[Samba] Member server - winbind unable to resolve users/groups

Rowland Penny rowlandpenny at googlemail.com
Fri Apr 3 06:42:57 MDT 2015

On 03/04/15 13:05, Andrey Repin wrote:
> Greetings, Ashish Yadav!
>>>> I'm trying to get the former PDC back into domain after performing a classic
>>>> migration.
>>>> AD DC is running fine... if you can call it that.
>>>> I've edited the smb.conf and nsswitch.conf as suggested in Wiki article, and
>>>> rejoined the domain. Went fine apart from failed DNS update with local zone.
>>>> # net ads testjoin
>>>> Join is OK
>>>> But there's no data in getent, and domain users are unable to authenticate on
>>>> the server.
>>>> So, where do I start looking?
>> Please check your /etc/nsswitch.conf file, it should contain this,
>> passwd: compat winbind
>> group:    compat winbind
>> For more information, please go through Samba Wiki first,
>> https://wiki.samba.org/index.php/Setup_a_Samba_AD_Member_Server
> Please read the message - I explicitly stated that nsswitch.conf is amended as
> suggested on the wiki.

OK, so you upgraded an NT-4 style PDC to AD with 'samba-tool domain 
classicupgrade', this should have given you users with uidNumber 
attributes and groups with gidNumber attributes.

If, as you said, you used the smb.conf from the member server wiki page, 
you will have something like this in your smb.conf:

    idmap config *:backend = tdb
    idmap config *:range = 2000-9999
    idmap config SAMDOM:backend = ad
    idmap config SAMDOM:schema_mode = rfc2307
    idmap config SAMDOM:range = 10000-99999

Two questions:
Did you change 'SAMDOM' to your workgroup name?
Are your users & groups uidNumber & gidNumber attributes inside the 
'10000-99999' range?
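
The two checks asked about above, as an added example that is not part of the original message: it parses the `idmap config` lines, returns no range when the workgroup name has no matching section, and lists accounts whose uidNumber/gidNumber is unset or outside the domain range. The account names and ID values are constructed samples, and the function names are hypothetical.

```python
import re

# Constructed sample: the idmap lines quoted in the message above.
SMB_CONF = """
    idmap config *:backend = tdb
    idmap config *:range = 2000-9999
    idmap config SAMDOM:backend = ad
    idmap config SAMDOM:schema_mode = rfc2307
    idmap config SAMDOM:range = 10000-99999
"""
# Constructed sample accounts: (name, attribute, value or None if unset).
ENTRIES = [
    ("alice", "uidNumber", 10001),
    ("bob", "uidNumber", 1005),    # kept a low ID from before the upgrade
    ("carol", "uidNumber", None),  # attribute missing
    ("staff", "gidNumber", 513),
]

IDMAP_RE = re.compile(r"^\s*idmap config\s+([^:\s]+)\s*:\s*(\w+)\s*=\s*(.+?)\s*$", re.I)

def parse_idmap(conf_text):
    """Return {domain: {option: value}} from 'idmap config DOM:opt = val' lines."""
    domains = {}
    for line in conf_text.splitlines():
        m = IDMAP_RE.match(line)  # commented-out lines do not match
        if m:
            domains.setdefault(m.group(1).upper(), {})[m.group(2).lower()] = m.group(3)
    return domains

def domain_range(domains, workgroup):
    """Return (low, high) for the workgroup, or None if it has no idmap range."""
    cfg = domains.get(workgroup.upper())
    if not cfg or "range" not in cfg:
        return None  # e.g. 'SAMDOM' was never changed to the real workgroup name
    return tuple(int(x) for x in cfg["range"].split("-"))

def check_entries(entries, id_range):
    """Return {name: problem} for entries that are unset or outside the range."""
    low, high = id_range
    problems = {}
    for name, attr, value in entries:
        if value is None:
            problems[name] = f"{attr} not set"
        elif not low <= value <= high:
            problems[name] = f"{attr} {value} outside {low}-{high}"
    return problems

if __name__ == "__main__":
    print(check_entries(ENTRIES, domain_range(parse_idmap(SMB_CONF), "SAMDOM")))
```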

