[Samba] Samba4 ad dc with Centos7
Rowland penny
rpenny at samba.org
Tue Dec 8 13:11:33 UTC 2015
On 08/12/15 12:27, Marcio Costa wrote:
> Hello, I may have a problem with winbind setup.
>
> -with wbinfo -g and wbinfo -u I get all group/user from AD/DC.
> -with getent group "Domain Users" and getent passwd "remote_user" I can see
> the info about the specific group and specific user.
> -with getent group and getent passwd I only see my local group/users.
>
> -I believe that using "getent group" and "getent passwd" I must see all
> users, right?
>
>
> -I'm using the SerNetSamba Version 4.2.5-SerNet-RedHat-19.el7;
> -ps auxf show me:
> root 24519 0.0 4.5 578196 45700 ? Ss 09:59 0:00
> /usr/sbin/samba -D
> root 24527 0.0 3.2 578196 32812 ? S 09:59 0:00 \_
> /usr/sbin/samba -D
> root 24529 0.0 4.7 617856 48016 ? Ss 09:59 0:00 | \_
> /usr/sbin/smbd -D --option=server role check:inhibit=yes --foreground
> root 24546 0.0 3.2 617856 32936 ? S 09:59 0:00 |
> \_ /usr/sbin/smbd -D --option=server role check:inhibit=yes --foreground
>
> root 24536 0.0 3.2 578196 32788 ? S 09:59 0:00 \_
> /usr/sbin/samba -D
> root 24541 0.0 4.5 587664 46480 ? Ss 09:59 0:00 | \_
> /usr/sbin/winbindd -D --option=server role check:inhibit=yes --foreground
> root 24545 0.0 3.5 605676 36492 ? S 09:59 0:00 |
> \_ /usr/sbin/winbindd -D --option=server role check:inhibit=yes --foreground
> root 24555 0.0 3.6 605992 36680 ? S 10:00 0:00 |
> \_ /usr/sbin/winbindd -D --option=server role check:inhibit=yes --foreground
>
> -ls /lib64
> lrwxrwxrwx. 1 root root 19 Dez 3 11:09 /lib64/libnss_winbind.so ->
> libnss_winbind.so.2
> -rwxr-xr-x. 1 root root 20K Out 28 07:44 /lib64/libnss_winbind.so.2
>
> -/etc/nsswitch.conf
> passwd: files winbind
> shadow: files winbind
> group: files winbind
>
> -smb.conf
> [global]
> workgroup = INTRANET
> realm = INTRANET.UNV
> netbios name = ITU
> server role = active directory domain controller
> dns forwarder = 10.2.3.4
> idmap_ldb:use rfc2307 = yes

You might as well remove these lines below; they do nothing on a Samba
DC (well, they have *never* worked for me). Winbind on a DC works
differently from on a domain member.

>
> idmap config INTRANET:backend = ad
> idmap config INTRANET:schema_mode = rfc2307
> idmap config INTRANET:range = 10000-9999999
>
> idmap uid = 10000-9999999
> idmap gid = 1000-9999999
>
> # Use settings from AD for login shell and home directory
> winbind nss info = rfc2307
>
> winbind use default domain = yes
> winbind enum users = yes
> winbind enum groups = yes
>
> I appreciate any help about this issue.
> Thank you.

If you want to use the DC for anything other than authentication and
don't want to use the 3000000 numbers, you will need to give your users
a uidNumber attribute containing a unique number inside the range you
want to use.

Rowland
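
An added example, not part of the original message: a check that every account in an LDIF export has a uidNumber that is unique and inside the chosen range, as the reply above requires. The LDIF entries are constructed sample data, and the default range is an assumption taken from the "idmap uid" line in the quoted smb.conf.

```python
# Added example: audit uidNumber assignments in an LDIF export.
# SAMPLE_LDIF is constructed sample data, not output from the poster's DC.
from collections import defaultdict

SAMPLE_LDIF = """\
dn: CN=alice,CN=Users,DC=intranet,DC=unv
sAMAccountName: alice
uidNumber: 10001

dn: CN=bob,CN=Users,DC=intranet,DC=unv
sAMAccountName: bob
uidNumber: 10001

dn: CN=carol,CN=Users,DC=intranet,DC=unv
sAMAccountName: carol

dn: CN=dave,CN=Users,DC=intranet,DC=unv
sAMAccountName: dave
uidNumber: 500
"""

def parse_ldif(text):
    """Yield one dict per entry; handles only plain 'attr: value' lines."""
    for block in text.strip().split("\n\n"):
        entry = {}
        for line in block.splitlines():
            if line.startswith("#") or ": " not in line:
                continue
            attr, value = line.split(": ", 1)
            entry[attr] = value.strip()
        if entry:
            yield entry

def audit_uid_numbers(text, low=10000, high=9999999):
    """Return accounts whose uidNumber is missing, out of range or shared."""
    missing, out_of_range, owners = [], [], defaultdict(list)
    for entry in parse_ldif(text):
        name = entry.get("sAMAccountName", entry.get("dn", "?"))
        uid = entry.get("uidNumber")
        if uid is None:
            missing.append(name)  # would fall back to an automatically allocated ID
            continue
        uid = int(uid)
        owners[uid].append(name)
        if not low <= uid <= high:
            out_of_range.append(name)
    # Two accounts sharing one uidNumber are the same user to Unix permissions.
    duplicates = {u: n for u, n in owners.items() if len(n) > 1}
    return {"missing": missing, "out_of_range": out_of_range, "duplicates": duplicates}
```
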