[Samba] Join Samba4 member server to Windows AD

Ismael Yáñez yanez at bss-services.de
Tue Mar 4 07:46:59 MST 2014


On 27.02.2014 19:24, Denis Cardon wrote:
> Hi Ismael,
>
> ---snip---
>> [global]
>>
>>      workgroup = SD1
>>      security = ADS
>>      realm = SD1.RD.LAN
>>      encrypt passwords = yes
>>
>> #    idmap config *:backend = tdb
>> #    idmap config *:range = 70001-80000
>>      idmap config SD1:backend = ad
>>      idmap config SD1:schema_mode = rfc2307
>>      idmap config SD1:range = 10000-40000
>>
>>      winbind nss info = rfc2307
>> #    winbind separator = +
>>      winbind trusted domains only = no
>>      winbind use default domain = yes
>>      winbind enum users = yes
>>      winbind enum groups = yes
>>
> --snip--
>>
>> As you can see I see the users and groups of the root domain (RD.LAN)
>> and subdomain2 (SD2.RD.LAN) but nothing about subdomain1 (SD1.RD.LAN)
>
> You specified an idmap configuration for SD1 in your smb.conf file with
> rfc2307, which tells samba to look for uidnumber and gidnumber in active
> directory for SID<->uid/gid mapping. Those attributes are not
> populated by default, so wbinfo does not pick up your SD1 entries.
>
>> also when I execute getent passwd and getent group, I only see the Linux
>> users and groups but don't get anything from Windows AD.
>
> In order for getent passwd to work, there has to be a SID<->uid/gid
> mapping, but you have not specified any mapping for the SD2 domain, only for
> SD1, which actually does not work...
>
> Try to fix your idmap. You may use rid to get a consistent mapping 
> between your different servers.
>
> Hope this helps,
>
> Denis

@Damien: I made sure nscd wasn't running and that winbind is the same 
version as samba.

@Denis: I tried the following configuration with rid:

[global]

         workgroup = SD1
         security = ADS
         realm = SD1.RD.LAN
         encrypt passwords = yes

         idmap config *:backend = tdb
         idmap config *:range = 70001-80000

         idmap config SD1:backend = rid
         idmap config SD1:range = 30000-39999
         idmap config SD1:base_rid = 1000

         winbind separator = /
         template shell = /bin/bash
         winbind trusted domains only = no
         winbind use default domain = yes
         winbind enum users = yes
         winbind enum groups = yes
         acl group control = yes

         vfs objects = acl_xattr
         map acl inherit = yes
         store dos attributes = yes

But it still doesn't work for SD1; I only get information for SD2.RD.LAN
and RD.LAN.

I have Samba 4.1.5 running, the latest stable version. The machine is
running Ubuntu 12.04.4 LTS.

Is there anything I can try maybe on the Windows side of the equation?

Thanks for your help and time!
Ismael
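
Added example (not part of the original message and not Samba's own code): the mapping documented for the idmap_rid backend, ID = RID - base_rid + low end of range, applied to the SD1 settings posted above. The RIDs in the demo are constructed sample values; 500 and 513 are the well-known Administrator and Domain Users RIDs.

```python
import re

# idmap lines copied from the smb.conf in the message above.
SMB_CONF = """\
idmap config *:backend = tdb
idmap config *:range = 70001-80000
idmap config SD1:backend = rid
idmap config SD1:range = 30000-39999
idmap config SD1:base_rid = 1000
"""

IDMAP_LINE = re.compile(r"^\s*idmap config\s+([^:\s]+)\s*:\s*(\S+)\s*=\s*(.+?)\s*$", re.I)

def parse_idmap(text):
    """Return {domain: {option: value}} for each uncommented 'idmap config' line."""
    domains = {}
    for line in text.splitlines():
        m = IDMAP_LINE.match(line)
        if m:
            dom, opt, val = m.groups()
            domains.setdefault(dom.upper(), {})[opt.lower()] = val
    return domains

def rid_window(cfg):
    """(lowest, highest) RID that the rid backend can map with this config."""
    low, high = (int(x) for x in cfg["range"].split("-"))
    base = int(cfg.get("base_rid", 0))
    return base, base + (high - low)

def rid_to_id(rid, cfg):
    """Unix ID for a RID (ID = RID - base_rid + low), or None if filtered."""
    low = int(cfg["range"].split("-")[0])
    first, last = rid_window(cfg)
    if not first <= rid <= last:
        return None
    return rid - int(cfg.get("base_rid", 0)) + low

if __name__ == "__main__":
    sd1 = parse_idmap(SMB_CONF)["SD1"]
    print("mappable RIDs:", rid_window(sd1))
    # Constructed sample RIDs: 500 and 513 are the well-known Administrator
    # and Domain Users RIDs; the others stand in for ordinary accounts.
    for rid in (500, 513, 1105, 10999, 11000):
        print(rid, "->", rid_to_id(rid, sd1))
```

With these settings only RIDs 1000 to 10999 receive a Unix ID, so objects with lower RIDs, such as Domain Users (RID 513), stay unmapped in SD1.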

