max log size = 1000
        syslog = 0
        security = ads
        domain master = no
        idmap uid = 10000-20000
        idmap gid = 10000-20000
        #map untrusted to domain = yes
        winbind use default domain = yes
        client ntlmv2 auth = yes
        interfaces = eth2 lo
        bind interfaces only = yes
        #log level = 3
        winbind enum users = yes
        winbind enum groups = yes
        winbind cache time = 60
        password server =,
        max protocol = SMB2
        load printers = no
        printing = bsd
        printcap name = /dev/null
        show add printer wizard = no
        disable spoolss = yes
        idmap cache time = 1
        idmap negative cache time = 1

Thanks for all the help we can get! (we've been reading and trying lots 
of things on forums/mailinglists, but to no avail).

Alessandro Giorgio Togna

Area Sistemi
Università degli Studi G.Marconi
diretto     +39 06 37725445
centralino  +39 06 377251

