[Samba] Samba as AD member can not validate domain user
jd at ionica.lv
Mon Apr 6 03:09:31 MDT 2015
Quoting Rowland Penny <rowlandpenny at googlemail.com>:
>> getent passwd shows a list of local users, freezes for a while and exits;
>
> This is possibly because you may have (somehow) the same username in
> AD and /etc/passwd
Even with the "problematic" user removed, the behaviour is the same (with
net ads leave, removing the krb5 keytab, and join + restart).
>
>> id user shows user info if it exists locally.
>
> On an AD joined machine id should show user info if the user exists
> in AD and has the required rfc2307 attributes.
I re-checked what I have on AD DC:
1. getent passwd shows local + AD users (AD users having uids in the
range of 30000XX)
2. getent group shows local + AD groups, AD groups having gids in the
range of 30000XX, just Domain Users having gid 100
3. ldbsearch -s sub -H private/sam.ldb '(cn=Domain Users)' objectSID gidNumber
gives only objectSID without gidNumber.
CFG files from fileserver:
============
krb5.conf
[libdefaults]
default = INTERNAL.DOMAIN.LV
dns_lookup_realm = false
dns_lookup_kdc = true
===========
nsswitch.conf
passwd: compat winbind
group: compat winbind
shadow: compat files
hosts: files dns
networks: files
services: files
protocols: files
rpc: files
ethers: files
netmasks: files
netgroup: files
bootparams: files
automount: files
aliases: files nisplus
publickey: nisplus
=============
smb.conf on fileserver
[global]
security = ADS
workgroup = INTERNAL
acl group control = yes
inherit acls = Yes
map acl inherit = Yes
realm = INTERNAL.DOMAIN.LV
kerberos method = secrets and keytab
idmap config internal:backend = ad
idmap config internal:range = 10000-3001000
idmap config internal:schema_mode = rfc2307
idmap config *:range = 2000-9999
idmap config *:backend = tdb
dedicated keytab file = /etc/krb5.keytab
winbind enum users = Yes
winbind enum groups = Yes
winbind separator = \
winbind refresh tickets = Yes
winbind nss info = rfc2307
winbind use default domain = yes
winbind trusted domains only = yes
utmp = yes
wins server = sambadc.DOMAIN.lv
wins support = yes
dns proxy = no
wins proxy = no
wtmp directory = /var/log/wtmp
preferred master = no
log level = 4
bind interfaces only = Yes
interfaces = lo, eth1
netbios name = FS2
os level = 33
======================
smb.conf on AD DC
[global]
wins support = yes
server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbind, ntp_signd, kcc, dnsupdate
winbind trusted domains only = yes
os level = 65
workgroup = INTERNAL
realm = INTERNAL.DOMAIN.LV
name resolve order = bcast wins host
log level = 4
idmap_ldb:use rfc2307 = yes
preferred master = Yes
map to guest = Bad Password
security = user
server role = active directory domain controller
domain logons = Yes
kerberos method = secrets and keytab
server string = Samba AD DC Server %v
domain master = Yes
winbind use default domain = yes
utmp = yes
max log size = 5000
netbios name = SAMBADC
local master = Yes
wtmp directory = /var/log/wtmp
I feel lost and I do not understand what else to read or how to detect
what is wrong with cfg.
Janis
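A check that follows from the ldbsearch result in point 3 above, as an added example that is not part of the original post: with idmap backend = ad and schema_mode = rfc2307, winbind on the member server can only map users and groups that carry a uidNumber/gidNumber inside the configured idmap range, and a user's primary group must have a gidNumber as well. The script audits LDIF such as the output of `ldbsearch -H private/sam.ldb '(|(objectClass=user)(objectClass=group))' objectClass uidNumber gidNumber` against the range from the fileserver's smb.conf; the sample records are constructed, not taken from the thread.

```shell
#!/bin/sh
# Added example (not from the thread): audit rfc2307 attributes in LDIF
# against the idmap range from the fileserver smb.conf quoted in the post.
IDMAP_LOW=10000      # idmap config internal:range = 10000-3001000
IDMAP_HIGH=3001000

# check_rfc2307 LOW HIGH: reads LDIF on stdin; prints "dn<TAB>problem" for
# each group lacking gidNumber / user lacking uidNumber, or with a value
# outside LOW-HIGH. Exit status 1 if anything was reported, else 0.
check_rfc2307() {
    # unfold LDIF continuation lines (leading space) before parsing
    sed -e ':a' -e 'N' -e '$!ba' -e 's/\n //g' |
    awk -v low="$1" -v high="$2" '
        function report(why) { printf "%s\t%s\n", dn, why; bad = 1 }
        function inrange(n) { return n + 0 >= low + 0 && n + 0 <= high + 0 }
        function flush() {
            if (dn == "") return
            if (grp && gid == "") report("missing gidNumber")
            else if (grp && !inrange(gid)) report("gidNumber " gid " outside idmap range")
            if (usr && uid == "") report("missing uidNumber")
            else if (usr && !inrange(uid)) report("uidNumber " uid " outside idmap range")
            dn = ""; grp = 0; usr = 0; uid = ""; gid = ""
        }
        /^dn: /                { flush(); dn = substr($0, 5); next }
        /^objectClass: group$/ { grp = 1; next }
        /^objectClass: user$/  { usr = 1; next }
        /^uidNumber: /         { uid = $2; next }
        /^gidNumber: /         { gid = $2; next }
        /^$/                   { flush() }
        END                    { flush(); exit bad + 0 }
    '
}

# Constructed sample mirroring the post: Domain Users carries no gidNumber, so
# winbind with idmap backend = ad cannot map it (nor any user whose primary
# group it is); svc-backup has a uidNumber below the idmap range.
sample_ldif() {
cat <<'EOF'
dn: CN=Domain Users,CN=Users,DC=internal,DC=domain,DC=lv
objectClass: group

dn: CN=fileshare,CN=Users,DC=internal,DC=domain,DC=lv
objectClass: group
gidNumber: 3000010

dn: CN=svc-backup,CN=Users,DC=internal,DC=domain,DC=lv
objectClass: user
uidNumber: 500
EOF
}

sample_ldif | check_rfc2307 "$IDMAP_LOW" "$IDMAP_HIGH" && echo "rfc2307 attributes consistent"
```

On the real DC, pipe the ldbsearch output into check_rfc2307 instead of sample_ldif; every reported DN is an object that getent/id on the member server will not be able to resolve through the ad backend.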