[Samba] How does one "look at AD" in Samba4.1?

Stuart Longland stuartl at vrt.com.au
Sun Mar 16 23:42:14 MDT 2014

Hi Steve,

On 16/03/14 11:14, steve wrote:
> On Sun, 2014-03-16 at 10:52 +1000, Stuart Longland wrote:
>> Not so good.  At this point I'm told to "look at AD and verify that all
>> groups have GIDs".  I'm managing this from a Linux command line; how
>> does one do this?
> e.g. for Domain Users:
> ldbedit --url=/usr/local/samba/private/sam.ldb cn=Domain\ Users

This has been a *big* help.  I knew the information I needed was in LDAP
somewhere, just didn't know how to get at it to edit it.

> Now add something like RID+20000:
> gidNumber: 20513

You mention "RID", where do I find this?  What's the significance of the

> now:
> getent group Domain\ Users
> will return.

Well, this half-works now: I can do a `getent group 'MYDOMAIN\Domain
Users'`, and get a result.

It doesn't know about 'Domain Users' however: it seems to go looking for
this in a domain called BNEDEVFS0 (the hostname of the machine).

That said, it seems to be working well enough that a Windows 2000 and
Windows XP system are both talking to this domain happily exchanging
data with it.  (Logons work, files are reported by the Linux server as
being owned by MYDOMAIN\administrator... it'd be nice to ditch the
MYDOMAIN\ prefix but at least it works.)

Should I be concerned about the requirement for this prefix?
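
Added example (not part of the original message or of Samba): one way to do the "verify that all groups have GIDs" check from a Linux command line is to dump the groups with `ldbsearch --url=/usr/local/samba/private/sam.ldb '(objectClass=group)' cn objectSid gidNumber` and list the entries that lack a `gidNumber`. The RID is the last component of each group's `objectSid` (513 for Domain Users, hence 20513 above). The sample LDIF, the domain name, the SIDs and the function names are constructed for illustration.

```python
import base64

# Constructed sample shaped like ldbsearch LDIF output (not from a real domain).
SAMPLE_LDIF = """\
# record 1
dn: CN=Domain Users,CN=Users,DC=mydomain,DC=example
cn: Domain Users
objectSid: S-1-5-21-1111111111-2222222222-3333333333-513
gidNumber: 20513

# record 2
dn: CN=Domain Admins,CN=Users,DC=mydomain,DC=example
cn: Domain Admins
objectSid: S-1-5-21-1111111111-2222222222-3333333333-512

# record 3
dn: CN=Build Engineers,OU=Staff,
 DC=mydomain,DC=example
cn:: QnVpbGQgRW5naW5lZXJz
objectSid: S-1-5-21-1111111111-2222222222-3333333333-1104

# returned 3 records
"""

GID_OFFSET = 20000  # the "RID+20000" convention suggested in the thread

def parse_ldif(text):
    """Yield one {attribute: first value} dict per LDIF record."""
    unfolded = text.replace("\n ", "")  # LDIF folds long lines as newline + space
    for block in unfolded.split("\n\n"):
        entry = {}
        for line in block.splitlines():
            if line.startswith("#") or ":" not in line:
                continue  # skip ldbsearch comments such as "# record 1"
            name, _, value = line.partition(":")
            if value.startswith(":"):  # "attr:: <base64>" form
                value = base64.b64decode(value[1:].strip()).decode("utf-8")
            entry.setdefault(name.lower(), value.strip())
        if "dn" in entry:
            yield entry

def groups_missing_gid(text, offset=GID_OFFSET):
    """Return (cn, RID, suggested gidNumber) for each group without a gidNumber."""
    missing = []
    for entry in parse_ldif(text):
        if "gidnumber" not in entry and "objectsid" in entry:
            rid = int(entry["objectsid"].rsplit("-", 1)[1])  # last SID component
            missing.append((entry["cn"], rid, rid + offset))
    return missing
```

Calling `groups_missing_gid()` on saved `ldbsearch` output gives the list of groups that still need a `gidNumber` set with `ldbedit`.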

