[Samba] New ADC configuration

Matthew Daubenspeck matt at oddprocess.org
Tue Jul 16 09:03:22 MDT 2013

On Mon, Jul 15, 2013 at 09:19:48PM +0200, Marc Muehlfeld wrote:
> If you have multiple DCs, then the domain group/user/etc. stuff is
> automatically on each DC (directory replication). Member servers are getting
> the xID information from the DCs. And for that you need an Idmap
> configuration.
> For your member servers, I recommend to use backend AD and retrieve the xIDs
> from AD. Then you can edit the unix user/group information directly from
> ADUC, with all other account data. An example is in the HowTo: https://wiki.samba.org/index.php/Samba4/Domain_Member#Setting_up_a_basic_smb.conf
> Also then your user/groups have the same xIDs on all members.

It looks like I am close. I followed the wiki, replacing the necessary
items, and started smbd, nmbd, and winbindd. The net ads join initially
failed with some DNS issues; I fixed those, and the join succeeded. Here
is what works:

# wbinfo -p
Ping to winbindd succeeded

# wbinfo -u

Newly added users appear as well, after the winbind cache time is up.

# wbinfo -g
allowed rodc password replication group
enterprise read-only domain controllers
denied rodc password replication group
read-only domain controllers
group policy creator owners

However, I can't seem to get getent or id working.

# id administrator
id: administrator: no such user

# id testuser1
id: testuser1: no such user

However, if I create a temporary local user, then it seems to work:

# id testuser1
uid=1002(testuser1) gid=1002(testuser1)

Here is nsswitch.conf:

# Begin /etc/nsswitch.conf

passwd: files winbind
group: files winbind

What could I be missing? Here is smb.conf on the member server:


   workgroup = NWLTECH
   security = ADS
   realm = NWLTECH.ORG
   encrypt passwords = yes
   log level = 3

   idmap config *:backend = tdb
   idmap config *:range = 70001-80000
   idmap config NWLTECH:backend = ad
   idmap config NWLTECH:schema_mode = rfc2307
   idmap config NWLTECH:range = 500-40000
   winbind nss info = rfc2307
   winbind trusted domains only = no
   winbind use default domain = yes
   winbind enum users  = yes
   winbind enum groups = yes

   path = /home/samba/share1
   read only = no
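
A sanity check over the idmap lines of the smb.conf above, as an added example that is not part of the original post and is not Samba's own code: it parses the `idmap config` lines, reports overlapping ranges, and says which configured range a given uidNumber/gidNumber falls in. The function names are hypothetical and the sample input is constructed from the lines quoted in the message.

```python
import re

# Constructed sample: the idmap lines copied from the smb.conf in the message.
SAMPLE = """\
idmap config *:backend = tdb
idmap config *:range = 70001-80000
idmap config NWLTECH:backend = ad
idmap config NWLTECH:schema_mode = rfc2307
idmap config NWLTECH:range = 500-40000
"""

LINE = re.compile(r"^\s*idmap config\s+([^:\s]+)\s*:\s*([\w ]+?)\s*=\s*(.+?)\s*$", re.I)


def parse_idmap(text):
    """Return {domain: {option: value}}; 'range' becomes a (low, high) tuple."""
    domains = {}
    for line in text.splitlines():
        m = LINE.match(line)  # comment lines (# or ;) never match
        if not m:
            continue
        dom, opt, val = m.group(1).upper(), m.group(2).lower(), m.group(3)
        if opt == "range":
            low, high = (int(x) for x in val.split("-"))
            if low > high:
                raise ValueError(f"inverted range for {dom}: {val}")
            val = (low, high)
        domains.setdefault(dom, {})[opt] = val
    return domains


def overlaps(domains):
    """Pairs of domains whose ID ranges intersect (should be empty)."""
    r = sorted((d, o["range"]) for d, o in domains.items() if "range" in o)
    return [(a, b) for i, (a, ra) in enumerate(r)
            for b, rb in r[i + 1:] if ra[0] <= rb[1] and rb[0] <= ra[1]]


def owner(domains, xid):
    """Domain whose range contains xid, or None if no range covers it."""
    for dom, opts in domains.items():
        low, high = opts.get("range", (1, 0))
        if low <= xid <= high:
            return dom
    return None


if __name__ == "__main__":
    cfg = parse_idmap(SAMPLE)
    print("overlaps:", overlaps(cfg))
    for xid in (1002, 75000, 45000):
        print(xid, "->", owner(cfg, xid))
```

With the `ad` backend, winbind only maps accounts whose uidNumber/gidNumber attributes are set in AD and fall inside the domain's configured range, so `owner()` returning `None` for an account's ID means that account will not resolve on the member server.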
