[Samba] My samba can't see its own groups! (4.0.9 as solo AD DC)

Trent W. Buck trentbuck at gmail.com
Sun Nov 10 16:47:36 MST 2013

David Keegel <djk at cyber.com.au> writes:

>> If your clients are linux running samba3, I think that you are
>> running into the 'samba3 winbind != samba4 winbind' problem, you need
>> to use RFC2307 attributes to get your users to have the same uid &
>> gid on the server as on the client.
> The clients (desktops) are all windows, so I don't think that is the
> issue.

As djk says, they're all Win 7 Pro.

> Random brainstorming: Would it make a difference if the samba config
> was written with PI\fnord (where PI is the name of the AD domain)
> instead of fnord for force group and valid users?

I tried that (and PI\\fnord), and it didn't change the behaviour.

> PS: I work with Trent. In case anyone was wondering, gumbo is the name of
> the new Samba4 server (on Debian) which is replacing the old Samba3 server
> (on Ubuntu) with OpenLDAP, so we can use AD features (which makes the
> Windows IT guy happy when he can use MMC, group policy, etc).

Actually the primary reason was so "Dassault Solidworks Enterprise PDM"
could talk to their centralized authentication, since it claimed to
speak only unencrypted LDAPv2, or AD.  Using slapd + olcAllows: bind_v2
allowed EPDM to authenticate, but it wouldn't recognize new users until
you manually created them in EPDM -- which you could only do by
switching from LDAP to internal auth internally.

(On Saturday, I found out "supports AD" is a slight misrepresentation --
it talks to the Windows host it's running on, which can then talk AD.)

In the short term we told it to talk LDAP to Samba 4, and it liked that
better than it liked slapd -- it could slurp in new users automatically
-- which was a nice surprise.
