[Samba] samba4 as ADS member: some users visible, others not

Stefan G. Weichinger lists at xunil.at
Tue Dec 29 16:32:02 UTC 2015

I have to add a brand new fedora 23 server with samba 4.3.3 to an
existing Windows ADS domain.

The join is OK:

# net ads testjoin
Join is OK

I use winbind as I still have to learn about sssd (and I am unsure which
one to prefer).

config (workgroup and realm edited):

	workgroup = customer
	realm = my.customer
	server string =
	security = ADS
	map to guest = Bad User
	username map = /etc/samba/smbusers
	map untrusted to domain = Yes
	load printers = No
	printcap name = /dev/null
	disable spoolss = Yes
	template shell = /bin/bash
	winbind enum users = Yes
	winbind enum groups = Yes
	winbind use default domain = Yes
	winbind nss info = rfc2307
	idmap config customer:range = 10000-999999
	idmap config customer:schema_mode = rfc2307
	idmap config customer:backend = ad
	idmap config *:range = 2000-9999
	idmap config * : backend = tdb
	force create mode = 0664
	force directory mode = 0775
	printing = bsd
	level2 oplocks = No



wbinfo -u
wbinfo -g list all users and groups from ADS

getent passwd only gives me around 20 users from ADS ...

-> some users get access to shares, some not!

I assume this has to do with "idmap config customer:range" ?

How to determine the values of the max ids?

Do I have to "reset" some mappings after changing this parameter?

What else to check for?

thanks for any help on this, Stefan

More information about the samba mailing list