[Samba] How does one "look at AD" in Samba4.1?

Stuart Longland stuartl at vrt.com.au
Sat Mar 15 18:52:15 MDT 2014

Hi all,

I'm in the process of setting up a test network with the view of
rebuilding our existing (Samba 3.5-based) NT domain, from scratch.

Most of the clients that will be connecting to it are Windows 7
machines, there is one Windows 8.1 Standard machine (that won't be
joining, but not my problem), and a number of Windows XP virtual
machines.  Presently I'm running a network consisting of a few VMs:

- bnedevdc0 and bnedevdc1: Primary and Back-up domain controller, Ubuntu
14.04 LTS (Beta), Samba 4.1 using BIND DLZ.
- bnedevfs0: my test file server
- clients running Windows 2000 Pro, Windows XP Pro and Windows 2012
Standard Evaluation[1]

Sadly not Windows 7 yet... but we'll get there.

At the moment I've managed to get the two older Windows machines and the
file server joined to the domain.  Windows 2012 refuses to join, it
claims I mistyped the password (despite using the exact same domain,
username and password to join the other two machines), so I've left that
for now.

I'm able to log in using domain accounts on either of the joined Windows
VMs.  So far so good.

Now I come to setting up the file server.  I've configured the machine
as a domain member and I get to here:

My smb.conf contains the following under [global]:
>    workgroup = MYREALM
>    security = ADS
>    idmap config *:backend = tdb
>    idmap config *:range = 70001-80000
>    idmap config MYREALM:backend = ad
>    idmap config MYREALM:schema_mode = rfc2307
>    idmap config MYREALM:range = 500-40000
>    template shell = /bin/bash
>    idmap uid = 500-10000000
>    idmap gid = 500-10000000
>    winbind nss info = rfc2307

wbinfo seems to see all the users and groups:
> admin at bnedevfs0:~$ wbinfo -u
> MYREALM\administrator
> MYREALM\dns-bnedevdc1
> MYREALM\dns-bnedevdc0
> MYREALM\admin
> MYREALM\krbtgt
> MYREALM\guest
> vrtadmin at bnedevfs0:~$ wbinfo -g
> MYREALM\allowed rodc password replication group
> MYREALM\enterprise read-only domain controllers
> MYREALM\denied rodc password replication group
> MYREALM\read-only domain controllers
> MYREALM\group policy creator owners
> MYREALM\ras and ias servers
> MYREALM\domain controllers
> MYREALM\enterprise admins
> MYREALM\domain computers
> MYREALM\cert publishers
> MYREALM\dnsupdateproxy
> MYREALM\domain admins
> MYREALM\domain guests
> MYREALM\schema admins
> MYREALM\domain users
> MYREALM\dnsadmins

Looking good so far, now let's try a getent:
> admin at bnedevfs0:~$ getent passwd 'MYREALM\Administrator'
> admin at bnedevfs0:~$ getent group 'MYREALM\domain admins'
> admin at bnedevfs0:~$ 

Not so good.  At this point I'm told to "look at AD and verify that all
groups have GIDs".  I'm managing this from a Linux command line; how
does one do this?

Stuart Longland
     _ ___
\  /|_) |                           T: +61 7 3535 9619
 \/ | \ |     38b Douglas Street    F: +61 7 3535 9699
   SYSTEMS    Milton QLD 4064       http://www.vrt.com.au

1. The KVM OpenStack image from here:


More information about the samba mailing list